The Forgotten Origin of Passwords
Why you would happily trade your freedom in exchange for an illusion of security.
This post will not end with a pitch in favour of using passwords. It begins by tracing the origins of the password and how that has affected our relationship with identity & authentication. Somewhere near the middle, I will dismiss the use of passwords for authentication altogether. At the end, I will tell you why.
Before you read this article, think about buying Password (by Martin Paul Eve). I’m not getting paid to promote this. In fact, the following post also serves as a criticism of this book!
The Legacy of the Password
In human societies, identity has historically and socially been the primary vector of access to human constructs of space. The password is the guardian of space; its sole purpose is to include or exclude people from those constructs.
Within the Military
Martin attributes the emergence of the contemporary password to military societies, seeking to restrict access (Martin, 2016: 11).
‘This was acutely developed in Ancient Rome, where an elaborate system of “watchwords” was deployed that shares many of the characteristics of contemporary passwords (most notably, a secure second channel). “Halt, who goes there?” is the canonical challenge.’
For the military, the password was a dichotomy between friend and foe; a way to exclude undesirables from controlled areas.
Within Medieval Guilds
Martin fails to fully discuss the other historical emergence of passwords: protection through inclusion. Rather than adopting the military mindset of keeping people out of areas, passwords are used here to demarcate a designated societal locus. The password is used, in this case, as a way to demonstrate belonging and signal a specific affiliation.
Access to Medieval guilds often required extensive training and adherence to a set of best practices; this “two-factor authentication” would be one’s barrier to inclusion within the codified world of medieval artisans. The password was built as a way to maintain trust within communities, as opposed to keeping people out of territorial zones.
Knowledge & Identity
As far back as Ancient Mesopotamia, the Akkadian word for “password” was the same as the word for “omen”. Not only did the word celebrate the almost-mythical difficulty of deciphering (thus giving whoever can do so power), but it also connotes a shared community responsibility.
Western Logocentricity: The Word was God
We turn our attention millennia later to ‘the Bible’s gospel of John, where the very first line of the very first verse reads, “In the beginning was the Word, and the Word was with God, and the Word was God.”’ (Martin, 2016: 55) Short of being the cause of Western logocentricity, this important citation is from the Western world’s most influential book. Our society’s worldview is that the Truth (God) can only be found through knowledge, which is transmitted via representation (the Word).
The Assumption: Only Knowledge Can Confirm Identity
Our societies have built themselves and an elaborate accompanying infrastructure around the notion that only knowledge can prove identity, to the point that most of us take these infrastructures and notions for granted. Armies and walls exist to protect us from foreign invaders. Laws and law enforcement prevent us from doing evil. Passwords exist ubiquitously on the Internet because only possession of secret knowledge can prove our identities.
These are assumptions that persist on the Internet as they are firmly anchored in military thought. (Martin, 2016: 25) According to Janet Abbate,
‘In the years since the Internet was transferred to civilian control, its military roots have been downplayed… But the Internet was not built in response to popular demand… Rather, the project reflected the command economy of military procurement.’
In Post-Napoleonic military thought, a dichotomous distinction between friend and foe is vital. Every action must serve the defeat of a designated opponent. Further down the chain of command, every action must be broken down into as few options as possible, preferably between do’s and do not’s, to maximize military discipline. It is, therefore, no surprise that the core units of the Internet are 1s and 0s.
The Utility of Passwords
The Internet’s short history and Western society’s dichotomous vision of security have led to what Alan Liu calls an “unreal hunger for security” that ‘corresponds to an unlimited and perhaps opposed desire for connectedness in the information age’ (Martin, 2016: 60).
For most users, the password screen is presented as the thin layer that ensures connectivity while assuring security. It is actually an effective piece of security theater.
The Vulnerability of Passwords
Password breaches are increasingly frequent and have cost the livelihoods of millions. Brute-force attacks from complex password-cracking software and human limitations (the average person uses less than five different passwords) make those breaches relatively easy to execute. In airport security, for instance, there is no statistical evidence that passports and electronic barriers provide any additional security from terrorist attacks and/or hijackings.
Passwords are clearly vulnerable to compromise. They are ubiquitous on the Internet because they provide a commonplace assurance of security. Like any piece of security theatre, their main value comes from their ability to delude users into a false sense of security, rather than actually providing adequate security.
At the public-private key level, again, citizens are surrendering their identities in return for an illusion of security. On the Internet, key-pairings and digital certificates are representations of your identity. The Public Key Infrastructure is centred on the assumption that a handful of certificate authorities based in the USA, reliant on secretive public root keys, have the credentials (authority, ability, and expertise) to handle identities. Unfortunately, several CA and PKI compromises have cost millions of digital identities.
Foucault’s Power/Knowledge Nexus
Like PKI, passwords move beyond Liu’s trade-off between security and connectivity; power/authority is also given away with the password. In Discipline and Punish, Michel Foucault turns “Knowledge is Power” on its head and formulates a notion of Power/Knowledge (Martin, 2016: 93).
He observes how power can create the instrumental conditions necessary ‘to monopolize the right to specify how truth and knowledge are understood’ (ibid). ‘In a (religious) confession, the penitent is told (power) to produce statements of truth (knowledge) about his or her forbidden desires.’ ‘This creates a “feedback loop” as the knowledge that is produced empowers the confessor to absolve the penitent of sins.’ (ibid) In passwords, the keepers of digital keys and passwords force the citizens to submit secret knowledge (the password) to access a website. At no point does anyone ask themselves why citizens must give away this secret to authorities, nor does anyone question why some authorities seem to have the ability to bypass security (govware, spyware, and legally sanctioned crypto-backdoors).
How do we break free?
We are stuck between a rock and a hard place.
Though we know that passwords are fundamentally insecure and feed into the Power/Knowledge feedback loop of the authorities, most of us would still choose to use them as there are no viable alternatives. CAPTCHA puzzles have to keep up with increasingly intelligent AI software. Biometric authentication still needs to get around the faked signature problem. Phone- and SMS-based identification is impractical and also vulnerable to man-in-the-middle attacks.
Besides, the current alternatives still fail to address the core Power/Knowledge problem. So how do we graduate from the Password? We must eliminate as many sources of centralisation as we can. The Power/Knowledge feedback loop can be broken if:
- Passwords are replaced with PINs, which are no longer stored in a directory.
- Key pairs and password hashes can’t be traced. Digital identities are distributed among several chosen trust-actors.
- The same PIN can be used for an infinite number of servers, giving the citizen access to an infinite number of communities. A four- to eight-digit PIN code could act as a shortcut to an infinite number of unique access-code hashes, matched with other hashes generated via Elliptic Curve Cryptography.
These conditions fulfilled, the citizen regains control over his/her identity and uses his/her PIN as a way to access an infinite number of communities safely. Rather than giving away the power to exclude to the government and military, we return to the Guilds of old when ciphers were used to include people in communities, protected from malevolent beings and prying eyes.
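As an added illustration of the three conditions above (my own sketch, not a design from the book or the article), here is one way a single PIN could unlock a distinct elliptic-curve key pair for every server in Go. It assumes Go 1.20 or later for crypto/ecdh, and a high-entropy secret held on the citizen’s device, because a four- to eight-digit PIN on its own has at most 10^8 values; the server stores only that server’s public key, never the PIN or a hash of it.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// DeriveKey maps (device secret, PIN, server name) to a P-256 key pair unique to
// that server, so the same PIN yields unlinkable identities. HMAC-SHA256 keyed by
// the device secret is used as the KDF; the counter retries the rare out-of-range scalar.
func DeriveKey(deviceSecret []byte, pin, server string) (*ecdh.PrivateKey, error) {
	for ctr := byte(0); ctr < 255; ctr++ {
		mac := hmac.New(sha256.New, deviceSecret)
		mac.Write([]byte("pin-id-v1|" + pin + "|" + server + "|"))
		mac.Write([]byte{ctr})
		if k, err := ecdh.P256().NewPrivateKey(mac.Sum(nil)); err == nil {
			return k, nil // NewPrivateKey rejects scalars outside [1, n-1]
		}
	}
	return nil, errors.New("no valid scalar found")
}

// Authenticate is a static-ephemeral ECDH challenge-response. The server holds only
// the client's per-server public key, offers an ephemeral public key and a nonce, and
// checks an HMAC over the nonce keyed by the shared secret. The PIN never leaves the client.
func Authenticate(stored *ecdh.PublicKey, deviceSecret []byte, pin, server string) (bool, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader) // server's one-time key
	if err != nil {
		return false, err
	}
	nonce := make([]byte, 16)
	rand.Read(nonce)
	k, err := DeriveKey(deviceSecret, pin, server) // client re-derives its key from the PIN
	if err != nil {
		return false, err
	}
	cs, errC := k.ECDH(eph.PublicKey()) // client side of the agreement
	ss, errS := eph.ECDH(stored)        // server side, from the stored public key only
	if err := errors.Join(errC, errS); err != nil {
		return false, err
	}
	mac := hmac.New(sha256.New, cs)
	mac.Write(nonce)
	response := mac.Sum(nil)
	mac = hmac.New(sha256.New, ss)
	mac.Write(nonce)
	return hmac.Equal(response, mac.Sum(nil)), nil
}
```

A wrong PIN, or the right PIN against another server’s stored key, derives a different private key and fails the check, and nothing the server keeps links the two accounts.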
This article was originally published today on LinkedIn Pulse.