Passwords
TLDR: Passwords are bad. In Utopia devices manage identity with public-key cryptography. Devices authenticate users through a mixture of biometrics and analog signatures.
Prerequisites: None
Passwords are an extremely bad way of securing things. As humans naturally conceive of them, they’re a single word that’s easy to remember, which, as it turns out, also makes them (extremely) easy to guess. After decades of people getting hacked, the standard advice turned into “add some symbols or something”, when it almost certainly should have been “use a passphrase, not a password.”
The above XKCD comic is from 2017, and is bad.
It’s not wrong. Passphrases are much, much better than passwords. But it’s bad because it nudges readers towards some bad ideas. For example:
Bad Idea: A four-word phrase is secure.
Reality: Four English words selected uniformly at random are more secure than a hard-to-remember password that’s in a common format, but less secure than eight randomly selected letters/digits/symbols. If you select a common phrase like “I love my kids” it will get broken immediately.
Bad Idea: 1000 guesses/sec is a reasonable upper-bound on what attackers will do.
Reality: It is not hard for an attacker to brute-force check more than a billion passwords per second today (the record is around 100 billion/sec), and the computational power of future attackers grows exponentially. Back in the 60s, when computer passwords were first used, it would have been secure to use two common English words. But a password with just 44 bits of entropy, like the “correct horse battery staple” password, could be brute-forced in under five hours with a dictionary attack at a billion guesses per second. The NSA in ten years might be able to brute-force it in seconds.
Bad Idea: If I just make my password more complicated, my account will be secure.
Reality: Even if you have a truly high-entropy (hard-to-guess) password, there are dozens of ways in which you might be vulnerable. For instance, you might have a logger installed on your system, snooping on what keys you press. Or more likely, one of the websites that you use your password on isn’t secure, and is either hacked or simply sells your data. Your password could be 100 random symbols, but if you use it in more than one place… game over.
Having a secure passphrase is good, but it’s a totally insufficient way to protect important systems. And, the good news is, the world is beginning to come around to this perspective. Many companies are beginning to champion better methods, and new tools are available to help users.
I Want to Speak to the (Password) Manager
When a data breach occurs (e.g. Yahoo, Facebook, Google, etc), hackers can gain access to the password that you used with that service. It’s one thing to change your Instagram password upon hearing the news of the breach, and quite another to change all your passwords across all services. Worse, there are almost certainly data breaches that we don’t know about, making shared passwords fundamentally insecure.
The solution is easy (in theory): Use a new and completely independent password for each website.
If you are manually tracking passwords, one better-than-nothing strategy can be to remix a simple password on each website. So Facebook would get “facebooKpassword123!” while Google would get “googlEpassword123!”. The main problem with this method, among many others, is that an attacker who reads just one of your passwords will have a very good chance of guessing the others.
If you’re doubtful that a hacker will be able to read a password that’s been generated by you and become skilled at guessing other passwords you’ve generated, consider that advanced machine learning systems exist, and there’s quite a lot of data about what sorts of passwords people use. It might not even be a human that’s reverse-engineering your passwords from one leaked instance.
The correct strategy here is to use a password manager, such as the one included in your browser, 1Password, BitWarden, or one of the many others. These managers will be able to generate unique, very high-security passwords for each service you use. And because security is the entire business model for the companies providing these tools (at least if you don’t use the browser ones), there’s reason to suspect that they’re being appropriately paranoid about not making user data vulnerable to hackers.
The Key to Security
Password managers are good. If you’re not using one, you should start today. It will almost certainly be an upgrade to your current practice. But they don’t fix everything. Password managers introduce a single point of failure (similar to email) that, if compromised, can bring down your entire online identity.
Here’s another good method for improving digital security that you’re already familiar with: two-factor authentication. When you log into some accounts from a new device, you’ll be prompted to confirm your identity using a mechanism other than a password, such as clicking a button on your mobile device or entering a one-time code that’s sent to you. This greatly improves security by forcing a would-be hacker to get access to both your password and your phone/email.
But wait. If someone steals my mobile device and can get past the lock screen (easier than you might think!), does that mean I’m screwed? Using my mobile they can access my email, and from there they can reset all my passwords and do all the two-factor authentication they want.
Using a password manager introduces a single point of failure (though a much better one than re-using passwords). Using email to reset passwords introduces another single point of failure. Multi-factor authentication, on the other hand, increases the number of things an attacker must have to gain access, and it changes them to be less digital and more about physical reality.
There’s a way in which all security is just a matter of making it more annoying for an adversary to profit off you than off someone else (or from honest work). It’s not like physical locks are infinitely secure, after all. “Unbreakable security” isn’t the point.
The point of all this is to change the way in which we secure things. A hacker on the other side of the world can, in the absence of two-factor authentication, anonymously attack people all over the world from the safety of his bedroom. If he needs your phone to gain access to your money, he’s screwed. Similarly, if someone gains access to your phone but doesn’t have the technical knowledge of how to bypass the lock screen, there’s a good chance you can disable access remotely before you’re compromised.
None of this stops clever attackers. The most potent form of attack has been, and perhaps always will be, social engineering. But social engineering attacks, like stealing physical devices, can’t be done at scale. Security through passwords and other bad software, on the other hand, creates weapons-of-mass-theft. If someone (or some team/nation/artificial intelligence) found a backdoor that let them get full remote-access to all the world’s iPhones, they could potentially ruin the global economy, or perhaps use that leverage to gain even more control. Cryptocurrencies have been making things worse, in their own way, with hundreds of millions of (mostly) anonymous dollars going to whoever finds a security vulnerability.
But just as new technologies could render annoyingly complex security schemes trivial to break, technology also has the potential to produce even more robust mechanisms for security that are less annoying than the systems we use today. There’s an interesting question about where, in the limit of technological progress, the balance lies between technologies for offense, and those for defense. Only time will tell, but I’m cautiously optimistic.
Utopian Passwords
There’s much to be said about creating more secure software and hardware, but we’ll focus right now on the question of how computers confirm user identity.
In Utopia almost nobody uses passphrases (much less passwords).
Instead, the most common form of security is public-key cryptography. Here’s a nice 6-minute intro by Computerphile:
Each Utopian has, on their device, a keyfile. In this file is a collection of keys: the known public keys from each service, the public/secret key-pairs used with them, and any symmetric/temporary keys that have been established to increase speed. Keyfiles are managed by the operating system of trusted devices in a way that no service or application can directly gain access to the keys inside. Instead, software can manually request encryption/decryption, and network traffic is automatically encrypted/decrypted by the device by default.
Keyfile security is designed to be invisible. When you go to a Utopian website, your keyfile will automatically establish a unique identity with that website. Users never have to log in or create passwords, and batch-entering profile information (like name and email, or linking one account to another) is as simple as pressing a couple of buttons.
The chips that keyfiles are stored on are designed to be tamper-proof, and to never have secret keys leave the chip. If someone tries to open the chip up, it is rigged to melt. When a person sets up a new device, they generate new public/secret keys for that device. There is then an automated process by which the old device reaches out to every online service with a message that approves the new device as belonging to the same person (or organization). The new device’s public keys then become sufficient to access old accounts.
In addition to guaranteeing that secret keys never leave the safety of the security chip, this method of having multiple devices has a few additional perks:
Services can know when a person has switched devices (and can remember which is which).
Users can, similar to adding a device, remove trust in a linked device by broadcasting a “my-other-device-has-been-compromised” message.
Temporary permissions can be granted to a machine (such as one in a public location) by approving that machine’s keys for a limited time, and/or until a known device revokes the trust.
The primary downside to this strategy is that it’s difficult to grant access to an account if someone has no trusted devices on hand, and that it’s hard to recover accounts in the case where all trusted devices have been lost. In Utopia almost everyone has a trusted mobile device with them at all times, but in the rare case where a fire or other emergency destroys one’s keyfiles, it’s sometimes possible to work with organizations and governments to manually recover lost accounts. To reduce the risk of lost keyfiles, some people opt to store a backup trusted device in a bank vault.
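The device-linking flow described above (an old device approving a new one, revocation broadcasts, and time-limited grants), seen from the service's side as an added example; it is not code from the original page. The message layout, the `trust-v1|` prefix, and the rule that only permanent devices may vouch for others are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Msg (constructed format, an assumption): Signer sets the trust of Target.
type Msg struct {
	Target, Signer ed25519.PublicKey
	Expires        int64 // 0 permanent, >0 Unix-time limit, <0 revoked
	Sig            []byte
}

func payload(target ed25519.PublicKey, exp int64) []byte { // exact bytes a device signs
	return append(binary.BigEndian.AppendUint64([]byte("trust-v1|"), uint64(exp)), target...)
}

// Sign stands in for the device's security chip; the secret key never leaves it.
func Sign(priv ed25519.PrivateKey, target ed25519.PublicKey, exp int64) Msg {
	sig := ed25519.Sign(priv, payload(target, exp))
	return Msg{Target: target, Signer: priv.Public().(ed25519.PublicKey), Expires: exp, Sig: sig}
}

type Account map[string]int64 // service-side record for one user: device key -> Expires

// Trusted reports whether key may act for the account at time now.
func (a Account) Trusted(key ed25519.PublicKey, now int64) bool {
	exp, ok := a[string(key)]
	return ok && (exp == 0 || exp > now)
}

// Apply verifies a message against current trust, then updates the record.
func (a Account) Apply(m Msg) error {
	if exp, ok := a[string(m.Signer)]; !ok || exp != 0 || a[string(m.Target)] < 0 { // revocation is sticky
		return fmt.Errorf("signer is not a permanent trusted device, or target was revoked")
	}
	if len(m.Target) != ed25519.PublicKeySize || !ed25519.Verify(m.Signer, payload(m.Target, m.Expires), m.Sig) {
		return fmt.Errorf("bad target key or signature")
	}
	a[string(m.Target)] = m.Expires
	return nil
}

func main() {
	oldPub, oldPriv, _ := ed25519.GenerateKey(nil)
	newPub, _, _ := ed25519.GenerateKey(nil)
	fmt.Println(Account{string(oldPub): 0}.Apply(Sign(oldPriv, newPub, 0)))
}
```

Because a revoked key can never be re-approved, replaying an old approval message does not bring a compromised device back; the cost is that a device revoked by mistake must enroll with a fresh key pair.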
Utopian Lock-Screens
Keyfiles are only half of the problem, however. Devices still need to verify the identity of their user.
Each device in my conception of Utopia contains a chip which functions as a security guard for the device. In its circuits is a model of the device and how likely it is to be in the wrong hands. After a certain amount of idle time, the guard will become alert and lock the device. As time passes, the guard gets increasingly paranoid: it can encrypt sensitive user data, and will eventually encrypt almost all of the device’s memory and power down the device for long-term hibernation. (How long it takes for a device to do these things depends on settings that the user can change.)
When a user wakes up a device, it activates basic sensors to better model its surroundings and who is trying to use it. Data from fingerprint scanners, cameras, microphones, accelerometers, and geolocation all come together with a prior probability of attack to form a Bayesian estimate of whether it’s in the right hands. No one piece of data is necessary to unlock the device — by combining methods the system can form a robust model out of noisy sensors. Almost every time, unlocking a personal device in Utopia is as simple as picking it up.
But for those who need additional protection, Utopian devices can also be equipped with a patterned lock screen that asks for a signature from the user. Unlike a symbolic code like a PIN, signatures are analog. Everything from the timing of the movements to the pressure applied can be used to authenticate the swipe that someone uses to demonstrate their identity. These gestures are then converted into long sequences of numbers that take the place of passwords. The device’s guard is in charge of how precisely a signature must be performed in order to get access. If a user appears suspicious, perhaps by failing the signature several times, additional attempts will be met with increased scrutiny.
(This strategy could be employed with normal passwords. It’s reasonable to allow common typos of a password or near-misses to succeed, as long as after several failed attempts the alternative-passwords are revoked, and the user is forced to enter the password precisely. It annoys me how many times I get my password almost correct on the first try, and my computer rejects it.)
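An added example, not from the original page, of the guard's estimate described above: sensor readings are fused with a prior probability of attack, and failed attempts raise the scrutiny applied to the next one. The likelihood values, the 0.99 threshold and the prior-doubling policy are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Reading is one sensor observation: how likely it is when the owner holds
// the device versus anyone else. All numbers used here are constructed samples.
type Reading struct {
	Sensor                   string
	PGivenOwner, PGivenOther float64
}

// clamp keeps any single noisy sensor from claiming certainty.
func clamp(p float64) float64 { return math.Min(math.Max(p, 1e-6), 1-1e-6) }

// PosteriorOwner returns P(owner | readings) from the prior probability of
// attack, treating readings as independent (naive Bayes, summed in log-odds).
func PosteriorOwner(priorAttack float64, readings []Reading) float64 {
	p := clamp(priorAttack)
	logOdds := math.Log((1 - p) / p)
	for _, r := range readings {
		logOdds += math.Log(clamp(r.PGivenOwner) / clamp(r.PGivenOther))
	}
	return 1 / (1 + math.Exp(-logOdds))
}

// Guard models the security chip. Doubling the prior after each failed
// unlock is an assumed policy for "increased scrutiny".
type Guard struct {
	PriorAttack, Threshold float64
	Failures               int
}

// TryUnlock unlocks when the posterior clears the threshold.
func (g *Guard) TryUnlock(readings []Reading) bool {
	prior := math.Min(0.5, g.PriorAttack*math.Pow(2, float64(g.Failures)))
	if PosteriorOwner(prior, readings) < g.Threshold {
		g.Failures++
		return false
	}
	g.Failures = 0
	return true
}

func main() {
	g := &Guard{PriorAttack: 0.01, Threshold: 0.99}
	fmt.Println(g.TryUnlock([]Reading{{"accelerometer", 0.7, 0.2}, {"geolocation", 0.8, 0.1}}))
}
```

With these sample numbers, a familiar gait alone unlocks a fresh device, but after two failed attempts the same reading no longer clears the threshold and a stronger signal such as a fingerprint match is needed.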
In Utopia, particularly paranoid people can create additional signatures for hidden accounts on a device. These hidden accounts aren’t visible within the main account, so when threatened with a wrench to unlock their device, the paranoid person can unlock a dummy account and pretend like that’s all there is.
(At the time of writing, it appears as though the FIDO Alliance is attempting to implement a simple plan to kill passwords and bring the world closer to Utopia. Let’s hope they succeed.)