Simple questions are usually the most difficult ones to answer. And the most important among them are traditionally labeled stupid and dismissed. The modern days InfoSec is based upon unanswered questions. The lack of theoretical basis allows InfoSec gurus to produce teachings and «best practices» without a limit.

Today I want to address two very basic questions about passwords:

What are characteristic properties of a password? and what makes your password yours?

By answering these questions you achieve understanding of the utter malevolence of the password abandonment movements, that are so frighteningly popular today. There is a particularly dangerous movement to replace passwords with bio-metric attributes that can reliably identify your body (e.g. voice, fingerprints, and such). Although these attributes are successfully used in forensic practice for centuries, it does not make them good authentication tokens. Why? Because your password's job is NOT to identify your body.

I hear you screaming: «WHAT?!?!?!» That means you are ready to investigate what IS a password, what is its job, and what properties do you want your password to possess.
Read more →