March 18, 2021

Passwords should be illegal

As part of modernizing U.S. infrastructure, America should eliminate passwords.

Our use of passwords to build security on the internet is akin to using flammable materials to build houses in densely-populated cities.  Every single website that collects, stores and transmits passwords invites a new cybersecurity catastrophe.

When half of Chicago burned down in 1871, citizens reflexively blamed the disaster on evil actors: arsonists, immigrants, communists.  After the fire, the first response of political leaders was to impose martial law on the city to stop such evil-doers.  From our modern perch, it seems obvious that both the blame and the fix were misplaced.  Even if the spark was lit by somebody with bad intentions, the scale of the disaster was caused by outdated infrastructure.  Chicago had been built out of combustible materials that were not safe in a densely-built city.

Our continued use of passwords on the internet today poses the same risk.

Just as a small fire in a flammable city can turn into a massive disaster, on the internet a single compromised password can lead to a chain reaction of compromised secrets that opens vast parts of the internet to hacking.  The fundamental problem is that we store and transmit many of the secrets that we use to secure the internet, including passwords, on the internet itself.  A password is a shared secret: the user types it, it crosses the network, and a copy of it (or something derived from it) sits in a database on the server, so every one of those places is a target, and a password reused across sites turns one breach into many.

In the 2020s, using, transmitting, and storing passwords on the internet should be as illegal as constructing a Chicago shanty out of incendiary cardboard.

Physical key-based authentication systems are cheap.  They keep the secret on a chip that is not reachable from the internet and that never reveals it on the network: the server stores only a public key, the key signs a fresh challenge at each login, and the private key never leaves the device.  A phishing page, an eavesdropper, or a thief who copies the server's database gets nothing that can be replayed or reused.  If physical keys were used everywhere we currently use passwords, the hacking that begins with a stolen credential, which is most of it, would be far harder and slower.  (They do not fix bugs in the server software itself; they remove the credential as the easiest way in.)
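As an added example (not code from the original post), the following Go program contrasts the two models described above: a password login, where the shared secret crosses the network on every use and a derived copy sits on the server, and a key-based login, where the server holds only a public key and the authenticator signs a single-use challenge.  The `Authenticator` type stands in for the security-key chip, the word list and the password `hunter2` are constructed for the demo, and SHA-256 is used only to keep the code short; a real server would store passwords with a slow KDF such as Argon2 or bcrypt, which would make the offline crack slower but not impossible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ---------- Model 1: password login ----------
// The client sends the secret itself on every login, and the server must keep
// something derived from it. (Fast hash for brevity; use a slow KDF in practice.)

type PasswordRecord struct {
	Salt   []byte
	Digest []byte
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func NewPasswordRecord(password string) PasswordRecord {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return PasswordRecord{Salt: salt, Digest: hashPassword(salt, password)}
}

func (r PasswordRecord) Login(password string) bool {
	return subtle.ConstantTimeCompare(hashPassword(r.Salt, password), r.Digest) == 1
}

// CrackOffline models an attacker who stole the server's record: the stored
// verifier alone is enough to test guesses without touching the network.
func CrackOffline(r PasswordRecord, guesses []string) (string, bool) {
	for _, g := range guesses {
		if r.Login(g) {
			return g, true
		}
	}
	return "", false
}

// ---------- Model 2: key-based login ----------
// The private key exists only inside Authenticator (standing in for the
// security-key chip). The server stores the public key and checks a signature
// over a fresh, single-use challenge.

type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

func (a *Authenticator) Sign(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

type KeyServer struct {
	pub     ed25519.PublicKey
	pending map[string]bool // challenges issued but not yet answered
}

func NewKeyServer(pub ed25519.PublicKey) *KeyServer {
	return &KeyServer{pub: pub, pending: map[string]bool{}}
}

func (s *KeyServer) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = true
	return c, nil
}

func (s *KeyServer) Login(challenge, sig []byte) error {
	if !s.pending[string(challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, string(challenge)) // single use: a captured transcript cannot be replayed
	if !ed25519.Verify(s.pub, challenge, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Outcome records what each attacker can do with what they captured or stole.
type Outcome struct {
	PasswordReplay  bool   // eavesdropper reuses the captured password
	CrackedPassword string // recovered offline from the leaked server record
	KeyReplay       bool   // eavesdropper reuses the captured (challenge, signature)
	KeyLeakLogin    bool   // attacker holding everything the key server stores
}

func RunDemo() (Outcome, error) {
	var out Outcome

	// Password model. "hunter2" is a constructed weak password.
	rec := NewPasswordRecord("hunter2")
	captured := "hunter2" // what a phishing page or eavesdropper sees
	out.PasswordReplay = rec.Login(captured)
	out.CrackedPassword, _ = CrackOffline(rec, []string{"letmein", "password", "hunter2"})

	// Key model: legitimate login, then a replay of the same transcript.
	auth, pub, err := NewAuthenticator()
	if err != nil {
		return out, err
	}
	srv := NewKeyServer(pub)
	c, err := srv.Challenge()
	if err != nil {
		return out, err
	}
	sig := auth.Sign(c)
	if err := srv.Login(c, sig); err != nil {
		return out, fmt.Errorf("legitimate login failed: %w", err)
	}
	out.KeyReplay = srv.Login(c, sig) == nil

	// Attacker who copied the server's database has only pub and must answer
	// a fresh challenge; the best they can do is sign with a key of their own.
	c2, err := srv.Challenge()
	if err != nil {
		return out, err
	}
	_, forged, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	out.KeyLeakLogin = srv.Login(c2, ed25519.Sign(forged, c2)) == nil
	return out, nil
}

func main() {
	out, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running it prints a struct in which the two password fields show the eavesdropper logging in and the offline crack recovering `hunter2`, while both key fields are `false`: the captured transcript is rejected because the challenge was consumed, and the stolen public key lets the attacker verify signatures but not produce one.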

Key-based login systems have been available for decades, from smart cards and hardware tokens to today's FIDO security keys and the WebAuthn standard, but because no standard is mandated, they are adopted almost nowhere.  Physical keys are slightly more inconvenient for system-builders, and consumers do not demand them because the dangers of hacking are invisible.  It is an excellent example of a situation where change is needed, but the marketplace will not create the change on its own.

That is why our country's best response to the increasing wave of hacking disasters should be led by people like the folks at NIST, rather than the U.S. Army.  We should standardize, incentivize, mandate, and fund the use of non-password-based authentication in all computer systems over the next few years.  A common set of standards should be adopted, so that people can log into all systems using trustworthy physical keys whose secrets cannot be extracted remotely.

Eliminating passwords would make more of a difference to cybersecurity than any clever retaliation scheme that the cybersecurity soldiers might cook up.  Although there are certainly evil actors on the internet, we ourselves are the ones who empower hackers by perpetuating our own dangerous practices.

As we modernize U.S. infrastructure, we should prioritize modernizing standards and requirements around safe authentication systems on the internet.


Posted by David at March 18, 2021 12:28 PM
Comments

Seconded. The worst thing is how passwords have become this sort of horrible API between web sites and web browsers. Mediated by HTML forms and password agents like LastPass and 1Password. Literally, our login technology is "heuristics from a browser plugin try to identify the fields for authentication, then transmit a shared secret".

And then you get into a context where your password agent doesn't work (like, say, Netflix on your TV), and now you're typing #7EJ,chpj6},qH}HLwdR with an on-screen keyboard.

Posted by: Nelson at March 19, 2021 12:48 PM

Yes. And it looks like the Colonial hack that shut down petroleum on the east coast last month was due to yet another compromised password.

https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

It's not good enough for physical authentication to just be an option. Critical systems are made by ordinary people using lots of ordinary consumer software, and as long as using passwords is ordinary practice, that is what they will do. We need to get rid of passwords everywhere.

Posted by: David at June 6, 2021 05:33 AM