Tuesday, January 6, 2015

The Secret Life of Passwords

   I've written about passwords plenty of times in the past.  Passwords are one of the main security touch-points for people, and it's often not a pleasant experience.

   As we've discussed, it's hard for people to pick good passwords and remember them.  So users need "tricks" to help the memory.  One way I've told people to construct a password is to base the password on an embarrassing moment in your life - that way you won't forget the password and you also won't tell it to anyone else.

   Apparently people have been using that, and similar, methods.  NY Times reporter Ian Urbana wrote a great piece on this called "The Secret Life of Passwords".  He asked people to tell him their passwords - yes, you shouldn't do that - but also the story behind the passwords.  There are some very interesting stories.  People seem to memorialize a part of their life in their passwords!  You can read the full story hereLeo Laporte did a great interview with Ian in the Triangulation podcast.  You can hear that here.

   I'd like to focus to two aspects of this story that jumped out at me.

   First is the story of Cantor Fitzgerald.  They are a large financial firm who were headquartered at the World Trade Center in 2001.  When the terrorist attacks hit the towers, Cantor Fitzgerald over two-thirds of their employees were killed.  That was tragic.

   They also had a data recovery disaster.  While they did have off-site backup, most of their key data files and systems were protected by passwords.  And most of those file and system owners were no longer available to provide those passwords.  The CEO had to contact grieving families to get personal information about deceased staff to use to guess passwords.  With help from Microsoft, they were able to figure out or brute-force the passwords and get the firm back online.

   [Note: as most of you know, passwords are stored using one-way hashes so they can't simply be recovered.  If you'd like like a basic explanation of this, look here.  If you want an extra-geeky explanation, look here.]

   This was a tragedy for the nation and for Cantor Fitzgerald.  I hope that none of us ever confronts a similar human tragedy.  But what we can learn from this event is that we may want to include loss of critical passwords in our disaster recovery planning scenarios.

   There are products and tools that can be used to managed privileged accounts and access.  These products can be of use in this situation.  Password vaults are another useful tool.

   One more thing to think about... if something happened to you, how would your family/loved-ones be able to get needed access to your accounts?  One idea is to use a password vault, keep your critical account info there, and keep a copy of the login information in a safe place in an envelope marked ICE (In Case of Emergency).

   Another interesting point brought out in the Secret Life Triangulation discussion is the idea that passwords represent a very small slice in history, even technology history.  We have passwords and our parents have passwords.  Unless you are very young, your grandparents probably don't or didn't use passwords.  Your grandchildren probably do, or will, use passwords, but your great-grandchildren... perhaps not.  So computer passwords might exist for only about 4 generations - a relative blip in history.

   Of course, we've been hearing about the end of passwords for years now.  We won't go into authentication alternatives today, but with initiatives like FIDO, and Steve Gibson's SQRL, perhaps we're closer to a day without passwords!

No comments:

Post a Comment