Slashdot Mirror
Passwords Not Going Away Any Time Soon
New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"
Umm.. No shit?
Sounds like job security for those of us who reset passwords for a living.
Drat.
http://alternatives.rzero.com/
I thought that was the next big thing.
"If any question why we died, Tell them because our fathers lied."
In the unclassified areas of the military passwords are almost gone (at least for me) by using PKI and our CAC cards.
All biometric systems do is substitute a text string for a string of values gathered from the users defining characteristics. Its the same thing in the end, and you will ALWAYS want a password backup to any biometric system as, despite popular understanding, your biometric signature can change. The best hand scanners for example mesure blood flow and 3D characteristics using holographic imaging. Getting a cold can cause your fingers to swell and throw off the scanners. Wearing a ring can change your 3D hand scan. Etc, etc.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
It's bad enough having to remember all my login names, but when sites don't like your password because it doesn't have Caps, or long enough, or a number in it. Forcing me to come up with a half dozen passswords to remember.
-- By all means let's be open-minded, but not so open-minded that our brains drop out.
...but still better than none.
A proper security system is one that has tests for who you are, what you know, if you are under duress, and potentially if you should even be there that day.
Such a security system is hard to make, in the simplest form it has a biometric component, two passwords (one for regular use, one to act like the proper password but alert security), and is hooked up with the scheduling system (not to lockout, but also alert security). This is reasonable for high stakes facilities, but sufficiently cumbersome that it gets in the way of getting things done for things like PC login and on-line transactions.
Why does web site x have an 8 character length limit, alphanumeric only?
Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?
Relevant XKCD: http://xkcd.com/936/
Remember, you can't solve for the parts of a pw, only the whole thing in one go.
It doesn't mean much now, it's built for the future.
Wikipedia's article about the CAC makes it out to be some sort of smart card, the same form factor commonly used along with a PIN for debit card payment in some countries. The CAC doesn't really remove passwords at all; a PIN is still needed.
Seems like a conflict of interest to me: "Oh, passwords are here to stay!" seems to be FUD designed to discourage people from innovating so that MIcrosoft can find the patent first (because it'll eventually supplant their password system and the IP birds will come home to roost).
-
I have worked for years with security and authentication.
there are three ways to establish trust. Something you have , something are , something you know.
that will never change. and most any one of them can be compromised. thus it is better to build systems that use
more then one.
care keys ( something you have)
thumb print ( something you are)
password/ pass phrase/ etc. ( something you know) .
all three together are more secure and more trust can be built by using multiple aspects but the easiest will be probably always be something you know.
Think about it authentication before computers.
Go to the bank ( hopefully the banker recognized you ( multiple bio metric) )
do you have your checkbook / check card/ pass book?
do you have a pin / password etc.
it really won't ever get much better you can use more and more bio metrics but that won't stop fraud only make it more costly.
âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.
As more and more of my "online" activities take place on the iphone instead of the computer, password management has become much easier. Other than bank accounts, all log in info is kept by the phone and I never have to log in to anything: counting on the password lock of the phone itself to keep my stuff private should someone pick up my phone. But someone could overcome my 4-digit pass key or observe it (I know my wife's because everytime she has trouble with her phone she asks me for help and so I witness her unlock it). What would really be better is if devices had bio-based locking features so that only their assigned users could open them. One big padlock for the house, so to speak, so that we can safely leave all the contents unlocked and easier to use.
I recommend keepass to my friends. I advise them to use unique and random passwords for every account. I only know two passwords. My login, and my keepass passwords. That makes the password problem much more manageable.
Regards,
Jason C. Wells
my roomate's step-aunt makes $80 hourly on the computer. She has been without a job for 9 months but last month her pay was $7829 just working on the computer for a few hours. Go to this web site and read more...CashSharp.com
There's particular relevance to this subject today in relation to the news (via Eurogamer) of a potential weakness in the password system protecting Xbox Live accounts.
If MS can't refute this one quickly, I suspect it's going to get quite serious. Potentially "Playstation Network hack" serious.
A new strain of the Sykipot Trojan is been used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, according to security researchers. ...
Chinese hackers have adapted the Sykipot Trojan to lift card credentials from compromised systems in order to access classified military networks, according to researchers at security tools firm AlienVault.
If wired claims it, it's wrong. No exceptions.
Something bad is coming when people are suddenly anxious to tell the truth.
Cause in the future, who knows? I might decide to remove the locks from my house...
I enjoy my many barriers of common entry.
My property is managed by my identity and that's me, If i'm (here), it's because i belong (here).
Nowadays information is unlike everything around seemingly, in overabundance,
And in high density, damning even, only considering what one can find on Facebook and the likes.
Privacy? This is the USA!
Even if we still use passwords, a lot of things had changed in the last 20 years, not so much in technology, but in culture. A lot could had been obvious or not back then, but now there is more awareness regarding requiring longer passwords, having harder to guess/bruteforce but easier to remember ones, giving alternate approachs like two-factor authentication, etc. Is like comparing the first cars with modern hybrid or electric ones, still are "cars", the basic scheme is still there, there are no flying cars everywhere now as predicted 30 years ago, but still a lot had improved.
Question. If there was some kind of online group, mailing list or forum dedicated to brainstorming alternatives to password authentication, would you participate? I wanted to create one for a while, but I'm not 100% sure how to promote such thing to get people of different backgrounds into that discussion.
I guess NIST is nobody.... (For those outside the US, NIST: National Inst on Stds & Tech, official US gov't agency.)
mark
This is the kind of arrant bullshit that just begs to be disrupted to death. Smartphones were shit and the companies that were complacent with that state got murdered by Apple. Digital music distribution was shit - same thing. Authentication is in an absolutely dire state, and ripe to be disrupted in the same way, as soon as a company with a bit of vision and a pair of balls takes charge. Apple, Google? Fuck knows, but it's going to happen, count on it. "Shitty" is not a stable, long term state in technology - even Windows has been shamed into becoming halfway-useable.
"Be nice, veer left, and never stop thinking" Iain Banks - Walking On Glass
Security built to accomodate laziness pretty much assures compromise.
"But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
In my opinion, passwords are pretty much here to stay for the foreseeable future. The thing that I see changing is making the password a single item in an authentication scheme. Most of the major websites have two factor authentication methods available (think Google, Facebook, Paypal, etc.) and most of the banks that I use have methods of dealing with unknown devices connecting, via a series of questions, an email link, or a code sent to me out-of-band. We are certainly moving in a direction where the password is simply a single piece of information of many needed to authentication. Obviously, the sensitivity of the information will determine what kind of security is needed, but five years ago two factor authentication was only used in the most secure situations and now it is available on the most popular web sites.
And yet, here we are almost 15 years later still using usernames and passwords. Oh, well. Was a fun project. :)
True story -- when the project launched we had a big event, with everybody gathered around the box to turn their keys. Then they all took their key and scattered off to wherever, what with the whole "must keep the keys off site and multiple locations" thing. What nobody realized is that the network center (we did our own hosting) had already posted plans for a scheduled power outage that weekend, and nobody'd connected these particular thoughts. So they cycled power in the room to do whatever it is that they did, and the box didn't come back online. Somebody contacted me. I told them to round everybody up to come back and turn their keys again. :)
www.HearMySoulSpeak.com
Brute force security needs to be evaluated under the assumption that a Russian botnet has compromised a large number of social networking sites, and gained three to five different clear-text passwords (of possibly no great importance) associated with the targeted user. They now also know--or strongly suspect--the identities of your financial institutions.
Using commonalities of the exposed password set, the botnet bastards will attempt to model your personal password generation heuristic. Since they are not stupider than bricks, they might also assume that your bank password is similar, but fortified to the next level. Gaining some experience in cracking bank passwords, they'll soon have a model for that, too.
My Thomas and Cover from 1991, which happens to be at hand, has chapters on "Jointly typical sequences", "Encoding of correlated sources", and "Source coding with side information". This last section makes reference to Slepian-Wolf encoding, which is kind of interesting. I hadn't spotted that before.
On Slepian-Wolf compression, in memory of Jack Wolf
This might not be precisely the right theory to apply to the breaking of password clusters, but the guy doing the math on that has probably read these papers.
Way too little concern is placed on the independence of the passwords chosen, and this vulnerability increases rapidly with the proliferation of passwords used. I'm sure I have more than 100 passwords out in the wild, many held by hopelessly incompetent and untrusted internet discussion forums.
Even a single compromised site can form a model of your password heuristic if you're duped into changing it often.
It wouldn't surprise me that if everyone adopted the four word xkcd approach, that for many individuals, entropy per word is closer to seven or eight bits than eleven, where concrete nouns of five to eight letters predominate, and a further bias to concrete nouns that are visually active in the mind's eye, and 40% of all such passwords contain at least one animal word.
That's where brute force would begin: assume at least one common animal word (four to five bits; since cat/dog don't make the cut, you'll be seeing a lot of parrot/leopard/zebra/unicorn).
unicornprincesscastledragon
I've cracked one already.
Where I work we have to change our passwords every 6 weeks. Microsoft even encourages draconian practices like this. Even though research shows that enforcing changing of passwords frequently leads to people using bad passwords, and quite frequently writing them down and leaving the written down copy at their computer.
What really frustrates me is that our IT knows this, they wave it off as everyone uses bad passwords anyways. I try to use good passwords, but coming up with a new one every 6 weeks is difficult.
That isn't to say that having a forced password change every blue moon is a bad idea, but more than twice a year for most people is too much. For quite a few companies twice a year might be too much.
As with previous posters, I love how some sites only allow alphanumeric passwords, where others require special characters and you have the different minimums and maximums. Really drives me nuts how some sites have a maximum of 8 characters.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
Does anyone remember or even use Lynx anymore? These were the days in 1982 and I first had a Unix SLIP Serial Line Interface Protocol. That's right and dare I say it that was UN-31337 nothing was digital. it was only developers who illegally worked for GCHQ (deep packect inspection) British Telecom phorming. Well this is why we do not like the black boxen of all windows installations.
AMEN!
All cows eat grass!
Don't sell your stock in the Post-It note company after all.
The problem with that is, that they can be stolen, or copied without the user's knowledge.
It's pretty damn hard to get a password without the user being aware of typing it. ^^
But hey, the more errors the terrorists (US military [Yes, I went there. Deal with it.]) make, them better for the free world.
FailDesk: http://faildesk.net/2012/01/12/passwords-are-like/
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
In the good old days I am quite sure there were a lot fewer and less sophisticated botnets, spillages of personal information and bank accounts being drained over the internet. If the threat from "unknown people online" was a lot lower then the threat from people around you were correspondingly the only real thing to care about, hence how the rule that you must never write down your password was etched into the marrow of civilization.
Now people are virtually all behaving according to that rule, however subject to the their mental capacity. That means for example that they can only remember one password, so they reuse the same on every site. That makes them again subject to reusable personal data or just "robot hacks" (try a list of x million emails and passwords on y number of sites).
I'm not saying that the threat from "people around people" have become any smaller, but it's possible that the threat from online sources have become relatively greater. In that case writing down passwords should be reassessed. Having just a sticky note with a key word like "Google - Paul" can remind people of the password "TAKEagoodsong!SONG!" which nobody in real life can guess and is far safer than any string of 8 random characters.
User security ALWAYS boils down to 1 question: How do I know you are who you claim you are?
Passwords are the ONLY way to handle this.
Biometrics are fuzzy at best, and in the end, it's just a biometric scanner sending a piece of information (password) to the authenticating host.
Hardware dongles, keyfobs, or whatever else you call them are the same fucking thing. It's just another piece of information fed into the authenticating host.
Security "experts" like to claim that these things are not "something you know", but are "something you have". But that's utter horse shit. It's just something that is difficult to know without having something else. And it's something that is EASY to know when you have it, even if you aren't the person who is supposed to know it.
All of digital security, ever, boils down to a key sharing problem.
You have to give someone a key when you first decide to trust them.
Passwords are the most secure thing in the world in theory, because they're stored only in your brain.
Passwords are much less secure in practice because people forget them, right them down, fall victim to phising attacks and keyloggers, etc. and authenticators tend to do stupid shit like get hacked, keep shit around in plaintext with little or no salting, etc.
The only thing that needs to change about passwords is the mentality of users. Users need to realize that the trust has to be a two-way street. If you don't trust a site completely, you must assume they will spread your shit out or actively try to attack you.
USERS must take it upon themselves to:
Never use the same password in multiple places (this includes encrypting other passwords with a password).
Never write a password down.
Never use stupid passwords based on words.
Figure out how to deal with an OH SHIT moment where you've lost a password. Unfortunately, this violates the other requirement.
By how you always run when APK pwns U, lol -> http://it.slashdot.org/comments.pl?sid=2603836&cid=38661950
Feel free to use as simple a password as your system allows. No one will guess it.
But how can you know that Swype entered the correct English word if the password entry field covers it up with asterisks or other similar glyphs?
What is the chance that someone is going to come along and want to brute force my password?
Woohoo - you can write a tweet from my twitter account, or update my facebook status. Or comment on whirlpool under my name. OR go through my lecture notes for uni - and my uni demand quite a lot of restrictions on our passwords! Is it worth worrying about security that much? In the grand scheme of things, not really.
All my email accounts are linked to my phone so if someone picks up my phone, they can go through my emails anyways. Or my Facebook. Or my Twitter. Doesn't it then render having passwords on anything that can be saved to your mobile phone useless? I also don't use a password on my laptop because it has auto-login. Too much hassle having to put in a password every time I shut the lid and open it again, as I move from lecture theatre to lecture theatre.
I use a basic common password on sites I don't really care about, because if someone finds my password, what can they really do? Less harm than what malicious software could do. Some websites are just over the top with restrictions for passwords, and I don't like the idea of memorizing a hundred billion passwords.
I would much rather just have as minimal passwords as possible, and when I do have a password, it is for something important like my banking details. But even then, everything that runs through the bank has to be authenticated with a net-code from my phone. And as for sites that have credit card details, I refuse to let any website save my credit card details, as much as possible.
Oh, come on. you know it. Are you ready for Winchell-Mahoney Time?
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
Choose your password http://dazzlepod.com/uniqpass/
Passwords have been with us from the beginning of time in various forms.
It does not eliminate all passwords, but it reduces the number of passwords one needs to remember. Given how many random websites and forums require a username/password these days, 99% of people have only 1 or 2 passwords spread across hundreds of sites - making passwords quite useless when one of those servers is compromised.
Also, what happens when tomorrow's revolutionary new authentication method is invented? If all sites used OpenID, the change-over would be seamless - those who want to use the new method can do so, and the change only needs to take place in one location.
In short, I am surprised they dismissed OpenID so easily.
AccountKiller
#!/usr/bin/perl -wT
my @charset = ('A'..'Z','a'..'z',0..9,qw(+
my $length = 64;
my $iterations = 5;
print join('', (@charset)[map rand $_, (scalar @charset) x $length]) . "\n" for 1
I use this to generate impossible to remember passwords for all the sites and computers I access and router keys and stuff. I use a single passphrase to encrypt all of them and this works well in firefox by default (set a master password). I find it is possible for anyone to memorize a passphrase of 10 completely random digits in 2 weeks to a month (I have 4 in my head now). In that time, have the passphrase written down for reference and after that destroy it. Store a copy of all passwords externally on USB and make sure these are all protected using encryption protocols recognized by NSA for top secret documents. Never trust encrypting ur secrets with application based "encrypt" buttons... as these are usually made to be insecure so the company can protect their own butts. I am referring to fake encryption like when u click "OTR" in google chat or try to "encrypt" while using Skype.
Someone can't steal your money just by looking at it.