The Password is dead. Long live the Passphrase.

Eliminating the need for a user to enter a password to authenticate themselves has been a hot area of research and development for many years. I have played my part in this process, partly because it has been my job but also because, like just about every sane person, I hate passwords. My hatred is multifaceted, but after an awful lot of consideration I have boiled it down to just two primary reasons. Firstly, there are just too many of them; nearly everything we access has a password or a PIN. One of my favorite slides to use is a waist-line shot of a medieval jailer with a big ring of keys, the idea being to imagine what we might look like were all of the keys we hold made physical. Secondly, it is the inconsistency in length and complexity between sites and applications. I am not going to name the companies, but if you limit or implement strange rules on the combinations of uppercase, lowercase, special and numeric characters I can use, I am going to suspect that you have a problem inside your authentication system (I have seen rules set so that users cannot set passwords that look like the ones that are either hard coded inside an app or have hard-coded special characteristics). Oh, and if you limit the number of characters you are going to make my blood boil, as I want to be able to kill your password with a passphrase!

Yes, that is right. Even though I fully support all of the efforts to replace a wide array of authentication mechanisms with something that is based on “something I have” or “something I am”, or a mashup of them like UnifyID, I still want to have “something I know” as part of certain authentications. And I want it to be as long and as complex as I want, and I want it never again to be called a password.

I especially want to use passphrases to authenticate me at critical points in important transactions. I might be really happy to use a passwordless authentication mechanism to gain access to my email, a great improvement over the saved cookie offered now. Should I however want to delete my mail account, do I really want to trust that to an “are you sure?” dialog? Probably not; actually, most definitely not. The same goes for transferring large sums of money, electronically signing an important document or granting delegate access to a key system. I want to be forced to supply something that I and only I know, that has both length and complexity but is easy to remember. Enter the passphrase.

I do not need to explain the science when there is an XKCD cartoon that does it so well.

XKCD Cartoon on Password Strength
https://xkcd.com/936/
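The arithmetic behind the cartoon, as an added example that is not part of the original post: the entropy of a phrase made of words drawn at random from a list, how long a full search takes at the strip's 1000 guesses per second, and a generator that draws the words with a CSPRNG. The word list here is a tiny constructed stand-in; a real list has several thousand entries.

```python
import math
import secrets

# Added example, not code from the post. WORDLIST is a constructed stand-in
# for a real word list such as a diceware list with a few thousand words.
WORDLIST = ["correct", "horse", "battery", "staple",
            "jailer", "summer", "hotel", "heating"]


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy in bits of n_words chosen uniformly from a list of list_size.

    This is the only thing that matters: picking from a 2048-word list
    gives 11 bits per word regardless of how 'common' the words look.
    """
    return n_words * math.log2(list_size)


def full_search_years(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every phrase at the given online guess rate."""
    seconds = (2 ** bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(wordlist, n_words: int = 4) -> str:
    """Draw each word with secrets.choice so the entropy estimate holds.

    A phrase the user composes from what is on their desk is easier to
    remember but carries less entropy than a uniform draw would suggest.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    bits = passphrase_bits(2048, 4)  # the strip's four common words
    print(f"{bits:.0f} bits, full search at 1000 guesses/s takes "
          f"~{full_search_years(bits, 1000):.0f} years")
    print("sample phrase:", generate_passphrase(WORDLIST))
```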

Anyone who has watched me while setting a passphrase will have seen me scouring my environment looking for inspiration. One thing that I have learned is that I can associate where I am, the items surrounding me and my physical state when I set a passphrase for a particular service. Once upon a time my main corporate passphrase revolved around a chance encounter with the actor Warwick Davis having a good time in the bar of a London hotel where the heating in the bedrooms was stuck on in that rare thing, a British summer! It read like a tabloid headline, but to this day I can remember it.

There is another reason I want to be able to use passphrases, and that is that they are a very good mechanism to detect duress. When designing a secure system, process or procedure we must always look to the limits. Duress codes are not something that most private individuals will be that familiar with. The only likely contact they may have is via a home or business security system where entering a special reset code triggers a silent alarm but, at the premises, appears to have performed a normal reset (usually by swapping the last two digits). The use and application of duress codes is complex and in some situations contentious, but I would like to maintain the ability to implement them. They are also much easier to hide in a passphrase, as the user can set their own subtle rules that distinguish the real phrase from the distress one.
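One way a verifier can support the duress behaviour described above, as an added example rather than code from the post: it stores salted hashes of the real passphrase and of the user's duress variant, accepts both so that anyone watching the screen sees the same result, and records a silent alert only on the internal side. The class and function names are hypothetical; the "swap the last two words" rule stands in for the alarm-panel habit of swapping the last two digits.

```python
import hashlib
import hmac
import os

# Added example, not code from the post. Names are hypothetical.


def _hash(passphrase: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked store does not reveal either phrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


class DuressAwareVerifier:
    MIN_LEN = 16  # a floor only: no upper bound, long phrases are the point

    def __init__(self, real: str, duress: str):
        if len(real) < self.MIN_LEN or len(duress) < self.MIN_LEN:
            raise ValueError(f"passphrases must be at least {self.MIN_LEN} characters")
        if real == duress:
            raise ValueError("duress phrase must differ from the real one")
        self.salt = os.urandom(16)
        self.real_hash = _hash(real, self.salt)
        self.duress_hash = _hash(duress, self.salt)
        self.alerts = []  # audit trail of silent alarms, never shown to the user

    def verify(self, attempt: str) -> bool:
        """True for the real or the duress phrase; only the alert log differs."""
        h = _hash(attempt, self.salt)
        # Always hash once and compare against both, so the response time
        # does not reveal which phrase was typed.
        is_real = hmac.compare_digest(h, self.real_hash)
        is_duress = hmac.compare_digest(h, self.duress_hash)
        if is_duress:
            self.alerts.append("duress")
        return is_real or is_duress


def swap_last_two_words(phrase: str) -> str:
    """A user's subtle rule: the duress phrase is the real one with the last two words swapped."""
    words = phrase.split()
    if len(words) < 2:
        raise ValueError("need at least two words")
    words[-1], words[-2] = words[-2], words[-1]
    return " ".join(words)
```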

To get the ball rolling I am suggesting that we all adopt one simple change. Delete the word “password” from our vocabulary and replace it with “passphrase”. Then, as we start to roll out more modern authentication solutions and ask users to define a phrase, they will see it as a clean break from the past and into the future of easy-to-remember, high-entropy phrases that can support features such as hard-to-detect distress codes.

RSA Conference 2017: In Search of a Theme

This is the first year in a very long time that I have been at RSAC and not been there representing a major exhibitor. I was expecting that to give me more time to explore and see things that I often miss. Turns out that is not the case. Through a combination of having to walk further, as the conference has definitely spread beyond the Moscone and the nearby hotels, and being stopped every few minutes by people asking what I am up to, I think I am actually seeing less than I did last year!

My big observation so far is that I am not really seeing one unifying theme. I do not mean the one that the organizers create, which this year is the ever optimistic “The Power of OpportUnity”. I mean the common thing that appears in most presentations, stand demos and hallway chats. The only common thread, as with so many other aspects of life at the moment, is some degree of uncertainty about the stances that will be taken by the incoming administration. If however you dig down a bit you do hear the usual perennial themes: the reality of the lack of skilled personnel in our industry; the need to provide effective controls over our information and identities; the fear that is building within organizations around their reliance on, and therefore vulnerability to attacks on, their IT infrastructure, be that DDoS, ransomware or fraud. I have heard a dozen people predict that a major public business will fail in 2017!

It is going to be a long week and I look forward to trying to see more of it.

New site to be ready by RSA Conference

After my experiment with theGrid.io I have decided that, whilst it did some amazing stuff, my site is not yet ready to be designed by AI. I am also taking the opportunity to add some new features and content types to expose some side projects I have been working on for the last few years.