Passwords Not Going Away Any Time Soon

New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"

Re:Whatever happened to passphrases?

[Millennium]

Yeah; I've got to say, the situation with passwords could be improved just by allowing more space for them. xkcd/diceware-style phrases just plain don't fit in most password fields, but they'd be easier to remember and more secure.

Stop limiting password length

[Pope]

Why does web site x have an 8 character length limit, alphanumeric only?

Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

Relevant XKCD: http://xkcd.com/936/

Remember, you can't solve for the parts of a pw, only the whole thing in one go.

Re:Stop limiting password length

[MagicM]

From the link:

The example with "D0g....................." should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "" or "[*]" or "^-^" . . . but do invent your own!

  If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!

The goal is to prevent brute-foce hacking of your password, and the way to do that is by lengthening it. If you pick some long padding and add that to all your passwords, brute-force hacking it becomes prohibitively hard.

Get it right the first time?

[tepples]

Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.

Re:job security

[hawguy]

Sounds like job security for those of us who reset passwords for a living.

Drat.

Better to reset a password than find that your fingerprint scanners can be compromised by silly putty or your retinal scanners can be compromised by a picture painted on the back of a marble and instead of resetting a password, you're replacing hardware.

Re:Duh?

[hedwards]

That was my thought, biometrics is an interesting trick, but if they manage to compromise the system you have limited options for changing it. Most people only have 10 fingers and 2 eyes and if somebody manages to compromise on of those you very quickly run low on options. And that doesn't even include what happens if you lose an eye or a finger or if one is just badly damaged to the point of being unreadable.

I remember seeing a bit of a BBC program years back where the guy was using biometrics for a safe but couldn't get in. It turned out that because he was wearing contacts that the sensor didn't identify his eye and the safe wouldn't open until he took the contacts out.

Re:But of course...

[Dan+East]

And what happens if your biometric signature is discovered? Obviously not from the biological side, but the digital side. After all, it's just a number. Of course it would require a more technical exploit at the software level to utilize, but the big downside is you can't change that signature like you can a password (you've only got so many finger prints, or retinas, or whatever).

Re:job security

[kdemetter]

Biometrics are a form of identification , not authentication.
It should always be used in conjunction with authentication, not to replace authentication.

It's still very usefull , because it saves time : you don't have to fill in your login id : the systems knows who you claim to be, and just requires your password to confirm it.

So it can replace the userid , but never the password.

Re:Whatever happened to passphrases?

[StevenMaurer]

The problem in the real world with XKCD/diceware-style phrases, is that English words become keys. You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

Add in that many words are going to be used far more frequently than others, and it really isn't much different than the "misspell and stick in an odd character" method. And it's actually worse than sticking an odd character or two somewhere in the middle of your password.

Re:job security

[Joce640k]

Just think "Eyeballs on forks..." next time you believe biometrics solves anything.

People leave a whole trail of biometrics behind them as they go through life - dropped hairs full of DNA, fingerprints on drinking glasses, etc. You can steal their biometrics just by following them around.

Worse: If you steal their wallet they might notice it's missing but they won't notice you picking up a drinking glass after they leave a restaurant. You can steal their biometric identity without them ever knowing it.