Awareness in a password


Mimmo Cosenza

Nòva 24, Sunday, October 4th 2015

We are all registered with dozens of online services, but we use no more than a handful of different passwords, often simple variations of a couple of them. If Oscar, the name the cryptographic literature customarily gives to the intruder (the Opponent), intercepts even one of our passwords, it would be easy for him to derive the others and impersonate us, laying us bare in the many services we have signed up to.

It is no coincidence that the most serious and most visited services advise using a complex, different password for each site: if Oscar captures one of them, he cannot impersonate us with the other providers. But it is an unequal battle between the limited memory and calculation abilities of our minds and those of Oscar. There are, to be sure, mental techniques for creating and recreating on demand distinct passwords for each site that resist Oscar's attacks, but they are not as widespread as they deserve.

Those of us who have been using the network for several decades have put our trust in the care service providers take of our passwords: trust based on the fact that not saving passwords as plaintext in the user database is a well-known practice, and therefore, one would think, a foregone conclusion. Unfortunately, believe it or not, it is not like that: carelessness reigns supreme. If we bothered to survey the services that record passwords as clear text in their databases, we would be astonished by the massive dose of social irresponsibility and technical incompetence on the part of the providers.

Any unfaithful collaborator of a service provider who gained access to that database would have the credentials of every user as well. If we then consider, as noted at the beginning, that users rely on a few different passwords, the unfaithful Oscar could easily strip them bare in the other services they signed up for too. But that is not the end of the story. Some of the unaccountable providers just mentioned, after you register with them, also take the trouble to email you your password in clear text. And it is still not over. If, as happens to all of us, you forget your password for one of these nefarious services, they promptly email you the forgotten password, again in clear text. If there is one thing that attracts Oscar, it is email, for two good reasons. First, because unless an encrypted channel is used, emails travel in clear text from one computer to another before reaching ours, increasing the chances that Oscar is listening in. Second, because eavesdropped emails can be saved: if Oscar decided to spare us today, because he was feeling listless, he could always decide to strip you naked some other day.

If so much irresponsibility and incompetence afflicted only the services provided by private companies, the free market could, all in all, sooner or later remedy it, even in Italy, by rewarding those who use safe techniques that have been known for decades. But when it is the Public Administration that provides such disgraceful services, jeopardizing the online security and privacy of its citizens, this irresponsible practice becomes intolerable.

The protection of citizens' security and privacy online is as important as their protection in the analog world, which has been an integral part of the founding social contract of every democratic nation from Rousseau onward.

In the United States, the entire Public Administration is obliged to adopt the open cryptographic standards defined by the National Institute of Standards and Technology (NIST), and cryptography has for decades followed the nineteenth-century principle of Kerckhoffs:

A cryptographic system is only safe if it is completely published, with the sole exception of the encryption key.

This conceptual axiom should be applied without delay to the user registration schemes of online services, at least those provided by the Public Administration and based on the login/password pair.

In fact, this pair (a single factor) is still considered superior to biometric techniques when three criteria are weighed together: usability, security and, above all, deployability.

Any State should take care to identify and define safe registration schemes and submit them to peer review (that is, open evaluation among professionals and experts). It should then code reference implementations of the scheme in the major programming languages and publish the source code on GitHub, the world's largest open source repository.

Finally, adoption of the result should be imposed on all providers of public online services that use single-factor registration/authentication schemes.
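A minimal registration scheme of the kind the article asks a State to publish as reference code, placing the plaintext storage and password-emailing practices criticised above beside a salted slow-hash store and a reset flow that never reveals the password. This is an added example, not code from the article or from any published scheme; the PBKDF2-HMAC-SHA256 parameters and the in-memory dictionary standing in for the user database are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Hypothetical parameters: PBKDF2-HMAC-SHA256 with a deliberately slow
# iteration count; a real scheme would publish and review these values.
ITERATIONS = 600_000

def insecure_register(store: dict, user: str, password: str) -> None:
    """The practice the article criticises: the password itself is stored,
    so anyone who reads the table holds every user's credential."""
    store[user] = password

def register(store: dict, user: str, password: str) -> None:
    """Store a per-user random salt and a slow hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[user] = {"salt": salt, "hash": digest, "iters": ITERATIONS}

def verify(store: dict, user: str, password: str) -> bool:
    """Recompute the hash for the stored salt and compare in constant time."""
    rec = store.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iters"])
    return hmac.compare_digest(digest, rec["hash"])

def forgotten_password(store: dict, user: str) -> Optional[str]:
    """A provider that stores only hashes cannot mail the password back, and
    should not want to: it issues a random single-use reset token instead.
    Only the token's hash is kept, so a leaked database does not leak tokens."""
    if user not in store:
        return None
    token = secrets.token_urlsafe(32)
    store[user]["reset_token"] = hashlib.sha256(token.encode()).digest()
    return token  # this is what goes to the user's mailbox

def redeem_reset(store: dict, user: str, token: str, new_password: str) -> bool:
    """Accept the token once, then replace the record (which drops the token)."""
    rec = store.get(user)
    expected = rec.get("reset_token") if rec else None
    if expected is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), expected):
        return False
    register(store, user, new_password)
    return True
```

With the hashed store, a database dump yields neither passwords nor usable reset tokens, which is exactly what the plaintext store of `insecure_register` fails to guarantee.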

The same State that obliges us to wear seat belts and helmets must impose on itself respect for the online security of its citizens. If politicians do not want to do it for us, they should do it at least for themselves, because sooner or later an Oscar wittier than the others could have them tweet 140 characters more embarrassing than those they are used to.