1 Purpose

PinBox intends to help people manage passwords. An introduction to the fundamental issues addressed by PinBox is provided herein along with a more comprehensive description of password characteristics.

1.1 Introduction

Passwords (sometimes called a personal identification number, or PIN) are those secret values that you have to create in order to use many of the services provided on the World Wide Web (WWW), as well as, a variety of other applications performed on your computer. Of course keeping them secret (i.e., known only to you) is what strong security is all about. As a result you very faithfully adhere to the principles of proper protection by conforming to the following rules:

• You never write them down, they are stored in your mind only.

• You never use real words that might be found in some kind of dictionary.

• They contain some number of non-language characters such as numeric digits and special characters.

• They contain a sufficient number of characters to make trial and error (i.e., brute force) attacks time consuming and expensive even for attackers capable of utilizing a bunch of fast computers.

• And of course, you change them periodically.

It seems reasonable to believe that the above might be practical for a limited number of such values. However, these rules are a bit unpractical for many people using modern information technology. For example, how many services that require you to logon to a website using a password have you registered to use? Typical logon mechanisms force you to create independent accounts with each website provider. Website providers tend to behave as if users are their captives. In that, users only need to use one website which of course is theirs. While this might be desirable from the provider’s point of view it doesn’t fit very well with reality for most people. A consequence of this phenomenon is that, in order to protect themselves, users are expected to store a rather large number of values in their mind. Furthermore, these values must be properly associated with other information pertaining to the logon scenario for all of the applicable websites.

The basic premise for PinBox is that it just isn’t practical for people to clutter up their mind trying to precisely store and retrieve logon information for all of the various entities with which they must deal in this manner. Rather, there exists a need for safely storing these secrets in a manner that they can be easily retrieved and used when needed. This criteria suggests requirements such as the following:

• Other users must NOT be able to retrieve the secret information from the storage media.

• Passwords should not be commingled with other information (e.g. address books) used for a different purpose. To do so would have the effect of unnecessarily exposing them.

• The storage media needs to be portable –

  • It must be practical to carry the media wherever it might be needed.

  • It must be practical to easily use the media on different computers.

PinBox addresses these requirements by providing the following:

• All user supplied data is stored in an encrypted database.

• The database contains only information related to the use of passwords.

• The database is designed to reside on removable media (e.g., USB flash memory drive).

• All necessary software is stored on the removable media so as to be usable on any computer that supports the media.

• Sign-on data can be selected and used to perform a robotic sign-on.

• Software installation on individual computers is NOT done.

PinBox uses terminology that is closely related to the notion of logon accounts maintained by service providers operating on networks. However, passwords with the same properties described above are also used for other purposes. For example, many software products have features that allow passwords to be used for protecting files. Many people, who have files deserving of such protection, are likely to forego the use of these features because they lack an effective means of managing passwords. PinBox can be used to maintain such passwords. For further advice on this refer to the User's Guide.

1.2 About Passwords

Passwords are pretty much meaningless by themselves. They have to be associated with something in order to be useful. The most common association involves combining them with an identifier. This is most typically the identification of a person (i.e., user) but could also include other kinds of objects such as files. The combination of the identifier and the password is then used to determine the authenticity of a request to use a service or object. In order for the service provider to use this information to determine the authenticity of service requests it is necessary to perform some kind of registration operation as a precondition for using the service. The term account is often used to refer to the result derived from the registration operation. Therefore, when referring to passwords, the following terms are especially relevant:

• User – A person who is identified by a distinct (i.e., unique) name within the authority of a registrar.

• Registrar – An entity that enrolls users for the purpose of creating an account relationship.

• Password – A secret value known only by the user that is then used to verify the authenticity of the user.

• Account – Relationship represented by the combination of a registrar and corresponding user. A password is also assigned for each account.

PinBox provides the means for maintaining these relationships using modern database technology combined with an interactive graphical user interface.

1.2.1 Users

The notion of a system abstraction that describes end users has slightly different ramifications depending on whether you view it from the perspective of the person or the service provider.

From the viewpoint of a person it is often most desirable to have a single name by which you are known to any/all service providers. Furthermore, you’d prefer the name to be short and easy to pronounce. It is also good if the spelling is easy to deduce from the pronunciation.

On the other hand, a service provider begins with the basic requirement to assign names to users that uniquely identify them in relation to all of their other users. A secondary objective is to minimize the cost of registering new users.

With the above in mind it is expected that people will use the same user identification on multiple accounts. However, because service providers typically operate independently any particular name may already be assigned to another person. Therefore, everyone is pretty likely to be known by multiple names. However, they will probably try to minimize proliferation, which means they will have relatively fewer names when compared to the number of registrars.

1.2.2 Registrars

As it turns out, typical mechanisms used on the WWW are often very casual (i.e., imprecise) in their approach to identifying registrars as well as service providers for that matter. This shortcoming is a bit curious when considering that the purpose of logon is to provide security. Unlike email services, the logon procedures used by most websites completely ignore the identity of the registrar. They seem to rely on (i.e., trust) that their users have found their way to the correct website. Unfortunately, it is incredibly simple for mischievous parties to provide a service that masquerades as that of a legitimate provider. Given the variety of navigational techniques used to steer people to a website this lack of formality presents a serious security exposure that affects most WWW websites. Fortunately, it is difficult to fake the actual delivery of the most critical services. Logon of course is the exception because it is easy to fake. Therefore, all WWW users are advised to positively confirm the legitimacy of websites to which they’ve successfully logged on. This can be done by confirming that an accessed website can provide information that is only known by the legitimate service. You need to be suspicious of any situation where you successfully logon but are unable to obtain information that can only be provided by the legitimate service provider. Of course, it is true that the whole idea of logon is to establish legitimacy before allowing use of the service. While this is possible, it is almost never done on the WWW.

Irrespective of the weaknesses in typical logon procedures it is necessary for people to keep track of their accounts. To do so means having a way to identify the registrar. Unfortunately, the lack of formality used on the WWW forces people to develop an informal method of their own. A suggestion that seems as good as any is to associate registrars with domain names when dealing with websites.

1.2.3 Passwords

Passwords are secret values associated with accounts that are used for the purpose of verifying the authenticity or legitimacy of service requests. This is often done using a logon procedure. To serve the intended purpose of providing security, passwords need to be protected from disclosure to others. However, in practice it is relevant to question how much security is needed and who is being protected by the security. A simple fact is that many websites demand the use of a logon password for things that don’t require any security. In fact, it is often done in cases where people would prefer, and in fact do choose, to remain anonymous by refusing to provide genuine information concerning their personal identity. Another unfortunate phenomenon is that many service providers have come to believe that enforcing rules on the formulation and maintenance of passwords has the affect of mandating stronger security. This belief is quite shortsighted. It fails to recognize the burden imposed on people who have to deal with many services enforcing different rules. The affect is much more likely to provoke users to compromise the basic principles of password protection mentioned previously. In many situations, it also fails to consider who is being protected. In those situations where it is the user who needs to be protected it is quite unreasonable for a service provider to interfere with their ability to do it according to their personal preference.

Given that the need for security ranges considerably for different accounts there is no one-size-fits-all approach to the matter of password formulation and maintenance. This means that passwords may or may not be shared between different accounts under different circumstances. Therefore, the formulation of a password should properly be viewed as being independent from the association with an account. The assignment of a password to an account should consider a variety of factors, such as the following:

• What strength of security is appropriate for the account?

• How often is the password going to be used?

• What rules are enforced on the password (e.g., for expiration and/or formulation)?

It must also be recognized that changing passwords (i.e., assigning a different value) is something, which typically happens on a per account basis. In that, assigning a different password for one account does not affect other accounts.

1.2.4 Accounts

As used herein an account refers to the enrollment of a user by a registrar. This combination of user and registrar must be unique. In that, the notion of multiple accounts with the same combination of these names is invalid. Be aware that while the combination of user and registrar define an account with respect to PinBox, the unique value assigned to designate the registrar is assigned by you and is typically not used anywhere else. Its only purpose is to allow you to keep track of the entities with whom you have such relationships. On the other hand the userID is typically used, for the purpose of authenticating the party requesting access, during preliminary processing activities such as logon protocols.

A really bad idea that many service providers have adopted is the use of an email address for identifying their users. This amounts to reusing another registrar’s account (as defined above) for their own. This bad idea gets even worse when the service provider attempts to rely on the user identification for communicating with the owner of the account. Consider that email addresses (i.e., accounts) are not permanent. The idea that people should coordinate the change of an email account with an indefinite number of other accounts is extremely impractical if not impossible. Furthermore, while it should be considered bad practice there is nothing that prevents a cancelled (discontinued) email address from being subsequently assigned to another person. This introduces the possibility that the user identification for your account actually belongs to another person. This all becomes quite troubling when you are confronted with the need to recover your secret password by requesting the service provider to send it to an email address that is no longer yours and could possibly have been assigned to another person.