Wednesday, December 03, 2008

Paul can't be wrong all the time

I have to say that, for once, I totally agree with Paul. In responding to a post by Ben Laurie, Paul disagrees with Ben's opinions of passwords and phishing.

Ben had said (and I'm showing a bit more here than Paul did in his response):

Well, no. If your password is unphishable, then it is obviously the case that it can be the same everywhere. Or it wouldn’t be unphishable. The only reason you need a password for each site is because we’re too lame to fix the real problem. Passwords scale just fine. If it wasn’t for those pesky users (that we trained to do the wrong thing), that is.

First off, the phishability and reusability of passwords are distinct and separate issues. They have pretty much nothing to do with each other.

The primary reason one should not use the same password everywhere is that once that password is discovered at one location, it can be reused at other locations. So, if, for example, you use the same password at Amazon, eBay, PayPal and Facebook, all one needs to do is find out your password on Facebook, and then they will be able to sell things in your name on eBay, buy things in your name using PayPal and ship lots of things in your name at Amazon.

As Paul mentioned, there are many ways to find your password, just to name a few: an administrator at Facebook could look it up in the password database, or you could have a weak password that an attacker could break by brute force (and if you're using the same password everywhere, they could spread their guesses across multiple sites, making all or most of the anti-brute-force rate limiting at any given site pretty moot).
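The reuse problem above is easy to make concrete with a small audit over a password vault. The following is an added example (not code from the original post, and not from any tool Paul or Ben describe) that takes a constructed site-to-password mapping, groups sites that share a password, and reports the "blast radius" of a single compromised site, i.e. every other account that falls with it. Site names and passwords are made-up sample values; the vault structure and the `salt` parameter are assumptions of this example.

```python
"""Audit a password vault for reuse across sites (added example, not from the post)."""
from collections import defaultdict
from typing import Dict, List, Optional
import hashlib
import hmac
import os


def fingerprint(password: str, salt: bytes) -> str:
    # Keyed hash so the audit report never has to carry the raw passwords.
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reuse(vault: Dict[str, str], salt: Optional[bytes] = None) -> List[List[str]]:
    """Return groups of sites (each sorted) that share the same password.

    Sites with a unique password are not reported; only groups of size >= 2.
    """
    salt = salt if salt is not None else os.urandom(16)
    groups: Dict[str, List[str]] = defaultdict(list)
    for site, password in vault.items():
        groups[fingerprint(password, salt)].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def blast_radius(vault: Dict[str, str], compromised_site: str) -> List[str]:
    """Every other site that is exposed once `compromised_site`'s password leaks."""
    leaked = vault[compromised_site]
    return sorted(
        site for site, password in vault.items()
        if password == leaked and site != compromised_site
    )


# Constructed sample vault: four sites sharing one password, one unique.
SAMPLE_VAULT = {
    "amazon.com": "hunter2",
    "ebay.com": "hunter2",
    "paypal.com": "hunter2",
    "facebook.com": "hunter2",
    "examplebank.test": "correct horse battery staple",
}

if __name__ == "__main__":
    for group in find_reuse(SAMPLE_VAULT):
        print("shared password across:", ", ".join(group))
    print("if facebook.com leaks, also exposed:", blast_radius(SAMPLE_VAULT, "facebook.com"))
```

Run as a script it reports the one shared-password group and shows that a Facebook compromise also exposes Amazon, eBay and PayPal; the bank account, with its unique password, is unaffected.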

All of that said, Ben did have several good points in his post. Yes, we, as an industry, have done a terrible job with the usability of passwords. The typical user has been prompted for passwords so often and in so many places that they have no feel for when it should or shouldn't happen (which is one of the best personal defenses against phishing).

Personally, I think the utopia for online identity comes with strong authentication to a small number of identity providers which assert my identity through SSO and federation out to a large number of relying parties. Ben's point about the attacks around issuance and re-issuance of such strong credentials is very valid: they can't be based on much weaker, socially engineerable factors. The credentials will end up having to be issued with strong levels of assurance.

I also look forward to being able to log in once at the start of my day and maintain that state in a reasonably secure fashion for the entire day, without having to re-authenticate every few minutes or deal with "your session has been terminated for your security" when I've been sitting at the computer the entire time.

Johnny said...

Your authentication expiration should be hooked to your chair, like the battery of a riding mower.

Conor P. Cahill said...

My riding mower (well, tractor) doesn't have a battery hooked to it. Our small tractor does have a dead man's switch that kicks in if the mower blades are engaged.

In any case, I think my computer should just sense my magnetic presence (or lack thereof) and adjust system access accordingly.

I don't want my stuff to be logged out just because I step away, but I do want it locked so that others can't use it.