Artist Statement

On the mortality of secrets and the theater of rotation

AuthENDication is a meditation on the arbitrary nature of password expiration policies, taken to its logical—and absurd—conclusion.

The 90-Day Liturgy

Every 90 days, millions of workers perform the same ritual: they append a number to their password, or swap a letter for a symbol, or rotate through a memorized sequence. This ceremony has been mandated by security policies since the 1980s, originating from an era when password cracking was measured in months, not milliseconds.

The 90-day rotation has no mathematical basis. It exists because someone, somewhere, decided it "felt right." NIST has since reversed course, recommending against mandatory rotation in its 2017 guidelines. Yet the ritual persists, zombie-like, in countless enterprise policies.

"Password expiration requirements do more harm than good, because these requirements make users select weaker passwords to begin with, then transformed in ways that are easy to guess." — NIST SP 800-63B (2017)

The Crack Time Paradox

AuthENDication asks a simple question: if we're going to expire passwords, why not base expiration on actual security math? The answer reveals the absurdity of the entire endeavor.

A password like "Summer2024!" has an estimated crack time of roughly 47 minutes against a GPU cluster. Under AuthENDication's logic, this password should expire in 28 seconds (1% of crack time as a "safety margin"). Meanwhile, a password like "correct-horse-battery-staple" could theoretically last years—longer than most employment tenures.

The calculation exposes what security practitioners have always known: password strength varies by orders of magnitude, yet we treat all passwords as if they decay at the same rate, like radioactive isotopes with a 90-day half-life.

The Mortality Dashboard

The dashboard presents your password's "health" as a countdown to death. This visualization makes visceral what is usually abstract: the slow (or rapid) approach of theoretical compromise. It shows attack progress bars filling in real time, as if adversaries began cracking at the moment of password creation.

Of course, this is nonsense. Real attackers don't start cracking the moment you create a password—they start when they steal your hash. The countdown assumes the worst case while ignoring the reality that most passwords are compromised through phishing, not brute force.

But that's the point. Security theater often assumes the worst case for users (mandatory rotation, complexity requirements, CAPTCHAs) while ignoring the actual threat landscape.

The Security Margin

AuthENDication uses 1% of estimated crack time as the password lifespan. This "security margin" is as arbitrary as 90 days, but at least it scales with password strength. It highlights the uncomfortable truth that any margin is arbitrary—we're making probabilistic bets about attacker capabilities, hash exposure, and computational resources.

The 1% margin is intentionally aggressive, causing weak passwords to expire almost instantly. This creates a feedback loop that the traditional 90-day policy lacks: if you want to stop changing your password constantly, you must create a stronger one. The system finally has an incentive structure that aligns with actual security.

Stored in the Clear

AuthENDication stores passwords (well, their analysis) in localStorage, visible to anyone who opens DevTools. This is intentionally insecure, but it mirrors a truth about many systems: the gap between "encrypted" and "secure" is vast.

Your password hash is displayed on the dashboard. In a proper system, this would be unconscionable. Here, it's educational: the hash reveals nothing about your password to a human observer, but everything to a cracking rig. Security through obscurity fails the moment the obscurity is removed.

The Death Modal

When your password expires, the session doesn't quietly redirect to a login page. It dies dramatically: a skull appears, the screen goes dark, and you're presented with statistics about your password's brief life.

This theater serves a purpose. Real session expiration is silent and frustrating—you lose your work, your context, your flow. AuthENDication makes the expiration memorable, forcing you to confront the policy's impact rather than treat it as background noise.

What This Is Not

AuthENDication is not a recommendation. Tying password expiration to crack time is not actually a good idea—it's just a different kind of bad idea, one that exposes the flaws in the original bad idea.

Good authentication doesn't rely on password rotation at all. It uses multi-factor authentication, passwordless flows, hardware tokens, and breach monitoring. It treats the password as one factor among many, not as a rotating secret that somehow becomes more secure through the act of changing.

The Invitation

Create an account. Watch your password's health decline. Feel the mounting anxiety as the percentage drops. Then ask yourself: does the 90-day rotation at your workplace make you feel the same way? Or does it just feel like paperwork?

Security should be felt, not filed. AuthENDication makes password expiration feel like something—even if that something is absurd. Perhaps that's the first step toward demanding better.

Technical Notes

  • Entropy is calculated using character class analysis (lowercase, uppercase, digits, symbols)
  • Crack times assume brute-force attacks against the full keyspace
  • Dictionary attacks and pattern recognition would dramatically reduce real-world crack times
  • The "security margin" of 1% is arbitrary and illustrative
  • All data is stored in localStorage and persists across sessions
  • Passwords are hashed with a simple (insecure) algorithm for display purposes
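The following is an added example, not code from the AuthENDication project, that implements the model the Technical Notes describe and that the "Crack Time Paradox" and "Security Margin" sections reason about: character-class entropy, an average-case brute-force crack time over the full keyspace, and the 1% lifespan rule. Everything not stated on the page is an assumption: the 33-character symbol class, the 1e12 guesses-per-second attacker rate (so the output will not reproduce the page's "47 minutes" figure), the function names, and the toy season-plus-year rule used to show why a dictionary or pattern attack collapses the brute-force estimate.

```javascript
// Added example, not AuthENDication's own code: character-class entropy,
// brute-force crack-time estimate, the 1% lifespan rule, and a toy pattern
// check showing that the brute-force number is only an upper bound.

// Character classes for the keyspace estimate. The symbol count (33 printable
// ASCII punctuation characters) is an assumption.
const CLASSES = [
  { name: "lower",  re: /[a-z]/,        size: 26 },
  { name: "upper",  re: /[A-Z]/,        size: 26 },
  { name: "digit",  re: /[0-9]/,        size: 10 },
  { name: "symbol", re: /[^A-Za-z0-9]/, size: 33 },
];

// Assumed attacker speed; the page gives no rate. 1e12 guesses/s is a round
// number for a GPU cluster against a fast, unsalted hash.
const GUESSES_PER_SECOND = 1e12;
const SAFETY_MARGIN = 0.01; // the page's 1% "security margin"

// Size of the alphabet the password draws from (sum of the classes present).
function alphabetSize(password) {
  return CLASSES.reduce((n, c) => (c.re.test(password) ? n + c.size : n), 0);
}

// Entropy in bits: length * log2(alphabet), the classic character-class model.
function entropyBits(password) {
  const alphabet = alphabetSize(password);
  return alphabet === 0 ? 0 : password.length * Math.log2(alphabet);
}

// Expected brute-force time: on average the attacker tries half the keyspace.
function bruteForceSeconds(password) {
  return Math.pow(2, entropyBits(password) - 1) / GUESSES_PER_SECOND;
}

// The page's lifespan rule: the password expires after 1% of its crack time.
function lifespanSeconds(password) {
  return bruteForceSeconds(password) * SAFETY_MARGIN;
}

// Constructed toy rule set: season + four-digit year + optional trailing
// symbol, the shape of "Summer2024!". Returns the number of guesses such a
// rule needs, or null when the password does not fit it. A real cracker's
// rule set is vastly larger; this one exists only to show the caveat.
const SEASONS = ["spring", "summer", "autumn", "fall", "winter"];
const SEASON_YEAR_RE = /^([A-Za-z]+)(\d{4})([^A-Za-z0-9])?$/;

function patternGuesses(password) {
  const m = SEASON_YEAR_RE.exec(password);
  if (!m || !SEASONS.includes(m[1].toLowerCase())) return null;
  // seasons x {lower, Capitalised} x 100 plausible years x 33 symbols
  return SEASONS.length * 2 * 100 * 33;
}

// Render seconds the way a countdown dashboard would.
function humanDuration(seconds) {
  const units = [["year", 31557600], ["day", 86400], ["hour", 3600], ["minute", 60]];
  for (const [name, span] of units) {
    if (seconds >= span) {
      const n = seconds / span;
      return `${n >= 1e4 ? n.toExponential(2) : n.toFixed(1)} ${name}s`;
    }
  }
  return `${seconds.toPrecision(3)} seconds`;
}

// Dashboard-style summary: brute-force estimate, pattern-aware estimate, lifespan.
function analyze(password) {
  const guesses = patternGuesses(password);
  const brute = bruteForceSeconds(password);
  const patternAware = guesses === null ? brute : guesses / 2 / GUESSES_PER_SECOND;
  return {
    bits: entropyBits(password),
    bruteForceSeconds: brute,
    patternAwareSeconds: patternAware,
    lifespan: humanDuration(lifespanSeconds(password)),
  };
}

for (const p of ["Summer2024!", "correct-horse-battery-staple"]) {
  const a = analyze(p);
  console.log(p, a.bits.toFixed(1), "bits;",
    "brute-force", humanDuration(a.bruteForceSeconds) + ";",
    "pattern-aware", humanDuration(a.patternAwareSeconds) + ";",
    "expires after", a.lifespan);
}
```

Run it with node. The two crack-time columns make the fifth Technical Note concrete: against the full 95-character keyspace "Summer2024!" looks respectable, but once an attacker guesses the season-plus-year shape, the 33,000 candidate guesses are exhausted in a fraction of a microsecond, while the hyphenated passphrase fits no such rule and keeps its brute-force estimate. The 1% lifespan scales with whichever estimate you feed it, which is exactly why the page calls the margin arbitrary but at least proportional.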