Interesting People mailing list archives
IP: : password changing...
From: Dave Farber <dave () farber net>
Date: Mon, 18 Mar 2002 09:54:13 -0500
------ Forwarded Message
From: "Mike O'Dell" <mo () ccr org>
Date: Mon, 18 Mar 2002 09:41:05 -0500 (EST)
To: dave () farber net
Cc: mo () ccr org
Subject: password changing...

studies at bell labs showed that insisting on regular password changes actually *reduced* the strength of passwords chosen. The reason should be relatively simple to understand - people can only remember so many things, but moreover, the "likely to remember good password" universe of a single person is relatively small. forcing that set to be used up quickly ultimately degrades the quality of the password chosen out of human frailty. very quickly, writing down a very good password and keeping it on your person becomes *less* of a risk than picking poor ones. (this is a clear conflict between the algorithmic optimum and an operationally viable operating point.)

today we have the compound problem that we are awash in authentication. our bank cards, our calling cards, the cypherlocks on our doors all require a "PIN", and every bloody site on the Internet seems to require "registration". the good news is that most sites have adopted an email address as "username", which solves the problem of remembering different identities. but there is still the problem of remembering passwords.

MacOS these days has support for "keyrings" to help the Internet side of things, allowing relatively safe storage of credential information. this is a very worthy stab at the problem, but hardly a complete one.

biometrics is problematic if taken alone, ignoring the problem of ubiquitous sensors. if your biometric data is somehow compromised, it becomes "the password you cannot change". so while biometrics are useful, they can only be part of the answer.

i believe this is a much larger problem than people realize. it is deeply rooted in the notion of identity, not only with respect to electronic surrogation and delegation, but in the real world as well.

proving of identity is very hard, and we haven't yet established a model supporting "gradations of veracity" - allowing the work to fit the risk, so to speak. one problem lurking behind this is the well-documented inability of most people to accurately judge risk. this induces a "just pick the maximum strength" attitude, and that then produces a gross dislike for the resulting level of effort required. this leads to the inevitable "security or convenience" argument which has somehow become a choice not only bipolar but binary.

we may well be reduced to a very difficult choice: adopting some kind of common physical carrier for assorted electronic credentials, which obviously opens the door to all kinds of "official" use and misuse, or facing the prospect of drowning in assorted authenticators which simply increases the likelihood of any particular one being compromised because of the weak choices induced by the frailties of human memory.

yours in monotone increasing age,
-mo

------ End of Forwarded Message

For archives see: http://www.interesting-people.org/archives/interesting-people/