Passwords May Never Die for Legal Reasons

Joe Stanganelli, Founder and Principal, Beacon Hill Law | 10/10/2013 | 62 comments


"Passwords are dead," a Google information security manager decreed at last month's TechCrunch Disrupt. Other pundits have come to the same conclusion. However, these reports are greatly exaggerated.

Admittedly, passwords can be problematic, as this message board comment from E2 Editor-in-Chief Sara Peters illustrates:

You can set up the system so that users must use a password that's more than 8 characters long and has a mixture of uppercase letters, lowercase letters, numbers, and special characters; and that it be changed every three months, and when you change it, it can't be the same as any password you've had previously. That's not hard.

Not hard? Really? Because just thinking about that makes me want to shoryuken the nearest IT manager so hard that he goes back in time and changes his major to art history.

Besides, eight-character passwords are easily cracked, because they typically follow common password patterns. Real password protection comes from length and uncommon patterns. And, yes, a hacker might still crack a long and unusual password if he gets his hands on a list of password hashes, but even that can be guarded against with honeypots.
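As an added illustration of the "honeypot" defense the paragraph alludes to (this is not code from the original column): the assumption here is that the author means honeyword-style decoy hashes, where each account stores several hashes of which only one is real, the real one's index is kept in a separate store, and a login that matches a decoy signals that a stolen hash list is being cracked. The function names (`enroll`, `check_login`) and the sample account are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed reading of the column's "honeypots": honeyword-style decoys.
# Each account stores several candidate hashes ("sweetwords"); only one
# is the real password. The index of the real one lives in a separate,
# minimal "honeychecker" store, so a thief who dumps the hash table
# cannot tell real from decoy. A login that matches a decoy means the
# dumped hashes are being cracked offline and must raise an alarm.

ITERATIONS = 10_000  # kept low for the demo; use far more in production


def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of one candidate password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(real_password: str, decoys: list[str]) -> tuple[dict, int]:
    """Return (credential record, honeychecker index of the real hash)."""
    sweetwords = list(decoys) + [real_password]
    secrets.SystemRandom().shuffle(sweetwords)  # hide the real one's position
    salt = os.urandom(16)
    record = {"salt": salt, "hashes": [hash_pw(w, salt) for w in sweetwords]}
    return record, sweetwords.index(real_password)


def check_login(record: dict, real_index: int, attempt: str) -> str:
    """'ok' for the real password, 'wrong' for no match, 'ALARM' for a decoy."""
    candidate = hash_pw(attempt, record["salt"])
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(candidate, stored):
            return "ok" if i == real_index else "ALARM"
    return "wrong"


if __name__ == "__main__":
    # Constructed sample account: a long passphrase plus plausible decoys.
    record, idx = enroll("correct horse battery staple",
                         ["Summer2013!", "P@ssw0rd", "incorrect horse battery staple"])
    for guess in ("correct horse battery staple", "P@ssw0rd", "letmein"):
        print(f"{guess!r}: {check_login(record, idx, guess)}")
```

A real deployment would page the security team on "ALARM" and lock or re-credential the account, since a decoy match almost certainly means the hash table has leaked.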

But, as password naysayers whine, who wants to memorize a long password? So they are dead, right?

Biometrics have become hot in security circles. But a closer look shows that they simply don't compare to passwords. One reason is flexibility. Password choices are limited only by the imagination, but a person has only so many biometric markers. Dave Aitel, CEO of the penetration testing firm Immunity Inc., wrote in a USA Today article, "It's silly to only have 10 possible passwords your whole life (20, if you count toes)."

Worse, biometrics are generally neither temporary nor secret. Unlike a password, biometrics are easily observable (and therefore replicable) by others, and there's far less you can do about it if one gets compromised. "Today, if your Twitter account gets hacked, you just change the password -- but if you are using a biometric, you will be stuck with that hacked password for the rest of your life," Aitel wrote. "We need to keep that in mind before we start using biometrics to authenticate universal sign-ins and financial transactions."

Biometrics may be more hackable than passwords. Fingerprints, irises, and even chaotic heartbeat patterns can all be mimicked. Fingerprints, once the go-to biometric, have become disfavored since hackers revealed how easy it is to dupe the iPhone 5s fingerprint scanner.

Perhaps the best indicator that passwords are still one's best security bet is the arrest of Ross William Ulbricht (a.k.a. Dread Pirate Roberts), the alleged Silk Road drug broker. Before arresting Ulbricht, FBI agents followed him -- to the San Francisco Public Library. What were they waiting for? They wanted Ulbricht to open his laptop and enter his passwords. Only after Ulbricht had done that did they swoop in to arrest him and seize his (now conveniently decrypted) laptop for evidence.

Had Ulbricht used a fingerprint scanner or other biometric-based security, law enforcement agents could easily have used his biometric markers to access the machine. Such markers are neither secret nor protected by the Constitution. However, compelling suspects to fork over a password is not always so easy. The US government has repeatedly had to go to court to compel a defendant to reveal a computer password, and it has not always succeeded. This is because a suspect's fingerprints and certain other biometric indicators are physical evidence, so they are not protected by the Fifth Amendment privilege against self-incrimination -- unlike, sometimes, the humble password.

The poor password isn't perfect, and two-factor authentication combining a password with a hard token may be better (though a man-in-the-middle phishing attack can defeat that modus operandi). Still, if the full force and might of the US federal government can't always decrypt a perp's password-protected hard drive, declaring the death of the password is not just premature, but downright irresponsible.

Copyright © 2020 TechWeb, A UBM Company, All rights reserved.