The Password is dead. Long live the Passphrase.

Eliminating the need for a user to enter a password to authenticate themselves has been a hot area of research and development for many years. I have played my part in this process, partly because it has been my job but also because like just about every sane person I hate passwords. My hatred is multifaceted, but after an awful lot of consideration I have boiled it down to just two primary reasons.  Firstly, there are just too many of them, most nearly everything we access has a password or a PIN. One of my favorite slides to use is a waist line shot of a medieval jailer with a big ring of keys. The idea being to imagine what we might look like were all of the keys we have made physical. Secondly it is the inconsistency in length and complexity between sites and applications. I am not going to name the companies but if you limit or implement strange rules on the combinations of uppercase, lowercase, special, and numeric characters I can use I am going to suspect that you have a problem inside your authentication system (I have seen rules set so that users cannot set passwords that look like the ones that are either hard coded inside an app or have hardcoded special characteristics). Oh, and if you limit the number of characters you are going to make my blood boil as I want to be able to kill your password with a passphrase!

Yes, that is right. Even though I fully support all of the efforts to replace a wide array of authentication mechanisms with something that is based on “something I have” or “something I am” or a mashup of them like UnifyID. I still want to have “something I know” as part of certain authentications. And I want it to be a long and as complex as I want and I want it never again to be called a password.

I especially want to use passphrases to authenticate me at critical points in important transactions. I might be really happy to use a password less authentication mechanism to gain access to my email, a great improvement over the saved cookie offered now. Should I however want to delete my mail account do I really want to trust that to an “are you sure?” dialog? Probably, actually most definitely not. Same as when transferring large sums of money, electronically signing an important document or granting delegate access to a key system. I want to be forced to supply something that I and only I know, have both length and complexity but be easy to remember. Enter the passphrase.

I do not need to explain the science when there is an XKCD cartoon that does it so well

XKCD Cartoon on Password Strength
https://xkcd.com/936/

https://xkcd.com/936/

Anyone who has watched me while setting a passphrase will have seen me scouring my environment looking for inspiration. One thing that I have learned is that I can associate where I am, the items surrounding me and my physical sate when I set a passphrase for a particular service. Once upon a time my main corporate passphrase revolved around a chance encounter with the actor Warwick Davis having a good time in the bar of a London hotel where the heating in the bedrooms was stuck on in that rare thing a British summer! It read like a tabloid headline but to this day I can remember it.

There is another reason I want to be able to use passphrases and that is they are a very good mechanism to detect duress. When designing a secure system, process or procedure we must always look to the limits. Duress codes are not something that most private individuals will be that familiar with. The only likely contact they may have is via a home or business security system where entering a special reset code triggers a silent alarm but at the premises appears to have performed a reset (usually by swapping the last two digits). The use and application of duress codes is complex and in some situations contentious but I would like to maintain the ability to be able to implement them. They are also much easier to hide in a passphrase as the user can set their own subtle rules that distinguish the real from the distress.

To get the ball rolling I am suggesting that we all adopt one simple change. Delete the word “password” from our vocabulary and replace it with “passphrase”. Then as we start to roll out more modern authentication solutions and ask users to define a phrase they will see it as a clean break from the past and into the future of easy to remember high entropy phrases that can support features such as hard to detect distress codes.

Leave a Reply

Your email address will not be published.