Passwords suck. This is a well-known fact. Of course, we have conditioned ourselves to using passwords in painful ways so we accept this fact and move on with our lives. Except, I can’t take it anymore.
Every week it seems there’s another breach, and every week there’s yet another security guru spouting the need for better-stronger-more-secure passwords. If you create a “strong” password that meets xyz requirements then it will take 42.3 bajillion years to crack regardless of what hash algorithm the application is using. The problem with this though is that “strong” passwords are ridiculously hard to remember and passwords that are easy to remember are easy to crack.
So we promote the use of password managers: tools that we use to store our super-strong-secure passwords in a secure way, and we get our passwords from said manager every time we need to use a password.
Fuck. That.
I mean, yes, they work for storing passwords securely, but the underlying problem is that we use passwords for authentication for nearly everything. This isn’t necessarily a bad thing in theory, but in practice passwords don’t scale for humans. As we become more and more connected to more and more applications we realize we have more and more passwords that we need to remember on an almost daily basis, and they are all very different, variations on a theme, or the same password reused over and over again. Using a password manager for this is complicated and slow, and slow or complicated security processes fail. Often.
No wonder we hear about passwords all the time.
Then we hear about the blame. We blame users for not using secure passwords when things go south.
“Oh that’s why you got hacked… your passwords aren’t secure.”
Of course we blame the users! Don’t believe me? Check the news. We point out that 58% of all passwords breached are under some arbitrary length requirement that normal users don’t understand let alone care about. Sure we do it as a service to others, but we do it in a condescending way as if people should know better.
Or we blame the application developers.
“You didn’t hash your passwords with a key-derived function with 100 iterations so attackers can brute force the passwords if they have an offline copy of your database.”
Really? What the hell does that mean? Especially to a developer that doesn’t understand basic abstraction let alone cryptography? Oh, I’m supposed to use at least 1000 iterations?
Passwords are a mess.
As the old joke goes:
“Doctor, it hurts when I do this.”
“Then don’t do that!”
We need to stop using passwords. There will always be uses for passwords, but as a de facto authentication scheme? No. Stop it. Just stop it.
How do we do that then?
The standard answer is to get our identity from somewhere else. This is Federation or Single Sign On. Instead of doing the work yourself, get someone else to do it.
Consider the problem: for the bulk of the applications we use we have one persona, or a set of personas for various groups of applications. Business applications get my business persona; personal applications get my personal persona; educational applications get my student persona; etc. If we use the same basic persona (or identity) for a set of applications, why on earth should I have to create a different identity for each application? Why should each application have its own way of authenticating me?
The resistance we see, though, is the application developer not wanting to give up control of that password. If they control the password, they control the user’s fate in the application. Actually, it’s a little understandable.
This is a call to action to all those developers: stop it!
Let go of the passwords. Just let go. Loosen your grip. Easy there. I know it’s tough, but it’s time to let go.
In fact, you don’t want to manage those passwords. Do you really want to get blamed when all of your users’ passwords are stolen because you didn’t know any better? This means less risk for you.
Risk bad. Less risk good.
But wait! Don’t go hooking up with every identity provider you meet. Only hook up with those you like. If you’re building a business application, go federate with the customer’s company; if you’re building a slick new social media site federate with Twitter or Facebook or LiveID or Google.
Keep it simple. You like Twitter as a provider. Joe’s Fish Taco and Identity notsomuch. Having too many providers will confuse your users because they will forget which provider they used.
If you don’t have any user passwords to manage anymore, that means you don’t have any user passwords to manage! Less work. Less hassle. Less annoyed customers because they can’t remember their password.
Nice, right?
As users we need to beg the developers of the applications we use to talk with other identity providers, otherwise they won’t see the need. We have to convince them passwords suck.
Is that too much to ask?