Password Quality

So, do you administer a system with general user accessing it? Your companies AD, online banking, launch codes? Do you require that passwords be "high quality" - in other words do you require that they be of at least a certain length and further require that they use non-alphanumeric characters in their password, such as numbers braces and the like?

In that case, I expect that most of your users are using 7 or 8 character passwords with the numbers 1 or 2 in them, typically at the beginning (for 1) or in the middle (for 2), if they are REALLY trixy they might be doing 133t letter for number substitution. If I guessed the length wrong, I might be able to figure out the minimum by getting an account and then choosing bad passwords until you tell me the rules. Once I know the rules, human nature helps me narrow down the field of passwords I should try in brute-forcing your accounts from the millions down to the hundred thousand or so that fit your more restrictive scheme.

What? You say your scheme isn't restrictive? It only insists on certain quality measures to insure that folks are using "password" or "qwerty" and they could be using 21 character passwords just as easily as the minimum 7. OK, I'm not interested in the folks using passwords like "afttr2U*sdfvS!&Ennadcczxza)0" If they can remember that, their head is too full of passwords for their account to have anything in it of interest. I'm interested in cracking the vast majority of accounts which will do the minimum required to pass your quality tests and end up with "g00d2g01" and then next rotation will choose g00d3g01. (OK, maybe you are doing comparisons to the last 6 passwords, that would help. You are doing at least 6 revs, right?)

My point is that the best password quality testing would actually just test quality and not announce the rules so much. Sure, a pure brute force will crack a 5 character password reasonably quickly, but who does pure brute force cracking anymore? Do you lock account out after some reasonable number of attempts? How long would it take to crack a 5 character password if you lock me out after every 5 tries and I have to either a) Wait for a timer to expire or b) wait for manual reset ??? Somewhere in the vicinity of a thousand years if the timeout is more than an hour or two, and I would hope that some time in the first decade of trying, you would notice that the account I'm attacking keeps getting locked out.

There are reasonably good safeguards to keep attackers from logging in using brute force cracking, which just leaves stupid password trying like "xyzzy" and "Passw0rd" which ANY good password quality test would reject. They way we're trying for quality right now is worse than annoying, it's counter productive in that if gives attackers more information about the password space that they would be cracking than we should be and encourages predictable passwords.

What's with not solving electronic identity problems?

There are a lot of interesting technical problems involved in figuring out a way to reliably identify people online, but none of the ones I'm aware of are insurmountable. At this point, it's ridiculous that we don't have a good way of saying (online, electronically):

1. I trust identities from entity A, B and Monkey. Anyone they vouch for as being who they say that are I'll (mostly) believe.
2. If you want me to buy into who you tell me you are, you need to go through the hoops of A, B or Monkey. I don't care if you are already identity registered with C, D and Unicorn. I only trust the list I gave you (via a simple registration, not by answering any of your silly questions...)
3. I get to choose what identity authority I trust for what purposes and which items of my identity they get to publish.

For example, I would like the State of Washington to issue me a drivers license / Washington resident identity. They get to use that for traffic stops and maybe border crossings, plus I can at my discretion use that identity to authenticate myself to other places that trust the state of WA.

I also would like the Postal Service to issue me an identity which I will keep for a lifetime (or until I believe it's been compromised) I can use portions of that identity code to tell people how to physically mail stuff to me without telling them where I live. There's no reason someone mailing me a rebate coupon needs to know where I physically reside, and if the USPS was tracking a PKI which internally linked to physical addresses, I could give out a code that only the USPS could use to find me. It also means I could change that physical location without much trouble, and for only myself. In the best of all worlds, it also means that I could produce one-time-use physical mailing addresses and get a LOT less junk mail. Abusive spouses could send child support checks directly to the recipient without danger to the abused...

We're currently defaulting to trusting lots and lots of identity managers (Facebook, Twitter, MySpace etc) who:

• Don't think of themselves as identity managers (with the exception of Google)
• Aren't checking that you really are even a human, much less the human you claim to be
• Aren't interested in providing this service

If you don't think we are trusting these places to identify people, just look at some of the friends lists and tell me that every person individually qualifies each request by some other means. Law enforcement and others (like the press) are using the lack of authentication to gather information as they go to press, or prepare indictments. I'm all for supporting good law enforcement, but these are examples of where the current state of affairs is biting people in the hiney.

It would be great to see:

1. A good cryptographic API that addresses key exchange with multiple PKIs is open source and non proprietary
2. PKI which conforms to #1 (the more the better) and allows for multiple levels of trust and multi-key encryption providing for field level access to identity information based on the key issued as well as quorum based decryption (three of these 7 keys are required for actions A, D and F)
3. Open, free access to multiple services (public and private) which use such a system
4. Integration into online services which use identity in some way

Note that I'm not calling for the death of immunity on the Internet here, just for application of some level of trust for identities that we care about knowing. For those of you that might respond with "Hey, OATH or OpenAuth provides these things" you are partially correct. What's being looked at now is the management of authentication and authorization, rather than identity. It's an important step in the right direction, but essentially does not address the problem that authentication is not identity and identity is a complex object with dozens, possibly hundreds of attributes.