Slashdot Mirror

← Back to Stories (view on slashdot.org)

Passwords Not Going Away Any Time Soon

Posted by Soulskill on from the 12345-letmein dept.

New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"

20 of 232 comments (clear)

  1. job security by tverbeek · · Score: 5, Funny

    Sounds like job security for those of us who reset passwords for a living.

    Drat.

    --
    http://alternatives.rzero.com/
    1. Re:job security by hawguy · · Score: 4, Insightful

      Sounds like job security for those of us who reset passwords for a living.

      Drat.

      Better to reset a password than find that your fingerprint scanners can be compromised by silly putty or your retinal scanners can be compromised by a picture painted on the back of a marble and instead of resetting a password, you're replacing hardware.

    2. Re:job security by kdemetter · · Score: 4, Insightful

      Biometrics are a form of identification , not authentication.
      It should always be used in conjunction with authentication, not to replace authentication.

      It's still very usefull , because it saves time : you don't have to fill in your login id : the systems knows who you claim to be, and just requires your password to confirm it.

      So it can replace the userid , but never the password.

      --
      Slipping shoelaces ?
    3. Re:job security by Joce640k · · Score: 4, Insightful

      Just think "Eyeballs on forks..." next time you believe biometrics solves anything.

      People leave a whole trail of biometrics behind them as they go through life - dropped hairs full of DNA, fingerprints on drinking glasses, etc. You can steal their biometrics just by following them around.

      Worse: If you steal their wallet they might notice it's missing but they won't notice you picking up a drinking glass after they leave a restaurant. You can steal their biometric identity without them ever knowing it.

      --
      No sig today...
  2. Re:Whatever happened to passphrases? by Millennium · · Score: 5, Insightful

    Yeah; I've got to say, the situation with passwords could be improved just by allowing more space for them. xkcd/diceware-style phrases just plain don't fit in most password fields, but they'd be easier to remember and more secure.

  3. Stop limiting password length by Pope · · Score: 5, Insightful

    Why does web site x have an 8 character length limit, alphanumeric only?

    Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

    Relevant XKCD: http://xkcd.com/936/

    Remember, you can't solve for the parts of a pw, only the whole thing in one go.

    --
    It doesn't mean much now, it's built for the future.
    1. Re:Stop limiting password length by MagicM · · Score: 5, Informative

      Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password "D0g....................." is harder to break than the password "PrXyc.N(n4k77#L!eVdAfp9". He makes this very clear in his password haystack reference guide and tester: "Once an exhaustive password search begins, the most important factor is password length!"

    2. Re:Stop limiting password length by hawguy · · Score: 4, Interesting

      Why does web site x have an 8 character length limit, alphanumeric only?

      Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

      And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password? I use the same (or similar) password at all non-important sites (discussion forums, etc, not anything that involves a credit card, bank account, or personal email). If they'd just post their password requirements when I'm entering the password (or at least after the first time I mistype the password), I'd be able to remember what password I used.

      I can't believe hiding the password requirements makes life any harder for a hacker (who could just create a dummy account to see the password requirements).

    3. Re:Stop limiting password length by MagicM · · Score: 4, Insightful

      From the link:

      The example with "D0g....................." should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "" or "[*]" or "^-^" . . . but do invent your own!

        If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!

      The goal is to prevent brute-foce hacking of your password, and the way to do that is by lengthening it. If you pick some long padding and add that to all your passwords, brute-force hacking it becomes prohibitively hard.

  4. Securty. by fish_in_the_c · · Score: 4, Informative

    I have worked for years with security and authentication.
    there are three ways to establish trust. Something you have , something are , something you know.
    that will never change. and most any one of them can be compromised. thus it is better to build systems that use
    more then one.

    care keys ( something you have)
    thumb print ( something you are)
    password/ pass phrase/ etc. ( something you know) .

    all three together are more secure and more trust can be built by using multiple aspects but the easiest will be probably always be something you know.

    Think about it authentication before computers.

    Go to the bank ( hopefully the banker recognized you ( multiple bio metric) )
    do you have your checkbook / check card/ pass book?
    do you have a pin / password etc.

    it really won't ever get much better you can use more and more bio metrics but that won't stop fraud only make it more costly.

    --
    âoeTolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
    1. Re:Securty. by Anne_Nonymous · · Score: 5, Funny

      >> Something you have , something are , something you know.

      My brother-in-law's password oughta be assholeassholeasshole.

  5. Get it right the first time? by tepples · · Score: 5, Insightful

    Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.

  6. Re:Duh? by hedwards · · Score: 4, Insightful

    That was my thought, biometrics is an interesting trick, but if they manage to compromise the system you have limited options for changing it. Most people only have 10 fingers and 2 eyes and if somebody manages to compromise on of those you very quickly run low on options. And that doesn't even include what happens if you lose an eye or a finger or if one is just badly damaged to the point of being unreadable.

    I remember seeing a bit of a BBC program years back where the guy was using biometrics for a safe but couldn't get in. It turned out that because he was wearing contacts that the sensor didn't identify his eye and the safe wouldn't open until he took the contacts out.

  7. Re:But of course... by HockeyPuck · · Score: 4, Interesting

    Try breaking your wrist and having your hand/forearm in a cast...

    Exodus' solution was for me to use my left hand, upside down in the scanner and retake the initial scan since they only use right handed hand scanners.

  8. Re:But of course... by shadowrat · · Score: 4, Interesting

    not to mention, many of them can be hacked in simplistic or macabre ways. a coworker was touting his new phone's biometric authentication and how it recognized his face. He claimed it used some new algorithm that couldn't be fooled by a picture. The claim seemed accurate since a printed picture of him could not unlock the phone. However, the phone happily unlocked when shown a picture of his face on my phone.

    I don't know why it works. Maybe the identification of a real face is taking lighting into account or something and a self illuminated photo on an lcd throws it off. In any case it could still be defeated with his severed head. Now, a password might be given up under torture, but nobody is going to get it by killing you.

  9. Re:Whatever happened to passphrases? by Dr_Barnowl · · Score: 5, Informative

    The stupid part is that the limit on the password field is just a piece of UI.

    If they're doing it right, they're storing a hash of the password. The hashes are all the same size. You should be able to carry around a USB device that emulates a keyboard and types out the declaration of independence (without using enter) and use that as a password.

    Systems that limit the password to, say, 13 characters bug the crap out of me, because I often chose passwords that are longer.

    Systems that limit the password size because they are storing them as plaintext, should of course have their source printed out and ritually burned.

  10. Re:But of course... by Dan+East · · Score: 4, Insightful

    And what happens if your biometric signature is discovered? Obviously not from the biological side, but the digital side. After all, it's just a number. Of course it would require a more technical exploit at the software level to utilize, but the big downside is you can't change that signature like you can a password (you've only got so many finger prints, or retinas, or whatever).

    --
    Better known as 318230.
  11. Re:Whatever happened to passphrases? by StevenMaurer · · Score: 4, Insightful

    The problem in the real world with XKCD/diceware-style phrases, is that English words become keys. You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

    In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

    Add in that many words are going to be used far more frequently than others, and it really isn't much different than the "misspell and stick in an odd character" method. And it's actually worse than sticking an odd character or two somewhere in the middle of your password.

  12. Re:Whatever happened to passphrases? by TheLink · · Score: 4, Informative

    You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

    In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

    2^44 is 1.7592186 * 10^13, which is SMALLER than 3.906 * 10^17. So if you assume a 25000 word vocab you have MORE than 44 bits of entropy with the passphrases approach. It may not be impossible to crack, but it's harder than the stupid "hard to remember by normal people" passwords. Which is the xkcd example's point, which I guess assumes a conservative 3000 common word vocabulary.

    --
  13. Re:Whatever happened to passphrases? by Cinder6 · · Score: 4, Informative

    My bank has a similar ridiculous restriction. 14 characters max, limited subset of symbols allowed. Because of this, my bank password is my least secure password, while it should be one of the strongest. I find it amusing that my WoW account is much more secure than my bank (greater password freedom + authenticator)--at least from an authentication standpoint.

    Mac users can use a program called 1Password to manage their passwords. It stores them in an encrypted file that you use a master password to unlock. And you can use browser extensions to have it automatically login to any site you've told it about, and it will generate passwords for you as well. It's the best solution I've found for having unique, strong passwords for every site or system you have a login for. Just make sure you choose a smart master password.

    (There's an iOS version, too, that syncs with the standalone app, so you have access to your passwords on the go.)

    Anyone know of something similar for other platforms? I'd like to get the rest of my family using stronger passwords than pet names or whatever they're using.

    --
    If you can't convince them, convict them.