Simple questions are usually the most difficult ones to answer. And the most important among them are traditionally labeled stupid and dismissed. Modern-day InfoSec is built upon unanswered questions. The lack of a theoretical basis allows InfoSec gurus to produce teachings and «best practices» without limit.
Today I want to address two very basic questions about passwords:
What are the characteristic properties of a password? And what makes your password yours?
By answering these questions you come to understand the utter malevolence of the password abandonment movements that are so frighteningly popular today. There is a particularly dangerous movement to replace passwords with biometric attributes that can reliably identify your body (e.g. voice, fingerprints, and such). Although these attributes have been used successfully in forensic practice for centuries, that does not make them good authentication tokens. Why? Because your password's job is NOT to identify your body.
I hear you screaming: «WHAT?!?!?!» That means you are ready to investigate what a password IS, what its job is, and what properties you want your password to possess.
What do you use a password for?
«To authenticate yourself» is the cliché answer. It is true, but not understood. Let's expand «authenticate» in simple words. You come to a service provider and demand access to your account. The account is yours from your perspective, not the provider's. Who is the owner of the account from the provider's perspective? The person who created it in the first place. So the provider has to establish a relation of identity (or may I say «continuity») between the account creator and the account claimant. This continuity is only obvious to you, and (perhaps) to the very few people who watch you constantly and without interruption (I hope there are none, actually). To other people and machines you are not continuous, but rather a series of episodes that have to be connected somehow. Here come passwords to the rescue.
I feel bad explaining such trivial things, so feel free to skip to the conclusion, but I am not sure that my conclusion is obvious without this prolix explanation.
A password is a shared secret: you and your service provider establish a covenant to keep your password secret, and the provider promises to refuse access to your account to everyone who does not demonstrate knowledge of the password you agreed upon previously.
Every time you attempt to authenticate you make a specific claim: I have the account XYZ, and I am the same person who created it. You then support this claim by presenting knowledge of the shared secret. The provider shared this secret only with you, so he presumes: THERE IS NO ONE ON EARTH WHO KNOWS THIS SECRET EXCEPT YOU AND MYSELF. Therefore, anyone who knows the secret is you. All characteristic properties of a password (or any other equivalent authentication token) follow from the necessity of making the presumption above TRUE.
The characteristic properties of a password are all those features that make the following statement true: «only two of us in the whole world know my password».
#1. I AND ONLY I CONTROL THE PROPAGATION OF MY PASSWORD
First and foremost, I control every aspect of my password's propagation. I decide whether to show my password, even if the whole world knows that I know (or possess) it. I try to maximize the trouble of forceful or deceptive extraction of the password from me. The password's role in this is not to impede my actions to that end.
Clearly, this is not the case with my fingerprints, which readily make themselves available to every waiter in any restaurant I visit. An impostor does not even have to cut my fingers off, although that is an option too, and a far easier one than the torture required for memorized passwords.
#2. I CAN CHANGE MY PASSWORDS
It is very important to be able to change your authentication token (even if you never do so in practice). This very ability allows you to get rid of a compromised password and mitigate the damage, if you manage to detect the exposure. Some experts recommend changing your passwords regularly, because it is very difficult to know whether your password is compromised or not.
Clearly this is not the case with your fingerprints. Shall we discuss a regular procedure for fingerprint alteration?
#3. MY PASSWORD IS NOT MYSELF
This is tightly tied to the changeability of a password, but not quite the same. It is very important that the authentication procedure requires not only your password but a pair: your public ID plus your secret password. The first reason is that an ID has to be unique, and a password cannot be unique. Your password is obscure to others; conversely, you cannot see others' passwords, so you cannot ensure uniqueness. The second reason is that when you identify yourself independently from your password, the provider makes a SINGLE match: the presented password against the memorized password. If, on the other hand, you identify yourself by your password, the provider SCANS THROUGH ALL THE MEMORIZED PASSWORDS LOOKING FOR A MATCH, and whatever account matches becomes accessible to you. Set aside the «hackers»: imagine you mistyped your password, or someone else mistyped theirs… yes, they demonstrated knowledge of your password, but they did not demonstrate knowledge of the link between the given password and the account they mean to access, which is the core idea of authentication (by definition).
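The single match versus the scan, as an added example in Python (not the author's code): a constructed four-account table in which two people happen to share a password and a third is one keystroke away, authenticated first by public ID plus secret and then by the secret alone.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; a constructed setting for this demo


def _record(password: str) -> dict:
    """Store a per-account salt and a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed account table. Nothing stops two people from choosing the same
# password, and nothing stops one password from being a single keystroke away
# from another. Public IDs, by contrast, are unique by construction (dict keys).
USERS = {
    "alice": _record("correct horse battery"),
    "bob":   _record("Tr0ub4dor&3"),
    "carol": _record("Tr0ub4dor&3"),   # identical to bob's, unknowingly
    "dave":  _record("Tr0ub4dor&4"),   # one mistyped character from bob's
}


def _matches(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def authenticate_pair(user_id: str, password: str):
    """Public ID + secret: look up ONE record and make ONE comparison.
    Returns the account granted, or None. A typo is a denial, never a redirect."""
    record = USERS.get(user_id)
    if record is None or not _matches(record, password):
        return None
    return user_id


def authenticate_secret_only(password: str) -> list:
    """Secret alone, as a scheme that identifies you by the token itself must do:
    scan EVERY record and return whichever accounts match. The caller never said
    which account it meant, so the result can be empty, one account, or several."""
    return sorted(uid for uid, rec in USERS.items() if _matches(rec, password))
```

With the table above, bob's mistyped password is refused by the pair check but opens dave's account under the scan, and bob's correct password matches two accounts at once.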
Once again, this is not the case with your fingerprints. At least, those imbeciles who promote biometric authentication all over the internet insist on identifying and authenticating you by the same token. Don't tell me that fingerprint recognition is 100% reliable, please.
Besides that, it is easy to see that identification is often the subject of a PUBLIC DISPUTE; therefore identification is, and must be, based solely on PUBLIC attributes, and decoupled from authentication and all its secrets (the secrets must remain secret). Conversely, everything that is involved in your identification can and will be public. Identification is in this sense the opposite of authentication. Are your fingerprints used for identification? Yes they are! Thus, your fingerprints are not your secret… not even truly «yours»… so we naturally move on to the next question: what is yours?
Besides these three features, what else is required to claim that your password is truly yours, and how does this ownership differ from the ownership of your fingerprints?
#4. A PASSWORD IS EASY TO GIVE AND DIFFICULT TO LOSE
I want to be able to present my password to my service provider at any time, even if I have a knife cut on my finger. It is debatable which people do better: those who keep their fingers, or those who keep their passwords. It seems that most people are very successful at keeping their fingers, but none of them has a backup copy of their fingers. There is more room for improvement in keeping passwords, if you really need it. On the other hand, passwords are easily accessible «24*7» as long as they are not lost; there are no knife cuts on my passwords.
I want to be able to give away my passwords. Although it sounds controversial, there are real-life cases when, specifically for security reasons, you ought to give your password to a trusted person. And no, I am not willing to cut a finger off my body, and I do not want that to be my only option.
#5. AN IDEAL PASSWORD IS DEEPLY PERSONAL
Not only classical passwords stored in human memory fit the criteria above; many other authentication tokens do too (to some extent). I kept them in mind while writing: I used the word «password» to indicate the ROLE, not the substance. But sometimes you need to associate a password closely with yourself, so you want to keep it as close to you as possible. Where is this place, «you»?
My fingers bear my fingerprints; I own my fingers, I control them, I love them, but they are not myself! Losing a finger does not mean losing one's self. The same goes for everything else, even vital parts of one's body. There is only one thing that you cannot lose without losing your sense of self-identity: YOUR MEMORY.
So the password abandonment movement, by forcing you to use completely insecure authentication tokens (such as biometrics), not only destroys your privacy but endangers your identity too.