Rethinking Computer Passwords

Ancient Egyptians purportedly used crocodile dung as a contraceptive. The Greeks practiced pederasty. And Abraham Lincoln is older than the doorknob. Which is all meant to say this: sometimes, the common practices of the past are simply absurd by modern standards. It therefore stands to reason that today’s common axioms will be absurd, barbaric, cruel, and perhaps even bafflingly stupid to our descendants. How often, if ever, do we stop to really challenge the dogmas and practices of everyday life?

Today, the information from two websites on computer passwords will be used as the basis for an examination of computer passwords and their future.[1],[2] These aren’t academic sources, and like Gödel, I’m not concerned with the factual veracity of my axioms. Instead, I will proceed as if they are true, simply for the exercise of arriving at a new conclusion.

In short, a computer password like “Password” is currently translated by the host website into something of a unique code, comprised of numerous binary characters. The simple example from one site is this, “ADD = 1 + 4 + 4 = 9.”[3] This process, grossly simplified here, is apparently called a hash. Slightly more complexly:

  1. You tell them you want your password to be marbles
  2. Instead of storing marbles, they hash it and store something like 3832c instead.
  3. Next time you want to sign in, you say “my password is balloons!”
  4. They hash balloons and get d0eea, which is totally not the same as what they already have stored (3832c). REJECTED!
  5. You try again with marbles – they hash it, get 3832c, and since it’s the same as what they stored already you’re good to go. SUCCESS!
  6. Hackers hack the database, get your email address and 3832c, which they totally can’t use to log in to your Facebook account. BUMMER FOR THEM![4]

As any curious reader could surmise, the process has significant variables, including techniques called salts, which make the hacking of information exponentially more difficult (or logarithmically more difficult?). Regardless, I suspect this is why, when “hackers” invade the sanctum sanctorum of the DNC, or Target, or wherever, they can steal CC information, email addresses, SS numbers … but never (rarely?) passwords. This is because the hacked system stores the passwords as encrypted information, linked to a specific email address, and useless when taken out of context.
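The marbles/balloons steps and the salt mentioned above, as a short runnable sketch. This is an added example, not code from this post or from the two sites it cites; the function names, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch; real sites tune this


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted, one-way derivation: cheap for one login, costly to guess in bulk.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(password: str) -> dict:
    """Build the record the site stores: a random salt and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    return hmac.compare_digest(_derive(attempt, record["salt"]), record["hash"])


def demo() -> dict:
    # Two constructed accounts that happen to pick the same password.
    first = enroll("marbles")
    second = enroll("marbles")
    return {
        # Step 4: "balloons" hashes to something else, so it is rejected.
        "balloons_accepted": verify(first, "balloons"),
        # Step 5: "marbles" reproduces the stored hash.
        "marbles_accepted": verify(first, "marbles"),
        # The salt: identical passwords no longer share a stored value,
        # so one precomputed table cannot cover every account.
        "same_stored_hash": first["hash"] == second["hash"],
        # Step 6: typing the stolen hash into the password box gets hashed
        # again and does not match.
        "stolen_hash_accepted": verify(first, first["hash"].hex()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A stolen record still lets an attacker test guesses offline against that salt and hash, which is why the derivation is deliberately slow.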

 

All of this is well and good, but it seems to me not only a missed opportunity, but a serious flaw. Encryption can always be out-thought, from what I understand, and anything that “exists” can be stolen, somehow (my citation is the Soderbergh Ocean’s 11). Instead of encrypting, transmuting, and distorting passwords that *do* exist in the system – why not use passwords that *do not* exist?

Think of it like this: in the current system, when a user enters his login information (usually his email address), it links to a (encrypted, blah blah blah) password. If the email address and password match what is on file, then, like a key, the door is opened and the user gains access. Somewhere, the password exists in some form and must match that which exists in order to grant access.

Now, imagine this conception instead. An email address or user ID is entered, bringing the user to an impenetrable Rubik’s cube of a wall, an encrypted barrier through which no entry is permissible. All email addresses lead to a unique wall (unique to each site, that is), made of millions (billions? trillions?) of random matrices, each of which defies any reason or logic. It would be un-hackable, because there is no logic to it (and most hashing requires some sort of calculated guess as to the nature of the user’s password).

Okay, so this is quite stupid and useless so far. Let’s look at an example for, say, Amazon.com. Each Amazon account is identified by the email address used, correct? So I enter my email address, email@address.com, and instead of seeing if my password matches one stored on its servers, I am brought to a digital Great Wall of China, impassable to everyone due to its absurd complexity.

However, when I created my account, I was also asked to create a password. This passcode is a simple series of letters or numbers (e.g., Password) that, when created, makes a *one time* hole in the billions of characters that comprise the internet wall. That is to say, when I create my account and my password, the act of creating that password slightly but fundamentally re-writes the revolving, morphing matrix of code that a hacker could not pass or deduce.

Then, conceptually, instead of my password being a key that lets me through, the password is the fingerprint which, when aligned perfectly with the revolving matrix, allows light to pass through. No metaphorical door is swung open because of an entered passcode that is verified by a stored passcode; instead, the passcode exists only as a subtraction from a veritable morass and avalanche of digital noise and fortifications.

Additionally, of course, we add on things like the amount of time the passcode entry takes. For instance, if an intruder were to hack and try hundreds of billions of combinations, even a supercomputer would take a few minutes. But a user’s fingers have a certain rhythm – the passcode must be entered with the same rhythm and speed, constancy and tonality, as when it was originally created.

[1] https://www.wordfence.com/learn/how-passwords-work-and-cracking-passwords/

[2] https://brooklynbrainery.com/blog/how-passwords-work-in-90-seconds

[3] Ibid.

[4] Ibid.