Source URL: https://simonwillison.net/2024/Nov/21/password-policies/#atom-everything
Source: Simon Willison’s Weblog
Title: How some of the world’s most brilliant computer scientists got password policies so wrong
Stuart Schechter blames Robert Morris and Ken Thompson for the dire state of passwords today:
The story of why password rules were recommended and enforced without scientific evidence since their invention in 1979 is a story of brilliant people, at the very top of their field, whose well-intentioned recommendations led to decades of ignorance.
As Stuart describes it, their first mistake was inventing password policies (the ones about having at least one special character in a password) without testing that these would genuinely help the average user create a more secure password. Their second mistake was introducing one-way password hashing, which made the terrible password choices of users invisible to administrators of these systems!
As a result of Morris and Thompson’s recommendations, and those who believed their assumptions without evidence, it was not until well into the 21st century that the scientific community learned just how ineffective password policies were. This period of ignorance finally came to an end, in part, because hackers started stealing password databases from large websites and publishing them.
Stuart suggests using public-private key cryptography for passwords instead: passwords would be stored encrypted under a public key, so they remain protected at rest while researchers holding the matching private key can still decrypt and analyze them. He notes that this is a tough proposal to pitch today:
Alas, to my knowledge, nobody has ever used this approach, because after Morris and Thompson’s paper storing passwords in any form that can be reversed became taboo.
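The following Go program is an added illustration of the escrow idea described above; it is not code from Simon’s post or from Stuart Schechter’s article, and every name in it (StoredCredential, Enroll, Verify, RecoverForResearch, SpecialCharRate) is my own. Each record keeps two things: a one-way salted hash that the login path checks, and the same password encrypted with RSA-OAEP under a research public key. The server only ever holds the public key, so a stolen database is as useless to the thief as a hash-only database; an analyst with the offline private key can nevertheless answer policy questions (here, what share of passwords contain a special character) that hashes alone can never answer. The salted SHA-256 verifier is an assumption made to keep the example within the standard library; a real deployment would use a memory-hard KDF such as Argon2 or scrypt, and the sample passwords are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// StoredCredential is what the authentication server keeps per user.
// Verifier is a one-way salted hash used to check logins. Escrow is the same
// password encrypted under the research public key: useless to the server, or
// to anyone who steals this record, without the offline private key.
type StoredCredential struct {
	Salt     []byte
	Verifier []byte
	Escrow   []byte
}

// hashPassword derives the login verifier. Salted SHA-256 is an assumption
// chosen for self-containment; production systems use Argon2, scrypt or bcrypt.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Enroll records a new password: a one-way verifier for authentication plus
// an escrow copy encrypted with RSA-OAEP (SHA-256) under the research key.
func Enroll(pub *rsa.PublicKey, password string) (StoredCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	escrow, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), nil)
	if err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{Salt: salt, Verifier: hashPassword(salt, password), Escrow: escrow}, nil
}

// Verify is the login path: constant-time compare against the verifier.
// The escrow blob is never touched here, and the server has no key to open it.
func Verify(c StoredCredential, candidate string) bool {
	return subtle.ConstantTimeCompare(c.Verifier, hashPassword(c.Salt, candidate)) == 1
}

// RecoverForResearch is the offline analysis path; it fails with any key other
// than the private half of the key used at enrollment.
func RecoverForResearch(priv *rsa.PrivateKey, c StoredCredential) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c.Escrow, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// HasSpecialChar is the kind of policy question a hash-only database cannot
// answer but an escrowed one can.
func HasSpecialChar(password string) bool {
	return strings.ContainsAny(password, "!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
}

// SpecialCharRate returns the fraction of escrowed passwords that satisfy the
// special-character rule, which requires the private key.
func SpecialCharRate(priv *rsa.PrivateKey, creds []StoredCredential) (float64, error) {
	if len(creds) == 0 {
		return 0, nil
	}
	n := 0
	for _, c := range creds {
		pw, err := RecoverForResearch(priv, c)
		if err != nil {
			return 0, err
		}
		if HasSpecialChar(pw) {
			n++
		}
	}
	return float64(n) / float64(len(creds)), nil
}

func main() {
	// Constructed sample: the research key pair is generated offline and only
	// its public half would ever be deployed to the authentication server.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	var db []StoredCredential
	for _, pw := range []string{"correct horse battery staple", "P@ssw0rd!", "hunter2"} {
		c, err := Enroll(&priv.PublicKey, pw)
		if err != nil {
			panic(err)
		}
		db = append(db, c)
	}
	fmt.Println("login ok:", Verify(db[2], "hunter2"), "wrong password:", Verify(db[2], "hunter3"))
	rate, _ := SpecialCharRate(priv, db)
	fmt.Printf("share meeting the special-character rule: %.2f\n", rate)
}
```

The design point is the separation of duties: the authentication server verifies logins with the hash and can neither read nor leak plaintext passwords, while the private key lives only with whoever is allowed to study the corpus. Whether an organisation should accept that trade-off is exactly the taboo Stuart describes.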
Via Bruce Schneier
Tags: passwords, security
AI Summary and Description: Yes
Summary: The text critiques historical password policies developed by prominent computer scientists, highlighting their lack of scientific validation which led to ineffective security practices. It suggests the adoption of public-private key cryptography for more secure password management as an alternative.
Detailed Description: The article addresses the shortcomings of password policies that have been in place since 1979, primarily introduced by Robert Morris and Ken Thompson, two leading figures in computer science. It underscores that these policies were established without rigorous testing or evidence of their effectiveness. The main points of the analysis include:
– **Historical Context**: Password policies recommending complexity—such as including special characters—were introduced without scientific backing, leading to widespread misapplication and misunderstanding of secure password practices.
– **Invisible Weaknesses**: The implementation of one-way password hashing obscured the weaknesses in users’ password choices, preventing administrators from recognizing security flaws in their systems.
– **Delayed Recognition of Flaws**: The scientific community did not fully grasp the ineffectiveness of these policies until the 21st century, a realization partially spurred by password database breaches that brought to light the vulnerability of user passwords.
– **Proposed Alternative**: Stuart Schechter suggests a shift towards public-private key cryptography as a more secure method of password management, which would allow for the secure storage of passwords while still enabling analysis by researchers holding a private key.
– **Current Landscape**: Despite this proposal’s potential benefits, there is a prevailing reluctance to adopt it, because storing passwords in any reversible form has been taboo since Morris and Thompson’s paper.
This analysis serves as a cautionary tale for security professionals regarding outdated practices and the importance of evidential foundation in developing security measures. It reflects a pressing need for innovation in password management techniques and the importance of continuously challenging and updating security standards based on empirical evidence.