Usable Security

I do not see a lot of promise in this approach, because I do not think you can make an algorithm that will generate passwords that are memorable across a large enough portion of the population without drawing from a relatively predictable pool. Memorability is more personal than that - this is why I want to provide real-time feedback and base minimum password requirements on an entropy estimate - so that people can create something memorable for themselves that is of at least a constant strength.

However, one idea some colleagues at NEU had suggested was a password selection system where the random algorithm is trained based on passwords a user enters in the system. Say the user inputs a list of passwords they feel they’ve been able to remember - the algorithm would look for patterns and try to replicate those in passwords generated for that user. When it generated a new password it could generate a set and let the user select from amongst them - which would also further train the algorithm. The problem, of course, is the development of said algorithm. This would be an interesting approach, but I think real-time feedback and dynamic help systems offer more generally applicable promise.

This idea reminds me of an idea of Norm Hardy’s:

http://www.cap-lore.com/code/Mem.html

This is impractical.

Fact: Users hate complex passwords and will always choose the same weak password given a chance

Observation: Users will write down complex passwords on a post it note and leave it around their computer. (Don’t get me wrong - there is *nothing* wrong about writing down a password if you store that properly)

Observation: I have a 20 or so character password, but I bet most of you do not. Don’t write security protocols that make freaks like me happy - do it for the general case. Security is only as strong as the weakest link, and that’s my Mum.

==> Therefore, we have to work with humans in mind, rather than tin foil hat brigade.

Fact: DVDs containing all possible MD5 and SHA1 hashes cost $20 at DefCon

Fact: Rainbow cracking takes less than a second on modern hardware after the tables have been loaded

Fact: Rainbow cracking is extremely effective. Brute forcers can find > 30% of all passwords inside an hour.

Fact: lost and forgotten passwords cost industry billions each year. It’s totally unproductive use of operational expenditure.

==> Forcing users to change passwords frequently is a waste of time. Don’t do it.

The day of the password is over.

We must stop investing in passwords and backdoors like Q&A’s password recovery schemes. Passwords have a non-zero cost, so let’s invest that non-zero cost in something users can handle easily and securely without making them tin foil hat lovers.