The document discusses the vulnerabilities of conventional password systems and proposes an alternative called the "Expanded Password System". It notes that passwords like "Iloveyou" and "1234" can easily be hacked. Current proposals to replace passwords, like biometrics or password managers, still rely on passwords and have their own flaws. The Expanded Password System turns low-entropy passwords into strong authentication, easing management burdens while deterring attacks and supporting existing schemes. It is being developed as an open standard and could provide a simple solution to password problems.

1. Cyber Predicament
by Text-Only Password Systems
Abstract
It is obvious that we can no longer continue to rely on the
conventional form of password systems. Nor can the conventional
forms of deploying biometrics, ID-federations and multi-factor
authentications that have relied on the conventional password, as
a fallback means, a master-password and one of the factors
respectively. However, we do not have to despair. There exists an
incredibly simple solution to it, though little known to the public
as yet.
Password Predicament
You are probably aware of the huge data breach that a student
brought about in Germany. A NYT report on 8/Jan (*1) reads "A
20-year-old German student took advantage of passwords as
weak as “ Iloveyou” and “1234” to hack into online accounts of
hundreds of lawmakers and personalities whose political stances
he disliked, officials revealed Tuesday, shaking Berlin’s political
establishment and raising questions about data security in
Europe’s leadingeconomy."
If attacking the targets with the passwords such as "Iloveyou”
and “1234” is like taking candy from a baby for a student, it
must be like taking candy from a sleeping baby for organized
criminals. What happened in Germany could no doubt have
happened everywhereelse.

2. Half-baked Propositions
We now anticipate that a number of security professionals will be
yet more ardentlyurging people to
1. eliminate the use of passwords altogether, probably without
mentioning that we would be thrown into a 1984-like dystopia
when identity authentication happens without our knowledge or
againstour will.
2. take up biometrics instead of passwords, probably without
mentioning that the biometrics has to be deployed together with a
password in a security-ruining'multi-entrance' method (*2).
3. adopt a password-manager, probably without mentioning that
it comes with a risk of creating a single point of failure like
putting all the eggs in a single basket and that a high-entropy
password is indispensable as the master-password.
4. consider a multi-factor authentication, probably without
mentioning that the password would be the last resort when
something-to-possess is broken, left behind, lost copied and
stolen.
5. throw away easy-to-remember passwords while neither writing
down the passwords on a memo nor re-using the same passwords
across many accounts, in other words, do what humans are
unable to do.
And, tech/biz media will be busy with yet more loudly spreading
all those wrongor inaccurate perceptions and suggestions.
However, the real picture is actually so plain and clear; the
current password predicament is caused by the conventional
password systems that do not allow people to use anything but
numbers/characters.

3. Expansion of Password System
There exists an incredibly simple solution to it. The existence of
this solution is little known to the public as yet, though, largely
because it does not offer big incentives to the people who have
been advocating, endorsing and promoting the above (1) to (5)
propositions.
It is called ‘Expanded Password System’ and an OASIS project is
progressing for the standardization in view of such desirable
features as follows.
- It is not only stress-free for users but fun to use, as opposed to
the dread and overhead that come today with creating,
memorizingand storing passwords
- It turns a low-entropy password into high-entropy
authenticationdata
- It eases the burden of managing the relationship between
accounts and passwords
- It deters phishingattacks
- It can be deployed under any type of circumstance, including
combat
- It supports existing schemes,such as:
- Biometrics which require passwords as a fallback means
- Two/multi-factor authentications that require passwords as
one of the factors

4. - Federations such as password managers and single-sign-on
services that require passwords as the master-password
- Simple pictorial/emoji-passwords and patterns-on-grid can
be deployed on this platform.
- It is relevant whenever text passwords and pin numbers are in
use
- And, nothing would be lost for people who want to keep using
text passwords
- Last but not least, it continues to rely on free will.
The proposition of Expanded Password System is in the ‘Draft
Proposal’ stage at OASIS Open Projects (*3). Should you be
concerned about the current status of identity assurance, you
might be interested to keep an eye on it and help us where
possible.

5. Footnote
*1 German Man Confesses to Hacking Politicians’ Data, Officials
Say
https://www.nytimes.com/2019/01/08/world/europe/germany-hack
ing-arrest.html
*2 Horrific Distinction between ‘Multi-Layer’ and ‘Multi-Entrance’
Deployments
https://www.linkedin.com/pulse/horrific-distinction-between-mult
i-layer-deployments-hitoshi-kokumai
*3 Draft Charter
https://docs.google.com/document/d/1lHFWGMmFHN4xwm9q6aj
Q1vZtFFaKNNgHJKHMnvcNS0s/edit#