On Password Complexity - and why it doesn't matter

The lowly password is one of the oldest technologies in recorded history that is still in use, right up there with beer, bread and bows.  So, why have we failed to eject passwords, even though we know better.  I mean, really, we all certainly know that passwords are prone to losing the very attribute that otherwise makes them useful, that of being a shared secret.  Once it becomes a discoverable or broadly-shared secret, game over.

So, how do we protect passwords?  Largely, we presume that controls added to the passwords themselves (length, complexity, age, history, randomness) will actually do some good.  For a short investment period, they do.  However, once you've added age, history and non-dictionary, the rest is a crap shoot.  The real problem that we have is that users are not like key generating machines - the passwords they select are decidedly NON-random, closely clustered on predictable fault-lines, and look more like housing tracks following BART stations than a random distribution.  With the advent of GPUs and collaborative hash-cracking rainbow table generation, even salted hash is rapidly eroding in usefulness.  We're reaching a real tipping point here, people, where it doesn't matter what you do to the password, it's reaching the pint where you can't add more complexity and still have a human remember it.  We're going to have to go to crazy salt next, where we salt our password hashes with 60-80 byte random strings.

Problem 2 with passwords is that we know they are trivial to crack if we can gain access to the hashes.  Passwords can be cracked in minutes, not days, and creating highly complex passwords doesn't really effectively change that problem space, particularly with GPUs and rainbow tables.  Here's a tough question you should be asking yourself:  Since we know that to be the case, why do you ask users to create and remember crazy complex passwords?

Here I insert a pseudo-joke told to me by Kevin Flanagan, awesome crypto guy at RSA.  He noted the irony that organizations achieve FFIEC multi-factor compliance and FedEx tokens to their customers, and then the user account is a Hotmail, GMail or Yahoo!mail account.  The irony is nearly snort-out-loud funny, except that it's one of pain.  When you have a super-strong password, yet the only thing required to change it is to login to a web-mail account, who are we kidding here?  If you're armoring passwords and not armoring your password reset process, you have ventured into the realm of self-delusion and waste.  You must armor both, if that is your path.  I think an alternative path is much better, personally.  Multi-factor, adaptive authentication, fraud detection over the life of the transaction, span of control & toxic combination/segregation of duties and authorization certification are far more effective than forcing KX@CWLIJv909rdRwp032 as a password.

No, we can't really rely on passwords much longer at all, their usefulness is fading like that of the buggy whip -- great technology that provided acceleration in transportation for 3000+ years that has been eclipsed.  Passwords are ready to fall into antiquated history as anything more than 1 factor amongst 3-4.  Once you're past 2 into multi-factor, why keep password at all?