What's a password?

A primer on passwords, their application, issues, and how to do them right by going back to first principles.

If we played Word Association and I said password, what would be your next thought?
Confidence? Trust? Safety? Serenity? Reassurance?

Anxiety? Frustration? Incorrect? Reset? That one word you use to secure every account because, who cares?

What’s going on with passwords? Why are they everywhere, and why are they such a pain?

You shall not pass

Before we try to answer any of these questions, let’s go back to the basics for some context.

On the internet, a website cannot see your face or recognize you in any traditional way. If a site holds something that is there for use by you alone, whether that’s a bank or a Twitter account, the site needs some way of knowing who you are.

In digital security, the process of determining who you are is broken down into two key ingredients: identification and authentication.

Identification involves you telling the site who you are.
Usually you do this by giving the site your e-mail address, a login name or number.

Identification by itself is not enough. It turns out humans are capable of lying about their claims, and the site needs to know that you truly are who you say you are. Authentication therefore is your offering of proof for your claim.

Authentication involves some information that the site can verify and that can only come from you.
Usually you do this by giving the site a password.

There are many different ways authentication can happen in an online world, but unfortunately most of these require special software which hasn’t been universally adopted by websites.

Passwords are an extremely popular method of authentication primarily because they are very simple to implement for websites and most people can understand the basics quite easily. Unfortunately, they also largely shift the burden of security onto the individual, a predicament most websites aren’t particularly troubled by.

At its core, a password is effectively a secret that is known exclusively by you and the website.

Since theoretically no one other than yourself is able to provide this secret, the site believes you when you offer it up in proof of your identity.

The promise that wasn’t

I don’t know which is the robot and which is real! Quick! Say something only my husband would know!

The concept of a password seems sound: a secret known only by the other party and yourself serves as a great tool for proof of authenticity.

In practice, however, we are acutely aware of how we’ve stretched the concept far beyond its limitations.

  • We share our secrets with friends and family,
  • We re-use our secrets across many sites,
  • We keep our secrets on paper or somewhere they can be easily found,
  • We use secrets that aren’t really secret,
  • We use secrets and then we forget them ourselves,
  • We have way too many secrets to keep track of,
  • We hand our secrets over to a company that we have no control over,
  • We get locked out completely when we lose our secrets.

Why does this happen? What has gone wrong?

What’s happened is that we’ve been forced to disregard the basic requirement:

The secret is known exclusively by you and the other party.

We feel that we cannot realistically do what websites ask of us and still hold religiously to this principle, so we have allowed apps and companies to convince us that it’s normal and okay to make sacrifices.

If we’re going to find a solution and return to verifiable authenticity, we need to discover how password use in our modern lives can go wrong and propose a solution that manages to avoid each of those pitfalls.

There’s too many of them!

Well, they banned password re-use. What do you expect me to do?

Having the secret is quite crucial when you’re in the position of needing to use it as proof. In an online world where we need to engage with hundreds of unique entities and prove our identity to each of them, this knowing becomes an untenable predicament. It’s unrealistic for us to remember secrets in the hundreds, keep them all straight and distinct from each other, and be ready to offer them up at a moment’s notice.

The inevitable result is that we reach for short-cuts. We write down our passwords so we have a reference. We reuse our passwords so we reduce the amount of secrets we need to remember. We simplify our secrets or come up with “clever” derivation techniques such as spelling the site’s name backwards.

Afraid of losing our passwords, we save them in databases that we can’t read or send them to online clouds we have no authority over.

In a clumsy balancing act, we either attempt to save the ability to “know” our passwords by sacrificing their “exclusivity”, or the other way around.

Can you guess?

- What’s the secret password? - I don’t know. - Correct. Come on in.

Their new line of sneakers is out! The online store just opened and the news is out. It’s a race to the basket and through the online checkout. Confirm!

Name! Email! Password?

Who has time for passwords? Who has patience for passwords?
What on earth should I even use for yet another new password?
It’s those kicks I want!

Secrets are fine as a concept, but where should they come from? You don’t want to offer up actual private secrets to arbitrary entities such as website owners. How should I come up with a new secret word that is also sufficiently exclusive that others won’t be able to guess it if they tried?

A good secret is a science, and you might not be surprised that humans aren’t particularly great at it out of the box. The science tells us that the best secret is one that is entirely random within its domain. How random is your bank card’s PIN code?

If you gave someone who really wanted to get in a full day to guess at it, would they? How exclusive is your password really?

Incorrect password.

Valley Of Forgotten Passwords

If there’s anything more frustrating than needing to come up with a new password, it’s trying to come up with your old password.

So what do we do? Reset password. But we don’t make that same mistake again, of course. Make it “letmein!”, of course.

Then write it down, save it in your Notes app and sync it to your browser’s online password cloud. Not stubbing our toe on that corner again.

Whose secret is it now, though? Certainly not yours.

With all of your passwords in the hands of a corporate entity, an entity that you do not have a contract with, that exists outside of the bounds of your government’s jurisdiction, whose datacenters are anywhere on the planet and whose employees you have no reason to trust, how much control do you really have over your own online individuality?

First principles

Well, that was a bit of a downer. It sounds like passwords are quite the chore – and of course, this is exactly the experience that we’ve all been having and coping with.

Is there a way to escape this nightmare? Let’s summarize a wishlist:

  • I don’t want to have to remember a ton of things
  • I don’t want anyone else having control over my passwords
  • I don’t want to be dependent on anyone for access to my own passwords
  • I don’t want to risk getting locked out of my passwords
  • I don’t want passwords an authority or criminal could seize or lay siege to
  • I don’t want anyone able to find, steal or discover my secrets
  • I don’t want to have to do mental gymnastics to get to my secrets
  • I don’t want to have to do any work when creating a new account
  • I don’t want to worry about ever forgetting or losing my passwords again
  • I want passwords that are scientifically good passwords
  • I want passwords that are practically impossible to guess
  • I want passwords that my relatives can inherit should anything happen to me
  • I want passwords known exclusively by myself and the site I use them for
  • Bonus: I want passwords ready for the apocalypse

That sounds like a perfectly reasonable wishlist, wouldn’t you agree?

Take a moment to test it against the password solutions that you already know of. I’ll wait.

Statelessness

The Internet is rife with “solutions” to our password problems. Pretty much every major Californian giant has the solution on offer, supposedly. And yet, here we are, still frustrated. Why?

That wishlist of ours may seem unreasonable from the perspective of what we’ve been forced to settle with. We couldn’t think of any way to realistically tick off all of those boxes. Whatever program or life-hack we fall back to, we end up having to sacrifice some needs just to tick off others. Why?

Spectre was developed with the intention of being uncompromising and the only way to do that is to go back. Back to the very root, the very beginning. The definition of passwords.

The secret is known exclusively by you and the other party.

One core principle has been at the root of solving this problem without compromise: statelessness.

Statelessness means the absence of state – a stateless solution is a solution that works without ever saving anything anywhere.

With Spectre, your passwords are the output of an algorithm, a bit of math performed by the computer, for you, just when you need the password. When you’re done, the password is erased and disappears.
Until you need it again — just run the formula and out comes the same password, just for you.

Spectre is a calculator; 7 * 14 = 98. AC
Try again; 7 * 14? Yup, it’s still 98.
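
The stateless idea described above, sketched as an added example; this is not Spectre's actual algorithm or code. The scrypt parameters, the `stateless-demo/...` labels, the character classes, the template and the sample identity are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed for this example (assumptions, not Spectre's real values).
CLASSES = {
    "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou",
    "c": "bcdfghjklmnpqrstvwxyz",
    "n": "0123456789",
    "o": "@&%?=_:-+*$#!",
}
TEMPLATE = "CvcnCvcoCvcnCvco"  # one character class per output position


def user_key(full_name: str, secret: str) -> bytes:
    """Stretch the single memorised secret; the name serves as the salt."""
    salt = b"stateless-demo/user" + full_name.encode("utf-8")
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=64)


def site_password(key: bytes, site: str, counter: int = 1) -> str:
    """Compute one site's password from the key; nothing is read or saved."""
    msg = b"stateless-demo/site" + site.encode("utf-8") + counter.to_bytes(4, "big")
    seed = hmac.new(key, msg, hashlib.sha256).digest()
    # Each seed byte selects a character from the class named by the template.
    # byte % len(...) is slightly biased, which is fine for a demonstration.
    return "".join(CLASSES[t][seed[i] % len(CLASSES[t])]
                   for i, t in enumerate(TEMPLATE))


def derive(full_name: str, secret: str, site: str, counter: int = 1) -> str:
    """Same inputs always give the same password; bump counter to rotate it."""
    return site_password(user_key(full_name, secret), site, counter)


if __name__ == "__main__":
    # Constructed sample identity and secret.
    print(derive("Jane Example", "a long passphrase only Jane knows", "example.com"))
```

Because every site password is a function of the one memorised secret, the slow key-stretching step is what stands between a leaked site password and an offline guess at that secret.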

All the things?

Everything

Spectre was built intentionally to be different. It has been securing people’s lives since 2011. Its algorithm has cryptographic hardening at several stages, and we’ll dive into the details of its security characteristics in a future post.

But, what really matters is our wishlist.
So let’s take an honest look:

I don’t want to have to remember a ton of things
Spectre asks you to remember one single Spectre secret. Oh, and, your name.

I don’t want anyone else having control over my passwords
Your passwords exist nowhere. They are pure math. A spectre, you might say.
Control requires your Spectre secret. Tell no-one and you maintain sole control.

I don’t want to be dependent on anyone for access to my own passwords
Spectre is Free Software, its mathematical algorithm public and its code Open Source. You don’t need us, you don’t need backups, you don’t need the cloud. You need your personal Spectre secret and you need the algorithm.
Trust us, or don’t. Get someone you trust to verify the math and code for you.

I don’t want to risk getting locked out of my passwords
Since the bare minimum for getting any password is your Spectre secret and the algorithm, everything else may fail, but you can still derive your passwords.

I don’t want passwords an authority or criminal could seize or lay siege to
Seizing or sieging something requires that it exists in a certain place. Spectre’s passwords don’t exist - they are mathematical derivations. Don’t store or give up your personal Spectre secret and no-one can access what comes from it.

I don’t want anyone able to find, steal or discover my secrets
Since Spectre doesn’t save or send your passwords anywhere, there’s really nothing to steal or find. Don’t tell anyone your Spectre secret, done.

I don’t want to have to do mental gymnastics to get to my secrets
The algorithm may be a math formula, but we’ll take care of the solving.
Just tell us the site you want a password for, and we’ve got your password.

I don’t want to have to do any work when creating a new account
Same deal – tell us the name of a site, we’ve got your password. Simple and done.

I don’t want to worry about ever forgetting or losing my passwords again
It’s math. The solution doesn’t disappear just because you forgot it.
Even if you were to lose everything you have and hold: get a Spectre app, enter your full name and Spectre secret. All your passwords are there, instantly, no backups, no Internet, just math.
But, uh – don’t forget your Spectre secret. Without it, you may just be the clone.

I want passwords that are scientifically good passwords
Spectre’s passwords are cryptographically generated from uniform one-way hashing algorithms encoded into password policies designed to find the perfect balance between maximum entropy and maximum usability.

I want passwords that are practically impossible to guess
There are two types of guessable passwords: prior knowledge and low entropy.
Spectre’s passwords are immune to guesses based on prior knowledge since there is no trace of personal information on you in them.
Spectre’s passwords are high entropy, making them maximally hardened against random guesses.

I want passwords that my relatives can inherit should anything happen to me
Pass your personal Spectre secret on in your last will and testament.

I want passwords known exclusively by myself and the site I use them for
Exactly.

Bonus: I want passwords ready for the apocalypse
Hold that thought.

But, what if…

It’s a fair question.
What if a dictatorial government seized power and forced the police to search our homes? Confiscated our electronics, subpoenaed security companies to surrender our credentials? What if you were kidnapped and your belongings taken from you? What if you lost everything you had in a natural disaster?

What if your country collapsed into chaos, Spectre was dissolved, an apocalypse raged and all you needed to unite the world was to find a Starlink dish and patch into reddit, the only site left operational, run invite-only by a cabal of rebels?

Spectre has you covered. Maybe keep a paper copy of our algorithm handy.