Slashdot Mirror


Passwords Not Going Away Any Time Soon

New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"


  1. Passwords make my brain hurt by na1led · · Score: 3, Insightful

    It's bad enough having to remember all my login names, but then sites don't like your password because it doesn't have caps, or isn't long enough, or doesn't have a number in it, forcing me to come up with a half dozen passwords to remember.

    --
    -- By all means let's be open-minded, but not so open-minded that our brains drop out.
  2. Re:Whatever happened to passphrases? by Millennium · · Score: 5, Insightful

    Yeah; I've got to say, the situation with passwords could be improved just by allowing more space for them. xkcd/diceware-style phrases just plain don't fit in most password fields, but they'd be easier to remember and more secure.

  3. Partial security by Anonymous Coward · · Score: 3, Insightful

    ...but still better than none.

    A proper security system is one that has tests for who you are, what you know, if you are under duress, and potentially if you should even be there that day.

    Such a security system is hard to make, in the simplest form it has a biometric component, two passwords (one for regular use, one to act like the proper password but alert security), and is hooked up with the scheduling system (not to lockout, but also alert security). This is reasonable for high stakes facilities, but sufficiently cumbersome that it gets in the way of getting things done for things like PC login and on-line transactions.

  4. Stop limiting password length by Pope · · Score: 5, Insightful

    Why does web site x have an 8 character length limit, alphanumeric only?

    Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

    Relevant XKCD: http://xkcd.com/936/

    Remember, you can't solve for the parts of a pw, only the whole thing in one go.

    --
    It doesn't mean much now, it's built for the future.
    1. Re:Stop limiting password length by MagicM · · Score: 4, Insightful

      From the link:

      The example with "D0g....................." should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "" or "[*]" or "^-^" . . . but do invent your own!

        If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!

      The goal is to prevent brute-force hacking of your password, and the way to do that is by lengthening it. If you pick some long padding and add that to all your passwords, brute-force hacking it becomes prohibitively hard.

  5. Get it right the first time? by tepples · · Score: 5, Insightful

    Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.

  6. Re:job security by hawguy · · Score: 4, Insightful

    Sounds like job security for those of us who reset passwords for a living.

    Drat.

    Better to reset a password than find that your fingerprint scanners can be compromised by silly putty or your retinal scanners can be compromised by a picture painted on the back of a marble and instead of resetting a password, you're replacing hardware.

  7. Re:Duh? by hedwards · · Score: 4, Insightful

    That was my thought: biometrics is an interesting trick, but if they manage to compromise the system you have limited options for changing it. Most people only have 10 fingers and 2 eyes, and if somebody manages to compromise one of those you very quickly run low on options. And that doesn't even include what happens if you lose an eye or a finger, or if one is just badly damaged to the point of being unreadable.

    I remember seeing a bit of a BBC program years back where the guy was using biometrics for a safe but couldn't get in. It turned out that because he was wearing contacts, the sensor didn't identify his eye and the safe wouldn't open until he took the contacts out.

  8. Re:But of course... by Dan+East · · Score: 4, Insightful

    And what happens if your biometric signature is discovered? Obviously not from the biological side, but the digital side. After all, it's just a number. Of course it would require a more technical exploit at the software level to utilize, but the big downside is you can't change that signature like you can a password (you've only got so many finger prints, or retinas, or whatever).

    --
    Better known as 318230.
  9. Re:job security by kdemetter · · Score: 4, Insightful

    Biometrics are a form of identification, not authentication.
    It should always be used in conjunction with authentication, not to replace authentication.

    It's still very useful, because it saves time: you don't have to fill in your login id; the system knows who you claim to be, and just requires your password to confirm it.

    So it can replace the userid, but never the password.

  10. 10 passwords too much? by Feyshtey · · Score: 2, Insightful

    Security built to accommodate laziness pretty much assures compromise.

    --
    "But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
  11. Re:Whatever happened to passphrases? by StevenMaurer · · Score: 4, Insightful

    The problem in the real world with XKCD/diceware-style phrases, is that English words become keys. You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

    In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

    Add in that many words are going to be used far more frequently than others, and it really isn't much different than the "misspell and stick in an odd character" method. And it's actually worse than sticking an odd character or two somewhere in the middle of your password.

  12. Re:job security by Joce640k · · Score: 4, Insightful

    Just think "Eyeballs on forks..." next time you believe biometrics solves anything.

    People leave a whole trail of biometrics behind them as they go through life - dropped hairs full of DNA, fingerprints on drinking glasses, etc. You can steal their biometrics just by following them around.

    Worse: If you steal their wallet they might notice it's missing but they won't notice you picking up a drinking glass after they leave a restaurant. You can steal their biometric identity without them ever knowing it.

    --
    No sig today...
  13. Re:Duh? by Anrego · · Score: 3, Insightful

    The big problem I see is revocation.

    Once biometric phishing shows up or a database gets popped, your prints are out there... and as was said, you can't exactly go out and get new ones.

    I've always been a fan of multifactor for stuff we want secure (banking mainly) .. yes you can copy someone's fingerprint, steal someone's keyfob, and snatch someone's password .. but doing all three is tricky without them noticing.

    For stuff we care less about, passwords will probably be king for a long time, because anything more secure is also more of a pain ..