Yep, I looked it up. The last time I ranted about passwords was this article back in 2023. In the meantime there have been some pretty high profile data breaches, including some that may have affected readers of this blog. Yet here we are and there’s still no really good answer to dealing with the problem we have with passwords.
It’s become pretty common now for big tech companies to give you the option to automatically create strong passwords and then save them for you. Then you can use biometrics like Apple’s Face ID to store them all behind a wall. This doesn’t help much if the password manager itself is hacked, and that did happen not long ago. But at least it makes it easy for you to use a unique password for every site as opposed to using the same one over and over. I suppose that’s something.
Conventional wisdom has moved away from things like punctuation and deliberate misspellings. The latest trend is length. Apparently, the longer your password is, the longer it’s going to take to hack using brute force. The problem, as I see it, is that we have passed the point of brute force.
I think about it this way. I play an app called Knotwords. It’s available for free on several platforms. It’s a game where you have an empty crossword puzzle and no clues. But you do get some idea of which letters go into which spots. It’s hard to explain but if you’re into word games, try it. Trust me.
The point there is that after you’ve played about 100 rounds of this game, you see patterns in words. It’s a lot easier to guess the letters starting with the end of the word. Letters like “S,” “G,” and “D” are almost always the very last letter if they’re toward the end of the word. This makes me feel like it’s easier to guess passwords than it should be.
See, a truly random password would be impossible to guess. But it would also be impossible to remember. So humans pick words as passwords. And words can be decoded using AI. I don’t want to give the bad guys any ideas, but I have a feeling they’re already there. You don’t have to brute force a long password if you can figure out the first couple of letters. And that’s going to become an increasingly big part of the problem as AI learns how humans think.
But yet even as we know that, we still have no idea how to deal with it. I think AI is going to create a whole new crisis in password management and we still don’t know how to effectively deal with the password problems we have now.
I’ve been doing a lot of reading about CAPTCHA technology as I continue to beef up security on this blog. You know the tech I’m talking about… it’s the thing that makes you declare that you’re not a robot. For some reason robots aren’t capable of doing that, supposedly.
CAPTCHA seems to work in ways that most people don’t realize. It’s not about somehow knowing which images contain motorcycles. It’s analyzing the way you’re using your mouse, the amount of time it takes you to do things, and eliminating patterns that would suggest that you aren’t a highly random human. It’s a real rabbit hole if you’re interested in checking it out at some point.
However, CAPTCHA is still dependent on the idea that AI can’t perfectly mimic us. early forms of this technology have already been defeated and it’s likely that today’s reCAPTCHA will be too. reCAPTCHA is developed by Google. I don’t know if that should make you more or less comfortable with the technology. It does mean at least that the developer has enough money to keep working on new ways to make it stronger.
Still, at some point someone will devise an AI that can figure out someone’s password based on their thought processes. They’ll probably call it KRAMER because of this scene:
At that point, we’ll all be sunk. I’ll just leave you on that happy note.
The post It’s been about a year since I ranted about passwords soooooooo…. appeared first on The Solid Signal Blog.
Continue reading...
The best answer so far still isn’t that good
It’s become pretty common now for big tech companies to give you the option to automatically create strong passwords and then save them for you. Then you can use biometrics like Apple’s Face ID to store them all behind a wall. This doesn’t help much if the password manager itself is hacked, and that did happen not long ago. But at least it makes it easy for you to use a unique password for every site as opposed to using the same one over and over. I suppose that’s something.
Do passwords really need to be so long?
Conventional wisdom has moved away from things like punctuation and deliberate misspellings. The latest trend is length. Apparently, the longer your password is, the longer it’s going to take to hack using brute force. The problem, as I see it, is that we have passed the point of brute force.
I think about it this way. I play an app called Knotwords. It’s available for free on several platforms. It’s a game where you have an empty crossword puzzle and no clues. But you do get some idea of which letters go into which spots. It’s hard to explain but if you’re into word games, try it. Trust me.
The point there is that after you’ve played about 100 rounds of this game, you see patterns in words. It’s a lot easier to guess the letters starting with the end of the word. Letters like “S,” “G,” and “D” are almost always the very last letter if they’re toward the end of the word. This makes me feel like it’s easier to guess passwords than it should be.
Humans are the problem
See, a truly random password would be impossible to guess. But it would also be impossible to remember. So humans pick words as passwords. And words can be decoded using AI. I don’t want to give the bad guys any ideas, but I have a feeling they’re already there. You don’t have to brute force a long password if you can figure out the first couple of letters. And that’s going to become an increasingly big part of the problem as AI learns how humans think.
But yet even as we know that, we still have no idea how to deal with it. I think AI is going to create a whole new crisis in password management and we still don’t know how to effectively deal with the password problems we have now.
By the way, CAPTCHA will not save us
I’ve been doing a lot of reading about CAPTCHA technology as I continue to beef up security on this blog. You know the tech I’m talking about… it’s the thing that makes you declare that you’re not a robot. For some reason robots aren’t capable of doing that, supposedly.
CAPTCHA seems to work in ways that most people don’t realize. It’s not about somehow knowing which images contain motorcycles. It’s analyzing the way you’re using your mouse, the amount of time it takes you to do things, and eliminating patterns that would suggest that you aren’t a highly random human. It’s a real rabbit hole if you’re interested in checking it out at some point.
However, CAPTCHA is still dependent on the idea that AI can’t perfectly mimic us. early forms of this technology have already been defeated and it’s likely that today’s reCAPTCHA will be too. reCAPTCHA is developed by Google. I don’t know if that should make you more or less comfortable with the technology. It does mean at least that the developer has enough money to keep working on new ways to make it stronger.
Still, at some point someone will devise an AI that can figure out someone’s password based on their thought processes. They’ll probably call it KRAMER because of this scene:
At that point, we’ll all be sunk. I’ll just leave you on that happy note.
The post It’s been about a year since I ranted about passwords soooooooo…. appeared first on The Solid Signal Blog.
Continue reading...
