Passwords are Not for Security

Picture a kindergarten classroom. Every kid has a space to hang up their coat, their bag, and maybe to store their lunch. While it’s technically possible that one kid may steal another kid’s lunch, more likely a kid will take home the wrong bag by accident. Organizing a bunch of on-the-run kindergartners is an exercise in identity management. Whose coat is this? Where did you last see your bag?

Contrast that with lockers at the local gym. While it’s also unlikely that anyone will steal anything, you get a lock and key. You carry the key. If you forget your stuff or if you lose the key, the staff can open the locker for you (or get rid of your stuff after you leave it there, forgotten, for several months). If you do lose your key, the staff will probably ask you to identify what’s in the locker before they open it. Some places won’t be so nice, and stand by a “use at your own risk” policy. Managing gym locker contents is an exercise in security. Who has access? Who needs help getting into a locker?

The two seem pretty similar, but they actually serve very different purposes, and understanding the differences can provide critical insight into how an IT department can help (or hinder) the people whom it serves.

Kindergarten classrooms are a shared resource, with multiple constituents. Parents, teachers, and kids all collaborate to achieve the same goal: keep the kids’ stuff coming and going to the right places. Mistakes happen, but people eventually get their jackets returned to them, find lost umbrellas, or forget about a lost sandwich until a janitor finds it and throws it away.

Gym lockers are also a shared resource, with multiple constituents. But members, staff, and gym owners have different goals. Members bring an expectation of reasonable security for their stuff. Staff want minimal work to maintain that sense of security. Owners want the right balance of security and access such that members feel secure enough to leave their stuff while they work out, yet accessible enough that storing stuff isn’t a hassle, so that ultimately members continue to pay for using the gym.

Kindergarten classroom storage sees everyone collaborating toward the same goals. Gym locker storage sees everyone collaborating toward different goals. Everyone collaborates in both cases, but both cases serve different purposes, and this distinction mirrors the distinction between identity management and security.

A computer account works the same regardless of whether we log into our home desktop machine, our phone, our video game console, or our favorite social media account. A login identifies a particular user in the system. It doesn’t matter if we log in as Bob, SuperCool2093, or DingDongDang. The device or system sees our login, and pulls up any relevant settings and data accordingly. For a desktop computer, maybe we see our files. For a video game system, maybe we see the games we bought and the achievement points for that particular account. The act of “logging in” establishes an identity, much like a kid hanging up a coat on a hook under their name.

Some systems don’t care about identity. A library terminal for looking up books doesn’t need a login. The terminal just waits for someone to type in search terms. Most websites allow people to read them and navigate through them without requiring any kind of login. In that sense, everyone shares the same identity, i.e. “the public”.

Now, let’s ask a strange question. If Susie comes to kindergarten wearing Bob’s coat and bringing Bob’s lunch, and she puts Bob’s stuff in Bob’s spot when she arrives, what then? Well, Bob’s stuff ended up in the right place, but Bob wasn’t the one who brought it there.

The core of identity management resides with an account or login itself, not the identity of the person using it. This may sound strange, until we realize that people loan each other accounts and logins all of the time. The computer doesn’t care who uses a particular login, the credit card doesn’t care who makes purchases with it, and the car doesn’t care who sits behind the wheel. What matters in each case is that the particular parameters and preferences (files, account balances, seat positions) correctly associate with a particular identity.

Security intends to validate the identity of an account or entity, matching credentials to grant access to a particular set of data or access to a particular system. Do you have the encryption key to unlock this data? Does this credit card match with that particular financial account? Does your video game console’s login key match the key of the account stored online, in that particular 20-second window? You have the key, therefore the current contents of this gym locker are yours for the taking.

Neither identity management nor security “cares” about the actual identity of a given person. Instead, identity management looks to provide context within a system, and security looks to provide (or restrict) access. Identity management answers the question, “Whose stuff is this?” and security answers the question, “Who gets access to this stuff?” Understanding the difference between identity management and security shows us how to (not) leverage passwords.

When we log in to a system, a prompt for a password essentially asks, “Do you want to continue your use of this system via this particular login identity and all of the context that goes with it?” A password doesn’t care who we are, any more than an account/login does. A password simply acts as an “are you sure” prompt, to confirm you really do want to use the system as defined by that account’s identity.

Making passwords “more secure” is as ridiculous as putting an obstacle course in front of kindergartners’ lockers. Who wants to go to all that trouble to hang up their coats and put away their lunches? That’s why the more draconian password policies end up encouraging people to put passwords on sticky notes under their keyboards, or rotate between three or four variations of the same password. When passwords get used for security, we encourage people to make crappy keys. Instead, turn the place into gym lockers, and give people more complex keys to use in more complex locks. RSA keys, ID cards, biometrics… different keys all have their flaws, but they do act as keys. Using a password as a key pits an individual’s ability to generate and retain complexity against a machine’s ability to break it, a losing proposition for most humans.
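The two ideas above, a login that only selects context and a credential check that gates access, can be made concrete in a few lines. The following is an added illustration, not code from the original post: it keeps a constructed account directory, separates the identity lookup (no credential involved) from a salted-hash credential check, and compares the guess space of a short human-chosen password with that of a machine-generated key to show why the latter makes a better lock. The account names, file lists and the guess rate passed to `years_to_exhaust` are assumed sample values.

```python
import hashlib
import hmac
import math
import os
import secrets

# Constructed sample directory: a login name maps to the context the system
# restores for that identity (files, preferences). Nothing here is a secret.
ACCOUNT_CONTEXT = {
    "Bob": {"files": ["essay.txt"], "theme": "dark"},
    "SuperCool2093": {"files": ["save01.dat"], "theme": "light"},
}


def identify(login: str):
    """Identity management: pull up the context for a login, or None.

    No credential is checked; this is the coat hook under a name."""
    return ACCOUNT_CONTEXT.get(login)


def enroll(secret: str, iterations: int = 100_000) -> tuple[bytes, bytes]:
    """Store a credential as a random salt plus a slow salted hash,
    never the secret itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return salt, digest


def verify(secret: str, salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Security: does the presented key match the stored lock?

    compare_digest avoids leaking how many bytes matched via timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def make_machine_key() -> str:
    """A 32-byte random key: the 'more complex key' a machine can hold for us."""
    return secrets.token_hex(32)


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Size of the brute-force search space, in bits, for a uniformly
    chosen secret of `length` symbols drawn from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given (assumed) guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Identity: the same context comes back no matter who typed the name.
    print(identify("Bob"))

    # Security: only the matching key opens the locker.
    salt, digest = enroll("correct horse")
    print(verify("correct horse", salt, digest), verify("wrong horse", salt, digest))

    # An 8-letter lowercase password vs a 32-byte random key, at an assumed
    # 10 billion guesses per second.
    human = guess_space_bits(26, 8)
    machine = guess_space_bits(256, 32)
    print(f"{human:.1f} bits -> {years_to_exhaust(human, 1e10):.2e} years")
    print(f"{machine:.1f} bits -> {years_to_exhaust(machine, 1e10):.2e} years")
```

The guess rate is a placeholder; the point is the ratio, not the absolute number. Whatever rate an attacker can sustain, the short memorable password is exhausted in well under a second while the 256-bit key is out of reach, which is the gap the post describes between what a person can remember and what a machine can try.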

To be sure, using passwords isn’t “bad”. Most digital environments work like kindergarten classrooms, and don’t need much in the way of security, just identity management. People don’t generally mess with each other’s stuff other than to look at it. Security comes into play when the possibility of someone accessing and misusing either data or resources threatens our access and use. Only then do we add actual security on top of identity management.
