Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passwords Not Going Away Any Time Soon

Posted by Soulskill on from the 12345-letmein dept.

New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"

5 of 232 comments (clear)

  1. Securty. by fish_in_the_c · · Score: 4, Informative

    I have worked for years with security and authentication.
    there are three ways to establish trust. Something you have , something are , something you know.
    that will never change. and most any one of them can be compromised. thus it is better to build systems that use
    more then one.

    care keys ( something you have)
    thumb print ( something you are)
    password/ pass phrase/ etc. ( something you know) .

    all three together are more secure and more trust can be built by using multiple aspects but the easiest will be probably always be something you know.

    Think about it authentication before computers.

    Go to the bank ( hopefully the banker recognized you ( multiple bio metric) )
    do you have your checkbook / check card/ pass book?
    do you have a pin / password etc.

    it really won't ever get much better you can use more and more bio metrics but that won't stop fraud only make it more costly.

    --
    âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
  2. Re:Stop limiting password length by MagicM · · Score: 5, Informative

    Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password "D0g....................." is harder to break than the password "PrXyc.N(n4k77#L!eVdAfp9". He makes this very clear in his password haystack reference guide and tester: "Once an exhaustive password search begins, the most important factor is password length!"

  3. Re:Whatever happened to passphrases? by Dr_Barnowl · · Score: 5, Informative

    The stupid part is that the limit on the password field is just a piece of UI.

    If they're doing it right, they're storing a hash of the password. The hashes are all the same size. You should be able to carry around a USB device that emulates a keyboard and types out the declaration of independence (without using enter) and use that as a password.

    Systems that limit the password to, say, 13 characters bug the crap out of me, because I often chose passwords that are longer.

    Systems that limit the password size because they are storing them as plaintext, should of course have their source printed out and ritually burned.

  4. Re:Whatever happened to passphrases? by TheLink · · Score: 4, Informative

    You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

    In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

    2^44 is 1.7592186 * 10^13, which is SMALLER than 3.906 * 10^17. So if you assume a 25000 word vocab you have MORE than 44 bits of entropy with the passphrases approach. It may not be impossible to crack, but it's harder than the stupid "hard to remember by normal people" passwords. Which is the xkcd example's point, which I guess assumes a conservative 3000 common word vocabulary.

    --
  5. Re:Whatever happened to passphrases? by Cinder6 · · Score: 4, Informative

    My bank has a similar ridiculous restriction. 14 characters max, limited subset of symbols allowed. Because of this, my bank password is my least secure password, while it should be one of the strongest. I find it amusing that my WoW account is much more secure than my bank (greater password freedom + authenticator)--at least from an authentication standpoint.

    Mac users can use a program called 1Password to manage their passwords. It stores them in an encrypted file that you use a master password to unlock. And you can use browser extensions to have it automatically login to any site you've told it about, and it will generate passwords for you as well. It's the best solution I've found for having unique, strong passwords for every site or system you have a login for. Just make sure you choose a smart master password.

    (There's an iOS version, too, that syncs with the standalone app, so you have access to your passwords on the go.)

    Anyone know of something similar for other platforms? I'd like to get the rest of my family using stronger passwords than pet names or whatever they're using.

    --
    If you can't convince them, convict them.