The Life and Death of Passwords: The Password Problem with Wolfgang Goerlich
Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With this interview series, we take a deeper dive into their insights and share bonus footage.
Today: Wolfgang Goerlich, advisory CISO at Cisco Security, reflects on the history of passwords, the limitations of human memory and what we can learn from the eternal nature of security.
Password problems
Chrysta: When did we know that passwords couldn’t provide us an official level of security on their own? When did that become clear?
Wolfgang: When we look at the history of passwords, what’s fascinating to me is the very first time we’ve had a password was on this computer in IBM, 70 94 in MIT, in the late fifties, early sixties. The very first time we had a password breach was on an IBM, 70 94, at MIT, in the late fifties, early sixties.
Right away, things broke. Right away, we ran into problems. They were hard to remember. They were hard to scale. When we went from one computer to multiple computers, we ran into even more problems. But from the very beginning, we knew that this was not a way that was conducive to how people think and operate.
What are some of the problems with passwords?
People are meaning-making machines. We’re storytellers. So what do we do? We tell stories with our passwords. That means it’s a loved one. That means it’s a pet. That means it’s a favorite hobby. You look at Ken Thompson’s early password, which was a chess move. We look at Eric Schmidt’s early password, which was his wife’s name. We create things that are easy for us to remember and in doing so, those are of course, things that are easy for adversaries to guess. And once they’re out there, they’re easy for criminals to use again and again, to log into other systems.
How are good security practices for systems and the capacities of human memories often put in odds with one another?
Humans are fantastic at doing so many things, but we all have limitations. And one of those cognitive limitations is around our memory. You know, there’s a great paper: “The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information,” and I love that. We remember about seven things. Give or take a couple, depending on how you chunk it. That’s why there’s seven numbers in a phone number, right? That’s why a lot of the early passwords are seven characters.
Now, when we move beyond that, it becomes very difficult to remember a 14-character, or 32-character password. Now, the way to handle that of course is with chunking. So with chunking, am I remembering seven numbers? Or am I remembering seven objects? Maybe it’s seven words from my favorite song, or maybe it’s seven things that I’m out of in the refrigerator.
There’s certainly ways that we can bootstrap our authentication systems to match our cognitive abilities. But at the end of the day, what we’re doing is we’re relying on something that people are not good at, remembering a long thing and doing it repeatedly over a very long term. Not something that the human mind is designed to do.
The passwordless solution
Chrysta: What does passwordless mean? What is it?
Wolfgang: One of the ways that we’ve moved towards to protect authentication is multifactor. So it’s a series of different factors, one of them being that password. Along the way we realized, do we even need the password, if we’ve got different factors, stronger factors to rely on?
As we move in the direction of passwordless, which is of course authenticating without that password, that is really the path that we’re going to take. Using other factors that are easier to use, easier-to-authenticate things that we carry with us, things that perhaps we are when we look at biometrics.
I’d like to follow that up and ask: why is easy important?
An interesting property about the human condition is the more constraints we put on somebody, the more likely they are to be creative. And we have created security, which is effectively a Chinese finger puzzle. The tighter we pull, the more users are either not going to pick up the puzzle at all, or just work around us. So throughout the application of security, wherever we look, we need to find ways that we can reduce friction, increase ease of use, and just as importantly, increase accessibility.
Who invented passwordless, or who invented this concept, or how has it evolved since its conception?
We can’t really say with any certainty who invented passwordless. We’ve all looked at this problem, how do we authenticate? And we’ve looked for ways to make it better. Maybe it’s where we are. Maybe it’s a certificate. Maybe it’s something we have with us. Maybe it’s biometrics. We’ve looked at different ways of doing it over time. And it really hasn’t been until the past couple years that we’ve had enough underlying infrastructure and enough of the standards to really move forward with passwordless.
You mentioned some of the infrastructure that helps support making it more possible. What are some of the technologies and tools that are making it more practical to have a broader use of passwordless?
The ubiquity of cell phones, of mobile devices with good high-quality sensors in all of our pockets, has provided a foundation which we can build passwordless on. We haven’t had that before. We would’ve had to provision equipment that would’ve taken a long time.
And how does a passwordless authentication fundamentally differ from the traditional, “Do you know the secret word?” kind of password check?
A lot of this [security] is based on a shared secret. I share a little secret with the machine and it remembers me because I remember that secret, but that shared secret has all the problems that we’ve talked about.
When we move to passwordless, what we’re doing is saying, “Let the machine remember a secret, and let my machine remember a secret, and I have my machine and it will authenticate to your machine.” By moving away from putting the demands on the human to putting the demands on the technology, we can have both a greater user experience and a greater degree of security properties.
"We also need to do a good job in getting the word out there. That passwordless is reducing a lot of these concerns, not adding to them." - Wolfgang Goerlich
Debunking common passwordless myths
Chrysta: What are some of the most common myths or misconceptions about password security and passwordless technology?
Wolfgang: There are many myths around passwords. “Maybe we just need a bunch of random characters. Maybe we have three exclamation marks. That’ll make it secure. Maybe we switch our E’s to threes.” There are a whole bunch of different ways that passwords can be constructed. And what we see time and time again is, while these myths may persist, the adversaries can very easily crack or guess those passwords. We know what people are going to do because people are predictable.
When we look at passwordless, there are also some myths that are popping up around that too. What about privacy? Do I now have to worry about an organization storing all my biometrics? Do I have to worry about people spying on what applications I’m going to? So we do need to be very cognizant about the privacy concerns, we do need to be very cognizant about the usability concerns. But also we need to do a good job in getting the word out there. That passwordless is reducing a lot of these concerns, not adding to them.
When we do eliminate passwords, are we sacrificing the imperfect security that they do provide?
There is a little bit of a problem with passwordless, in that we’re defining authentication by what it’s not. I like to compare this to the horseless carriage. A hundred years ago in my hometown of Detroit, what was high tech was a horseless carriage. It's a carriage without a horse. That belies all the improvements in speed safety, the culture change that came with the automobile.
In a similar way, if we only think of authentication as removing the password, we are going to miss out on a lot of the improvements that we can make in authentication. So when we move to adopt passwordless authentication, it cannot only be to remove the password, but it also has to be to add an additional risk-based authentication mechanism to increase overall security at the same time.
How about concerns about the security of biometrics? You mentioned folks not being sure if they can trust having their biometric information saved on their phone. They don’t want somebody else to access it. Can people trust using their face or their fingerprint to unlock their phone?
Bruce Schneier once famously said that security has two parts — the feeling of security and the reality of security. For passwordless to be successful, we have to address both. And there are some very real concerns about biometrics. There’s some very real concerns about people’s data.
What I like about most passwordless technologies is they keep that data in people’s pockets. They keep that data in people’s hands. They don’t create conditions where the data can be shared out. So we need to make sure the technology is good, the reality of security. And at the same time, we need to have an ongoing conversation with people who adopt this to make sure that they’re comfortable, to make sure they understand what they’re setting up for, and to make sure that the feeling of security is addressed as well.
When can we say goodbye to passwords? Will we ever be fully rid of them?
In an ideal world, we say goodbye to passwords altogether. They don’t work. We’ve got six decades of proof of that. But along that way, we’ve built up a lot of systems that have passwords, a lot of infrastructure. So in the next couple years, what we want to do is look for customer-facing, workforce-facing use cases where we can replace that password, give them a better experience, and reduce the risk of those credentials being stolen while we maintain the hybrid environment into the future.
What excites you most about this evolution and how we establish connections or establish trust?
As a security professional, very rarely have I been able to show up and say, “Hey, I’m going to make your life better.” Usually, I show up and people scramble. It’s a little uncomfortable for them. It’s a little uncomfortable for me.
But with passwordless, we really are able to do more for them as we’re doing more for the security of the environment. What is glorious about all that is, it’s transparent and invisible to the end user. So we can do more, we can serve people better at the same time, increasing these security properties.
And what advice would you give to the average user, who’s stuck with their passwords for now to help keep themselves and their data safe?
What I would encourage folks to do is use a password safe. Don’t worry about trying to remember all that. Have the password safe generate a very secure token, and use your biometrics to get into that safe, but use that safe to handle that downstream communication so that all your applications are available with one click.
When we look at the history of passwords, what lessons can we learn about the eternal nature of security?
The eternal state of authentication is one of failure — and that sounds so negative, but it’s the case. If you look at 1969, the very first word was sent over the internet. That word was “lo-”, and people that hear that go, “lo and behold.” No, it was “login.” It’s just, they only got two characters out before it crashed. Very first internet connection 1969, and already we were having authentication problems.
"From the very beginning we've been facing authentication problems. It's way past time for us to move forward and to a more reliable infrastructure for authentication." - Wolfgang Goerlich
From the very beginning we’ve been facing authentication problems. It’s way past time for us to move forward and to a more reliable infrastructure for authentication.
Next in our extended interview series: Christi Volny, a senior software engineer for the Duo Single Sign-On platform at Cisco Security, discusses the breaking point for passwords, the tipping point for passwordless, and why she trusts the math.