William Cheswick Helped Invent Internet Security. He'd Like to Say He's Sorry.

It's a hot afternoon in July on the AT&T Labs campus in Florham Park, N.J., and William Cheswick, on staff as a principal researcher, has been asked to open the summer lecture series on any topic of his choosing. Cheswick is a polymath, an inventor, and a hacker, but he is best known as a network-security god; he wrote the book, literally, on firewalls, coined the term "proxy server," figured out how to map the Internet. The auditorium is filled with graduate students and career researchers with terminal degrees, eager to hear whatever Cheswick dispenses. Upstairs, in and around his office, lie all manner of breakthrough ideas—for strapping wireless Internet boxes onto airplanes, not for the passengers aboard but the people in flyover country beneath; for arranging thumbnails of every frame of famous movies into gigantic 54-inch-by-5-foot murals, fit for a modern art museum; for unraveling the backup Internet architecture of Iran. But Cheswick doesn't want to talk about that. Today, in front of all these bright minds, Cheswick wants to talk about something truly radical. He wants them to change their passwords.

As I wrote in last week's issue of NEWSWEEK, there is a growing consensus among Internet security experts that the way we secure our stuff online is a shambles, and that innovation in the space is long overdue. Professors at Carnegie Mellon University and elsewhere in academia are leading the way, but—how to put this diplomatically?—the field is known more for magnetic tape than magnetic personalities. That's where Cheswick comes in. The eccentric researcher is often asked to speak at conferences around the world, and two years ago, he decided to use his soapbox to advance the passwords cause, as only he can. (There's video of his talk online, and you can also download the slides.)

In Florham Park in July, sweating into his model railroad club T-shirt and jean shorts, Cheswick opens his lecture by racing through the password requirements of various Web sites and computer systems.

  • One mandates that passwords must be at least seven characters, no more than 50, and include letters and numbers but not spaces or quotation marks.
  • Another system requires passwords to be exactly six characters.
  • A third requires a pass phrase of four words, separated by spaces, with at least one of them five characters or longer, totaling between 11 and 50 characters, and forbids quotation marks, something called "ASCII newline characters," and any three consecutive identical characters.
  • A fourth system, a government agency, bars dictionary words, dictionary words in reverse, phone numbers, any nine consecutive numerals, nouns with a two-digit year string attached, and the name of any person, pet, child, or fictional character.

Remember, Cheswick notes, nearly hyperventilating: you're supposed to use a different password for each site. And change them frequently. And never reuse one that you've used before. Without writing any of them down.

"Who," Cheswick blusters, "is responsible for this eye-of-newt, witches'-brew password fascism?!"

The geniuses in the audience titter, because as Cheswick happily discloses, he is, a little. The book he co-wrote in 1994, Firewalls and Internet Security: Repelling the Wily Hacker, informed the first big generation of Web-site creation, and its guidance on passwords is likely confounding your life today. You can read more about the surprising flaws of complex password rules, biometrics, and "challenge questions" in my NEWSWEEK piece. Cheswick has long known that passwords as we know them are mostly junk—in recognition of this, he tells me, the password on his personal laptop is but a single character—so he uses his lecture to get the audience thinking creatively about how to improve the system. None of his suggestions are nearly ready for prime time; they're merely meant for inspiration. They are, in his parlance, "Some Whacko Ches Ideas":

  • Passmaps. Users pick a geographic location special to them—like a small lake in the Adirondacks. Zooming way in on Google Maps, the user copies the latitude and longitude. This creates a long password, difficult to guess, that the user doesn't have to memorize. Mine might be 40.730487,-73.984431.
  • Passgraphs. This one's not exactly user friendly for anyone who hated math class. It requires you to zoom in on a particular point in a Mandelbrot set and use those coordinates as your password—basically, the same idea as passmaps above, but it doesn't require any interaction with a map service owned by Google or Microsoft.
  • Passwords transmitted in plain sight. Baseball players, Cheswick notes, use passwords all the time: they take elaborate signs from base coaches in full view of their opponents, fans, and TV viewers. They look complicated, but hey, if dimwitted jocks can use them, there must be an underlying simplicity that anyone can master, and that would obviate the danger of bad stuff like malware and keyloggers.

After Cheswick's talk, a fellow researcher bounds up to him in the hallway outside his office. He'd been thinking about images: has anyone ever attempted an authentication scheme where the user enters a login, and then must zap and submit a cell-phone photo of something detectable─say, a smiling face, or something orange, or a rectangle─within the next few minutes?

"Oh God," says Cheswick, knowing an original idea when he hears one. "Ohhh, God."

"I smell a patent!" the researcher, Dave Korman, chirps.

"I smell two patents!" says Cheswick.

Passimages. Don't expect them—or any of the exact ideas above—on your Webmail page soon. But with Cheswick stoking the creative fires of the industry, something better is on the way.