XKCD is a web comic that is often brilliant, always geeky, and occasionally very useful even for non-geeks to understand some of the issues that face us in our increasingly geeky culture.
This recent strip really laid bare the entire problem with passwords: people are currently being told to memorize short gibberish passwords that are fairly easy for modern computers to crack.
But there is another issue that is not covered here: most websites have very low limits on the length of passwords. Many sites will require ‘at least 8’ characters, but will have a maximum of 12-16 characters, making the ‘difficulty to guess: HARD’ in the strip above unobtainable. MSN.net (and Hotmail and Windows Live and all those associated services) has a maximum of 16 characters. Using ‘human’ characters of simply letters and spaces, this works out to somewhere in the 25-30 bits of entropy range, or about the same as a very hard to remember password of 9 characters. Adding in a non-alphanumeric word separator helps a lot; “Alive&Springy94” is a lot better than “Alive Springy”.
The other thing that is difficult to understand is that each additional bit of entropy DOUBLES the security of the password. This is exactly why we were told to use random passwords, because extending the pool of characters to choose from made a dramatic difference in the strength of the password. Even in 1995 “Shiva” was a terrible password, but “Sh/va” was basically uncrackable, because adding all the non-alphanumerics to your password cracker meant that instead of taking 2 days to crack, it now took 8 days by adding two more bits of entropy, and who could devote 8 days of computer time to crack one password?
But computers are so fast now that every single possible 8 character password can be checked in hours by a dedicated hacker. Every. Single. Possible. Password. 8 characters isn’t secure, at all. Right now, 12 characters is about the minimum, but that won’t be true much longer; we’re fast approaching the 15-16 character password length, and that is assuming fully randomized passwords for maximum entropy.
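The length-cap and doubling arguments above, worked through as an added example (not part of the original post). It assumes a 2048-word list (11 bits per word, as in the xkcd strip), an average word length of 5, and an illustrative guessing rate of 1e11 per second; all three are assumptions, not measurements.

```python
import math

WORDLIST_SIZE = 2048        # assumption: 2**11 words, i.e. 11 bits per word
GUESSES_PER_SECOND = 1e11   # assumption: illustrative offline guessing rate

def random_bits(length, alphabet_size):
    """Entropy in bits of `length` characters drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def passphrase_bits(words, wordlist_size=WORDLIST_SIZE):
    """Entropy in bits of `words` words drawn uniformly from the list."""
    return words * math.log2(wordlist_size)

def words_under_cap(max_len, avg_word_len):
    """Words of avg_word_len, joined by single separators, that fit in max_len."""
    return (max_len + 1) // (avg_word_len + 1)

def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate in a search space of 2**bits."""
    return 2 ** bits / rate

def cap_report(caps, avg_word_len=5):
    """For each site length cap: (cap, words that fit, passphrase bits)."""
    rows = []
    for cap in caps:
        n = words_under_cap(cap, avg_word_len)
        rows.append((cap, n, passphrase_bits(n)))
    return rows

if __name__ == "__main__":
    # A 16-character cap leaves room for two words, not the strip's four.
    for cap, n, bits in cap_report([12, 16, 32, 64]):
        print(f"cap {cap:>2}: {n} words, {bits:.0f} bits, "
              f"{seconds_to_exhaust(bits):.3g} s to exhaust")
    # Fully random passwords over the 95 printable ASCII characters.
    for length in (8, 12, 16):
        bits = random_bits(length, 95)
        print(f"{length} random chars: {bits:.1f} bits, "
              f"{seconds_to_exhaust(bits) / 3600:.3g} hours to exhaust")
```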
So what’s going to happen?
You might think that passwords will simply get long and we’ll all move to the 4 random common words model in the xkcd strip, and that might happen. I don’t think so. Longer passwords have a definite diminishing return because people are stupid and lazy. I’m not being insulting, it’s how we are built. People presented with a password dialog that allows 8-200 characters will almost all type in 8 characters. And they will type in the SAME 8 characters at every single password prompt on every web page and every login. Sure, you might not do that. I don’t do that. But better than 90% of humans will do that.
And even if you don’t do that and I don’t do that, we have to have a way to manage those passwords. Sure, 4 random common words are easy to memorize for one login on one website, but I have 600 logins. I have Google and web boards and banks and farcebook and webmail and AppleIDs and GitHub, and so on. It doesn’t matter how simple a process we have for generating easy to remember passwords, I can’t remember 600 of them; no one can.
So, let’s imagine five years from now. I have a new computer that I’ve just set up and I go to log in to Gmail. I fire up my web browser, I go to Gmail, and I see a screen asking for login and password. I go up and click on my password manager (exactly like I do now) and enter my master password. My manager fills in the username and the 15 character password, exactly like now.
OK. So this is all today’s technology, and instead of having 600 unique passwords I have 600 unique passwords that are all controlled by a single master password. This is pretty secure because my password manager is completely local to my machine and not something someone else easily has access to, but it is still a single point of failure.
So what will happen next is crucial. Gmail notices that I’ve never logged in from this computer before and so, despite having my login information correct, it doesn’t log me in. Instead, it searches around my computer for my iPhone 6GS++. If it finds it, it uses the NFC chip in the computer and the phone to verify that not only do I know my user name and password, but I have my phone. This is good enough to log me in. If it CAN’T find my phone (maybe I’m still using an old iPhone 4S+ without NFC), then it tells me to go get my phone/authenticator and enter the code from the Google Authenticator. Or it sends a code to my phone via SMS or voicemail. Once I do this, it logs me in.
Then it asks me if this is a computer I trust. Since it’s my computer, I do, and so Google won’t ask for my password again for a couple of weeks, or a month, whatever. Once that time is up I have to log in again, and pass the “thing I have” test again. If it’s not a trusted computer, then it checks for the something I have every time I log in.
The funny thing is, at least with Google, this is all possible right now, with the possible exception of the NFC negotiation. What will change is that in 5 years, a lot more people will be doing this as ‘normal’ passwords will be easier and easier to crack. This is called two-factor authentication and it is the future of passwords. It’s been around a long time, but the difference that will make it universal is the ubiquity of mobile phones and the ability to automatically and seamlessly manage the ‘thing you have’ check. Right now you have to pull out your authenticator or your phone and you have to manually type in the code and you have to do it pretty quickly before the code expires and it’s all a bit of a pain to do all the time.
Blizzard has been doing this for years with their World of Warcraft game, though it’s still a bit too clumsy and inconvenient for most people to be willing to do it. However, with NFC and the prevalence of mobile phones, this is definitely coming.
Oh, and if you’re using a password of less than 12 characters for anything important, change it now.