Our password system is broken, and has been for over 50 years!

There has been a lot of commentary over the weekend about the pronouncement from Nadine Dorries that she shares her login with her staff:

I’m not planning to add to that overall commentary because others have done that already.

The issue I want to address is that this is symptomatic of a broken system.

Passwords as a method of authentication were adopted by computing in its very earliest days. They probably originated as a way of identifying who was doing what on the earliest time-sharing system, MIT’s Compatible Time-Sharing System (CTSS), in the mid-1960s.

This early password system suffered from many of the same problems we experience with passwords today. In other words, the password system has been broken for over 50 years and yet we persist with it.

CTSS has been documented as the site of the first password theft, and it was caused by an insider circumventing the system. Allan Scherr, a researcher, wanted more computer time, which was very limited at the time. Scherr came up with the idea that he could increase his own usage by using the time that others weren’t using. He did this with a privilege that had been granted to him: the ability to get a physical printout of any file on the system. So Scherr asked for a printout of the password file, which was a plain text file:

There was a way to request files to be printed offline by submitting a punched card with the account number and file name. Late one Friday night, I submitted a request to print the password files and very early Saturday morning went to the file cabinet where printouts were placed and took the listing out of the M1416 folder. I could then continue my larceny of machine time.

Things got a bit more interesting when Scherr handed the password list out to other students and one of them decided to use it to log in to the computer lab director’s account and leave “taunting messages”.

Since those days in the mid-60s we have been trying to convince ourselves that passwords are still the right way to go.

We’ve spent many hours training people how best to use passwords: long, complex, regularly changed, never reused, and so on.

We’ve invested many hours in code to strengthen password stores, and probably just as many hours deploying, fixing and then redeploying that code.
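The two failure modes above (a credential file that gives away every password to whoever can read it, and the code we keep writing to harden password stores) are easiest to see side by side. The following is an added example, not code from the original post or from CTSS: it takes a constructed plaintext "user:password" listing of the kind Scherr had printed (the format is an assumption, not the real CTSS layout), rewrites it as salted PBKDF2-HMAC-SHA256 records, and shows that a leaked copy of the hardened store no longer contains the passwords while logins still verify. Function names, the record format and the sample accounts are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample credential file in the style the post describes for CTSS:
# one "user:password" line per account, readable by anyone who can print it.
# The format and the accounts are assumptions for illustration only.
PLAINTEXT_STORE = "alice:swordfish\nbob:letmein\n"

# Work factor for PBKDF2-HMAC-SHA256 (current OWASP guidance is 600,000).
PBKDF2_ITERATIONS = 600_000


def parse_store(store: str) -> Dict[str, str]:
    """Parse 'user:secret' lines into a dict; works for plaintext and hashed stores."""
    entries = {}
    for line in store.splitlines():
        if not line.strip():
            continue
        user, secret = line.split(":", 1)
        entries[user] = secret
    return entries


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def convert_store(plaintext_store: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Rewrite a plaintext store as 'user:<hash record>' lines."""
    lines = []
    for user, password in parse_store(plaintext_store).items():
        lines.append(f"{user}:{hash_password(password, iterations=iterations)}")
    return "\n".join(lines) + "\n"


def leaked_listing_reveals(store: str, password: str) -> bool:
    """Model of the printout: does simply reading the file hand over this password?"""
    return password in store


def authenticate(store: str, user: str, candidate: str) -> bool:
    """Check a login attempt against a hashed store."""
    record = parse_store(store).get(user)
    if record is None:
        # Do the same amount of work for unknown users so they are not faster to probe.
        hash_password(candidate)
        return False
    return verify_password(record, candidate)


if __name__ == "__main__":
    hardened = convert_store(PLAINTEXT_STORE)
    print("plaintext listing reveals 'swordfish':", leaked_listing_reveals(PLAINTEXT_STORE, "swordfish"))
    print("hardened listing reveals 'swordfish': ", leaked_listing_reveals(hardened, "swordfish"))
    print("alice logs in with correct password:  ", authenticate(hardened, "alice", "swordfish"))
    print("alice logs in with bob's password:    ", authenticate(hardened, "alice", "letmein"))
```

The per-record random salt means two users with the same password get different records, so a leaked file cannot be attacked with a single precomputed table, and `hmac.compare_digest` avoids leaking how many bytes of the derived key matched through timing. None of this changes the post's point: the hardened store protects against the file being read, not against a user who hands the password out.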

Many column inches of journalism have been spent on passwords and password-related problems.

Passwords have resulted in an immeasurable volume of hours in lost productivity as people struggle to work out what the right password is. How many times have you lost hours of your working day caused by a password problem?

Then there’s all of the damage caused to individuals and organisations by hacked, poorly protected or poorly handled passwords.

We have, at least, created an opportunity for people to create applications to manage our passwords and to build businesses on the back of that opportunity.

Yet the fundamental issues that existed 50 years ago still exist, and those issues centre on the weak link in the password chain: the human. Humans will always circumvent the system from the inside. This is normally because people are very poor at estimating the risk of poor password practices and will circumvent them for almost any advantage. I suspect that Nadine Dorries gives her staff her password because there’s an advantage to her in doing so, even if it is very unwise.

We’ve fixed the password problem in the physical world by using physical security, which limits access to the person holding the physical token. We started using physical keys to secure physical property over 1000 years ago! Imagine how strange it would seem to walk up to your car and type in a password; we’d soon have people patrolling car parks to stop miscreants attempting brute-force attacks on the car keypad. How about walking up to a highly secure office, tapping on the small window in the door and saying “The weather in Moscow is mild for the time of year”? Would you expect to be let in?

In conclusion, the last 50 years have shown us that passwords have fundamental problems that we shouldn’t expect to fix because that would require humans to change. We need to move to a different authentication system, one based on physical security.
