Who owns your password?

Brad Detchevery
3 min read · Feb 1, 2022

I was part of a rather interesting discussion the other day about passwords. Most services today require a strong password, one that is 16+ characters long, has upper and lower case characters, numbers, and special characters, basically something you will be sure to forget 5 seconds after you made it.

A password is a ‘factor’ of authentication. It ‘proves’ who you are to a machine. Password authentication is inherently broken because if someone ‘hacks’ your password they can impersonate you, and the machine does not know the difference. That is why it is best, when possible, to use ‘multi-factor’ authentication.

Nevertheless, most services will tell you to never write your password down, to keep it only in your head, and especially not to share it with others. Some services go so far as to say you are in violation of their terms of service if it is discovered you shared or stored your password in any way.

It has always frustrated me that ‘software’ seems to be the exception to every rule. If I buy a car, I own the car, and I can do what I want with it. If I want to shoot it into space — so be it — it’s my car.

But you never really ‘own’ software. You simply purchase the license to use it. I suppose it could be argued it is similar to music/movies — technically you don’t own them either, but that’s a different story.

So if I truly own my password, I should be able to do whatever I want with it: store it in a secure system like KeePassXC, write it down, or even give it to other people, right? It’s my password after all, isn’t it? But I don’t ‘own’ the service that the password accesses; I simply pay for the “right” to use it.

And if it’s not my password, if say it belongs to the company that employs me, then am I responsible for what happens to it? I don’t own the laptop my work purchases for me; they paid for it, therefore they get to determine the rules for how it can and cannot be used. The company issued me the laptop, but it did not ‘issue’ me a password.

There is an important reason for this, and it is called ‘plausible deniability’. Now, I am a computer geek, not a lawyer, but basically if it can be shown that someone else has access to my password (i.e. it was ‘issued’ to me by a company) and my account is used for illegal activities, then I have ‘plausible deniability’ for any crime committed. Why? — because I can deny that the person represented by that username/password combination is actually me! (Note: this does not work if you give away your password freely — only if someone else ‘issues’ it to you and stores it outside of your control). I can claim that anyone could have logged in and impersonated me because I was unable to create my own password for the service. This is why you must pick your own password, and when you reset your password, no one, not even the admin(s), can know what it is. (i.e. the admin now has plausible deniability for your account)
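The claim that after a reset not even the admin can know the password comes down to how the service stores the credential. As an added example (not code from the article), this Python sketch stores only a random salt and a slow PBKDF2 hash, so the service can verify a password but never read it back, and lets an admin invalidate a credential by issuing a one-time reset token that only unlocks the user's own choice of a new password. The function names, record layout and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # assumed iteration count; tune to your hardware


def set_password(password: str) -> dict:
    """Store a random salt and a slow hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex(), "must_change": False}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    if record.get("hash") is None:  # credential invalidated by a pending reset
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def admin_reset(record: dict):
    """An admin can revoke the old credential and hand the user a one-time token.

    The token only authorises complete_reset(); the admin never learns the
    password the user chooses afterwards, which is the point the article makes.
    """
    token = secrets.token_urlsafe(24)
    new_record = {
        "salt": None,
        "hash": None,
        "must_change": True,
        "reset_token_hash": hashlib.sha256(token.encode()).hexdigest(),
    }
    return new_record, token


def complete_reset(record: dict, token: str, new_password: str) -> dict:
    """The user redeems the token and picks a password only they know."""
    if not record.get("must_change"):
        raise ValueError("no reset pending")
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["reset_token_hash"]):
        raise ValueError("invalid reset token")
    return set_password(new_password)
```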

So we are left with a dilemma. Either I own my password (like a car) and I can do whatever I want with it, no matter how insanely stupid, or the service provider who dictates the rules of what I can and cannot do ‘owns’ my password. In that case it is their password, not mine, and I have to follow their rules, but as an extra bonus I have plausible deniability for anything that happens to it. You can’t have your cake and eat it too!

What do you think?

Brad Detchevery

Brad is a self-proclaimed ‘geek’… and proud of it. From computer programming and consulting to writing and public speaking — Brad shares his ‘geekwisdom’ with us.