Interesting People mailing list archives

IP: password changing...


From: Dave Farber <dave () farber net>
Date: Mon, 18 Mar 2002 09:54:13 -0500


------ Forwarded Message
From: "Mike O'Dell" <mo () ccr org>
Date: Mon, 18 Mar 2002 09:41:05 -0500 (EST)
To: dave () farber net
Cc: mo () ccr org
Subject: password changing...

studies at bell labs showed that insisting on regular password
changes actually *reduced* the strength of passwords chosen.
The reason should be relatively simple to understand - people
can only remember so many things, but moreover, the
"likely to remember good password" universe of a single person
is relatively small.  forcing that set to be used up quickly
ultimately degrades the quality of the password chosen out of
human frailty.  very quickly, writing down a very good password
and keeping it on your person becomes *less* of a risk than
picking poor ones.  (this is a clear conflict between the
algorithmic optimum and an operationally viable operating
point.)

today we have the compound problem that we are awash in
authentication. our bank cards, our calling cards, the cypherlocks
on our doors all require a "PIN", and every bloody site on
the Internet seems to require "registration".  the good news
is that most sites have adopted an email address as "username",
which solves the problem of remembering different identities.
but there is still the problem of remembering passwords.

MacOS these days has support for "keyrings" to help the Internet
side of things, allowing relatively safe storage of credential
information.  this is a very worthy stab at the problem, but
hardly a complete one.

biometrics is problematic if taken alone, ignoring the problem
of ubiquitous sensors.  if your biometric data is somehow
compromised, it becomes "the password you cannot change".  so
while biometrics are useful, they can only be part of the answer.

i believe this is a much larger problem than people realize.
it is deeply rooted in the notion of identity, not only with
respect to electronic surrogation and delegation, but in the
real world as well.  proving of identity is very hard, and
we haven't yet established a model supporting "gradations
of veracity" - allowing the work to fit the risk, so to speak.
one problem lurking behind this is the well-documented inability
of most people to accurately judge risk. this induces a "just
pick the maximum strength" attitude, and that then produces
a gross dislike for the resulting level of effort required.
this leads to the inevitable "security or convenience" argument
which has somehow become a choice not only bipolar but binary.

we may well be reduced to a very difficult choice:  adopting
some kind of common physical carrier for assorted electronic
credentials, which obviously opens the door to all kinds of
"official" use and misuse, or facing the prospect of drowning
in assorted authenticators which simply increases the likelihood
of any particular one being compromised because of the weak
choices induced by the frailties of human memory.

yours in monotone increasing age,

    -mo



------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/