Security Engineering: A Guide to Building Dependable Distributed Systems

Not recorded
Abstract

3 Passwords

Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.) —KAUFMAN, PERLMAN, AND SPECINER [444]

Taking care of old-fashioned access control tokens such as metal keys is a matter of common sense. But common sense is not always adequate for the measures used to protect computer systems. The human-machine gap causes security problems in a number of contexts, from straightforward system administration to the ways in which users mismanage security products such as encryption software [803]. (I won't use the fashionable euphemism "human computer interface": "chasm" might be better.) However, most of the problems arise in a simple context in which they are relatively easy to analyze and discuss—the management of passwords.

In addition to things that are "obviously" passwords, such as the password you use to log on to your computer and the PIN that activates your bank card, there are many other things (and combinations of things) that have an equivalent effect. The most notorious are the likes of Social Security numbers and your mother's maiden name, which many organizations use to recognize you. For example, AT&T's wireless service contract states that anyone who knows your name, address, phone number and the last four digits of your social security number is authorized to make changes to your account; it also disclaims all liability for lack of privacy [201]. The ease with which such data can be guessed or found out from more or less public sources has given rise to a huge identity theft industry [285]. Criminals obtain credit cards, mobile phones, and other assets in your name, loot them, and leave you to sort out the mess. In the United States, about half a million people are the victims of this kind of fraud each year.

Passwords are one of the biggest practical problems facing security engineers today. They are the (often shaky) foundation on which much of information security is built. Remembering a password is contingent on frequent use (so that passwords are imprinted well on memory) and consistent context (so that different passwords do …


Similar resources

Security engineering - a guide to building dependable distributed systems

Security Engineering: A Guide to Building Dependable Distributed Systems Ross Anderson Wiley Computer Publishing This is an upper-level undergraduate, first-year graduate course on network and computer security. This course introduces the principles and practices of cryptography and network security. The first half of the class content covers basic cryptographic methods, key distribution, and p...


Security Engineering: A Guide to Building Dependable Distributed Systems

In Germany and Turkey they viewed scenes that were particularly distressing. On the runway stood a German (or Turkish) quick-reaction alert airplane loaded with nuclear weapons and with a foreign pilot in the cockpit. The airplane was ready to take off at the earliest warning, and the nuclear weapons were fully operational. The only evidence of U.S. control was a lonely 18-year-old sentry armed...


Security Engineering: A Guide to Building Dependable Distributed Systems

A seal is only as good as the man in whose briefcase it's carried. —KAREN SPÄRCK JONES 12.1 Introduction Many computer systems rely to some extent on secure printing, packaging, and seals to guarantee important aspects of their protection. • Many software products get some protection against forgery, using tricks such as holographic stickers that are supposed to tear when removed from the packa...


An ANSA Analysis of Open Dependable Distributed Computing

System dependability is increasing in importance in the market place. A recent report predicts that the market for fault-tolerant systems will double in the next three years. Within the context of large open distributed systems, dependability will be particularly important: the more components a system has the greater the probability that one of those components will be faulty. Over the next tw...


Security Engineering: A Guide to Building Dependable Distributed Systems

Computers are not (yet?) capable of being reasonable any more than is a Second Lieutenant. Against stupidity, the Gods themselves contend in vain. Banking systems include the back-end bookkeeping systems that record customers' account details and transaction processing systems such as cash machine networks and high-value interbank money transfer systems that feed them with data. They are import...



Publication date: 2006