New Post: Microsoft Ruined Passwords, Now Aims for a Passwordless Future

There’s no shortage of security people who will tell you that passwords are broken. It’s also not a coincidence how many of them sell products to supplement or replace passwords. Microsoft just announced that the passwordless future is here. In their announcement they make it clear that passwords are broken, and they should know – they broke them!

This passwordless future requires that Microsoft follow in Apple’s and Google’s footsteps in deciding which software you are allowed to run on your computer. These vendors don’t trust you to manage your own security; instead they want you to hand all trust over to them. Without them in control, they don’t believe your hardware can be trusted, and untrusted hardware isn’t allowed to log in to the passwordless future. As more vendors follow in Microsoft’s footsteps to implement passwordless logins, they too will anchor their trust in the hardware and ultimately in Microsoft (or Apple or Google). In the name of security and convenience your computer will be less and less your own.

Read the rest of the post here:

9 Likes

and add the two numbers and a symbol at the end (something I refer to as a “password mullet” – upper case letter in the front, numbers and symbols in the back)

Sigh… My work AD account’s password mullet is, let’s see… my base password, now with 9 additional chars. I feel personally attacked here :).

2 Likes

Yea, password mullet. Gonna steal that. It’s my sense that this whole “passwords suck” tripe is a bunch of paternalistic bullshit. I don’t (and yet do) have a lot more to say about that.

I shudder to think of the implications here.

Imagine if banks, government sites, health services, etc., all started requiring this kind of login (and associated commercial hardware, from Windows, Apple, or Google, naturally) to access the websites you need…all in the name of “security.”

As if ubiquitous captchas weren’t already annoying enough!

2 Likes

Yes and no. Read the article for why they do suck. Read the article for why they suck less than being forced to submit to Big Tech control and surveillance.

It could also be said that “humans suck” but that might be outside the scope of this topic. :wink:

I did read the article and I still think that the pain of passwords is kind of overrated. But I’m also a bit of an ex-smoker in this regard (actually an ex-smoker too). I woke up one morning, kind of like I did one day with cigarettes, and decided I wasn’t going to suck at passwords anymore.

I read a couple of articles, found out how to make passwords that are very difficult for computers, and went about slowly changing all my passwords and loading them into a password manager. Without technology, I agree that they would suck. But with the proper tools, they do not.

So I confess that I am likely not the most objective person. But even with my biases declared, I believe very firmly that “passwords hurt” is an unnecessary myth. Perhaps that can be countered with reason (and I welcome a better argument). But that is where I stand today.

See my last paragraph.

For every user, like you and me, who uses a mass of unique, strong passwords and remembers those passwords with assistance, e.g. tools like a password manager, how many users are there who don’t? How many users are there who have a “mullet”?

I believe the critical point highlighted here is the 2 factor authentication. Strong passwords in conjunction with 2FA are about as secure as it gets today.

1 Like

Discussion on Hacker News: https://news.ycombinator.com/item?id=28598894.

Having recently conducted a security audit in answer to the question “What happens to my digital life if I lose my phone?”, passwords and 2FA don’t cover all the issues.

Web sites have an endless variety of special conditions for account management, including password rules (causing mullets), security questions (which people provide with truthful answers!!), recovery phones (oops, another lost-phone problem), and recovery codes (did you remember to generate your recovery code, save it, and read all the rules about how to use it?).

Account recovery is the elephant in the room. It is too difficult for people to understand and maintain all the information required (are you listening password manager software?), and there are huge security holes in many of their implementations.

I’d love to see statistics on abandoned accounts, but come on, people need to access and recover their bank accounts, retirement accounts, credit bureau accounts, and government accounts (IRS, SSA, USPS, DMV). It’s impossible as it stands today.

2 Likes

This is an important point. You have to consider not just the threats a particular person faces when deciding on authentication measures, but also consider the entire account lifecycle.

Authentication is only as strong as the weakest link in the account lifecycle. It’s like the videos from “Lockpicking Lawyer” where he evaluates fancy hotel or gun safes with sophisticated digital locks but a cheap “backup” key lock he can pick easily. If you have sophisticated 2FA authentication, but someone can reset it by providing “recovery account” information about you that’s readily available on the Internet, they’ll just go for the weakest link.

1 Like

Hello,
Unfortunately your link referenced in the attachment directs to a site that is http, not https, and it references a site that does not clearly state that you have to click the screen to change what is on it (I had to find out accidentally). Other than that, pretty interesting.

Ahahah, I perfectly remember the evolution of my passwords…
keyword
keyword87 (year of birth)
Keyword87
KeyWord87
Key_Word87

LOL

1 Like

I have noticed this when trying to recover my dad’s Google account (fortunately, not a critical thing, because I never managed to do it). It’s impossible if you weren’t there at the generation of the account, because the logic of why they’re asking for most information is not fully understood by my dad, and the reason is also suspect given Google’s known hunger for personal data. So the result is a system that is nearly impossible for many legitimate end users to actually use correctly, yet (probably) fairly simple for a semi-talented hacker to crack into?

1 Like

Therefore you can use the browser add-on HTTPS-Everywhere.

What people also forget while speaking about passwords and co: the threat scenario is always different. 2FA for a bank account (both should not be on the same smartphone, as many people do) is important, but I don’t need 2FA for the Purism forum.
Nobody wants to get access to my forum account here. And if someone says right now “he opened up a challenge, let’s hack” … fine, but nearly everything is public, and even account information like e-mail doesn’t help to get any real information about me (it’s not even the same e-mail address as the one I bought the L5 with). In the worst case I just create a new account and I’m fine. Why should I use 2FA or something else here? But I’m also in a totally different threat situation than Kyle_Rankin. If someone gets hands on his forum account, he can do harm with it.

1 Like

I really wish all security professionals had this insight. Far too many design one-size-fits-all solutions, generally against a spy movie threat. This leads to situations where they often dismiss security solutions that would work well for average threats, because they can conceive of a spy movie threat that would work around it. For instance, I think most people in security agree that SMS 2FA isn’t ideal and there are practical workarounds for it that your average attacker now has access to. However a lot of security professionals just issue a blanket “don’t use SMS 2FA!” statement and ignore the fact that many average folks will see that and disable 2FA altogether, even though it would provide them better protection than passwords alone.

This was the whole problem with password policy for decades – security professionals wrote policy strictly aiming for attackers with high-performance computing performing dictionary attacks and ignored the human side of things. Hackers focused on the human side.
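The “password mullet” from the article excerpt above and the keyword → Key_Word87 evolution posted earlier illustrate this point: a complexity policy rewards the decoration, not the strength. The following Python is an added example, not from the article or any forum post; it strips the decoration to recover the base word and compares that with what a typical four-class complexity rule reports. The BASE_WORDS set is a constructed stand-in for the wordlist a real password-setting check would load.

```python
import re
import string

# Constructed: a tiny base-word list standing in for the dictionary or
# breached-password list a real checker would load. Not from the page.
BASE_WORDS = {"keyword", "password", "summer", "welcome"}

# Trailing run of digits and symbols: the "back" of the mullet.
TAIL_RE = re.compile(r"[0-9" + re.escape(string.punctuation) + r"]+$")
# Internal separator symbols such as the "_" in "Key_Word".
SEP_RE = re.compile(r"[" + re.escape(string.punctuation) + r"]")


def mullet_core(password: str) -> str:
    """Return the lowercase base word once the mullet decoration is removed.

    Drops trailing digits/symbols, internal separator symbols and case,
    so 'Key_Word87!' -> 'keyword'. A password made only of digits and
    symbols reduces to '' and is therefore never reported as a mullet.
    """
    front = TAIL_RE.sub("", password)
    return SEP_RE.sub("", front).lower()


def is_mullet(password: str, base_words=BASE_WORDS) -> bool:
    """True when the password is a known base word plus mullet decoration."""
    core = mullet_core(password)
    return core != "" and core in base_words


def meets_complexity_policy(password: str, min_len: int = 8) -> bool:
    """A typical complexity rule: min length plus upper, lower, digit, symbol."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= min_len and all(classes)


def evaluate(password: str) -> dict:
    """Side-by-side verdict: what the policy says vs. what the mullet check says."""
    return {"complexity_ok": meets_complexity_policy(password),
            "mullet": is_mullet(password), "core": mullet_core(password)}


if __name__ == "__main__":
    # Constructed sample: the evolution from the thread plus two controls.
    for pw in ["keyword", "keyword87", "Keyword87", "KeyWord87", "Key_Word87",
               "Key_Word87!", "correct horse battery staple"]:
        print(f"{pw!r:32} {evaluate(pw)}")
```

Every step of the evolution reduces to the same core, and the last two steps satisfy the complexity rule while the passphrase control fails it without being a mullet.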

Exactly. I go to greater lengths for my own security (PureBoot, Qubes, Librem Key, strict use of hardware kill switches, heavy use of GPG, among other things) because of the risks I face (and the stakes behind those risks) than I would consider reasonable for an average person that doesn’t face the same threats. I also have a much higher tolerance for inconvenience than I would expect most people to have.

At Purism we try hard to maintain a balance here between having sensible defaults that are reasonably secure, on a good foundation, while also offering more secure options for those folks who need it. The main challenge we (and specifically I) face is that I believe very strongly in empowering users to manage their own security, and that means I often have to pass on industry-standard security measures that would remove control from the user and place it in Purism’s hands.

This is one reason why we are still only getting started on the security measures on the Librem 5, for instance. Traditional phone security approaches all center on the “jail model” of locking down the hardware so it only runs binaries signed by the vendor and restricting what access not only apps have, but what the user has (unless they break out of jail). I don’t like the jail model. We have a good foundation for Librem 5 security, but still only a foundation. There’s a lot more still to build on top of it.

7 Likes

This is sad, as Google has the best collection of recovery options, but they don’t tell you about any of this when you set up your account. You need to set up and write down your recovery codes before disaster strikes. There is no human customer support.
Most other sites are limited to emailing a password reset link or asking you one to several of the security questions that you didn’t write down.
I recommend creating a spreadsheet with all account information for each of your critical accounts. This includes username, email address, password, 2FA phone, security questions and answers (not truthful!), recovery code(s), PINs, backup phone, … Do a dry-run recovery to make sure you understand what you need.

2 Likes

I would NEVER use a password manager, at least on the same machines that I wanted to protect. I have an analog password manager, and that is an index-card spiral book. I can remember all my passwords, even the 24-character ones. But what is tricky is when you make new passwords… lol. That is why I write them down, and after a few times of that, it will never leave my memory. I then discard the analog record of said password.

MS can suck it. They love to say one thing but then be doing another the entire time behind your back. Corporations are being forced to comply with draconian Orwellian measures, all under the guise of “we are here to protect you.”

The average user, however, would benefit from using a password manager. It is like @Kyle_Rankin and @Ick posted above: you need to assess your personal threat level and also the threat level of each account.
E.g. I also use a spiral book for the most important accounts, esp. financial accounts. If I faced a state attacker, they would be able to freeze my accounts in minutes.
However, the average script-kiddie hacker is after your financials. If I don’t have them on my machine, a little bit of attack surface is reduced.
For other accounts I prefer using a password manager, since it is way easier to handle a lot of passwords and you only need to remember one.
Other accounts may need another form of protection.
It always depends on what you need to protect from whom.
If you find the right balance, the burden of secure usage becomes a lot lighter.

We the people are assembling. We CAN put them out of business altogether. The American States Assemblies land and soil jurisdiction (americanstatenationals.org)