Our authentication system is lacking.
Is improvement possible?
By William Cheswick
There is an authentication plague upon the land.
We have to claim and assert our identity repeatedly
to a host of authentication trolls, each jealously
guarding an Internet service of some sort. Each troll
has specific rules for passwords, and the rules vary
widely and incomprehensibly.
Password length requirements vary: Dartmouth
wants exactly eight characters; my broker, six to eight;
Wells Fargo, eight or more. Special characters are
often encouraged or required, but some characters
are too special: many disallow spaces, single or
double quotes, underlines, or hyphens. Some systems
disallow certain characters at the beginning of the
password; dictionary checks abound, including
foreign language dictionaries.
Sure, brokerage, bank, and medical sites need
to protect accounts from unauthorized use. So do
shopping sites such as Amazon. An email account
might be just as important: ask Sarah Palin.
The value of an account can change over time:
perhaps a new online store is added to a previously
Authentication may be more important to the service provider than to
the client: do I care if someone gains
access to my newspaper account?
(I am supposed to care, but I do not.) In
this case, the newspaper's very requirement of a password is a nuisance, and
the password-"strengthening" rules
just increase my annoyance. The marketplace does work here: studies show
that competitive pressure tends to
force sites toward simpler passwords [4].
Not only do these authentication
rules vary widely, the rules themselves
are often considered to be part of the
security secret and not available at
login time, when a hint about the rules
would be helpful. I call these
eye-of-newt password rules: they remind me
of the formulae for magic potions from
Shakespeare. They are often particular,
exacting, and sometimes difficult to
satisfy. Can you think of a long pass-phrase that does not repeat any character more than four times?
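As an added example (not code from the article), here is a small Python checker for composition rules of the kind listed above: length bounds, banned characters, and the "no character more than four times" rule. The policies and the sample pass-phrases are constructed for illustration; the three length limits follow the rules quoted earlier, but the banned-character sets, the repeat limit, and the policy names are assumptions. Returning the full list of failed rules is the hint a login page could show instead of treating the rules as a secret.

```python
"""Eye-of-newt password rules, made explicit.

Added example, not code from the article: a policy checker that applies
the kinds of composition rules the text describes and reports every rule
a candidate fails, the feedback a login or sign-up page could show
instead of treating the rules themselves as a secret.
"""
from collections import Counter

# Constructed policies. The three length rules follow the ones quoted in
# the article (exactly eight; six to eight; eight or more); the banned
# character sets and the repeat limit are assumptions for illustration.
POLICIES = {
    "exactly-eight": dict(min_len=8, max_len=8, banned=set(" '\"_-"), max_repeat=None),
    "six-to-eight": dict(min_len=6, max_len=8, banned=set(" '\""), max_repeat=None),
    "eight-or-more": dict(min_len=8, max_len=None, banned=set(), max_repeat=None),
    # the pass-phrase rule from the text: long, but no character more than four times
    "no-repeats": dict(min_len=16, max_len=None, banned=set(), max_repeat=4),
}


def check(password, min_len, max_len, banned, max_repeat):
    """Return the list of rules `password` violates; an empty list means accepted.

    Every failing rule is reported, not just the first, so the caller can
    show the user the whole set of constraints at once.
    """
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len}")
    if max_len is not None and len(password) > max_len:
        failures.append(f"longer than {max_len}")
    bad = sorted(set(password) & banned)
    if bad:
        failures.append("banned characters: " + ", ".join(repr(c) for c in bad))
    if max_repeat is not None:
        # Counter is case-sensitive: 'E' and 'e' are counted separately.
        over = sorted(c for c, n in Counter(password).items() if n > max_repeat)
        if over:
            failures.append(
                f"characters used more than {max_repeat} times: "
                + ", ".join(repr(c) for c in over)
            )
    return failures


def acceptable_under(password):
    """Map each policy name to whether it accepts `password`.

    One candidate rarely satisfies every troll at once, which is the
    emergent problem of holding a dozen accounts with a dozen rule sets.
    """
    return {name: not check(password, **rules) for name, rules in POLICIES.items()}


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("pa55w0rd", "correct horse battery staple",
                      "the rain in spain stays mainly in the plain"):
        print(f"{candidate!r}:")
        for name, rules in POLICIES.items():
            failed = check(candidate, **rules)
            print(f"  {name:14s} {'ok' if not failed else '; '.join(failed)}")
```

Run against a long English pass-phrase such as "the rain in spain stays mainly in the plain", the repeat rule fails on the space and on a, i and n, whereas "correct horse battery staple" happens to pass it. The user cannot predict which outcome applies without being told the rule, which is exactly why hiding it at login time is unhelpful.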
The problem is emergent: if we
had only one account, authentication would be much easier. But an
active Internet user can have one or
two dozen accounts, some important, some not. These authentication
trolls bother most online users, and it
is easy to elicit a litany of complaints
from casual users.
Many of today’s rules are rooted
in the deep past of security concerns,
when access, threats, and targets were
different. Many of these ideas were
presented in the Password Management Guideline (Technical Report
CSC-STD-002-85), published by the
Department of Defense Computer
Security Center (DoD CSC) in 1985 [2].
Known as the Green Book, this report was one of the Rainbow Series of
books put out by the U.S. government
in the 1980s and 1990s. Its advice was
good at the time, and much of it still
holds up, but many of our password
aphorisms come from dated assumptions about threats and technology.
This is not a criticism of the original
authors or their document: no sensible