Passwords Not Going Away Any Time Soon
New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"
Sounds like job security for those of us who reset passwords for a living.
Drat.
http://alternatives.rzero.com/
I thought that was the next big thing.
"If any question why we died, Tell them because our fathers lied."
In the unclassified areas of the military passwords are almost gone (at least for me) by using PKI and our CAC cards.
All biometric systems do is substitute a text string for a string of values gathered from the user's defining characteristics. It's the same thing in the end, and you will ALWAYS want a password backup to any biometric system as, despite popular understanding, your biometric signature can change. The best hand scanners for example measure blood flow and 3D characteristics using holographic imaging. Getting a cold can cause your fingers to swell and throw off the scanners. Wearing a ring can change your 3D hand scan. Etc, etc.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
It's bad enough having to remember all my login names, but when sites don't like your password because it doesn't have caps, or isn't long enough, or doesn't have a number in it, it forces me to come up with a half dozen passwords to remember.
-- By all means let's be open-minded, but not so open-minded that our brains drop out.
...but still better than none.
A proper security system is one that has tests for who you are, what you know, if you are under duress, and potentially if you should even be there that day.
Such a security system is hard to make, in the simplest form it has a biometric component, two passwords (one for regular use, one to act like the proper password but alert security), and is hooked up with the scheduling system (not to lockout, but also alert security). This is reasonable for high stakes facilities, but sufficiently cumbersome that it gets in the way of getting things done for things like PC login and on-line transactions.
Why does web site x have an 8 character length limit, alphanumeric only?
Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?
Relevant XKCD: http://xkcd.com/936/
Remember, you can't solve for the parts of a pw, only the whole thing in one go.
It doesn't mean much now, it's built for the future.
Wikipedia's article about the CAC makes it out to be some sort of smart card, the same form factor commonly used along with a PIN for debit card payment in some countries. The CAC doesn't really remove passwords at all; a PIN is still needed.
Seems like a conflict of interest to me: "Oh, passwords are here to stay!" seems to be FUD designed to discourage people from innovating so that Microsoft can find the patent first (because it'll eventually supplant their password system and the IP birds will come home to roost).
-
I have worked for years with security and authentication.
There are three ways to establish trust: something you have, something you are, something you know.
That will never change, and most any one of them can be compromised. Thus it is better to build systems that use more than one.
Card keys (something you have)
Thumb print (something you are)
Password / pass phrase / etc. (something you know)
All three together are more secure, and more trust can be built by using multiple aspects, but the easiest will probably always be something you know.
Think about it: authentication before computers.
Go to the bank (hopefully the banker recognizes you (multiple biometrics)).
Do you have your checkbook / check card / pass book?
Do you have a PIN / password etc.?
It really won't ever get much better. You can use more and more biometrics, but that won't stop fraud, only make it more costly.
“Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.
That was my thought, biometrics is an interesting trick, but if they manage to compromise the system you have limited options for changing it. Most people only have 10 fingers and 2 eyes and if somebody manages to compromise one of those you very quickly run low on options. And that doesn't even include what happens if you lose an eye or a finger or if one is just badly damaged to the point of being unreadable.
I remember seeing a bit of a BBC program years back where the guy was using biometrics for a safe but couldn't get in. It turned out that because he was wearing contacts that the sensor didn't identify his eye and the safe wouldn't open until he took the contacts out.
As more and more of my "online" activities take place on the iPhone instead of the computer, password management has become much easier. Other than bank accounts, all log in info is kept by the phone and I never have to log in to anything: counting on the password lock of the phone itself to keep my stuff private should someone pick up my phone. But someone could overcome my 4-digit pass key or observe it (I know my wife's because every time she has trouble with her phone she asks me for help and so I witness her unlock it). What would really be better is if devices had bio-based locking features so that only their assigned users could open them. One big padlock for the house, so to speak, so that we can safely leave all the contents unlocked and easier to use.
I recommend keepass to my friends. I advise them to use unique and random passwords for every account. I only know two passwords. My login, and my keepass passwords. That makes the password problem much more manageable.
Regards,
Jason C. Wells
There's particular relevance to this subject today in relation to the news (via Eurogamer) of a potential weakness in the password system protecting Xbox Live accounts.
If MS can't refute this one quickly, I suspect it's going to get quite serious. Potentially "Playstation Network hack" serious.
Ummm...simple answer, Microsoft/IBM/rest of world:
Start adding a "please generate a good password for me because I'm too ignorant to do it myself and I'll choose '123456' " button to your user interfaces.
No sig today...
A new strain of the Sykipot Trojan is being used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, according to security researchers. ...
Chinese hackers have adapted the Sykipot Trojan to lift card credentials from compromised systems in order to access classified military networks, according to researchers at security tools firm AlienVault.
Cause in the future, who knows? I might decide to remove the locks from my house...
I enjoy my many barriers of common entry.
My property is managed by my identity and that's me. If I'm (here), it's because I belong (here).
Nowadays information is unlike everything around seemingly, in overabundance,
And in high density, damning even, only considering what one can find on Facebook and the likes.
Privacy? This is the USA!
Even if we still use passwords, a lot of things have changed in the last 20 years, not so much in technology, but in culture. A lot could have been obvious or not back then, but now there is more awareness regarding requiring longer passwords, having harder to guess/bruteforce but easier to remember ones, giving alternate approaches like two-factor authentication, etc. It's like comparing the first cars with modern hybrid or electric ones: they are still "cars", the basic scheme is still there, there are no flying cars everywhere now as predicted 30 years ago, but still a lot has improved.
10 fingers is still 10 more than the number of passwords most people can remember. Of course, you'd need all ten fingers registered or else the users that be would constantly forget which finger they used.
Question. If there was some kind of online group, mailing list or forum dedicated to brainstorming alternatives to password authentication, would you participate? I wanted to create one for a while, but I'm not 100% sure how to promote such a thing to get people of different backgrounds into that discussion.
How did you know my password is 123456?
Time to change it. qwerty should be a good new password.
If I were God, wouldn't I protect my churches from acts of me?
Must be a big demand for granny camgirls...
"When information is power, privacy is freedom" - Jah-Wren Ryel
I guess NIST is nobody.... (For those outside the US, NIST: National Inst on Stds & Tech, official US gov't agency.)
mark
This is the kind of arrant bullshit that just begs to be disrupted to death. Smartphones were shit and the companies that were complacent with that state got murdered by Apple. Digital music distribution was shit - same thing. Authentication is in an absolutely dire state, and ripe to be disrupted in the same way, as soon as a company with a bit of vision and a pair of balls takes charge. Apple, Google? Fuck knows, but it's going to happen, count on it. "Shitty" is not a stable, long term state in technology - even Windows has been shamed into becoming halfway-useable.
"Be nice, veer left, and never stop thinking" Iain Banks - Walking On Glass
Security built to accommodate laziness pretty much assures compromise.
"But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
In my opinion, passwords are pretty much here to stay for the foreseeable future. The thing that I see changing is making the password a single item in an authentication scheme. Most of the major websites have two factor authentication methods available (think Google, Facebook, Paypal, etc.) and most of the banks that I use have methods of dealing with unknown devices connecting, via a series of questions, an email link, or a code sent to me out-of-band. We are certainly moving in a direction where the password is simply a single piece of information of many needed to authenticate. Obviously, the sensitivity of the information will determine what kind of security is needed, but five years ago two factor authentication was only used in the most secure situations and now it is available on the most popular web sites.
And yet, here we are almost 15 years later still using usernames and passwords. Oh, well. Was a fun project. :)
True story -- when the project launched we had a big event, with everybody gathered around the box to turn their keys. Then they all took their key and scattered off to wherever, what with the whole "must keep the keys off site and multiple locations" thing. What nobody realized is that the network center (we did our own hosting) had already posted plans for a scheduled power outage that weekend, and nobody'd connected these particular thoughts. So they cycled power in the room to do whatever it is that they did, and the box didn't come back online. Somebody contacted me. I told them to round everybody up to come back and turn their keys again. :)
www.HearMySoulSpeak.com
Brute force security needs to be evaluated under the assumption that a Russian botnet has compromised a large number of social networking sites, and gained three to five different clear-text passwords (of possibly no great importance) associated with the targeted user. They now also know--or strongly suspect--the identities of your financial institutions.
Using commonalities of the exposed password set, the botnet bastards will attempt to model your personal password generation heuristic. Since they are not stupider than bricks, they might also assume that your bank password is similar, but fortified to the next level. Gaining some experience in cracking bank passwords, they'll soon have a model for that, too.
My Thomas and Cover from 1991, which happens to be at hand, has chapters on "Jointly typical sequences", "Encoding of correlated sources", and "Source coding with side information". This last section makes reference to Slepian-Wolf encoding, which is kind of interesting. I hadn't spotted that before.
On Slepian-Wolf compression, in memory of Jack Wolf
This might not be precisely the right theory to apply to the breaking of password clusters, but the guy doing the math on that has probably read these papers.
Way too little concern is placed on the independence of the passwords chosen, and this vulnerability increases rapidly with the proliferation of passwords used. I'm sure I have more than 100 passwords out in the wild, many held by hopelessly incompetent and untrusted internet discussion forums.
Even a single compromised site can form a model of your password heuristic if you're duped into changing it often.
It wouldn't surprise me if, were everyone to adopt the four word xkcd approach, for many individuals the entropy per word is closer to seven or eight bits than eleven, where concrete nouns of five to eight letters predominate, with a further bias to concrete nouns that are visually active in the mind's eye, and 40% of all such passwords contain at least one animal word.
That's where brute force would begin: assume at least one common animal word (four to five bits; since cat/dog don't make the cut, you'll be seeing a lot of parrot/leopard/zebra/unicorn).
unicornprincesscastledragon
I've cracked one already.
Where I work we have to change our passwords every 6 weeks. Microsoft even encourages draconian practices like this. Even though research shows that enforcing changing of passwords frequently leads to people using bad passwords, and quite frequently writing them down and leaving the written down copy at their computer.
What really frustrates me is that our IT knows this, they wave it off as everyone uses bad passwords anyways. I try to use good passwords, but coming up with a new one every 6 weeks is difficult.
That isn't to say that having a forced password change every blue moon is a bad idea, but more than twice a year for most people is too much. For quite a few companies twice a year might be too much.
As with previous posters, I love how some sites only allow alphanumeric passwords, where others require special characters and you have the different minimums and maximums. Really drives me nuts how some sites have a maximum of 8 characters.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
Does anyone remember or even use Lynx anymore? These were the days in 1982 and I first had a Unix SLIP Serial Line Interface Protocol. That's right and dare I say it that was UN-31337 nothing was digital. It was only developers who illegally worked for GCHQ (deep packet inspection) British Telecom phorming. Well this is why we do not like the black boxen of all windows installations.
AMEN!
All cows eat grass!
President Skroob: Did it work? Where's the king?
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
Colonel Sandurz: 1-2-3-4-5
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
Observe, as actually making the joke magically garners mysterious karma points ... from beyond!
Which is why things like KeePass and Lastpass exist. Plus if you add a site specific OTP to the authentication system that goes a long way towards securing things.
Also, it's not just a matter of 10 passwords, it means that you can only have 10 ever. I suppose you could move to toes, but even that only buys you an additional 10, and the average person has slightly less than 20 digits total.
Don't sell your stock in the Post-It note company after all.
OR:
http://xkcd.com/936/
That was my first thought too.
The big problem I see is revocation.
Once biometric phishing shows up or a database gets popped, your prints are out there... and as was said, you can't exactly go out and get new ones.
I've always been a fan of multifactor for stuff we want secure (banking mainly) .. yes you can copy someone's fingerprint, steal someone's keyfob, and snatch someone's password .. but doing all three is tricky without them noticing.
For stuff we care less about, passwords will probably be king for a long time, because anything more secure is also more of a pain ..
The problem with that is that they can be stolen, or copied without the user's knowledge.
It's pretty damn hard to get a password without the user being aware of typing it. ^^
But hey, the more errors the terrorists (US military [Yes, I went there. Deal with it.]) make, them better for the free world.
FailDesk: http://faildesk.net/2012/01/12/passwords-are-like/
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
No.
Never.
In the good old days I am quite sure there were a lot fewer and less sophisticated botnets, spillages of personal information and bank accounts being drained over the internet. If the threat from "unknown people online" was a lot lower then the threat from people around you was correspondingly the only real thing to care about, hence how the rule that you must never write down your password was etched into the marrow of civilization.
Now people are virtually all behaving according to that rule, however subject to their mental capacity. That means for example that they can only remember one password, so they reuse the same one on every site. That makes them again subject to reusable personal data or just "robot hacks" (try a list of x million emails and passwords on y number of sites).
I'm not saying that the threat from "people around people" has become any smaller, but it's possible that the threat from online sources has become relatively greater. In that case writing down passwords should be reassessed. Having just a sticky note with a key word like "Google - Paul" can remind people of the password "TAKEagoodsong!SONG!" which nobody in real life can guess and is far safer than any string of 8 random characters.
Most of the humor in this punchline comes from the fact that Dark Helmet had just said that the combination was the kind that "an idiot has on his luggage".
Publishing a comic isn't going to make people choose better passwords.
People have had well over a decade to learn about choosing passwords but they're as ignorant as ever.
The only way forward is to take the choice out of their hands. Use the XKCD method if you want, just don't let the users do it themselves.
A lot of people just don't think of passwords in an effective manner though; most people I know still subscribe to the 'Complex [to a human] and therefore difficult to remember is best' line of thought. Me, I just ended up switching to a line from a song that's 25-characters long and incorporates proper capitalization and punctuation. Easy to remember and pretty difficult to brute force!
"please generate a good password for me and I'll write it down because I won't be able to remember it."
FTFY
make imaginary.friends COUNT=100 VISIBLE=false
User security ALWAYS boils down to 1 question: How do I know you are who you claim you are?
Passwords are the ONLY way to handle this.
Biometrics are fuzzy at best, and in the end, it's just a biometric scanner sending a piece of information (password) to the authenticating host.
Hardware dongles, keyfobs, or whatever else you call them are the same fucking thing. It's just another piece of information fed into the authenticating host.
Security "experts" like to claim that these things are not "something you know", but are "something you have". But that's utter horse shit. It's just something that is difficult to know without having something else. And it's something that is EASY to know when you have it, even if you aren't the person who is supposed to know it.
All of digital security, ever, boils down to a key sharing problem.
You have to give someone a key when you first decide to trust them.
Passwords are the most secure thing in the world in theory, because they're stored only in your brain.
Passwords are much less secure in practice because people forget them, write them down, fall victim to phishing attacks and keyloggers, etc. and authenticators tend to do stupid shit like get hacked, keep shit around in plaintext with little or no salting, etc.
The only thing that needs to change about passwords is the mentality of users. Users need to realize that the trust has to be a two-way street. If you don't trust a site completely, you must assume they will spread your shit out or actively try to attack you.
USERS must take it upon themselves to:
Never use the same password in multiple places (this includes encrypting other passwords with a password).
Never write a password down.
Never use stupid passwords based on words.
Figure out how to deal with an OH SHIT moment where you've lost a password. Unfortunately, this violates the other requirement.
By how you always run when APK pwns U, lol -> http://it.slashdot.org/comments.pl?sid=2603836&cid=38661950
Good idea. Until you run across sites that require your password to be exactly 8 digits.
Yes, you heard me right. Digits.
"I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
Good idea. Until you run across sites that require your password to be exactly 8 digits.
Yes, you heard me right. Digits.
Exactly! You know what is even more crazy? My old bank's online password login was restricted to 6 letters or numbers (no more, no less, and certainly no symbols), and each letter corresponded to at least two other letters and a number, all case insensitive. You want to know why? Because they wanted people to keep their phone passwords and their online passwords the same! So if your password is 'BrUTal', you can also handily brute-force it with the numeric '278825'. Wow. Just wow.
To be fair, I hear they did add some second-layer location verification questions later on (probably because they were getting murdered by script kiddies and grandma hax0rs). Like "we haven't seen you log in from this location before, can you please answer this security question for us?" then you got one of some couple 'password recovery' type questions that you had to answer before logging in. I dunno, I blew that joint a long time past, pretty much as soon as I tried to go online with them...
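The keypad collapse described in the post above, as an added example (not the poster's code, and the keypad grouping is the standard ITU E.161 layout, which the post does not name): it maps a 6-character alphanumeric password to the digit string a phone would send and counts how many distinct passwords the bank's verifier would accept in its place.

```python
import math

# Standard ITU E.161 telephone keypad letter groups. Assumed layout: the post
# only says that each letter shares a key with two or more letters and a digit.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}

# Every letter collapses onto its key's digit; each digit key also matches
# itself, and 0 and 1 carry no letters at all.
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}
for _d in "0123456789":
    LETTER_TO_DIGIT[_d] = _d


def keypad_collapse(password: str) -> str:
    """Return the digit string a phone keypad would send for this password.

    The policy in the post is case insensitive and allows letters and digits
    only, so anything else is rejected rather than silently dropped.
    """
    digits = []
    for ch in password.upper():
        if ch not in LETTER_TO_DIGIT:
            raise ValueError(f"{ch!r} is not allowed by a letters/digits-only policy")
        digits.append(LETTER_TO_DIGIT[ch])
    return "".join(digits)


def equivalents(password: str) -> int:
    """Count the distinct case-insensitive alphanumeric passwords that collapse
    to the same digit string, i.e. that a digit-comparing verifier accepts."""
    count = 1
    for d in keypad_collapse(password):
        count *= 1 + len(KEYPAD.get(d, ""))  # the digit itself plus its letters
    return count


def nominal_keyspace(length: int) -> int:
    """Keyspace the policy appears to offer: 26 letters + 10 digits per position."""
    return 36 ** length


def effective_keyspace(length: int) -> int:
    """Keyspace left once the verifier only distinguishes digit strings."""
    return 10 ** length


def policy_report(password: str) -> dict:
    """Summarise how much of the password's apparent strength the collapse removes."""
    n = len(password)
    return {
        "collapsed": keypad_collapse(password),
        "equivalent_passwords": equivalents(password),
        "nominal_bits": round(math.log2(nominal_keyspace(n)), 2),
        "effective_bits": round(math.log2(effective_keyspace(n)), 2),
    }


if __name__ == "__main__":
    # 'BrUTal' is the example password from the post.
    for k, v in policy_report("BrUTal").items():
        print(f"{k}: {v}")
```

The report shows the six-character policy's 36^6 candidates shrinking to at most 10^6 distinguishable ones, which is the detail a policy reviewer should flag before relying on the later location-question layer to compensate.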
Publishing a comic isn't going to make people choose better passwords.
People have had well over a decade to learn about choosing passwords but they're as ignorant as ever.
The only way forward is to take the choice out of their hands. Use the XKCD method if you want, just don't let the users do it themselves.
In many cases, you *can't* use the xkcd method because:
a. the password field is too short
b. the password checker rejects common words
c. you can't see what you're typing when you enter the password
The problem generally isn't the users' ignorance, it's the assholes writing the password system.
Feel free to use as simple a password as your system allows. No one will guess it.
But how can you know that Swype entered the correct English word if the password entry field covers it up with asterisks or other similar glyphs?
How is this wrong? Even Bruce Schneier advocates this method. [1] Protecting little pieces of paper is something everyone is already ingrained to do (think money), but remembering long strings of random numbers, characters and punctuation is not.
[1] http://www.schneier.com/blog/archives/2005/06/write_down_your.html
What is the chance that someone is going to come along and want to brute force my password?
Woohoo - you can write a tweet from my twitter account, or update my facebook status. Or comment on whirlpool under my name. OR go through my lecture notes for uni - and my uni demand quite a lot of restrictions on our passwords! Is it worth worrying about security that much? In the grand scheme of things, not really.
All my email accounts are linked to my phone so if someone picks up my phone, they can go through my emails anyways. Or my Facebook. Or my Twitter. Doesn't it then render having passwords on anything that can be saved to your mobile phone useless? I also don't use a password on my laptop because it has auto-login. Too much hassle having to put in a password every time I shut the lid and open it again, as I move from lecture theatre to lecture theatre.
I use a basic common password on sites I don't really care about, because if someone finds my password, what can they really do? Less harm than what malicious software could do. Some websites are just over the top with restrictions for passwords, and I don't like the idea of memorizing a hundred billion passwords.
I would much rather just have as minimal passwords as possible, and when I do have a password, it is for something important like my banking details. But even then, everything that runs through the bank has to be authenticated with a net-code from my phone. And as for sites that have credit card details, I refuse to let any website save my credit card details, as much as possible.
Oh, come on. you know it. Are you ready for Winchell-Mahoney Time?
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
I did it, and then I lost the piece of paper. As I kept it in my wallet, I assume I lost it while paying. Maybe some cashier got it ... maybe I even paid something with it ;).
But there were no clues what the passwords were for, and I changed them as soon as possible, so it was no problem.
I didn't say it was wrong, however, there are 3 flaws with the advice to write down your password:
1. It is based upon the premise that many/most systems are implemented using the currently in-vogue policies of complex, hard to remember passwords, and that you should/must use different passwords for each system. Both Schneier and the MS researcher (Jesper Johansson) whose comments at a conference inspired Schneier's blog post mention those limitations as the basis for writing them down.
2. Both of those posts are very light on the topic of actually securing the written down passwords. Something which some other security experts have stressed, but which is frequently overlooked.
3. People who do write down their passwords are not good at securing them.
Unless you give complete instructions, including tips on protecting the written down password, then writing down passwords is not materially more secure than choosing easy to guess passwords. A far better recommendation is to use a password manager such as 1Password, KeePass or LastPass with a long, but easy for THAT user to remember pass-phrase.
TL;DR: Writing down passwords is a recommendation about how to cope in a world of bad password policies, and it's an incomplete recommendation because users will leave their written passwords in easily found locations. A far better recommendation is to use a password manager such as 1Password, KeePass or LastPass with a long, but easy for THAT user to remember pass-phrase. Long term, we need sane password/pass-phrase policies.
Choose your password http://dazzlepod.com/uniqpass/
Passwords have been with us from the beginning of time in various forms.
It does not eliminate all passwords, but it reduces the number of passwords one needs to remember. Given how many random websites and forums require a username/password these days, 99% of people have only 1 or 2 passwords spread across hundreds of sites - making passwords quite useless when one of those servers is compromised.
Also, what happens when tomorrow's revolutionary new authentication method is invented? If all sites used OpenID, the change-over would be seamless - those who want to use the new method can do so, and the change only needs to take place in one location.
In short, I am surprised they dismissed OpenID so easily.
AccountKiller
#!/usr/bin/perl -wT
# Character set: upper case, lower case, digits, plus the punctuation listed in qw().
# The qw() list was cut off after '+' in the original post; only that character is kept here.
my @charset = ('A'..'Z', 'a'..'z', 0..9, qw(+));
my $length = 64;
my $iterations = 5;
# Emit $iterations passwords, each made of $length characters drawn from @charset.
# Note that Perl's rand() is not a cryptographic RNG; for real credentials use a CSPRNG.
print join('', (@charset)[map { int rand $_ } (scalar @charset) x $length]) . "\n" for 1 .. $iterations;
I use this to generate impossible to remember passwords for all the sites and computers I access and router keys and stuff. I use a single passphrase to encrypt all of them and this works well in firefox by default (set a master password). I find it is possible for anyone to memorize a passphrase of 10 completely random digits in 2 weeks to a month (I have 4 in my head now). In that time, have the passphrase written down for reference and after that destroy it. Store a copy of all passwords externally on USB and make sure these are all protected using encryption protocols recognized by NSA for top secret documents. Never trust encrypting your secrets with application based "encrypt" buttons... as these are usually made to be insecure so the company can protect their own butts. I am referring to fake encryption like when you click "OTR" in google chat or try to "encrypt" while using Skype.
It's pretty bad that I have to read the password requirements carefully and usually then view the HTML source to find out what the maxlen of the field is because the password requirements didn't define that.
Someone can't steal your money just by looking at it.