Features

net.wars: Enter password

by Wendy M Grossman | posted on 21 December 2007


Some things, you just can't fake.

Wendy M Grossman

A few years ago, a friend of mine got a letter from an old girlfriend of her son's bearing news: my friend had, unknown to both her and his father, a 15-year-old grandson in Australia. The mother had married someone else, that marriage had broken up, and now the son was asking questions about his biological father.

I saw the kid, visiting his grandparents, out playing tennis the other day. It wasn't just the resemblance of face, head shape, and hair; the entire way his body moved as he ran and hit the ball was eerily and precisely like his father.

"You wouldn't need a DNA test," I said, aside, to my friend. She laughed and nodded, and then said, "We did one, though."

Biology: the ultimate identifier.

A few weeks ago, I did a piece on the many problems with passwords. Briefly: there are too many of them. They're hard to think up (at least if they're good ones), remember, and manage, and even when you have those things right you can be screwed by a third-party software supplier who makes the mistakes for you. The immediate precipitating incident for the piece was the Cambridge computer security group's discovery that Google makes a fine password cracker if your software, like Wordpress, stores passwords as MD5 hashes

Some topics you write about draw Pavlovian responses. Anything involving even a tiny threat to Firefox, for example, gets a huge response, as some school officials near where I'm staying have just discovered (kid doctors a detention letter to say he's being punished for not using Firefox and posts it on Digg; school becomes the target of international outrage). Passwords draw PRs for companies with better ideas.

I think the last time I wrote about passwords, the company that called was selling the technology to do those picklists you see on, for example, the Barclaycard site. You don't type in the password; instead, you pick two letters from picklists offered to you. There are a couple of problems with this, as it turns out now. First of all, if your password is a dictionary word the system doesn't really protect all that well against attacks that capture the letters, because it's so easy to plug two letters into a crossword solving program. But the big thing, as usual, is the memory problem. We learn things by using them repeatedly. It's a lot harder to remember the password if you never type the whole thing. I say picklists make it even more likely the password gets written down.

This time round, I got a call from Biopassword, which depends on behavioral biometrics: your personal typing pattern, which is as distinctive to your computer as my friend's grandson's style of movement is to a human. You still don't get to lose the password entirely; the system records the way you type it and your user name and uses that extra identifier to verify that it's you. The technology runs on the server side for Internet applications and enterprise computer systems, so in theory it works no matter where you're logging in from.

Ever used a French keyboard?

"A dramatic change does affect its ability," Biopassword's vice-president of marketing, Doug Wheeler, admitted. "But there are ways to mitigate the risk of failing if you want to provide the capability." These include the usual suspects: asking the person questions no one else is likely to be able to answer correctly, issuing a one-time password (via, for example, a known personal device such as a mobile phone), and so on. But, as he says, the thing companies like about Biopassword is that it identifies you specifically, not your cell phone or your bank statement. "No technology is perfect."

Biopassword starts by collecting nine samples, either all at once or over time, from which it generates a template. Wheeler says the company is working on reducing the number of samples as well as the number of applications and clients the system works with. He also notes that you can have your login rejected for matching too perfectly – to avoid replay attacks.

It's an intriguing idea, certainly. A big selling point is that unlike other ideas in the general move to two-factor identification it doesn't require you to learn or remember anything – or carry anything extra.

But it doesn't solve the key issue: passwords are an intractable problem located at the nexus of security, privacy, human psychology, and computer usability. A password that's easy to remember is often easy to crack. A password that's hard to crack is usually impossible to remember. Authenticating who you are when you type it will help – but these systems still have to have a fallback for when users are grappling with unfamiliar keyboards, broken arms, or unpredictable illness. And no user-facing system will solve the kind of hack that was used against the Cambridge group's installation of Wordpress (though this hole is fixed, now), which involved running a stored password through an MD5 hash and presenting the results to the Web site as a cookie indicating a successful login..

But it's good to know they're still out there trying.


Technorati tags:   
It's me! Honest! - You can discuss this article on our discussion board.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).