Password: WhYdO1 ne3dT0d*th1s

Alejandro Cerro
|
July 14, 2015
Image
Chalkboard in a store window reading I changed my password to "incorrect" so when I forget it will tell me "your password is incorrect"

Passwords are the bane of my existence. I loath them. Every time that I try out some new service or need to get something for my school work and I'm faced with that all too familiar field prompting me to enter a password the fire of hatred in my belly is stocked a bit more. This hatred is fueled further when I'm informed that my password does not meet the requirements for a password. As a user nothing is more aggravating than being told that to install an app that will show me kittens as a background I need a 15 letter password with no repeating letters that must include a symbol, a number, a capital letter, an emoji, a sample of blood and one Kanji character. Given the fact that I have over 200 passwords to different sites its a wonder that I don't spend most of my money replacing computers that have had unfortunate accidents with blunt objects.

Unfortunately passwords are essential in this day and age. It would be foolhardy to try to do most things without them. They secure our information, our bank accounts, our access to paid services and so much more. Here at Code Koalas when we build a website or a content management solution for one of our clients we discuss with them various security concerns, including using good passwords to secure their data. One of the benefits of using Drupal to build these systems is the ability to assign 'roles' to users that can limit their access to the content and the structure of the site. This type of compartmentalization is a good security practice when you are dealing with a system where lots of different users are going to be updating content. Of course each user still needs to have and remember their passwords, so we also talk with them about the various schemes and programs that can be used to manage passwords by end users.

No matter how valuable and necessary they are, they are inherently flawed. Passwords were a stop-gap solution that was created long before people wrote words. They haven't changed much since the days of guards with swords standing outside of doors. What has changed is how they are implemented and bypassed.

When mechanical computing machines were invented it didn't take long for people to realize that they could create better and faster encryption than a human could. Of course as the encryption got better, so did the encryption cracking, leading to the mess we have today. Interestingly enough this has made passwords less secure because they don't address the single most critical flaw - the user.

Alternatives

It doesn't matter how mathematically secure a password is if the user can't remember it. This has led to the number one password being "password" and it shouldn't be surprising. Humans are good at pattern recognition, not randomness. We can look at clouds and see fluffy bunnies, or stare at a modern piece of art and understand it. Ask us for a random string of characters and we fail miserably. Add to this the fallibility of memory and problems really start to pile up. Leading to the inevitable post-it notes on the monitor.

A number of different options have been developed to deal with this issue. Some options are wholly dependent on the user, such as using a pass phrase instead of a single word. With this technique the user chooses a long phrase, say "the password is anything but password." This adds entropy to the password, thus making it more secure. Similarly you could employ the method illustrated in the XKCD comic below of using four random common words. Both of these methods are easy for the user to remember, but hard for hackers to guess. They are not un-crackable[^1] however, but can be made more secure with the inclusion of punctuation and special characters such a @ or #.

Password entropy at it's finest

This can become problematic if you have several hundred passwords that are unique. To address this problem, clever people have designed programs that will generate long passwords built with random characters for you. LastPass is one such solution, and is one that we use here at Code Koalas. With it you only have to remember one password, which is the one to the LastPass application, and it will generate secure passwords for you. If you need to be able to access your passwords from a public computer, LastPass offers a couple of portable options that can be installed on a flash drive. LastPass is an extremely secure platform, and when they have had security breaches, such as this one that happened in June of 2015, user passwords where not compromised. The reason is that your actual passwords are not stored on any LastPass servers, only the master password, and they use very good security to keep it safe. So when we talk to our clients about possible methods that they can use to keep their site safe, LastPass is at the top of the list. It provides great security and simplicity mixed with a good user experience.

Is There Not A Better Way?

Of course all of these options still don't answer the fatal flaw of the user having to remember a password. Some time ago I read a Medium article written by Justin Balthrop discussing the very issue. In it he suggested an alternate authentication scheme.

  1. Instead of asking users for a password when they try to log in to your app or website, just ask them for their username (or email or mobile phone number).
  2. Create a temporary authorization code on the backend server and store it in your database.
  3. Send the user an email or SMS with a link that contains the code.
  4. The user clicks the link which opens your app or website and sends the authorization code to your server.
  5. On your backend server, verify that the code is valid and exchange it for a long-lived token, which is stored in your database and sent back to be stored on the client device as well.
  6. The user is now logged in, and doesn’t have to repeat this process again until their token expires or they want to authenticate on a new device.

From a user experience point-of-view I like this idea...a lot. This cleans up the problems that user have with passwords and it is easy to use. There is even a company - Unloq.io - that is developing a product to do something along those lines. Of course, there are still problems with this technique, as pointed out by the comments on the post, but it addresses the fatal flaw of passwords.

As much as I'd like them to, passwords are not going anywhere anytime soon. So it is up to us, as developers and designers to implement secure systems that work for the user. The user won't develop a complicated password scheme while registering for your product, he will go with the route of least resistance. By removing as many obstacles as possible for him, we provide them with a better experience, which ultimately will keep them coming back to use our products.

[^1]: If you would like to read up on how these pass-phrases can be cracked, this great XKCD wiki goes into a lot of detail, and has several links.