Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passwords Not Going Away Any Time Soon

Posted by Soulskill on from the 12345-letmein dept.

New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"

33 of 232 comments (clear)

  1. job security by tverbeek · · Score: 5, Funny

    Sounds like job security for those of us who reset passwords for a living.

    Drat.

    --
    http://alternatives.rzero.com/
    1. Re:job security by hawguy · · Score: 4, Insightful

      Sounds like job security for those of us who reset passwords for a living.

      Drat.

      Better to reset a password than find that your fingerprint scanners can be compromised by silly putty or your retinal scanners can be compromised by a picture painted on the back of a marble and instead of resetting a password, you're replacing hardware.

    2. Re:job security by kdemetter · · Score: 4, Insightful

      Biometrics are a form of identification , not authentication.
      It should always be used in conjunction with authentication, not to replace authentication.

      It's still very usefull , because it saves time : you don't have to fill in your login id : the systems knows who you claim to be, and just requires your password to confirm it.

      So it can replace the userid , but never the password.

      --
      Slipping shoelaces ?
    3. Re:job security by Joce640k · · Score: 4, Insightful

      Just think "Eyeballs on forks..." next time you believe biometrics solves anything.

      People leave a whole trail of biometrics behind them as they go through life - dropped hairs full of DNA, fingerprints on drinking glasses, etc. You can steal their biometrics just by following them around.

      Worse: If you steal their wallet they might notice it's missing but they won't notice you picking up a drinking glass after they leave a restaurant. You can steal their biometric identity without them ever knowing it.

      --
      No sig today...
  2. Unclassified Military by imamac · · Score: 3, Informative

    In the unclassified areas of the military passwords are almost gone (at least for me) by using PKI and our CAC cards.

  3. But of course... by Kenja · · Score: 3, Interesting

    All biometric systems do is substitute a text string for a string of values gathered from the users defining characteristics. Its the same thing in the end, and you will ALWAYS want a password backup to any biometric system as, despite popular understanding, your biometric signature can change. The best hand scanners for example mesure blood flow and 3D characteristics using holographic imaging. Getting a cold can cause your fingers to swell and throw off the scanners. Wearing a ring can change your 3D hand scan. Etc, etc.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:But of course... by HockeyPuck · · Score: 4, Interesting

      Try breaking your wrist and having your hand/forearm in a cast...

      Exodus' solution was for me to use my left hand, upside down in the scanner and retake the initial scan since they only use right handed hand scanners.

    2. Re:But of course... by shadowrat · · Score: 4, Interesting

      not to mention, many of them can be hacked in simplistic or macabre ways. a coworker was touting his new phone's biometric authentication and how it recognized his face. He claimed it used some new algorithm that couldn't be fooled by a picture. The claim seemed accurate since a printed picture of him could not unlock the phone. However, the phone happily unlocked when shown a picture of his face on my phone.

      I don't know why it works. Maybe the identification of a real face is taking lighting into account or something and a self illuminated photo on an lcd throws it off. In any case it could still be defeated with his severed head. Now, a password might be given up under torture, but nobody is going to get it by killing you.

    3. Re:But of course... by Dan+East · · Score: 4, Insightful

      And what happens if your biometric signature is discovered? Obviously not from the biological side, but the digital side. After all, it's just a number. Of course it would require a more technical exploit at the software level to utilize, but the big downside is you can't change that signature like you can a password (you've only got so many finger prints, or retinas, or whatever).

      --
      Better known as 318230.
  4. Passwords make my brain hurt by na1led · · Score: 3, Insightful

    It's bad enough having to remember all my login names, but when sites don't like your password because it doesn't have Caps, or long enough, or a number in it. Forcing me to come up with a half dozen passswords to remember.

    --
    -- By all means let's be open-minded, but not so open-minded that our brains drop out.
  5. Re:Whatever happened to passphrases? by Millennium · · Score: 5, Insightful

    Yeah; I've got to say, the situation with passwords could be improved just by allowing more space for them. xkcd/diceware-style phrases just plain don't fit in most password fields, but they'd be easier to remember and more secure.

  6. Partial security by Anonymous Coward · · Score: 3, Insightful

    ...but still better than none.

    A proper security system is one that has tests for who you are, what you know, if you are under duress, and potentially if you should even be there that day.

    Such a security system is hard to make, in the simplest form it has a biometric component, two passwords (one for regular use, one to act like the proper password but alert security), and is hooked up with the scheduling system (not to lockout, but also alert security). This is reasonable for high stakes facilities, but sufficiently cumbersome that it gets in the way of getting things done for things like PC login and on-line transactions.

  7. Stop limiting password length by Pope · · Score: 5, Insightful

    Why does web site x have an 8 character length limit, alphanumeric only?

    Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

    Relevant XKCD: http://xkcd.com/936/

    Remember, you can't solve for the parts of a pw, only the whole thing in one go.

    --
    It doesn't mean much now, it's built for the future.
    1. Re:Stop limiting password length by MagicM · · Score: 5, Informative

      Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password "D0g....................." is harder to break than the password "PrXyc.N(n4k77#L!eVdAfp9". He makes this very clear in his password haystack reference guide and tester: "Once an exhaustive password search begins, the most important factor is password length!"

    2. Re:Stop limiting password length by hawguy · · Score: 4, Interesting

      Why does web site x have an 8 character length limit, alphanumeric only?

      Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

      And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password? I use the same (or similar) password at all non-important sites (discussion forums, etc, not anything that involves a credit card, bank account, or personal email). If they'd just post their password requirements when I'm entering the password (or at least after the first time I mistype the password), I'd be able to remember what password I used.

      I can't believe hiding the password requirements makes life any harder for a hacker (who could just create a dummy account to see the password requirements).

    3. Re:Stop limiting password length by MagicM · · Score: 4, Insightful

      From the link:

      The example with "D0g....................." should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "" or "[*]" or "^-^" . . . but do invent your own!

        If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!

      The goal is to prevent brute-foce hacking of your password, and the way to do that is by lengthening it. If you pick some long padding and add that to all your passwords, brute-force hacking it becomes prohibitively hard.

  8. Securty. by fish_in_the_c · · Score: 4, Informative

    I have worked for years with security and authentication.
    there are three ways to establish trust. Something you have , something are , something you know.
    that will never change. and most any one of them can be compromised. thus it is better to build systems that use
    more then one.

    care keys ( something you have)
    thumb print ( something you are)
    password/ pass phrase/ etc. ( something you know) .

    all three together are more secure and more trust can be built by using multiple aspects but the easiest will be probably always be something you know.

    Think about it authentication before computers.

    Go to the bank ( hopefully the banker recognized you ( multiple bio metric) )
    do you have your checkbook / check card/ pass book?
    do you have a pin / password etc.

    it really won't ever get much better you can use more and more bio metrics but that won't stop fraud only make it more costly.

    --
    âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
    1. Re:Securty. by Anne_Nonymous · · Score: 5, Funny

      >> Something you have , something are , something you know.

      My brother-in-law's password oughta be assholeassholeasshole.

  9. Get it right the first time? by tepples · · Score: 5, Insightful

    Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.

    1. Re:Get it right the first time? by Anne_Nonymous · · Score: 3, Funny

      connectwhore'sbantertable

      Yup, works fine.

  10. Re:Duh? by hedwards · · Score: 4, Insightful

    That was my thought, biometrics is an interesting trick, but if they manage to compromise the system you have limited options for changing it. Most people only have 10 fingers and 2 eyes and if somebody manages to compromise on of those you very quickly run low on options. And that doesn't even include what happens if you lose an eye or a finger or if one is just badly damaged to the point of being unreadable.

    I remember seeing a bit of a BBC program years back where the guy was using biometrics for a safe but couldn't get in. It turned out that because he was wearing contacts that the sensor didn't identify his eye and the safe wouldn't open until he took the contacts out.

  11. Re:Duh? by Joce640k · · Score: 3, Interesting

    Ummm...simple answer, Microsoft/IBM/rest of world:

    Start adding a "please generate a good password for me because I'm too ignorant to do it myself and I'll choose '123456' " button to your user interfaces.

    --
    No sig today...
  12. Timely Missive About a Credential Hack by djl4570 · · Score: 3, Informative
    http://www.theregister.co.uk/2012/01/13/sykipot_trojan_dod_smart_card_attack/

    A new strain of the Sykipot Trojan is been used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, according to security researchers. ... Chinese hackers have adapted the Sykipot Trojan to lift card credentials from compromised systems in order to access classified military networks, according to researchers at security tools firm AlienVault.

  13. Re:Whatever happened to passphrases? by Dr_Barnowl · · Score: 5, Informative

    The stupid part is that the limit on the password field is just a piece of UI.

    If they're doing it right, they're storing a hash of the password. The hashes are all the same size. You should be able to carry around a USB device that emulates a keyboard and types out the declaration of independence (without using enter) and use that as a password.

    Systems that limit the password to, say, 13 characters bug the crap out of me, because I often chose passwords that are longer.

    Systems that limit the password size because they are storing them as plaintext, should of course have their source printed out and ritually burned.

  14. Re:Whatever happened to passphrases? by Dr_Barnowl · · Score: 3, Interesting

    I just realized that my bank must be doing this (or at least using reversible encryption) because it uses the whole positional character schtick. Damn.

  15. Re:Whatever happened to passphrases? by StevenMaurer · · Score: 4, Insightful

    The problem in the real world with XKCD/diceware-style phrases, is that English words become keys. You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

    In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

    Add in that many words are going to be used far more frequently than others, and it really isn't much different than the "misspell and stick in an odd character" method. And it's actually worse than sticking an odd character or two somewhere in the middle of your password.

  16. Re:Whatever happened to passphrases? by godIsaDJ · · Score: 3, Informative

    Actually that's not the way that works. They are using a Zero-Knowledge protocol.

  17. brute force in the Slepian-Wolf social network by epine · · Score: 3, Informative

    Brute force security needs to be evaluated under the assumption that a Russian botnet has compromised a large number of social networking sites, and gained three to five different clear-text passwords (of possibly no great importance) associated with the targeted user. They now also know--or strongly suspect--the identities of your financial institutions.

    Using commonalities of the exposed password set, the botnet bastards will attempt to model your personal password generation heuristic. Since they are not stupider than bricks, they might also assume that your bank password is similar, but fortified to the next level. Gaining some experience in cracking bank passwords, they'll soon have a model for that, too.

    My Thomas and Cover from 1991, which happens to be at hand, has chapters on "Jointly typical sequences", "Encoding of correlated sources", and "Source coding with side information". This last section makes reference to Slepian-Wolf encoding, which is kind of interesting. I hadn't spotted that before.

    On Slepian-Wolf compression, in memory of Jack Wolf

    Along with David Slepian, Wolf proved the Slepian-Wolf theorem: as long as certain conditions are met, files X and Y can be compressed to H(X,Y), even if the X server has no knowledge of file Y, and vice versa.

    This might not be precisely the right theory to apply to the breaking of password clusters, but the guy doing the math on that has probably read these papers.

    Way too little concern is placed on the independence of the passwords chosen, and this vulnerability increases rapidly with the proliferation of passwords used. I'm sure I have more than 100 passwords out in the wild, many held by hopelessly incompetent and untrusted internet discussion forums.

    Even a single compromised site can form a model of your password heuristic if you're duped into changing it often.

    It wouldn't surprise me that if everyone adopted the four word xkcd approach, that for many individuals, entropy per word is closer to seven or eight bits than eleven, where concrete nouns of five to eight letters predominate, and a further bias to concrete nouns that are visually active in the mind's eye, and 40% of all such passwords contain at least one animal word.

    That's where brute force would begin: assume at least one common animal word (four to five bits; since cat/dog don't make the cut, you'll be seeing a lot of parrot/leopard/zebra/unicorn).

    unicornprincesscastledragon

    I've cracked one already.

  18. Re:Duh? by Samantha+Wright · · Score: 3, Funny

    President Skroob: Did it work? Where's the king?
    Dark Helmet: It worked, sir. We have the combination.
    President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
    Colonel Sandurz: 1-2-3-4-5
    President Skroob: 1-2-3-4-5?
    Colonel Sandurz: Yes!
    President Skroob: That's amazing. I've got the same combination on my luggage.

    --
    Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  19. Re:Whatever happened to passphrases? by TheLink · · Score: 4, Informative

    You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

    In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

    2^44 is 1.7592186 * 10^13, which is SMALLER than 3.906 * 10^17. So if you assume a 25000 word vocab you have MORE than 44 bits of entropy with the passphrases approach. It may not be impossible to crack, but it's harder than the stupid "hard to remember by normal people" passwords. Which is the xkcd example's point, which I guess assumes a conservative 3000 common word vocabulary.

    --
  20. Re:Whatever happened to passphrases? by Cinder6 · · Score: 4, Informative

    My bank has a similar ridiculous restriction. 14 characters max, limited subset of symbols allowed. Because of this, my bank password is my least secure password, while it should be one of the strongest. I find it amusing that my WoW account is much more secure than my bank (greater password freedom + authenticator)--at least from an authentication standpoint.

    Mac users can use a program called 1Password to manage their passwords. It stores them in an encrypted file that you use a master password to unlock. And you can use browser extensions to have it automatically login to any site you've told it about, and it will generate passwords for you as well. It's the best solution I've found for having unique, strong passwords for every site or system you have a login for. Just make sure you choose a smart master password.

    (There's an iOS version, too, that syncs with the standalone app, so you have access to your passwords on the go.)

    Anyone know of something similar for other platforms? I'd like to get the rest of my family using stronger passwords than pet names or whatever they're using.

    --
    If you can't convince them, convict them.
  21. Re:Duh? by Anrego · · Score: 3, Insightful

    The big problem I see is revocation.

    Once biometric phishing shows up or a database gets popped, your prints are out there... and as was said, you can't exactly go out and get new ones.

    I've always been a fan of multifactor for stuff we want secure (banking mainly) .. yes you can copy someones fingerprint, steal someones keyfob, and snatch someones password .. but doing all three is tricky without them noticing.

    For stuff we care less about, passwords will probably be king for a long time, because anything more secure is also more of a pain ..

  22. Re:Duh? by sco08y · · Score: 3, Interesting

    Publishing a comic isn't going to make people choose better passwords.

    People have had well over a decade years to learn about choosing passwords but they're as ignorant as ever.

    The only way forward is to take the choice out of their hands. Use the XKCD method if you want, just don't let the users do it themselves.

    In many cases, you *can't* use the xkcd method because:
    a. the password field is too short
    b. the password checker rejects common words
    c. you can't see what you're typing when you enter the password

    The problem generally isn't the users' ignorance, it's the assholes writing the password system.