Has anyone mentioned recently that you should use really strong passwords — or how hard it is to come up with them?
I use truly random passwords, generated (and kept track of) by LastPass, for most sites; for the ones that need to be remembered, I’ve got a pretty good password-selection algorithm (which I can’t describe or I’d have to change it). Essentially none of my passwords can be guessed, they’d have to be attacked by brute force. The bad part is that the vast majority of people use passwords that are weak to password-guessing, and that’s not likely to change because those are the only passwords they can easily remember. Worse, they use the same password on multiple sites, so when one site is compromised, many of the others they use will also be.
Is there a better way? No one has come up with one yet, but there might be.
Most current thinking on this subject focuses on trying to slow down password guessing. That does very little, because you can’t make a password-hashing algorithm too slow or the site itself won’t be able to check passwords in reasonable time.
Two-factor authentication can be used against this sort of thing, but it has limited applications, because it slows down access to the site and costs more to implement. It will never be used for more than a few sites, at least as it’s currently designed — at most, maybe your bank, your social media account, and your company VPN access, since those are the ones that are presently the most valuable targets. For run-of-the-mill sites, it’s just too costly and too much of a hassle.
Here’s an alternate thought: what about using a two-website authentication system?
- The first site takes the password you provide (which may be very weak, or shared between multiple sites — it doesn’t matter) and uses it to create a decryption key, with which it decrypts some data (which was randomly generated and encrypted with your password when you created your account).
- The second site uses the decrypted random bytes from the first site as your actual password and lets you in.
The only way mass-password-guessing attacks can work is if an attacker can get hold of the password file for a site. Then programs on his own system guess common passwords and see if they match the verification data for the password. With this setup, he would need the password files from both sites in order to attack either. Assuming the two sites are on different machines, and managed by different people, that should be exponentially more difficult than stealing the password file from only one.
If he only has the password file from the first site, there’s no way for him to know what random bytes the site came up with, or what password was used to encrypt them, because there’s no way to verify them without the second site’s data. He can guess passwords all day long, but with no way to verify them except by contacting the second site (which could be detected with trivial work), it does him no good.
If he only has the second site’s password file, the passwords themselves are completely random data — he has nothing to guess, because the guessable passwords are only related to the random data by entries in the first site’s password file.
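A toy model of the scheme, as an added example (not the post’s own code; the choice of PBKDF2-HMAC-SHA256 for key derivation, XOR for the encryption and a salted SHA-256 hash on the second site are assumptions made here). The point it makes concrete is that the first site’s encryption must be unauthenticated, or a leak of that file alone would let guesses be verified offline.

```python
import hashlib
import hmac
import os
import secrets

# Toy model of the two-site scheme described above (added example, not the
# post's own code). Site A stores, per user, a salt and the user's random
# secret XOR-ed with a keystream derived from the weak password. The XOR is
# deliberately unauthenticated: an integrity tag would let someone holding
# only site A's file verify password guesses offline, defeating the design.
# Site B stores a salted hash of the random secret, which is the real password.

def keystream(password: str, salt: bytes, length: int = 32) -> bytes:
    # Slow, salted password-based key derivation (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, length)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(password: str) -> tuple[dict, dict]:
    """Create the two records for a new account: (site A record, site B record)."""
    secret = secrets.token_bytes(32)          # 256 random bits: not guessable
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    record_a = {"salt": salt_a, "blob": xor(secret, keystream(password, salt_a))}
    record_b = {"salt": salt_b, "hash": hashlib.sha256(salt_b + secret).digest()}
    return record_a, record_b

def site_a_decrypt(record_a: dict, password: str) -> bytes:
    # Every password yields 32 bytes; nothing in record_a says which are right.
    return xor(record_a["blob"], keystream(password, record_a["salt"]))

def site_b_verify(record_b: dict, candidate: bytes) -> bool:
    digest = hashlib.sha256(record_b["salt"] + candidate).digest()
    return hmac.compare_digest(record_b["hash"], digest)

def login(record_a: dict, record_b: dict, password: str) -> bool:
    """The weak password is only ever checked through both sites together."""
    return site_b_verify(record_b, site_a_decrypt(record_a, password))

def candidates_from_site_a_only(record_a: dict, guesses: list[str]) -> dict:
    """What a leak of site A's file alone yields: one 32-byte candidate per
    guess, all equally plausible until site B's record is consulted."""
    return {g: site_a_decrypt(record_a, g) for g in guesses}
```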
Any two sites with similar levels of traffic could set up an agreement where they’d be each other’s second site.
There are some potentially major problems to overcome with this design. The most obvious:
- If either site is down, then neither can serve their users.
- If either crashes and has to be restored from a backup, the other site would have to restore the password file from the same time, or any user that changed passwords between those times would be locked out.
- Changing passwords might be interesting, in the sense of the ancient Chinese curse “may you live in interesting times.”
On the other hand, the system would provide a defense-in-depth that would be hard to beat, and would allow users to continue using their current weak, shared passwords without the problems presently associated with them.
Will anyone try it? I doubt it. No one expects their site to be compromised (except security experts), and if it is, the consequences to the site’s owner are generally negligible so there’s nothing to drive people to overcome the problems mentioned above. Then again, you never know. Maybe government regulations will drive some people to try it, someday. Maybe some site will realize their vulnerability and start looking for ways to reduce it (and if so, I hope they read this page). Maybe the general public will just generally get more security-conscious over time, or start demanding that the sites they use provide this level of security.
In any case, it’s an interesting idea.