Pico: No More Passwords! (Transcript of Discussion)

Author

  • Frank Stajano
Abstract

Frank Stajano: My title should give you a hint about my position towards this problem. What’s a password? A password is a way to drive users crazy! Passwords were not so bad when you had only one or two of them, and when a password of eight or nine characters was considered a safe password. Nowadays computers have grown so powerful that ten-character passwords can be brute-forced with the kind of computer you buy in the supermarket next to your groceries. And you don’t just have one or two passwords: you have dozens of them, because there are so many more services that now require you to have a password. If you, poor user, listen to the computer security people, they will say that your passwords must be unguessable, otherwise attackers will figure out what they are; they must be impossible to brute-force, therefore you must fill them up with special symbols, and a strong mix of upper and lower case, and put in numbers as well; and you must not write them down, so you must make sure that you don’t forget the complicated passwords that you make up; and, however many passwords you have, they must all be different. This set of requirements is a problem. If you look at what people who develop websites think, for them the password is very convenient, because every user knows how to authenticate by password, so no training is needed; it’s very cheap, because you don’t need any equipment at the prover end; and it’s very easy to implement, because there are standard library functions for computing the hash and so on. For software developers, the password is an easy way to do user authentication. But if you ask users, then passwords are a real pain. While each developer individually thinks it’s OK to use a password (“well, everybody else also requests a password, so what’s wrong if I do too?”), users, instead, end up with so many passwords that remembering them all is an unmanageable problem. That’s what we call the tragedy of the commons.
If you look at these requirements that we (the unreasonable computer security people) inflict on regular users, it’s obvious that there’s an empty intersection between them: no passwords will satisfy all of these constraints, so users are quite fed up with passwords, and rightly so. I haven’t done a proper user study but I have acted (as I’m sure every one of you has too) as the informal help


Similar sources

Bootstrapping Adoption of the Pico Password Replacement System (Transcript of Discussion)

In previous work we presented Pico, an authentication system designed to be both more usable and more secure than passwords. One unsolved problem was that Pico, in its quest to explore the whole solution space without being bound by compatibility shackles, requires changes at both the prover and the verifier, which makes it hard to convince anyone to adopt it: users won’t buy an authentication ...


Pico: No More Passwords!


Realizing Pico: Finally No More Passwords!

In 2011 Stajano proposed Pico, a secure and easy-to-use alternative for passwords. Among the many proposals in this category, Pico stands out by being creative and convincing. However, the description as published leaves some details unspecified, and to the best of our knowledge the complete system has not yet been tested. This work presents detailed specifications and future-proof security pro...


Pico: No More Passwords!

From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different, regularly changed and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can’t...


Security architecture and implementation for a TPM-based mobile authentication device

Today, passwords are used everywhere to authenticate users. While they are simple for website administrators and software developers to deploy, from a usability perspective, they are becoming increasingly problematic. This is particularly because maintaining adequate security puts an inordinate number of demands on the passwords (difficult to guess, must not be reused, should be changed regular...


Journal title:

Volume / Issue:

Pages:

Publication date: 2011