Slashdot Mirror


DARPA Wants To Kill the Password

jfruh writes: Many security experts agree that our current authentication system, in which end users are forced to remember (or, more often, write down) a dizzying array of passwords, is broken. DARPA, the U.S. Defense Department research arm that developed the Internet, is trying to work past the problem by eliminating passwords altogether, replacing them with biometric and other cues, using off-the-shelf technology available today.

5 of 383 comments

  1. So...revoke the certificate by Overzeetop · Score: 4, Informative

    Any biometric password should be based on a certificate, not a direct digital representation of the biometric.

    --
    Is it just my observation, or are there way too many stupid people in the world?

  2. Re: There we go again by AC-x · Score: 3, Informative

    Dictionary attacks can be trivially defeated by rate limiting tries and after, say, 5 tries

    Unless they have a copy of the password hash

  3. Re: There we go again by ncc74656 · Score: 3, Informative

    I've never understood why passwords can't be sentences, like "I'm going to take my dog, Spot, to the park today."

    They can be, but it would be incredibly stupid to use something like that. A dictionary attack would crack that password in seconds.

    Are you sure about that?

    --
    20 January 2017: the End of an Error.

  4. Re: There we go again by AC-x · Score: 4, Informative

    You probably shouldn't try to write about things you don't know about or understand.

    1. The industry-accepted way to store passwords securely in a database is with a one-way, salted cryptographic hash (using as CPU-intensive an algorithm as possible).

    2. Many organisations have had database intrusions where these password hashes have been stolen (e.g. eBay, LinkedIn, LivingSocial, etc.).

    3. When this happens (i.e. "they have a copy of the password hash") passwords can be cracked offline. Strong passwords are safe (too hard to brute force), but weak passwords can be found using a dictionary attack.

    4. Once the password is found offline a hacker can log straight in to the victim's online account with a single password attempt.

  5. Re: There we go again by AC-x · Score: 4, Informative

    Hey Desler, I really don't get you: you (appear to) know what a salt is, yet you don't understand that an attacker would be performing the attack on the hash offline, with their own hardware. Rate limiting their own hardware would be, as you put it, the height of idiocy.
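The two points AC-x makes in comments 4 and 5 (store a salted, CPU-intensive one-way hash; online rate limiting does nothing once the hash table has been stolen) can be shown side by side in code. The following is an added example, not code from Slashdot or from any of the commenters. It assumes PBKDF2-HMAC-SHA256 from Python's standard `hashlib` as the slow hash, a constructed per-account lockout threshold of 5 attempts, and a constructed iteration count of 200,000; the `guess_cost_ratio` helper measures how much more expensive each offline guess becomes compared with an unsalted fast hash, which is the only protection left for weak passwords after a database intrusion.

```python
import hashlib
import hmac
import os
import time

# Constructed policy values for this example; tune ITERATIONS to your own
# hardware so one verification costs tens of milliseconds, and pick
# MAX_ATTEMPTS to suit your lockout policy.
ITERATIONS = 200_000
SALT_BYTES = 16
MAX_ATTEMPTS = 5


def hash_password(password, iterations=ITERATIONS):
    """Derive a salted, slow hash and return a self-describing record.

    Format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>. Storing the
    iteration count lets the cost be raised later without breaking old records.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the derivation with the stored salt and iteration count."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record: %s" % algo)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a timing side channel does not leak digest bytes.
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountStore:
    """In-memory account table: salted slow hashes plus per-account failure counting.

    The failure counter is the online rate limit discussed in the thread; it
    protects the login endpoint only. Once the records dict leaks, the only
    remaining per-guess defence is the PBKDF2 cost baked into each record.
    """

    def __init__(self):
        self._records = {}
        self._failures = {}

    def register(self, username, password):
        self._records[username] = hash_password(password)

    def login(self, username, password):
        if self._failures.get(username, 0) >= MAX_ATTEMPTS:
            return "locked"
        record = self._records.get(username)
        if record is None or not verify_password(password, record):
            self._failures[username] = self._failures.get(username, 0) + 1
            return "denied"
        self._failures[username] = 0
        return "ok"

    def export_record(self, username):
        """What a database intrusion would expose for this account."""
        return self._records[username]


def guess_cost_ratio(password="constructed-sample-password", trials=3):
    """Time one plain SHA-256 of the password against one PBKDF2 derivation.

    The ratio is how many times more CPU an offline guess against the stored
    record costs compared with guessing against an unsalted fast hash.
    """
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.sha256(password.encode("utf-8")).digest()
    fast = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    slow = (time.perf_counter() - start) / trials
    return slow / max(fast, 1e-9)  # guard against a zero reading on coarse timers


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    print("stored record:", store.export_record("alice"))
    print("login with right password:", store.login("alice", "correct horse battery staple"))
    for _ in range(MAX_ATTEMPTS):
        store.login("alice", "wrong")
    print("after %d failures:" % MAX_ATTEMPTS, store.login("alice", "correct horse battery staple"))
    print("offline cost multiplier per guess: %.0fx" % guess_cost_ratio())
```

The record format stores its own iteration count, so a site can raise the cost as hardware improves and re-hash each account at its next successful login. Note that the lockout counter never enters `verify_password`: an attacker holding `export_record` output runs that derivation on their own machines at whatever rate their hardware allows, which is exactly why the per-guess cost, not the login throttle, is what stands between a leaked table and a weak password.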