The iCloud password problem
September 5, 2014  

Apparently this week’s celebrity nude photo scandal was made possible in part by weak passwords, and perhaps a lack of rate-limiting on password attempts on Apple’s iCloud service.

Apple has responded by saying that “they will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.”

This caused thegrugq to snark,

New Apple plan to inform you after someone has stolen your data their big security “improvement”

INCORRECT. It’s good to notify people when something goes wrong, and the sooner, the better. No security is perfect and you have to have a plan for when it fails. It’s true that once your data is out there, it’s probably too late for that data, but dozens of people were hit by this. With alerts, Apple would have started paying attention early on and perhaps prevented many of these breaches. These events are infrequent, so they won’t lead to a blizzard of alerts that will be ignored by customers.

Alerts on significant events are a good way to make sure that any service is working as the customer expects. I like my bank to alert me on financial transactions, for example. (Many banks don’t, won’t, or can’t.)

Kaminsky says:

It’s time we start outright blocking passwords common enough that they can be online brute forced, and it’s time we admit we know what they are.

We’re not quite ready to start generating passwords for users, and post-password initiatives like Fido are still some of the hardest things we’re working on in all of computer engineering.

Also INCORRECT! Kaminsky’s viewpoint is the conventional wisdom, though, so I’ll spell out my argument here in heavy-handed, mansplainin’ style.

The best password is a random password

If you asked a cryptographer 40 years ago, “How should I pick a good password?”, they would have said, “Pick a password at random.” A random password is the best password. It’s provably the best password. Math says it’s the best password. It was true 40 years ago, it’s true now, it will be true in a thousand years. This is completely obvious to cryptographers and other security professionals.

People can’t remember random numbers

It’s also obvious that most people cannot remember large numbers of random bits, they don’t want to do it, and they should not be relied upon to do it.

If you think this is a good solution for you, think about some of the other people in your life.

Accept reality

Somehow, the collision of these two obvious facts has spawned decades of academic research on how to get people to pick strong (more random) but memorable (weak) passwords.

Sorry, mnemonics, spaced repetition learning, and other memory tricks are great, but almost no one will use them. Time to give up.

Apple can do it

Apple is in a unique position. They are a vertically integrated monster of a company, with billions and billions of dollars in the bank. They design the hardware, down to the chip level. They write their operating systems. They write their apps and they write their services. All of that is proprietary and they can change it (and often do) at will.

All of Apple’s customers have Apple hardware, primarily smartphones. Very few of their customers access their services from non-Apple hardware. Non-Apple access to Apple services can be handled separately.

Crucially, Apple does not have to go through a standards process (e.g., the aforementioned FIDO). Those should be avoided like the Ebola virus.

What to do

Help customers use random passwords (or their equivalent).

For example, public key cryptography is about 40 years old; perhaps the time has come to use it. Generate a key pair on each device, register the public key with the service, and use a public/private key authentication protocol that is transparent to customers.

Or, generate a random password on each device and set up your software to use that to authenticate. In that case, use something like SRP so that the password never leaves the device—under no circumstance should you transmit the password to the server. If you don’t like SRP, crypto researchers have come up with plenty of other alternatives over the past four decades.

What about synchronization?

Don’t do it! There is no reason to synchronize a random password/key to the cloud or to a customer’s other devices. It should be device specific. Apple already knows about all of your devices; it can manage multiple passwords/keys per account.

Bonus: when a device is stolen, revoke the password/key of just that device.
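
The per-device key scheme described under “What to do” and “What about synchronization?”, as an added Go sketch that is not code from this post or from Apple. It assumes Ed25519 signatures over a server-issued challenge; the names `Account` and `NewDeviceKey`, the device IDs and the `device-auth-v1` label are all made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Account is the server-side record: one public key per device, no shared secret.
type Account struct {
	keys    map[string]ed25519.PublicKey // device ID -> registered public key
	pending map[string][]byte            // device ID -> outstanding challenge
}
func NewAccount() *Account { return &Account{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// NewDeviceKey runs on the device; only the public half is sent to the service.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// Register adds a device key; Revoke removes that one device and nothing else.
func (a *Account) Register(id string, pub ed25519.PublicKey) { a.keys[id] = pub }
func (a *Account) Revoke(id string)                          { delete(a.keys, id) }

// Challenge returns a fresh nonce, or nil if the device is unknown or revoked
// (or if no randomness is available, so a predictable challenge is never issued).
func (a *Account) Challenge(id string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil || a.keys[id] == nil {
		return nil
	}
	a.pending[id] = nonce
	return nonce
}

// Sign runs on the device; msg binds the signature to this protocol and device
// (the "device-auth-v1" label is a constructed value).
func Sign(priv ed25519.PrivateKey, id string, nonce []byte) []byte { return ed25519.Sign(priv, msg(id, nonce)) }
func msg(id string, nonce []byte) []byte                           { return append([]byte("device-auth-v1|"+id+"|"), nonce...) }

// Verify consumes the challenge, so a captured signature cannot be replayed.
func (a *Account) Verify(id string, sig []byte) bool {
	nonce, issued := a.pending[id]
	delete(a.pending, id)
	return issued && len(a.keys[id]) == ed25519.PublicKeySize && ed25519.Verify(a.keys[id], msg(id, nonce), sig)
}

func main() {
	acct := NewAccount()
	pub, priv, _ := NewDeviceKey() // error ignored for brevity in this demo
	acct.Register("phone", pub)
	fmt.Println("login ok:", acct.Verify("phone", Sign(priv, "phone", acct.Challenge("phone"))))
}
```

Nothing secret is stored on the server or synchronized between devices, and revoking one device leaves the others' keys valid.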

But I love passwords!

Notice that what I’m suggesting is in fact a kind of two-factor authentication. To access a service you have to access your phone, which requires a PIN (that is, a password) or fingerprint ID. So the PIN/fingerprint is one factor and the phone, with its stored random password/key, is the second.

Go ahead and support (more) passwords if you like. “abc123” plus hundreds of random bits is no less secure than hundreds of random bits alone.

Just don’t synchronize passwords into the cloud.

What about account recovery?

That’s a hard, unsolved problem. You should pay some security experts to fix that for you. 40-year-old knowledge is free; research and engineering, you have to pay for.