I'm sorry, but the password you remember sucks. It's not your fault, it's just the way our brain works. Our brains love finding and remembering patterns. If you can reuse the same password for multiple things and web sites, you would prefer it (and most of you end up doing that). If you made up the password from scratch, then surely it contains some patterns that you (your pattern-oriented brain) like. I can bore you with how selecting a password that's both long and contains special characters contains more entropy and is harder to "crack", but whatever, your password was chosen because it has lower entropy than just a purely random one. Even if your were offered multiple computer-generated passwords, you would select one that's "easier to remember", which is wrong. Oh, and if you do remember a truly, painfully random and long password, it took you so much effort to remember it that you will be more likely to either reuse it, or divulge it by accident or otherwise.
The best password is the one you can't remember.
So, of course, that means that the compromise was to use a unique, randomly generated and nearly impossible to remember password for everything except a password to your "keychain". That "keychain" is an encrypted file containing all your passwords but protected with a supposedly strong "master password" that you must remember. That's a lot better, but it still shifts the problem by essentially putting all your passwords within a single point of failure.
One dangerous thing about passwords is that, well, even a good password is not secure enough. Password databases are often stolen, and it still doesn't change the fact that a simple faked login form you got from that email could be enough to impersonate you in a web site. So, two-factor authentication is the next step: Your user name is validated against "something you know", your password, and "something you have", typically your cellphone. It could be a "number generator" App, or it could be as simple as getting a code from a SMS.
This leads to the biggest problem with security: Good security tends to be so much less usable that, in the end, users end up using the less secure option. Users see security as an obstacle to "getting access to the thing", so if they can use "12345" as a password, they'll do, and if they can't, they'll be annoyed. So, to convince users to set up two-factor authentication won't appeal to much apart to a few paranoid and security freaks.
That's why I find SQRL so interesting. The SQRL fan-made introduction page will surely explain it better than I can using text alone, but suffice to say that logging in to a web site becomes as simple as unlocking the SQRL App and taking a photo of the web page.
A few interesting things should be noticed about SQRL. First, instead of communicating a password to the web site, the SQRL App communicates with a huge 256-bit master key, which is equivalent to a password of over 60 characters. Also, this master key was safely randomly generated by a computer, for computers. This is very similar to public key cryptographic tools like PGP and SSH, that store private keys in a password-protected keychain.
Now, there are two potential issues. First, how do you "backup" that master key? Writing it down would be quite painful, like those old NES games that would "save" your game by having you write down a 40-character code. Your backup could be printed, but then, who prints from their cellphones? The safest bet would be to save it in picture form and backed up with your other (non-public) photos, but of course encrypted with your password.
But that leads to the second issue: What if you forget your password, or if somebody steals your master key and its password? Well, it shows you need three-factor authentication: Something you know, something you have, and something you are, meaning your identity. Typically, it resolves to those highly-insecure "security questions" or "password hints", which are worse than almost any bad password. But in the case of SQRL, it means making a backup of a "identity unlock lock" file that can be used to revoke an insecure (stolen or forgotten) master key. This time, to close the loop, the identity unlock lock key is encrypted with a randomly-generated password, a painful 20 or some character sequence that you must write down and never, ever place online or in the same place as the identity lock key. Annoying, but then if you've ever dealt with FileVault on Mac OS X or entering activation codes in Windows, it's not that bad if done only once.
Hopefully, I just scared you into changing all your passwords right now. Don't worry, new things like SQRL will make it easier for you. Until then, I recommend LastPass (or KeyPassX), using two-factor authentication everywhere it is offered, and filling those security questions with non-sensical garbage (that can be spoken over the phone) that will be stored in an encrypted file you regularly back up with a copy of your encrypted password database. That sucks, but, hey, not as badly as your passwords.
Published on November 25, 2013 at 20:45 EST
Older post: Revision A
Newer post: Cutting the Cord