
Published in ACM SIGSAC Review, Vol. 5, No. 4, Fall 1987

PASSWORD-BASED AUTHENTICATION
(Versus Volatile User Memory)

Bill Neugent
McLean, Virginia

The people who invented computer passwords obviously never met Charlie Fox. During my high school years, I worked Saturdays and summers at Hampton General Store, in the small New England village of Hampton, Connecticut. Charlie Fox was the postman. For many years, every day at 3:30 PM Charlie would come into the store, having finished his route. Every day he took down the phone book, looked up his home telephone number, and called his wife to ask for her grocery order. He was a pleasant and perfectly normal fellow, but one who just couldn’t remember a phone number, even his own.

Consider the plight of people today. As if phone numbers, social security numbers, and nine-digit zip codes weren’t enough, we now have passwords. Perhaps my situation is worse than most. For my German banking, I have to remember a Personal Identification Number (PIN) for automatic withdrawals, and a password to authenticate in-person withdrawals. For my work, I have to remember two computer passwords, two cipher-lock combinations, a physical security authentication code, and three safe combinations. It’s not easy, but being a security fanatic I refuse to write any down.

Bill, Bob, and neighbors

The penalty for forgetting the club password was the Isolation Chair

Some people say that passwords are worthless. I think that statement is a little too strong. I know passwords work, because I’m always forgetting my passwords (and combinations) and getting locked out of things. In a sense, that’s the price I pay for security--occasionally being made to look stupid. Some people aren’t willing to pay such a price. They write all their passwords down and are never locked out of anything.

One Defense agency where I worked became distraught that so many people were remembering safe combinations by writing the combinations on desk calendars. An official written order was issued throughout the agency: all desk calendars were to be locked in safes at the end of the day. To be honest, I had never even considered that approach. Sometimes a solution is so obvious and simple that we cannot see it. On the other hand, one expects innovative solutions from an organization responsible enough to be entrusted with our national security.

Yet even the Defense department has not found a good solution for passwords. Today in the Defense department we use two approaches for password management. In the first approach, the security officer creates passwords and distributes them to users. The main criterion for the passwords is that they be random, so that bad guys cannot guess them.

Unfortunately, the main characteristic of randomness is that the passwords are singularly impossible to memorize. Users write these passwords down and keep them in their wallets. That way, the passwords are not lost if users’ desk calendars are stolen.

It would take a trained pickpocket to get these passwords. Fortunately, all trained pickpockets are already fully employed in Paris and Rome, making more money from tourism than any national government could afford to pay them.

Of course, one advantage of this first approach to password management is that the work of inventing and distributing passwords creates jobs, which benefit the local economy. Some Defense organizations don’t appreciate this advantage, however.

The second approach to password management is for the users to invent their own passwords. The main advantage of this approach is that it entertains the users. We Americans especially enjoy this approach, and our passwords thus reflect the same zany good humor we use in naming our children. Let’s face it, this kind of thing makes work fun, and that’s no small advantage in a world where work must compete with television for people’s attention.

The trouble with these two approaches is that they lead to passwords that are either easy to steal or easy to guess. The approaches also have the disadvantage of reminding us of our human inadequacies. After all, the problem is not with the approaches, but with the shameful way we inadequate humans fail to live up to the approaches’ promise.

We need a better system. Some people recommend voiceprint machines. There is concern that the machines might keep some regular employees out, but if people can’t recreate their own voices, maybe you don’t want them in. If they’re hoarse from a cold, maybe that’s just Nature’s way of telling them not to go to work and contaminate their coworkers.

Fingerprint machines are popular at places that appreciate the fact that your computerized print can be used against you in a court of law. Personally, I’d prefer to avoid entering these places. That’s fortunate, because I once tried a fingerprint machine, but couldn’t succeed in being enrolled--my print wouldn’t “take.” On the other hand, I once managed to enroll on a signature machine, but then it wouldn’t let me in. The people who ran these machines accused me of being erratic. I think their mothers were erratic. I’d prefer to think of myself instead as being inscrutable, at least to machines.

Recently I read about a totally new idea in authentication. It is such a unique, astounding idea that it far outstrips any approach I’ve seen before. No, it doesn’t work at all. Its merit is in its entertainment value. (Sorry, I will not stoop so low as to make Presidential analogies.)

The new idea is authentication based on personality. We would enroll by taking a test that reveals our personalities. When we log in, the system would ask several psychologically insightful questions that would reveal us for who we are. Good idea, huh? Certainly an idea warranting further research.

So the report scientifically explores the issues associated with this new concept. It reveals that “the (personality) tests in general tend to classify [e.g., as ‘having normal or abnormal tendencies’] rather than identify.” While the notion of excluding abnormal people is undeniably attractive, my guess is that this would be rather disruptive in most computing environments.

The report goes on to investigate the application of stylometry: the detection of literary authorship. Presumably an individual would be required to write a novel as part of the logon process.

Finally the report concludes that “it does not appear that any one test can uniquely identify an individual, and a combination of these tests appears unwieldy for the logon process.” I was disappointed in this conclusion, because I really would appreciate reading more on the topic. After all, if we cannot find a good solution for authentication, we should at least enjoy the search.

Bill Neugent - practicing to fool the personality test

Actually there are several approaches that are promising. One is to have the system automatically generate passwords, but in such a way that the passwords are pronounceable. This should make the passwords easier to memorize, especially for those people who are skilled at such things as remembering names at cocktail parties. There will be those people, however, who stubbornly will continue to write down their passwords, if only because it is such a heinously traumatic event to forget your password and be humiliated before the security officer.[1]
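To make the first approach concrete, here is an added example (not the author’s code, and not the generator used by any system the article mentions) of a pronounceable-password generator. It builds passwords from random consonant-vowel syllables, a deliberately simple scheme in the spirit of such generators rather than any standardized algorithm, and it also reports the entropy of what it produces, since the price of pronounceability is a smaller password space than fully random strings of the same length. The alphabets, the syllable count and the entropy target are assumptions chosen for illustration.

```python
import math
import random
import secrets

# Alphabets for consonant-vowel syllables (assumption: q, x and y are left out
# because they make awkward syllables; any similar choice works).
CONSONANTS = "bcdfghjklmnprstvwz"  # 18 letters
VOWELS = "aeiou"                   # 5 letters


def pronounceable_password(n_syllables=4, seed=None):
    """Return a password made of `n_syllables` consonant-vowel syllables.

    With seed=None the choices come from the operating system's CSPRNG via
    secrets.SystemRandom. A seed exists only for reproducible tests; a
    predictable generator would hand the password to anyone who knows the
    seed, so never pass one in production.
    """
    rng = secrets.SystemRandom() if seed is None else random.Random(seed)
    return "".join(rng.choice(CONSONANTS) + rng.choice(VOWELS)
                   for _ in range(n_syllables))


def entropy_bits(n_syllables):
    """Entropy of a generated password: each syllable is one of
    len(CONSONANTS) * len(VOWELS) equally likely choices."""
    return n_syllables * math.log2(len(CONSONANTS) * len(VOWELS))


def syllables_for_bits(target_bits):
    """Smallest syllable count whose entropy reaches `target_bits`, so a
    policy stated in bits can be turned into a password length."""
    per_syllable = math.log2(len(CONSONANTS) * len(VOWELS))
    return math.ceil(target_bits / per_syllable)


def is_cv_pattern(password):
    """True if the string strictly alternates consonant, vowel, consonant, ...
    (useful for checking that a stored policy really produced such words)."""
    if not password or len(password) % 2:
        return False
    return all(password[i] in CONSONANTS and password[i + 1] in VOWELS
               for i in range(0, len(password), 2))


if __name__ == "__main__":
    n = syllables_for_bits(40)  # assumption: policy wants at least 40 bits
    pw = pronounceable_password(n)
    print(pw, f"({len(pw)} letters, {entropy_bits(n):.1f} bits)")
```

Four syllables give eight letters but only about 26 bits, where eight uniformly random lowercase letters would give about 37.6 bits; meeting a 40-bit target with this scheme needs seven syllables (fourteen letters). That arithmetic is the real trade-off behind “easier to memorize.”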

The second promising approach is to have the system automatically check user-invented passwords, to ensure that they are long enough, are different from the old password, and so forth. To me, this seemed an excellent approach--almost foolproof.

Recently, however, I went to update my own password, and discovered that my own organization has adopted this automated-review approach. I had made up a very clever new password, using concatenated names of my old pets. To my astonishment, the computer came back and said that my clever password was “too obvious.”

I thought, "Obvious? Chip Chip? Puddy Tat?" My family hadn’t thought the names obvious at the time.

So I used the names of other people’s pets, with no luck. I tried several variations.

Finally I decided that the computer was not smart, but dumb. (I often think this way when I’m being outwitted.) I decided it must be rejecting my passwords for having only letters. I needed to add a number.

So, quite cleverly, I added a “1” on the end of the string. That was rejected, too. So I chose another number at random, and finally the password was accepted.

While I was basking in the glow of this success, the computer came back and asked me to repeat the password. Well, shoot! After all those tries, I couldn’t remember which number I had used, or even whose pets. So I guessed. To my surprise, I guessed right. So I quickly wrote it down. Only then did I realize what I had done.

Now I know that software can’t smile. But something was definitely grinning at me. I felt a perfect idiot. Then I thought, "Wait--nobody’s perfect."

Of course, I quickly burned the password and swallowed the ashes. But the mental scar remains. For the first time in my career, I wrote down a password. And I was tricked into doing so by security software.
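The second approach, automated review of user-invented passwords, can be illustrated with an added example (not the author’s code and not the checker his organization ran). It applies the checks the article names, length and difference from the old password, plus the “too obvious” test and the “add a number” rule the author inferred, and returns every reason for rejection so the user is not left guessing. The wordlist is a constructed sample covering the story’s pet names; a real deployment would load a large dictionary. One deliberate difference from the system in the story: this checker strips digits before the dictionary test, so a random trailing number does not rescue an obvious base word.

```python
import string

# Constructed sample wordlist (assumption): a deployment would load a real
# dictionary and common-password file instead of this handful of entries.
OBVIOUS_WORDS = {
    "chip", "puddy", "tat", "cat", "dog", "fido", "rover", "spot",
    "password", "secret", "welcome",
}

MIN_LENGTH = 8  # assumption: policy minimum chosen for the example


def segments_into_words(text, words):
    """True if `text` splits entirely into wordlist entries, which catches
    concatenations such as 'chipchip' or 'puddytat' that a plain lookup misses.
    Dynamic programming: reachable[i] means text[:i] is a valid concatenation."""
    n = len(text)
    reachable = [False] * (n + 1)
    reachable[0] = True
    for end in range(1, n + 1):
        for start in range(end):
            if reachable[start] and text[start:end] in words:
                reachable[end] = True
                break
    return n > 0 and reachable[n]


def check_password(new, old, words=OBVIOUS_WORDS, min_length=MIN_LENGTH):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    lowered = new.lower()

    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    # The rule the author guessed at: require at least one digit.
    if not any(ch.isdigit() for ch in new):
        reasons.append("contains no digit")

    # Must differ from the old password, and not merely by case or by
    # appending a character (old + "1" is the classic trivial change).
    if old:
        old_l = old.lower()
        if lowered == old_l:
            reasons.append("same as old password")
        elif old_l in lowered or lowered in old_l:
            reasons.append("trivial variation of old password")

    # "Too obvious": drop digits and punctuation, then test whether what is
    # left is built from dictionary words. Stripping first means ChipChip7
    # fails for the same reason ChipChip does.
    core = "".join(ch for ch in lowered if ch in string.ascii_lowercase)
    if core and segments_into_words(core, words):
        reasons.append("too obvious: made of dictionary words")

    return reasons


if __name__ == "__main__":
    # Constructed attempts retracing the story against an assumed old password.
    for attempt in ["ChipChip", "PuddyTat", "PuddyTat1", "PuddyTat7", "lomiguta4"]:
        verdict = check_password(attempt, old="oldpass1")
        print(attempt, "->", "accepted" if not verdict else "; ".join(verdict))
```

Listing all reasons at once matters for exactly the situation the article describes: a checker that only says “too obvious” invites the user to keep mutating the same base word until something slips through, and to write down whatever finally did.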

The moral of all this is that we’ve a way yet to go. But technological improvements are helping. For example, some systems that have been hit by dial-up hackers now are going with new approaches that require not only a password, but also possession of some type of smart card. Users don’t seem to mind this, because the cards at least give them a place to write their passwords.

On a higher plane, this entire situation could be seen as social progress. After all, in the sixties it was we humans who were wracked with uncertainty about our identities. Now our computers have shouldered this concern for us.

[1] Some people feel that security officers, like prison guards, are jaded by association with people who commit infractions. These people are reluctant to sacrifice their own esteem by confessing to stupidity, especially if they believe the security officer might take particular satisfaction from the confession.

ACM COPYRIGHT NOTICE. Copyright © 1987 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or permissions@acm.org. This copy is posted by permission of ACM and may not be redistributed.

Updated: 20-Oct-2005