Slashdot Mirror


Passwords Not Going Away Any Time Soon

New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"

55 of 232 comments

  1. job security by tverbeek · · Score: 5, Funny

    Sounds like job security for those of us who reset passwords for a living.

    Drat.

    --
    http://alternatives.rzero.com/
    1. Re:job security by hawguy · · Score: 4, Insightful

      Sounds like job security for those of us who reset passwords for a living.

      Drat.

      Better to reset a password than find that your fingerprint scanners can be compromised by silly putty or your retinal scanners can be compromised by a picture painted on the back of a marble and instead of resetting a password, you're replacing hardware.

    2. Re:job security by kdemetter · · Score: 4, Insightful

      Biometrics are a form of identification, not authentication.
      It should always be used in conjunction with authentication, not to replace authentication.

      It's still very useful, because it saves time: you don't have to fill in your login ID: the system knows who you claim to be, and just requires your password to confirm it.

      So it can replace the user ID, but never the password.

    3. Re:job security by fish_in_the_c · · Score: 2

      This seems like a false dichotomy;
      all of these are just ways of establishing a trusted relationship.
      ex: consider a system that requires passwords to be unique but, after being given a password, uses it to decrypt a set of biometric templates and then authenticates the identity of the person using those biometrics.

      In the end it is all about HOW strong and how expensive your security needs to be.
      If we could build a computer that was more accurate than your best friend at identifying you using multiple biometrics (voice, face, body, smell, DNA), would that be good enough?

      The system could still be made more secure, very cheaply, by requiring you have a badge and know a PIN.

      Biometrics are possibly the most natural way of establishing trust, but they are also the most expensive way.

      They have the added disadvantage that once compromised, they are very difficult to change.

      --
      “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
    4. Re:job security by kdemetter · · Score: 2

      I never said you need biometrics for identification, it's a choice.
      A badge requiring a PIN is a very good example of identification and authentication used correctly.

      An advantage of biometrics could be that you don't have to worry about losing your badge. You always have your eyes and fingers with you?
      Of course, there should always be a fallback where you can type your username, in case something goes wrong (biometrics can fail to detect you, and a badge can malfunction).

    5. Re:job security by Max_W · · Score: 2

      You always have your eyes and fingers with you?

      Sorry to mention these sad facts, but there have been cases of fingers being cut off to steal an expensive car with biometric security, to get pension money in place of a dead man, etc.

      Biometrics are known to turn a trivial crime into a serious one.

    6. Re:job security by magisterx · · Score: 2

      There are a fair number of people without fingerprints though. There is a genetic condition that will cause it, as well as certain occupations/hobbies that will effectively sand them away (bricklaying is one amongst several).

    7. Re:job security by Joce640k · · Score: 2

      If we could build a computer that was more accurate than your best friend at identifying you using multiple biometrics (voice, face, body, smell, DNA), would that be good enough?

      Nope.

      Any "something you have" system can be compromised. A secure system needs something else, e.g. something you know.

      To put it in your context, you might fool your best friend visually but as soon as you open your mouth and start talking he'll know you're a fake because you won't have the basic social knowledge that he shares with his real friend.

      --
      No sig today...
    8. Re:job security by Joce640k · · Score: 4, Insightful

      Just think "Eyeballs on forks..." next time you believe biometrics solves anything.

      People leave a whole trail of biometrics behind them as they go through life - dropped hairs full of DNA, fingerprints on drinking glasses, etc. You can steal their biometrics just by following them around.

      Worse: If you steal their wallet they might notice it's missing but they won't notice you picking up a drinking glass after they leave a restaurant. You can steal their biometric identity without them ever knowing it.

      --
      No sig today...
  2. Unclassified Military by imamac · · Score: 3, Informative

    In the unclassified areas of the military, passwords are almost gone (at least for me) thanks to PKI and our CAC cards.

  3. But of course... by Kenja · · Score: 3, Interesting

    All biometric systems do is substitute a string of values gathered from the user's defining characteristics for a text string. It's the same thing in the end, and you will ALWAYS want a password backup to any biometric system as, despite popular understanding, your biometric signature can change. The best hand scanners, for example, measure blood flow and 3D characteristics using holographic imaging. Getting a cold can cause your fingers to swell and throw off the scanners. Wearing a ring can change your 3D hand scan. Etc, etc.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:But of course... by HockeyPuck · · Score: 4, Interesting

      Try breaking your wrist and having your hand/forearm in a cast...

      Exodus' solution was for me to use my left hand, upside down in the scanner and retake the initial scan since they only use right handed hand scanners.

    2. Re:But of course... by shadowrat · · Score: 4, Interesting

      Not to mention, many of them can be hacked in simplistic or macabre ways. A coworker was touting his new phone's biometric authentication and how it recognized his face. He claimed it used some new algorithm that couldn't be fooled by a picture. The claim seemed accurate since a printed picture of him could not unlock the phone. However, the phone happily unlocked when shown a picture of his face on my phone.

      I don't know why it works. Maybe the identification of a real face is taking lighting into account or something and a self-illuminated photo on an LCD throws it off. In any case it could still be defeated with his severed head. Now, a password might be given up under torture, but nobody is going to get it by killing you.

    3. Re:But of course... by Dan+East · · Score: 4, Insightful

      And what happens if your biometric signature is discovered? Obviously not from the biological side, but the digital side. After all, it's just a number. Of course it would require a more technical exploit at the software level to utilize, but the big downside is you can't change that signature like you can a password (you've only got so many fingerprints, or retinas, or whatever).

      --
      Better known as 318230.
    4. Re:But of course... by Nixoloco · · Score: 2

      In any case it could still be defeated with his severed head.

      That is macabre. I would think just tying him up and holding the phone up to his face would work just as well, or putting a gun to the back of his head, or if you must kill him I don't think removing the head is actually necessary. But hey, different strokes for different folks ;)

  4. Passwords make my brain hurt by na1led · · Score: 3, Insightful

    It's bad enough having to remember all my login names, but then sites don't like your password because it doesn't have caps, or isn't long enough, or doesn't have a number in it, forcing me to come up with a half dozen passwords to remember.

    --
    By all means let's be open-minded, but not so open-minded that our brains drop out.
    1. Re:Passwords make my brain hurt by Capt.DrumkenBum · · Score: 2

      Passwordsafe can be your friend.
      http://passwordsafe.sourceforge.net/

      --
      If I were God, wouldn't I protect my churches from acts of me?
  5. Re:Whatever happened to passphrases? by Millennium · · Score: 5, Insightful

    Yeah; I've got to say, the situation with passwords could be improved just by allowing more space for them. xkcd/diceware-style phrases just plain don't fit in most password fields, but they'd be easier to remember and more secure.

  6. Partial security by Anonymous Coward · · Score: 3, Insightful

    ...but still better than none.

    A proper security system is one that has tests for who you are, what you know, if you are under duress, and potentially if you should even be there that day.

    Such a security system is hard to make; in its simplest form it has a biometric component, two passwords (one for regular use, one to act like the proper password but alert security), and is hooked up with the scheduling system (not to lock out, but also to alert security). This is reasonable for high-stakes facilities, but sufficiently cumbersome that it gets in the way of getting things done for things like PC login and on-line transactions.

  7. Stop limiting password length by Pope · · Score: 5, Insightful

    Why does web site x have an 8 character length limit, alphanumeric only?

    Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

    Relevant XKCD: http://xkcd.com/936/

    Remember, you can't solve for the parts of a pw, only the whole thing in one go.

    --
    It doesn't mean much now, it's built for the future.
    1. Re:Stop limiting password length by MagicM · · Score: 5, Informative

      Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password "D0g....................." is harder to break than the password "PrXyc.N(n4k77#L!eVdAfp9". He makes this very clear in his password haystack reference guide and tester: "Once an exhaustive password search begins, the most important factor is password length!"

    2. Re:Stop limiting password length by hawguy · · Score: 4, Interesting

      Why does web site x have an 8 character length limit, alphanumeric only?

      Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

      And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password? I use the same (or similar) password at all non-important sites (discussion forums, etc, not anything that involves a credit card, bank account, or personal email). If they'd just post their password requirements when I'm entering the password (or at least after the first time I mistype the password), I'd be able to remember what password I used.

      I can't believe hiding the password requirements makes life any harder for a hacker (who could just create a dummy account to see the password requirements).

    3. Re:Stop limiting password length by Dan+East · · Score: 2

      Everything is migrating towards mobile devices, or at a minimum, some degree of accessibility from mobile devices. Longer, more complex passwords are even less conducive for use / convenience on mobile devices than computers with full keyboards. So I believe people are going to trend in the exact opposite direction - shorter passwords because they are easier to enter on mobile devices.

      --
      Better known as 318230.
    4. Re:Stop limiting password length by MagicM · · Score: 4, Insightful

      From the link:

      The example with "D0g....................." should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "" or "[*]" or "^-^" . . . but do invent your own!

        If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!

      The goal is to prevent brute-force hacking of your password, and the way to do that is by lengthening it. If you pick some long padding and add that to all your passwords, brute-force hacking it becomes prohibitively hard.

  8. CAC still uses passwords by tepples · · Score: 2

    Wikipedia's article about the CAC makes it out to be some sort of smart card, the same form factor commonly used along with a PIN for debit card payment in some countries. The CAC doesn't really remove passwords at all; a PIN is still needed.

    1. Re:CAC still uses passwords by imamac · · Score: 2

      Of course not. But if you get multiple trusted organizations to issue PKI certificates to load onto a smart card and every person to buy a smart card and reader for their computer and then get every website to add in the functionality...problem solved. Somebody make it happen.

  9. Hmmm... by Dripdry · · Score: 2

    Seems like a conflict of interest to me: "Oh, passwords are here to stay!" seems to be FUD designed to discourage people from innovating so that Microsoft can find the patent first (because it'll eventually supplant their password system and the IP birds will come home to roost).

    --
    -
  10. Security. by fish_in_the_c · · Score: 4, Informative

    I have worked for years with security and authentication.
    There are three ways to establish trust: something you have, something you are, something you know.
    That will never change, and most any one of them can be compromised; thus it is better to build systems that use
    more than one.

    car keys (something you have)
    thumbprint (something you are)
    password / passphrase / etc. (something you know)

    All three together are more secure, and more trust can be built by using multiple aspects, but the easiest will probably always be something you know.

    Think about authentication before computers.

    Go to the bank (hopefully the banker recognized you (multiple biometrics))
    do you have your checkbook / check card / passbook?
    do you have a PIN / password etc.?

    It really won't ever get much better; you can use more and more biometrics but that won't stop fraud, only make it more costly.

    --
    “Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.”
    1. Re:Security. by Anne_Nonymous · · Score: 5, Funny

      >> Something you have , something are , something you know.

      My brother-in-law's password oughta be assholeassholeasshole.

    2. Re:Security. by Laur · · Score: 2

      there are three ways to establish trust: something you have, something you are, something you know.

      This is incorrect, there are only two. "Something you are" (fingerprints, retinas, etc.) is really just another kind of "something you have". The only differences between biometrics and something like a physical key or access card are that biometrics are horribly insecure (how many objects have you left your fingerprints on today?) and nearly impossible to replace if they get compromised.

      --
      When you lose something irreplaceable, you don't mourn for the thing you lost, you mourn for yourself. - Harpo Marx
  11. Get it right the first time? by tepples · · Score: 5, Insightful

    Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.

    1. Re:Get it right the first time? by Anne_Nonymous · · Score: 3, Funny

      connectwhore'sbantertable

      Yup, works fine.

  12. Re:Duh? by hedwards · · Score: 4, Insightful

    That was my thought: biometrics is an interesting trick, but if they manage to compromise the system you have limited options for changing it. Most people only have 10 fingers and 2 eyes, and if somebody manages to compromise one of those you very quickly run low on options. And that doesn't even include what happens if you lose an eye or a finger, or if one is just badly damaged to the point of being unreadable.

    I remember seeing a bit of a BBC program years back where the guy was using biometrics for a safe but couldn't get in. It turned out that because he was wearing contacts the sensor didn't identify his eye, and the safe wouldn't open until he took the contacts out.

  13. Device security by dinodriver · · Score: 2

    As more and more of my "online" activities take place on the iPhone instead of the computer, password management has become much easier. Other than bank accounts, all login info is kept by the phone and I never have to log in to anything: counting on the password lock of the phone itself to keep my stuff private should someone pick up my phone. But someone could overcome my 4-digit passkey or observe it (I know my wife's because every time she has trouble with her phone she asks me for help and so I witness her unlock it). What would really be better is if devices had bio-based locking features so that only their assigned users could open them. One big padlock for the house, so to speak, so that we can safely leave all the contents unlocked and easier to use.

  14. Re:Duh? by Joce640k · · Score: 3, Interesting

    Ummm...simple answer, Microsoft/IBM/rest of world:

    Start adding a "please generate a good password for me because I'm too ignorant to do it myself and I'll choose '123456' " button to your user interfaces.

    --
    No sig today...
  15. Timely Missive About a Credential Hack by djl4570 · · Score: 3, Informative
    http://www.theregister.co.uk/2012/01/13/sykipot_trojan_dod_smart_card_attack/

    A new strain of the Sykipot Trojan is being used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, according to security researchers. ... Chinese hackers have adapted the Sykipot Trojan to lift card credentials from compromised systems in order to access classified military networks, according to researchers at security tools firm AlienVault.

  16. Re:Whatever happened to passphrases? by Dr_Barnowl · · Score: 5, Informative

    The stupid part is that the limit on the password field is just a piece of UI.

    If they're doing it right, they're storing a hash of the password. The hashes are all the same size. You should be able to carry around a USB device that emulates a keyboard and types out the declaration of independence (without using enter) and use that as a password.

    Systems that limit the password to, say, 13 characters bug the crap out of me, because I often choose passwords that are longer.

    Systems that limit the password size because they are storing them as plaintext should of course have their source printed out and ritually burned.

  17. Re:Whatever happened to passphrases? by ISoldat53 · · Score: 2

    When will developers allow spaces in passwords? If they were allowed it would be much easier to use a phrase as a password.

  18. Re:Whatever happened to passphrases? by Dr_Barnowl · · Score: 3, Interesting

    I just realized that my bank must be doing this (or at least using reversible encryption) because it uses the whole positional character schtick. Damn.

  19. Re:Whatever happened to passphrases? by marcosdumay · · Score: 2

    They are passwords. It is just that they are longer, and have less entropy per character. And our minds work better with them.

    But, besides that, they are just passwords.

  20. 10 passwords too much? by Feyshtey · · Score: 2, Insightful

    Security built to accommodate laziness pretty much assures compromise.

    --
    "But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
  21. Re:Whatever happened to passphrases? by StevenMaurer · · Score: 4, Insightful

    The problem in the real world with XKCD/diceware-style phrases is that English words become keys. You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

    In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

    Add in that many words are going to be used far more frequently than others, and it really isn't much different than the "misspell and stick in an odd character" method. And it's actually worse than sticking an odd character or two somewhere in the middle of your password.

  22. Re:Whatever happened to passphrases? by 140Mandak262Jamuna · · Score: 2

    The problem is the most common password for techie site is "horse battery staple correct".

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  23. Anybody remember client-side digital certificates? by dmorin · · Score: 2
    About a million years ago (1997, maybe?) I worked for a financial company that wanted to implement client-side digital certificates. No more passwords! At a time when all the web stuff was coded in Perl making external calls to a C library that talked to something called a "SafeKeypr" box to generate the actual certificates, it was pretty darned advanced. That crucial bit of hardware in the middle was so secure that it literally had several WarGames-style keys that all had to be inserted simultaneously for the thing to work. At one point when it needed to be debugged, the tech wouldn't even let me see how she cracked it open, she just took the whole box back to her lab. (Neat - just found a link to a book on the project I never knew existed. I wrote that code ;)

    And yet, here we are almost 15 years later still using usernames and passwords. Oh, well. Was a fun project. :)

    True story -- when the project launched we had a big event, with everybody gathered around the box to turn their keys. Then they all took their key and scattered off to wherever, what with the whole "must keep the keys off site and multiple locations" thing. What nobody realized is that the network center (we did our own hosting) had already posted plans for a scheduled power outage that weekend, and nobody'd connected these particular thoughts. So they cycled power in the room to do whatever it is that they did, and the box didn't come back online. Somebody contacted me. I told them to round everybody up to come back and turn their keys again. :)

  24. Re:Whatever happened to passphrases? by godIsaDJ · · Score: 3, Informative

    Actually that's not the way that works. They are using a Zero-Knowledge protocol.

  25. brute force in the Slepian-Wolf social network by epine · · Score: 3, Informative

    Brute force security needs to be evaluated under the assumption that a Russian botnet has compromised a large number of social networking sites, and gained three to five different clear-text passwords (of possibly no great importance) associated with the targeted user. They now also know--or strongly suspect--the identities of your financial institutions.

    Using commonalities of the exposed password set, the botnet bastards will attempt to model your personal password generation heuristic. Since they are not stupider than bricks, they might also assume that your bank password is similar, but fortified to the next level. Gaining some experience in cracking bank passwords, they'll soon have a model for that, too.

    My Thomas and Cover from 1991, which happens to be at hand, has chapters on "Jointly typical sequences", "Encoding of correlated sources", and "Source coding with side information". This last section makes reference to Slepian-Wolf encoding, which is kind of interesting. I hadn't spotted that before.

    On Slepian-Wolf compression, in memory of Jack Wolf

    Along with David Slepian, Wolf proved the Slepian-Wolf theorem: as long as certain conditions are met, files X and Y can be compressed to H(X,Y), even if the X server has no knowledge of file Y, and vice versa.

    This might not be precisely the right theory to apply to the breaking of password clusters, but the guy doing the math on that has probably read these papers.

    Way too little concern is placed on the independence of the passwords chosen, and this vulnerability increases rapidly with the proliferation of passwords used. I'm sure I have more than 100 passwords out in the wild, many held by hopelessly incompetent and untrusted internet discussion forums.

    Even a single compromised site can form a model of your password heuristic if you're duped into changing it often.

    It wouldn't surprise me that if everyone adopted the four word xkcd approach, that for many individuals, entropy per word is closer to seven or eight bits than eleven, where concrete nouns of five to eight letters predominate, and a further bias to concrete nouns that are visually active in the mind's eye, and 40% of all such passwords contain at least one animal word.

    That's where brute force would begin: assume at least one common animal word (four to five bits; since cat/dog don't make the cut, you'll be seeing a lot of parrot/leopard/zebra/unicorn).

    unicornprincesscastledragon

    I've cracked one already.

  26. Re:Duh? by Samantha+Wright · · Score: 3, Funny

    President Skroob: Did it work? Where's the king?
    Dark Helmet: It worked, sir. We have the combination.
    President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
    Colonel Sandurz: 1-2-3-4-5
    President Skroob: 1-2-3-4-5?
    Colonel Sandurz: Yes!
    President Skroob: That's amazing. I've got the same combination on my luggage.

    --
    Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  27. Re:Whatever happened to passphrases? by TheLink · · Score: 4, Informative

    You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

    In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

    2^44 is 1.7592186 * 10^13, which is SMALLER than 3.906 * 10^17. So if you assume a 25000 word vocab you have MORE than 44 bits of entropy with the passphrases approach. It may not be impossible to crack, but it's harder than the stupid "hard to remember by normal people" passwords. Which is the xkcd example's point, which I guess assumes a conservative 3000 common word vocabulary.

    --
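    The arithmetic in comments 21 and 27 above (a 25,000-word vocabulary raised to the fourth power against 2^44), the lower per-word entropy that comment 25 argues for when people favour a biased subset of words, and the length-ordered exhaustive search behind the "haystack" comment, worked through in Python. This is an added example, not code from the thread or from any of the tools mentioned; the 95-symbol printable ASCII alphabet and the 7.5-bits-per-word figure are assumptions for illustration.

```python
import math

# Figures quoted in the thread (constants constructed for this example).
AVG_VOCAB = 25_000      # "size of average person's vocabulary" from comment 21
COMMON_VOCAB = 3_000    # the "conservative 3000 common word" guess from comment 27
XKCD_VOCAB = 2_048      # 2^11 words: exactly 11 bits per word, 44 bits for four words
PRINTABLE_ASCII = 95    # assumed alphabet for the character-password comparison


def passphrase_search_space(vocab_size: int, words: int) -> int:
    """Number of passphrases an attacker who knows the word list must try.

    Every word is assumed to be drawn uniformly from the list, so this is
    vocab_size ** words; it is an upper bound on the real search space.
    """
    return vocab_size ** words


def entropy_bits(search_space: int) -> float:
    """Entropy in bits of a uniform choice over `search_space` candidates."""
    return math.log2(search_space)


def biased_search_space(bits_per_word: float, words: int) -> int:
    """Search space when word choice is not uniform.

    Comment 25 argues that people's effective entropy per word is closer to
    7 or 8 bits than 11 because they favour short, concrete nouns; this maps
    such an assumed per-word figure back to an equivalent number of guesses.
    """
    return round(2 ** (bits_per_word * words))


def fixed_length_search_space(alphabet_size: int, length: int) -> int:
    """Character passwords of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def haystack_search_space(alphabet_size: int, max_length: int) -> int:
    """Exhaustive search in length order: every string of length 1..max_length.

    This is the framing in the 'haystack' comment: once an exhaustive search
    begins, each extra character multiplies the work by the alphabet size,
    regardless of how 'complex' the individual characters look.
    """
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def beats_44_bits(vocab_size: int, words: int = 4) -> bool:
    """True when vocab_size**words strictly exceeds the xkcd figure of 2**44."""
    return passphrase_search_space(vocab_size, words) > 2 ** 44


if __name__ == "__main__":
    for label, vocab in (("25,000-word", AVG_VOCAB),
                         ("3,000-word", COMMON_VOCAB),
                         ("2,048-word", XKCD_VOCAB)):
        space = passphrase_search_space(vocab, 4)
        print(f"{label} list, 4 words: {space:.3e} guesses, "
              f"{entropy_bits(space):.1f} bits, beats 2^44: {beats_44_bits(vocab)}")
    print(f"2^44 = {2 ** 44:.3e}")

    # Biased-choice model from comment 25: assume 7.5 bits per word instead of 11.
    print(f"7.5 bits/word, 4 words: {biased_search_space(7.5, 4):.3e} guesses")

    # Length versus per-character complexity under a length-ordered exhaustive
    # search, using the two example passwords from the haystack comment.
    padded = "D0g....................."
    random_looking = "PrXyc.N(n4k77#L!eVdAfp9"
    work_padded = haystack_search_space(PRINTABLE_ASCII, len(padded))
    work_random = haystack_search_space(PRINTABLE_ASCII, len(random_looking))
    print(f"{len(padded)}-char padded: {work_padded:.3e} strings searched")
    print(f"{len(random_looking)}-char random-looking: {work_random:.3e} strings searched")
    print(f"longer one is found later: {work_padded > work_random}")
```

    The haystack figure only holds while the attacker has no model of the padding; a guess list that already contains runs of dots collapses the padded case to the search space of the short prefix, which is the caveat comment 28 quotes from the same source.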
  28. Re:Whatever happened to passphrases? by Cinder6 · · Score: 4, Informative

    My bank has a similar ridiculous restriction. 14 characters max, limited subset of symbols allowed. Because of this, my bank password is my least secure password, while it should be one of the strongest. I find it amusing that my WoW account is much more secure than my bank (greater password freedom + authenticator)--at least from an authentication standpoint.

    Mac users can use a program called 1Password to manage their passwords. It stores them in an encrypted file that you use a master password to unlock. And you can use browser extensions to have it automatically log in to any site you've told it about, and it will generate passwords for you as well. It's the best solution I've found for having unique, strong passwords for every site or system you have a login for. Just make sure you choose a smart master password.

    (There's an iOS version, too, that syncs with the standalone app, so you have access to your passwords on the go.)

    Anyone know of something similar for other platforms? I'd like to get the rest of my family using stronger passwords than pet names or whatever they're using.

    --
    If you can't convince them, convict them.
  29. Re:Whatever happened to passphrases? by krinderlin · · Score: 2

    LastPass for those of us in Android land. :-)

  30. Re:Whatever happened to passphrases? by jimicus · · Score: 2

    Systems that limit the password to, say, 13 characters bug the crap out of me, because I often choose passwords that are longer.

    IME the great majority of password limitations arise because of a very particular set of circumstances:

    1. A system is set up. For whatever reason, it doesn't let you have passwords with more than 13 characters.
    2. The head of IT reads an article concerning this system. This article notes that because of the way passwords are stored, the most secure password contains 8-13 characters. Before long, a policy is dictated stating that passwords must contain 8-13 characters for security reasons.
    3. A new system is brought in that integrates with the system in 1. This new system has issues with punctuation characters in passwords - it won't authenticate if your password contains any punctuation. So the policy gets an update. New passwords are purely alphanumeric, no punctuation.
    4. The head of IT moves on.
    5. The authentication is moved away from the system set up in (1); the new system doesn't have the 8-13 character issue. But the policy stays in place - nobody actually knows why it was brought in but it specifically says "for security reasons" so there must have been a good reason.
    6. The system in (3) is retired. None of the remaining systems suffer from the punctuation issue.
    7. Repeat steps 2-6 until you have a list of policies that effectively mean the dictionary of potential passwords that humans are likely to choose has about 100 combinations.

  31. Re:Duh? by lorenlal · · Score: 2
  32. Re:Whatever happened to passphrases? by Amouth · · Score: 2

    That doesn't quite address his concern on how the bank knows the value at a specific position in his password, which should be stored in a one-way hash where you need the whole password to verify the hash.

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  33. Re:Duh? by Anrego · · Score: 3, Insightful

    The big problem I see is revocation.

    Once biometric phishing shows up or a database gets popped, your prints are out there... and as was said, you can't exactly go out and get new ones.

    I've always been a fan of multifactor for stuff we want secure (banking mainly) .. yes you can copy someone's fingerprint, steal someone's keyfob, and snatch someone's password .. but doing all three is tricky without them noticing.

    For stuff we care less about, passwords will probably be king for a long time, because anything more secure is also more of a pain ..

  34. Re:Duh? by sco08y · · Score: 3, Interesting

    Publishing a comic isn't going to make people choose better passwords.

    People have had well over a decade to learn about choosing passwords but they're as ignorant as ever.

    The only way forward is to take the choice out of their hands. Use the XKCD method if you want, just don't let the users do it themselves.

    In many cases, you *can't* use the xkcd method because:
    a. the password field is too short
    b. the password checker rejects common words
    c. you can't see what you're typing when you enter the password

    The problem generally isn't the users' ignorance, it's the assholes writing the password system.