
No Password Encryption

January 8, 2020

Who can remember passwords anyway?

Real Bernie Sanders reaction source

Larry David is an American comedian. He was the lead writer and producer of the Seinfeld TV series. During the previous and current election cycles he has played Presidential candidate Bernie Sanders in skits on Saturday Night Live. His “Bernie” rails about issues with passwords.

Today I want to talk about reducing our dependence on passwords.

On SNL in October 2015, his “Bernie” branched off the topic of Hillary Clinton’s e-mails to famously rant:

What’s the deal with e-mails anyway? I forgot my password the other day, so they say “We’ll email you a new one.” But I can’t get into my email to get the password. I mean, talk about a ball-buster.

In the SNL cold open about the most recent debate three weeks ago, “Bernie” reprised the complaint:

Apple lies, Amazon lies, even my I-Phone lies. Every time it says it’s at 1 percent battery, it stays on for at least 20 minutes. The other times it’s at 7 percent—it shuts down immediately. Apple, what are you trying to hide? And what’s my password?!!

Passwords are still needed. But, and this is the key, we wish to reduce our dependency on them and still be safe. Also the method fits nicely with today’s need for access to encrypted information by law enforcement. We have already discussed this recently here. The trick is to make information safe enough to please us, but not have as many passwords that we need to remember. “Bernie” would be happy.

Let’s next review why we use passwords at all.

Why We Have Passwords

Passwords have been used forever. See our friends at Wikipedia for a story by Polybius, an ancient historian, on how eons ago the Roman military used watchwords. Passwords have been used since the beginning of computing, forever in our world, to safeguard computer systems. The MIT computer system, CTSS, used them starting in 1961 to protect users. This is the reason Fernando Corbató is credited with the invention of computer passwords.

The goal of passwords and watchwords is simple: Control access. Both the real and fake Bernies use e-mail passwords to keep their communications private. We try to select good passwords, but the management of them can be challenging. It’s not just that people like “Bernie” forget theirs—it’s that our efforts to keep them in our heads often make them too easy to figure out. Jimmy Kimmel showed this in a 2017 segment on his own show.

Passwords are Dead

Managing passwords has led to the theme, “passwords are dead.” If they are dead, then we must have alternative methods. Some are based on biometrics such as fingerprints and eye scans; others are based on additional hardware. Fingerprints are one of the most popular, but have major drawbacks:

  • They can be unreliable.

  • They can be attacked.

  • They cannot be changed.

I can attest that fingerprints are unreliable. I use a Global Pass to speed my re-entry into the US. After my flight arrives at the airport, I use a Global Pass machine that checks my fingerprints. The machine fails to recognize my fingerprints, every time. This forces me to talk to a customs agent and convince them I am who I claim to be, thus defeating the reason for using the Global Pass.

A 2012 study by Joseph Bonneau, Cormac Herley, Paul Oorschot, and Frank Stajano titled “The Quest to Replace Passwords” compared 35 alternatives to passwords on their security, usability, and deployability. They showed that most do better on security and many do better on usability, but all alternatives do worse on deployability. The authors conclude:

“Marginal gains are often not sufficient to reach the activation energy necessary to overcome significant transition costs, which may provide the best explanation of why we are likely to live considerably longer before seeing the funeral procession for passwords arrive at the cemetery.”

Colorful language, but the point is that passwords are hard to beat.

How to Remove Them

I have a proposal on how to avoid reliance on just passwords. At least for many applications. The idea is: You would use a password and add a secret password that you do not remember. You do not even know this password. You do not write it down. Clearly, this is additional security if you do not even know the secret password. No one can steal it from you or guess it.

So the issue is: How do you access your own stuff without accessing the secret password? The answer is simple: You run a program that tries all the possibilities. Let this take some time $T$. The point is that for many situations you will not mind if $T$ is large, for example when the access that you are protecting occurs rarely. The security that this affords is based on this: An attacker can and will definitely be able to get access by expending $T$ time, if they also know your standard password. But this protects against mass attacks. An attacker may be able to get your data, but will not be able to get millions of people’s data.
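A minimal sketch of the scheme just described, as an added example that is not from the original post: the standard password is combined with a random secret that is discarded at enrollment, and unlocking searches the secret space. The parameter values, PBKDF2 as the per-guess function, and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumed demo parameters (not from the post): T is roughly
# 2**(SECRET_BITS-1) guesses times the cost of one KDF call.
SECRET_BITS = 10     # tiny so the demo finishes quickly; real use would be far larger
KDF_ITERS = 500      # PBKDF2 rounds per guess

def _derive(password, secret, salt, iters):
    """Stretch password || secret, then split into a verifier and a data key."""
    material = password.encode() + secret.to_bytes(8, "big")
    root = hashlib.pbkdf2_hmac("sha256", material, salt, iters)
    verifier = hmac.new(root, b"verify", hashlib.sha256).digest()
    data_key = hmac.new(root, b"encrypt", hashlib.sha256).digest()
    return verifier, data_key

def enroll(password, bits=SECRET_BITS, iters=KDF_ITERS):
    """Pick a random secret, store only salt + verifier, and forget the secret."""
    salt = os.urandom(16)
    secret = secrets.randbelow(2 ** bits)        # never stored or shown to the user
    verifier, data_key = _derive(password, secret, salt, iters)
    record = {"salt": salt, "verifier": verifier, "bits": bits, "iters": iters}
    return record, data_key                      # key encrypts the data, then is dropped

def unlock(password, record):
    """Search the whole secret space; return (data_key or None, guesses made)."""
    space = 2 ** record["bits"]
    for guesses, candidate in enumerate(range(space), start=1):
        verifier, data_key = _derive(password, candidate, record["salt"], record["iters"])
        if hmac.compare_digest(verifier, record["verifier"]):
            return data_key, guesses
    return None, space

if __name__ == "__main__":
    record, key = enroll("correct horse")        # constructed sample password
    recovered, guesses = unlock("correct horse", record)
    print("recovered:", recovered == key, "after", guesses, "guesses")
    print("wrong password:", unlock("wrong horse", record)[0])
```

Each guess is independent of the others, so the search parallelizes perfectly: $T$ measures total work, not wall-clock time for someone with more hardware.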

Let’s examine a few applications:

  • End-to-end Encryption: The secret password could be protected by a $T$ of order years or even decades of computer time. This would allow law enforcement to get information it needs, while stopping casual attackers.

  • Recovery of your data: The secret password could be protected by a $T$ of order days of computer time. Your computer backup data is secured by such a password. Then it crashes. You need to run such a computation to recover the data. In many situations this would be fine.

  • A banking site: You would still use a good password. The extra secret one could have a $T$ of an hour, say. Then when you need to pay an on-line bill, you would have to wait a reasonable amount of time.

  • No need to place passwords in your will: Omada King, in his 2013 book The Making Identity, wrote:

[A]ccording to a recent survey from the University of London, one in ten people are now leaving their passwords in their wills to pass on this important information when they die.

This could be avoided by using a secret password with $T$ of order months. When it is needed the heirs would run the recovery program and get the access they need.

Ken’s Words

Ken points out that merely trying more than a few possibilities will usually generate a suspicious-activity message and usually a shutdown. So a system would have to be set up to permit “self-hacking.” Ken has a small rotation of “password extenders” not written down and often has to try two or three before gaining access to non-financial sites where he is registered.

Ken is sometimes asked to monitor chess tournaments for possible cheating using the initial “screening” phase of his system. This phase requires minimal effort from Ken as it is supposed to be automated on a server that any chess tournament director would have quick access to, but for various reasons the International Chess Federation (FIDE) has not (yet) erected such a server. So Ken posts the auto-generated reports at a private location known only to him and the arbiter(s) of a particular tournament.

Ken does not maintain a password scheme for the reports. This would become a headache precisely because of the difficulties people have with passwords. Ken does not want to assume the responsibility for managing them. Instead he includes a “quasi-password” as part of the URL he creates. These are often multi-lingual puns or references to quirky artists or factoids in the home country of the tournament. Being memorable and unusual enables the arbiter’s browser to learn the word and link without collision.

This maximizes convenience: For Ken to e-mail reports or zipped folders as attachments would be cumbersome under daily updates. With Ken’s way, the arbiter can view updates even without having to pull up Ken’s previous e-mails with links, just by typing some letters of the weird word in the browser address bar. Hiding directory listings and a “no robots” directive completes minimal security for temporary use during the tournament.

The First and Last Word?

We mentioned Fernando Corbató having originated passwords. But before his passing last July 12, he came to regret them. Here he is quoted:

“It’s become a kind of nightmare. I don’t think anybody can possibly remember all the passwords.”

Open Problems

How practical do you find the “no-password” idea? At least the above suggestion may save us from having to place passwords in our wills.

5 Comments
  1. A.G.McDowell
    January 8, 2020 12:45 am

    It is possible that work described at is relevant to this. There may be problems with increasing the work factor by requiring repeated attempts, because these can be performed in parallel if the attacker has all of the information they need to verify a password guess. This makes life easier for attackers who have access to large amounts of computer hardware, and there are economies of scale here, both from standard economics, and because for very large cpu requirements it becomes economic to redesign using specialized hardware, such as FPGAs – see bitcoin mining, which went from cpu to gpu to fpga to asic.

  2. January 8, 2020 2:55 am

    I think involving some time T is a good idea, but I don’t understand why you would use it to brute force find out a secret password. Also, wouldn’t your computer learn it after time T? So I suppose it would need to be changed every time.

    Why doesn’t, instead, the server ask you to solve some computationally hard problem, like the mining of some cryptocurrency, that would take about T amount of time? This would put an invisible cost to each log-in.

  3. January 8, 2020 1:38 pm

    One of Ken’s and my classmates at Princeton when we were undergraduates there (I won’t say how long ago!) worked in the computer center and had access to everyone’s password on the mainframe (how times have changed). He told me that half of the passwords were: NCC-1701. And the odd thing is that everyone thought they were being very clever in their choice of password.

  4. January 13, 2020 5:45 am

    Invoking a ‘second password’ or similar is a bizarre way of adding a delay to an operation. Better is to just hard-code a fixed delay. Setting T based on some assumed rate of computation (password attempt speed, some hard computational problem, etc) is vulnerable to agents with faster/better technology than you assumed. For instance, many systems protect against brute force attacks by artificially waiting a few hundred milliseconds at each login attempt.

  5. January 14, 2020 2:45 pm

    Back when I was at UB, I was a teaching assistant for the software engineering course. I mentored three different groups of students who developed apps & games related to challenging users to memorize random mappings from letters to digits. It was quite fun and I still use one of my mappings as part of my online passwords. It’s quite convenient and it reduces memorization difficulties. Back then, I wrote this informal webpage on it:

    Anyways, it was a fun experience! Ultimately though, I think it’s difficult to get people to adopt new login techniques. It probably needs to be twice as fast and give the user points that can be redeemed for prizes. Otherwise, passwords will probably live on.
