Shostack + Friends Blog Archive


New School Approaches to Passwords

Adam Montville [link no longer works] left a comment on my post, “Paper: The Security of Password Expiration”, and I wanted to expand on his question:

Passwords suck when they’re not properly cared for. We know this. Any other known form of authentication we have is difficult because of the infrastructure required to pull it off. That sucks too. Does this leave us at a stalemate where we need to get people to care about their

I think the answer is “almost.” We need to agree that passwords suck when they’re not properly cared for, and that caring for them is hard. So we need to assume that passwords will tend to be poor, reused, etc., and develop methods to deal with that. Most of our mechanisms today punish users. We tell them to memorize 100 or more unique passwords, and then “security experts” berate them for re-using passwords or for using a password management tool.

Cormac Herley has claimed that the password has a set of properties, including that it can be memorized, that make it impossible to replace, and that we should accept that and start engineering for it. (“A Research Agenda Acknowledging the Persistence of Passwords” and “Passwords: If We’re So Smart Why Are We Still Using Them?”)

Similarly, Nate Lawson posted “On the evolving security of password schemes”, which closes with: “most admins focus too much on increasing entropy of user choices and not enough on decreasing the attacker’s guess rate and implementing responses to limit their access when they do get a hit.” Indeed.
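Lawson’s closing point, capping the attacker’s guess rate and responding when a guess does hit, as an added example of my own (not code from this post or from Lawson): a per-account throttle with exponential backoff, plus a flag on any correct password that arrives after a burst of failures so the login can be held for step-up verification instead of granted silently. Account names, timestamps and thresholds are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # sliding window over which failures are counted
FREE_ATTEMPTS = 3      # failures tolerated before backoff starts
MAX_DELAY = 300        # cap on the enforced gap between guesses (seconds)
STEP_UP_AFTER = 5      # a success preceded by this many failures is a "hit"


class GuessGate:
    """Per-account throttle: slows the guess rate and flags suspicious successes.
    Constructed in-memory store; a real deployment would key this in a shared cache."""

    def __init__(self):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.next_allowed = {}               # account -> earliest time a new guess is accepted

    def _recent_failures(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                      # drop failures outside the window
        return len(q)

    def attempt(self, account, password_ok, now):
        """Return 'throttled', 'denied', 'allowed' or 'step_up_required'."""
        if now < self.next_allowed.get(account, 0):
            return "throttled"               # guess arrived before the backoff expired
        recent = self._recent_failures(account, now)
        if not password_ok:
            self.failures[account].append(now)
            over = recent + 1 - FREE_ATTEMPTS
            if over > 0:                     # backoff doubles per excess failure: 2, 4, 8, ...
                self.next_allowed[account] = now + min(2 ** over, MAX_DELAY)
            return "denied"
        if recent >= STEP_UP_AFTER:
            return "step_up_required"        # a hit after a burst: limit access, verify out of band
        self.failures[account].clear()       # clean success resets the counter
        return "allowed"

    def clear(self, account):
        """Called once step-up verification succeeds for the account."""
        self.failures[account].clear()
        self.next_allowed.pop(account, None)


def simulate(attempts):
    """Run a constructed stream of (account, password_correct, timestamp) through one gate."""
    gate = GuessGate()
    return [gate.attempt(account, ok, t) for account, ok, t in attempts]


# Constructed attempt stream: five wrong guesses at alice, one of them inside the backoff,
# then the correct password; bob logs in normally in between.
SAMPLE = [("alice", False, 0), ("alice", False, 1), ("alice", False, 2), ("alice", False, 3),
          ("alice", False, 4), ("alice", False, 5), ("bob", True, 7), ("alice", True, 10)]
```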

We need to observe the world, and ask how we can work within the constraints it presents, regardless of whether those constraints are economic, sociological or evolutionary.

3 comments on "New School Approaches to Passwords"

  • Passwords absolutely need to be cared for. As a Symantec employee, I’ve seen many examples of what happens when people and companies don’t take care of their passwords, or choose ones that will provide the most protection. But along with password protection, the world of two-factor authentication is rapidly progressing, which offers additional protection alongside passwords. With the influx of devices, there is a unique opportunity for organizations and users to easily safeguard themselves with two-factor authentication, which is a great way for users to stay secure while interacting online on either a computer or a mobile device.

  • Beverly says:

    To be fair, it isn’t that passwords suck. It’s that we all suck at choosing ones that are both secure and easy to remember!

  • Adam says:

    In that case, it sounds to me like passwords have unrealistic requirements.
