Passwords Not Going Away Any Time Soon
New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single sign-on: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"
Sounds like job security for those of us who reset passwords for a living.
Drat.
http://alternatives.rzero.com/
Yeah; I've got to say, the situation with passwords could be improved just by allowing more space for them. xkcd/diceware-style phrases just plain don't fit in most password fields, but they'd be easier to remember and more secure.
Why does web site x have an 8 character length limit, alphanumeric only?
Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?
Relevant XKCD: http://xkcd.com/936/
Remember, you can't solve for the parts of a pw, only the whole thing in one go.
It doesn't mean much now, it's built for the future.
Good luck typing any password as long as "correct horse battery staple" correctly the first time on a handheld device's on-screen keyboard.
The stupid part is that the limit on the password field is just a piece of UI.
If they're doing it right, they're storing a hash of the password. The hashes are all the same size. You should be able to carry around a USB device that emulates a keyboard and types out the Declaration of Independence (without using Enter) and use that as a password.
Systems that limit the password to, say, 13 characters bug the crap out of me, because I often choose passwords that are longer.
Systems that limit the password size because they are storing them as plaintext should of course have their source printed out and ritually burned.
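The point made above, that a hashed password occupies the same storage whatever its length, as an added example that is not from the thread: a salted PBKDF2 store-and-verify routine where an eight-character password, a diceware phrase and a thousand-byte passphrase all produce the same fixed-size record. The only length cap left is a generous byte limit on the raw input, kept so a client cannot force the server into unbounded key-derivation work; the parameter values and the sample passphrases are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# KDF parameters (assumed for this example). The digest is DIGEST_LEN bytes
# no matter how long the password is, so no UI-side length limit is needed.
PBKDF2_ITERATIONS = 600_000
DIGEST_LEN = 32
SALT_LEN = 16
# Defensive cap on raw input: storage no longer cares about length, but an
# unbounded input still lets a client make the server hash arbitrarily much.
MAX_PASSWORD_BYTES = 4096


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) as a fixed-size record."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS,
                                 dklen=DIGEST_LEN)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    if len(record) != SALT_LEN + DIGEST_LEN:
        return False
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", raw, salt, PBKDF2_ITERATIONS,
                                    dklen=DIGEST_LEN)
    return hmac.compare_digest(candidate, stored)


def record_sizes(passwords) -> set:
    """Set of record lengths produced for the given passwords (expect one value)."""
    return {len(hash_password(p)) for p in passwords}


# Constructed sample inputs of very different lengths.
SAMPLES = ["Tr0ub4d&3", "correct horse battery staple", "x" * 1000]
```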
>> Something you have, something you are, something you know.
My brother-in-law's password oughta be assholeassholeasshole.