One of the latest hot topics is the reports of the latest NIST password guidelines that repealed what we have long been told to do – make the passwords most complicated and change them periodically.
It is nice to see repealed the odd recommendations like the complicated hard-to-recall passwords, which would result in reusing the same password across many accounts, and the regular password change, which would result in using the easiest-to-guess passwords. It is not nice, however, to see ‘passphrase’ and ‘password manager’ being touted so naively. Caveats should come with these recommendations.
Passphrase: It could be longer and yet easier to remember but it does not necessarily mean a higher entropy despite the troubles of tiresome typing. It is generally made of known words that are just vulnerable to automated dictionary attacks.
The cartoon shown in the linked article reads that a 44-bit entropy is hard to guess. It may be extremely hard for humans to guess, but it would be so easy a prey for criminals who possess the automated attack software with the intelligent dictionaries.
Password Manager: It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for the high-security business accounts that should desirably be protected by all different strong passwords unique to each account.
Then, what else can we do? Can we expect biometrics to solve the problem?
Make sure not to mix up ‘Unique’ with ‘Secret’ and confuse ‘Identification’ with ‘Authentication’
Tech media seem busy arguing on which biometrics is better than the others. But it is all nonsense from security’s point of view. All of them provide the level of security lower than a password-alone authentication in cyberspace. We should instead ask why security-lowering measures have been touted as security-enhancing solutions.
Whether dead or alive, conscious or unconscious, individuals could be identified by biometrics. It often leads people to take it for granted that a good identification of individuals makes a valid authentication of our identity.
Caveats! It is not the case. Biometrics follows‘unique’ features of individuals’ bodies and behaviors. It means that it could be well used when deployed for identification of individuals who may be conscious or unconscious, alive or dead. Due respect could be paid to biometrics in this aspect.
Being ‘unique’ is different from being ‘secret’, however. It would be a misuse of biometrics, which follows ‘unique (not secret) features’, if deployed for security of the identity authentication. A user ID cannot displace the password.
Because of its inherent characteristics, biometrics depends on a fallback means in case of false rejection. In physical security, it could be handled by personnel in charge other than the user. In cybersecurity, however, it needs to be handled by the user themselves, in most cases by way of a password that the user themselves needs to feed. This fact brings down the overall security to below that of a password-alone authentication.
Therefore, so long as the biometrics is backed up by a fallback password, irrespective of which are more accurate than the others, its security is lower than that of a password-only authentication as illustrated in this video.
By the way, we cannot but wonder why and how the biometrics has been touted as a security-enhancing tool for so long, with so many security professionals being silent about these facts
There could be various explanations – from agnotology, neuroscience, psychology, sociology, to behavioral economics and so on. This phenomenon will perhaps be found to have provided an excitingly rich material for a number of scientists and researchers in those fields.
Anyway, as such, confusing “Identification” with “Authentication”, we would be building a sandcastle in which people are trapped in a terrible false sense of security. The huge biometrics business had been made out of a fallacy.
Related article “Misuse of Biometrics Technologies”
We could also think about the situations where we cannot rely on anything but memorized secrets.
Identity Assurance in Emergencies
What is practicable in a calm indoor environment is not necessarily practicable in the turbulent outdoor environment, although the reverse can be said. The difference would be most striking in the cases of battlefield and disaster recovery.
Can we take it for granted that the people in such emergencies must be holding the cards and tokens for their identity authentication?
Can we be certain that the biometrics measures, whether static or behavioral, are practicable for the people who are injured or caught in panic?
Related slide “Identity Assurance in Emergencies”.
Furthermore, we must not forget the meaning of our volition in the authentication.
Democracy in Peril
Democracy must require the individuals to have the rights not to get their identity authenticated without their knowingly confirming it. This volitional process can be achieved only with “volitional” identity authentication made possible by memorized secrets.
Related article “Do You Really Wish to Kill Passwords Dead?”
Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.
At the root of the password predicament is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly unforgettable images, as well as conventional texts.
We propose ‘Intuitive Passwords’ for mitigation of the password predicament.
Related article “Passwords to Succeed Passwords”
Mnemonic Security, Inc.
– Hitoshi Kokuman is the inventor of Expanded Password System that enables people to make use of episodic image memories for intuitive and secure identity authentication. He has kept raising the issue of wrong usage of biometrics with passwords and the false sense of security it brings since 15 years ago.
– Mnemonic Security Inc. was founded in 2001 by Hitoshi Kokumai for promoting Expanded Password System. “Mnemonic” and “Mneme” used in the company name and logo imply that our identity must be protected with our own memory. Following the pilotscale operations in Japan, it is currently searching for the location to set up the global headquarters.