Slashdot: News for Nerds

Passwords Not Going Away Any Time Soon

Soulskill posted more than 2 years ago | from the 12345-letmein dept.

New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"

232 comments

Duh? (-1)

Anonymous Coward | more than 2 years ago | (#38688150)

Umm.. No shit?

Re:Duh? (4, Insightful)

hedwards (940851) | more than 2 years ago | (#38688392)

That was my thought. Biometrics is an interesting trick, but if they manage to compromise the system you have limited options for changing it. Most people only have 10 fingers and 2 eyes, and if somebody manages to compromise one of those you very quickly run low on options. And that doesn't even include what happens if you lose an eye or a finger, or if one is just badly damaged to the point of being unreadable.

I remember seeing a bit of a BBC program years back where the guy was using biometrics for a safe but couldn't get in. It turned out that because he was wearing contacts that the sensor didn't identify his eye and the safe wouldn't open until he took the contacts out.

Re:Duh? (1)

SJHillman (1966756) | more than 2 years ago | (#38688684)

10 fingers is still 10 more than the number of passwords most people can remember. Of course, you'd need all ten fingers registered or else the users would constantly forget which finger they used.

10 passwords too much? (2, Insightful)

Feyshtey (1523799) | more than 2 years ago | (#38688950)

Security built to accommodate laziness pretty much assures compromise.

Re:Duh? (3, Interesting)

Joce640k (829181) | more than 2 years ago | (#38688540)

Ummm...simple answer, Microsoft/IBM/rest of world:

Start adding a "please generate a good password for me because I'm too ignorant to do it myself and I'll choose '123456' " button to your user interfaces.

Re:Duh? (1)

Capt.DrumkenBum (1173011) | more than 2 years ago | (#38688792)

How did you know my password is 123456?
Time to change it. qwerty should be a good new password.

Re:Duh? (-1)

Anonymous Coward | more than 2 years ago | (#38689318)

<insert dumb as fuck joke about my luggage here because I have no real sense of humor>

(Stupid HTML parsing in the comments, let me use greater than and less than without fucking writing them out, this is 2012)

Re:Duh? (1)

Samantha Wright (1324923) | more than 2 years ago | (#38689578)

Observe, as actually making the joke magically garners mysterious karma points ... from beyond!

Re:Duh? (3, Funny)

Samantha Wright (1324923) | more than 2 years ago | (#38689552)

President Skroob: Did it work? Where's the king?
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
Colonel Sandurz: 1-2-3-4-5
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage.

job security (5, Funny)

tverbeek (457094) | more than 2 years ago | (#38688158)

Sounds like job security for those of us who reset passwords for a living.

Drat.

Re:job security (0)

Anonymous Coward | more than 2 years ago | (#38688356)

Sounds like job security for those of us who reset passwords for a living.

Drat.

Those are the key words: passwords won't go away until someone comes up with some sort of new [cheap] 'thingie' that can be reset whenever the user wants (it must also not be just a physical token, because it can still be stolen easily). You can't easily reset your fingerprints, retina etc. So when the bad guy finds a way of using your fingerprints (or other biometrics), there won't be anything that you will be able to do right away (except asking for your account to be locked) and hoping the bad guy is caught.

Re:job security (4, Insightful)

kdemetter (965669) | more than 2 years ago | (#38688640)

Biometrics are a form of identification, not authentication.
It should always be used in conjunction with authentication, not to replace authentication.

It's still very useful, because it saves time: you don't have to fill in your login id; the system knows who you claim to be, and just requires your password to confirm it.

So it can replace the userid, but never the password.

Re:job security (2)

fish_in_the_c (577259) | more than 2 years ago | (#38688864)

This seems like a false dichotomy;
all of these are just ways of establishing a trusted relationship.
ex: consider a system that requires passwords to be unique but, after being given a password, uses it to decrypt a set of biometric templates and then authenticates the identity of the person using those biometrics.

in the end it is all about HOW strong and how expensive your security needs to be.
If we could build a computer that was more accurate than your best friend at identifying you using multiple biometrics (voice, face, body, smell, DNA), would that be good enough?

The system could still be made more secure, very cheaply, by requiring you have a badge and know a pin.

Biometrics are possibly the most natural way of establishing trust, but they are also the most expensive way.

They have the added disadvantage that once compromised, they are very difficult to change.

Re:job security (2)

kdemetter (965669) | more than 2 years ago | (#38689244)

I never said you need biometrics for identification, it's a choice.
A badge requiring a pin is a very good example of identification and authentication used correctly.

An advantage of biometrics could be that you don't have to worry about losing your badge. You always have your eyes and fingers with you ?
Of course, there should always be a fallback where you can type your username, in case something goes wrong (biometrics can fail to detect you, and a badge can malfunction).

Re:job security (4, Insightful)

hawguy (1600213) | more than 2 years ago | (#38688364)

Sounds like job security for those of us who reset passwords for a living.

Drat.

Better to reset a password than find that your fingerprint scanners can be compromised by silly putty or your retinal scanners can be compromised by a picture painted on the back of a marble and instead of resetting a password, you're replacing hardware.

Re:job security (0)

Anonymous Coward | more than 2 years ago | (#38688838)

How to compromise the small slit style fingerprint scanners?
I have a hard enough time remembering what part of my fingers were scanned and can't use more than half my fingers anymore because of that.
Anyways, you'd need physical access to try the scan so you'd be able to boot up Konboot and hit "other credentials"

Long live Kon! King of the Valley of the Gods!

Whatever happened to passphrases? (1)

koan (80826) | more than 2 years ago | (#38688160)

I thought that was the next big thing.

Re:Whatever happened to passphrases? (5, Insightful)

Millennium (2451) | more than 2 years ago | (#38688226)

Yeah; I've got to say, the situation with passwords could be improved just by allowing more space for them. xkcd/diceware-style [xkcd.com] phrases just plain don't fit in most password fields, but they'd be easier to remember and more secure.

Re:Whatever happened to passphrases? (1)

Kenja (541830) | more than 2 years ago | (#38688426)

It would be easy enough to throw together a bit of code that took a long pass phrase and mathematically converted it into an 8-12 character pseudo-random password. Then when you forget the password, just run the pass phrase through the code again to regenerate it.

Re:Whatever happened to passphrases? (0)

Anonymous Coward | more than 2 years ago | (#38689158)

run the pass phrase through 50k or 100k iterations of pbkdf, use the binary result as a PRNG seed for a function that randomly selects from an array of acceptable characters.
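The scheme the two comments above sketch, as an added worked example (my code, not either poster's): PBKDF2 stretches the passphrase, and the derived bytes are used as a stream to pick characters from an allowed set by rejection sampling, so no character is favoured. The function names, the 100,000-iteration count, the character set and the use of the site name as salt are my assumptions.

```python
import hashlib
import string

# Character set a typical site accepts; assumed for this example (70 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_password(passphrase: str, salt: bytes, length: int = 12,
                    alphabet: str = ALPHABET, iterations: int = 100_000) -> str:
    """Deterministically map a long passphrase to a short password.

    PBKDF2-HMAC-SHA256 does the iterations the thread mentions; its output is
    consumed byte by byte, and a byte selects alphabet[byte % len(alphabet)]
    only if it is below the largest multiple of len(alphabet) that fits in a
    byte. Reducing every byte modulo the alphabet size would make the first
    few characters of the alphabet more likely than the rest.
    The same (passphrase, salt) pair always yields the same password, so
    nothing has to be stored: re-run the function to recover it.
    """
    if not 1 < len(alphabet) <= 256:
        raise ValueError("alphabet must have between 2 and 256 characters")
    limit = 256 - (256 % len(alphabet))
    dklen = 8 * length
    while True:
        stream = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                     salt, iterations, dklen)
        out = [alphabet[b % len(alphabet)] for b in stream if b < limit]
        if len(out) >= length:
            return "".join(out[:length])
        # Practically unreachable with 8 bytes per character, but keeps the
        # function total: PBKDF2 output is prefix-consistent, so asking for a
        # longer key simply extends the same byte stream.
        dklen *= 2


def site_password(passphrase: str, site: str, length: int = 12) -> str:
    """Use the (lower-cased) site name as the salt so one passphrase gives an
    unrelated password per site; a leak at one site then says nothing about
    the others. Assumed convention for this example."""
    return derive_password(passphrase, site.lower().encode("utf-8"), length)


if __name__ == "__main__":
    pw = site_password("correct horse battery staple", "example.com")
    print(pw, len(pw))
```

The derived password is only as strong as the passphrase behind it, and rotating one site's password means changing its salt (for instance appending a counter to the site name), which is the main operational cost of the approach.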

Re:Whatever happened to passphrases? (0)

Anonymous Coward | more than 2 years ago | (#38688468)

My bank, for their online site, only allows 6 letters and 2 numbers in the password.

Re:Whatever happened to passphrases? (0)

Anonymous Coward | more than 2 years ago | (#38689088)

Yeah, some of the rules sites have are rubbish. For your bank, do you use: 1curtit2?

Re:Whatever happened to passphrases? (5, Informative)

Dr_Barnowl (709838) | more than 2 years ago | (#38688616)

The stupid part is that the limit on the password field is just a piece of UI.

If they're doing it right, they're storing a hash of the password. The hashes are all the same size. You should be able to carry around a USB device that emulates a keyboard and types out the declaration of independence (without using enter) and use that as a password.

Systems that limit the password to, say, 13 characters bug the crap out of me, because I often choose passwords that are longer.

Systems that limit the password size because they are storing them as plaintext should of course have their source printed out and ritually burned.

Re:Whatever happened to passphrases? (3, Interesting)

Dr_Barnowl (709838) | more than 2 years ago | (#38688708)

I just realized that my bank must be doing this (or at least using reversible encryption) because it uses the whole positional character schtick. Damn.

Re:Whatever happened to passphrases? (3, Informative)

godIsaDJ (644331) | more than 2 years ago | (#38689302)

Actually that's not the way that works. They are using a Zero-Knowledge [wikipedia.org] protocol.

Re:Whatever happened to passphrases? (2)

ISoldat53 (977164) | more than 2 years ago | (#38688620)

When will developers allow spaces in passwords? If they were allowed it would be much easier to use a phrase as a password.

Re:Whatever happened to passphrases? (4, Insightful)

StevenMaurer (115071) | more than 2 years ago | (#38689008)

The problem in the real world with XKCD/diceware-style phrases is that English words become keys. You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

Add in that many words are going to be used far more frequently than others, and it really isn't much different than the "misspell and stick in an odd character" method. And it's actually worse than sticking an odd character or two somewhere in the middle of your password.

Re:Whatever happened to passphrases? (4, Informative)

TheLink (130905) | more than 2 years ago | (#38689626)

You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

2^44 is 1.7592186 * 10^13, which is SMALLER than 3.906 * 10^17. So if you assume a 25000 word vocab you have MORE than 44 bits of entropy with the passphrases approach. It may not be impossible to crack, but it's harder than the stupid "hard to remember by normal people" passwords. Which is the xkcd example's point, which I guess assumes a conservative 3000 common word vocabulary.

Re:Whatever happened to passphrases? (1)

Anonymous Coward | more than 2 years ago | (#38689638)

25000^4 is already as strong as 62^10, ie 10 alphanumeric characters. Not extremely secure, but more secure than most Joe Sixpack passwords.
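The figures the last few comments trade (25,000 words to the 4th power, 2^44, 62^10) worked through as an added example; this is my code, not anything from the thread. It also models StevenMaurer's point that some words are used far more than others, by assuming a Zipf frequency distribution over the vocabulary, and carries the 44-bit figure through to the guess time at the 1000 guesses per second the xkcd strip assumes.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase_entropy_bits(vocab_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly (e.g. by dice) from vocab_size words.
    With 2048 words and 4 draws this is the strip's 44 bits."""
    return n_words * math.log2(vocab_size)


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a random string of `length` symbols from `charset_size`."""
    return length * math.log2(charset_size)


def guesses(bits: float) -> float:
    """Search-space size an exhaustive attack must cover for `bits` of entropy."""
    return 2.0 ** bits


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def per_symbol_alphabet(bits: float, length: int) -> float:
    """Alphabet size N with N**length == 2**bits, i.e. how random each typed
    character looks once the entropy is spread over the passphrase's length."""
    return 2.0 ** (bits / length)


def shannon_bits(weights) -> float:
    """Shannon entropy, in bits, of a distribution given as relative weights."""
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights if w)


def zipf_bits_per_word(vocab_size: int) -> float:
    """Entropy per word if people pick words with Zipf-like frequency (rank k
    has weight 1/k): a model, assumed here, of 'some words are used far more
    often than others'. Choosing words by dice restores the uniform figure."""
    return shannon_bits([1.0 / k for k in range(1, vocab_size + 1)])


def thread_comparison() -> dict:
    """The thread's figures side by side; values are returned, not printed."""
    uniform_25k = passphrase_entropy_bits(25000, 4)
    return {
        "xkcd_2048_words_x4_bits": passphrase_entropy_bits(2048, 4),
        "vocab_25000_x4_bits": uniform_25k,
        "vocab_25000_x4_guesses": guesses(uniform_25k),
        "alnum_10_chars_bits": charset_entropy_bits(62, 10),
        "zipf_25000_x4_bits": 4 * zipf_bits_per_word(25000),
        "xkcd_years_at_1000_per_s": years_to_exhaust(44, 1000),
    }


if __name__ == "__main__":
    for name, value in thread_comparison().items():
        print(f"{name:>28}: {value:,.2f}")
```

The Zipf line is the one to watch: four words chosen by habit from 25,000 come out below the strip's 44 bits, while four chosen uniformly from the same list come out well above it, which is why diceware insists on the dice.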

Re:Whatever happened to passphrases? (2)

140Mandak262Jamuna (970587) | more than 2 years ago | (#38689238)

The problem is the most common password for techie site is "horse battery staple correct".

Re:Whatever happened to passphrases? (2)

marcosdumay (620877) | more than 2 years ago | (#38688876)

They are passwords. It is just that they are longer, and have less entropy per character. And our minds work better with them.

But, besides that, they are just passwords.

Re:Whatever happened to passphrases? (0)

Anonymous Coward | more than 2 years ago | (#38689000)

Some people use passphrases. [schneierfacts.com]

Re:Whatever happened to passphrases? (0)

Anonymous Coward | more than 2 years ago | (#38689014)

A pass phrase is just a really long password. Just because you're delimiting words within the password using spaces really doesn't make it particularly special. It's still just one big long string of character data, and you can still include numbers, special characters, and cases sensitivity within these very long passwords.

tl;dr Passphrases are not a new concept.

Re:Whatever happened to passphrases? (1)

jellomizer (103300) | more than 2 years ago | (#38689704)

Correct Horse Battery Staple.
http://xkcd.com/936/
I remembered the password, I had to Google the link.

Unclassified Military (3, Informative)

imamac (1083405) | more than 2 years ago | (#38688168)

In the unclassified areas of the military passwords are almost gone (at least for me) by using PKI and our CAC cards.

CAC still uses passwords (2)

tepples (727027) | more than 2 years ago | (#38688256)

Wikipedia's article about the CAC [wikipedia.org] makes it out to be some sort of smart card, the same form factor commonly used along with a PIN for debit card payment in some countries. The CAC doesn't really remove passwords at all; a PIN is still needed.

Re:CAC still uses passwords (1)

imamac (1083405) | more than 2 years ago | (#38688290)

True, it still needs a PIN. But that CAC works for every DoD website. As opposed to remembering hundreds of login/password combinations.

Re:CAC still uses passwords (0)

Anonymous Coward | more than 2 years ago | (#38688384)

So all we need to do is use the Govern'ment to handle all authentication. Because... if we can't trust Uncle Sam, who can we trust?

Re:CAC still uses passwords (2)

imamac (1083405) | more than 2 years ago | (#38688454)

Of course not. But if you get multiple trusted organizations to issue PKI certificates to load onto a smart card, and every person to buy a smart card and reader for their computer, and then get every website to add in the functionality...problem solved. Somebody make it happen.

Re:CAC still uses passwords (0)

Anonymous Coward | more than 2 years ago | (#38688594)

I'm not sure, but wouldn't that suffer from the same issue as password reuse? It works for DoD because all accessible sites are trusted. I would be concerned if a private site, for instance, allowed access via CAC cards. That would be a huge vulnerability, if they fooled anyone into using it.

Re:CAC still uses passwords (1)

imamac (1083405) | more than 2 years ago | (#38688712)

I certainly would not use a DoD CAC on any non-DoD site. Maybe I haven't thought this out well enough, but I would think there would be a way to civilianize this to work on the internet in general (i.e. the websites would use the trusted issuers to verify the identity certificates and would not have access to actually view the certificate). But I'm not an expert on the topic.

Re:CAC still uses passwords (0)

Anonymous Coward | more than 2 years ago | (#38688860)

Not if the site only had the public key part of the certificate. If it worked by them requiring you sign some random string with your private key, then they authenticate it against your public, they never know what your private key is. The only problem here, is that they have to authenticate that you are who you say you are, and that your public key wasn't being changed with a MITM attack; but that's still present in password schemes.

Re:CAC still uses passwords (1)

Dr_Barnowl (709838) | more than 2 years ago | (#38688636)

Estonia managed it (for government purposes).

Re:CAC still uses passwords (1)

s.petry (762400) | more than 2 years ago | (#38689504)

True, it still needs a PIN. But that CAC works for every DoD website. As opposed to remembering hundreds of login/password combinations.

That has nothing to do with CAC, but rather how the authentication is propagated between sites. LDAP is the norm, multi-master with TLS connections between hosts and no, it's not crAptive Directory.

Cards would allow auth with either a PIN or a complete password, depending on the client set up. Most legacy systems would only be able to get your log in name from the card if they could use the card at all. Many times, you are only accessing a console with the card.

Long story short, Passwords are not going away. Legacy systems will be around for a long long time, and that is the biggest driver to keep them.

Re:CAC still uses passwords (0)

Anonymous Coward | more than 2 years ago | (#38688694)

But what is ALSO needed is the CAC card, or the digital certificates on the card. Now someone wishing to compromise the account can't simply know/guess your account name, and compromise the password.

Re:CAC still uses passwords (1)

tepples (727027) | more than 2 years ago | (#38689540)

Which means every computer you use will need a reader for the card. Outside the DOD, and especially at home, that won't happen any time soon.

Re:Unclassified Military (0)

Anonymous Coward | more than 2 years ago | (#38688564)

Since no one else said it, I will say it: "sounds like a bunch of CAC to me"

But of course... (3, Interesting)

Kenja (541830) | more than 2 years ago | (#38688208)

All biometric systems do is substitute a text string for a string of values gathered from the user's defining characteristics. It's the same thing in the end, and you will ALWAYS want a password backup to any biometric system as, despite popular understanding, your biometric signature can change. The best hand scanners, for example, measure blood flow and 3D characteristics using holographic imaging. Getting a cold can cause your fingers to swell and throw off the scanners. Wearing a ring can change your 3D hand scan. Etc, etc.

Re:But of course... (4, Interesting)

HockeyPuck (141947) | more than 2 years ago | (#38688442)

Try breaking your wrist and having your hand/forearm in a cast...

Exodus' solution was for me to use my left hand, upside down in the scanner and retake the initial scan since they only use right handed hand scanners.

Re:But of course... (4, Interesting)

shadowrat (1069614) | more than 2 years ago | (#38688520)

Not to mention, many of them can be hacked in simplistic or macabre ways. A coworker was touting his new phone's biometric authentication and how it recognized his face. He claimed it used some new algorithm that couldn't be fooled by a picture. The claim seemed accurate since a printed picture of him could not unlock the phone. However, the phone happily unlocked when shown a picture of his face on my phone.

I don't know why it works. Maybe the identification of a real face is taking lighting into account or something and a self illuminated photo on an lcd throws it off. In any case it could still be defeated with his severed head. Now, a password might be given up under torture, but nobody is going to get it by killing you.

Re:But of course... (2)

Nixoloco (675549) | more than 2 years ago | (#38689346)

In any case it could still be defeated with his severed head.

That is macabre. I would think just tying him up and holding the phone up to his face would work just as well, or putting a gun to the back of his head, or if you must kill him I don't think removing the head is actually necessary. But hey, different strokes for different folks ;)

Re:But of course... (4, Insightful)

Dan East (318230) | more than 2 years ago | (#38688638)

And what happens if your biometric signature is discovered? Obviously not from the biological side, but the digital side. After all, it's just a number. Of course it would require a more technical exploit at the software level to utilize, but the big downside is you can't change that signature like you can a password (you've only got so many finger prints, or retinas, or whatever).

Re:But of course... (0)

Anonymous Coward | more than 2 years ago | (#38688676)

I have Raynaud's disease. Yeah, if they go to hand scanners, they'd better provide warm water at the scanner or else those hand scanners are going to cause me a lot of access problems.

Passwords make my brain hurt (3, Insightful)

na1led (1030470) | more than 2 years ago | (#38688210)

It's bad enough having to remember all my login names, but then sites don't like your password because it doesn't have caps, or isn't long enough, or doesn't have a number in it. Forcing me to come up with a half dozen passwords to remember.

Re:Passwords make my brain hurt (1)

John Hasler (414242) | more than 2 years ago | (#38689514)

Forcing me to come up with a half dozen passwords to remember.

Only a fool uses a single password for multiple sites. Write the damn things down as Bruce Schneier tells you.

As for your brain hurting, that's exercise. No pain, no gain.

Partial security (3, Insightful)

Anonymous Coward | more than 2 years ago | (#38688244)

...but still better than none.

A proper security system is one that has tests for who you are, what you know, if you are under duress, and potentially if you should even be there that day.

Such a security system is hard to make, in the simplest form it has a biometric component, two passwords (one for regular use, one to act like the proper password but alert security), and is hooked up with the scheduling system (not to lockout, but also alert security). This is reasonable for high stakes facilities, but sufficiently cumbersome that it gets in the way of getting things done for things like PC login and on-line transactions.

Stop limiting password length (5, Insightful)

Pope (17780) | more than 2 years ago | (#38688250)

Why does web site x have an 8 character length limit, alphanumeric only?

Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

Relevant XKCD: http://xkcd.com/936/ [xkcd.com]

Remember, you can't solve for the parts of a pw, only the whole thing in one go.

Get it right the first time? (5, Insightful)

tepples (727027) | more than 2 years ago | (#38688288)

Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.

Re:Get it right the first time? (3, Funny)

Anne_Nonymous (313852) | more than 2 years ago | (#38688352)

connectwhore'sbantertable

Yup, works fine.

Re:Get it right the first time? (1)

hawguy (1600213) | more than 2 years ago | (#38688464)

Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.

I have a much easier time typing long alphabetic passwords than I do alpha+numeric+symbol passwords.

And how did you know my password was "correcthorsebatterystaple"!? I followed the XKCD comic *exactly* to generate a secure password, it should have taken you 550 years to guess it.

Re:Get it right the first time? (1)

PPH (736903) | more than 2 years ago | (#38688740)

The example given in XKCD http://xkcd.com/936/ [xkcd.com] appears to be calculating entropy [wikipedia.org] based on the vocabulary space of the English language, not the character space of a random string of N symbols*. Therefore, the strength they calculate would not be diminished by applying a spell checker to your password input. A few small misspellings would be tolerated.

In other words, your password would be that strong even if your input was misspelled but then auto-corrected. I could live with that.

*Using the Wikipedia formula, for 44 bits of entropy, and a message length of 28, I get N = 2.97. This is much lower than the N = 26 for case-insensitive, random Latin alphabet string.

Re:Get it right the first time? (0)

Anonymous Coward | more than 2 years ago | (#38688974)

And if that's still too easy, try it without hands and eyes!

Re:Stop limiting password length (0)

Anonymous Coward | more than 2 years ago | (#38688354)

If, by some other means, you have determined a password's length, you'll have a lot more luck cracking it if it's 3 characters rather than 30.

Re:Stop limiting password length (5, Informative)

MagicM (85041) | more than 2 years ago | (#38688382)

Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password "D0g....................." is harder to break than the password "PrXyc.N(n4k77#L!eVdAfp9". He makes this very clear in his password haystack reference guide and tester [grc.com] : "Once an exhaustive password search begins, the most important factor is password length!"

Re:Stop limiting password length (0)

Anonymous Coward | more than 2 years ago | (#38688726)

Of course, if they prioritize long strings of repeated characters (which is a thing that is done), that long string of periods doesn't look so good anymore.

Re:Stop limiting password length (4, Insightful)

MagicM (85041) | more than 2 years ago | (#38689152)

From the link:

The example with "D0g....................." should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "" or "[*]" or "^-^" . . . but do invent your own!

  If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!

The goal is to prevent brute-force hacking of your password, and the way to do that is by lengthening it. If you pick some long padding and add that to all your passwords, brute-force hacking it becomes prohibitively hard.
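The "haystack" comparison cited above, plus the padding caveat the replies raise, as an added example (my code, not GRC's): the first function reproduces the length-driven search-space count for the two quoted passwords, the second shows what is left of it once an attacker treats a trailing run of one character as a single pattern. The class sizes 26/26/10/33, the "short core plus repeated padding" model and its 40-character cap are assumptions of this example.

```python
import string

# Character-class sizes used by the haystack model; assumed for this example.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALL_CLASSES = LOWER + UPPER + DIGITS + SYMBOLS


def charset_size(password: str) -> int:
    """Union of the character classes the password actually uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += LOWER
    if any(c in string.ascii_uppercase for c in password):
        size += UPPER
    if any(c in string.digits for c in password):
        size += DIGITS
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += SYMBOLS
    return size


def haystack_size(password: str) -> int:
    """'Haystack' search space: every string of length 1..len(password) over
    the classes used. Each extra character multiplies the space by the class
    size, which is why the 24-character padded 'D0g' example outranks the
    23-character random one in this model."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def padded_guess_space(password: str, max_pad: int = 40) -> int:
    """Search space once an attacker models the password as 'short core plus
    one character repeated up to max_pad times'. The core is still searched
    exhaustively, but the padding costs only 'which character' times 'how
    many'. Falls back to the plain haystack size when the password does not
    end in a run of three or more identical characters."""
    if not password:
        return 0
    core = password.rstrip(password[-1])
    run = len(password) - len(core)
    if run < 3 or not core:
        return haystack_size(password)
    return haystack_size(core) * ALL_CLASSES * max_pad


if __name__ == "__main__":
    for pw in ("D0g" + "." * 21, "PrXyc.N(n4k77#L!eVdAfp9"):
        print(f"{pw!r}: haystack {haystack_size(pw):.3e}, "
              f"pattern-aware {padded_guess_space(pw):.3e}")
```

Under the pattern-aware model the dotted password drops from about 10^47 candidates to under 10^9, below even the shorter random string, which is the point of the warning about everyone padding with dots.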

Re:Stop limiting password length (1)

Arrepiadd (688829) | more than 2 years ago | (#38689548)

Of course if that's the root password for the company's server and you type that close to someone else it won't be that difficult for them to find out.

If your attacks only come from someone who knows nothing about the password, that theory works fine. If they saw you typing a three letter word and then put a bunch of dots after "PrXyc.N(n4k77#L!eVdAfp9" seems "slightly" better.

Re:Stop limiting password length (4, Interesting)

hawguy (1600213) | more than 2 years ago | (#38688546)

Why does web site x have an 8 character length limit, alphanumeric only?

Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password? I use the same (or similar) password at all non-important sites (discussion forums, etc, not anything that involves a credit card, bank account, or personal email). If they'd just post their password requirements when I'm entering the password (or at least after the first time I mistype the password), I'd be able to remember what password I used.

I can't believe hiding the password requirements makes life any harder for a hacker (who could just create a dummy account to see the password requirements).

Re:Stop limiting password length (1)

Pope (17780) | more than 2 years ago | (#38689024)

And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password?

Bad design, pure and simple.

Re:Stop limiting password length (0)

Anonymous Coward | more than 2 years ago | (#38689434)

Ah, yes, this is the stupid site that only gives me 6 characters for the password. Well, I'll reset my password, back to exactly what it was before since reminding me that their rules are stupid is all I needed to know to remember the password.

Re:Stop limiting password length (0)

Anonymous Coward | more than 2 years ago | (#38688576)

Sadly that isn't true in many cases. Look no further than the NT password scheme which can be cracked in halves.

This is also quite often used in hardware attacks. There is someone through either leaked information, or modification that allows partial verification. I believe this is one of the methods that was due to break the Xbox 360.

Re:Stop limiting password length (0)

Anonymous Coward | more than 2 years ago | (#38689576)

No, that's what happens when programmers create the security instead of security people. This is the same as having security as an afterthought.

Re:Stop limiting password length (2)

Dan East (318230) | more than 2 years ago | (#38688780)

Everything is migrating towards mobile devices, or at a minimum, some degree of accessibility from mobile devices. Longer, more complex passwords are even less conducive for use / convenience on mobile devices than computers with full keyboards. So I believe people are going to trend in the exact opposite direction - shorter passwords because they are easier to enter on mobile devices.

Hmmm... (2)

Dripdry (1062282) | more than 2 years ago | (#38688266)

Seems like a conflict of interest to me: "Oh, passwords are here to stay!" seems to be FUD designed to discourage people from innovating so that Microsoft can find the patent first (because it'll eventually supplant their password system and the IP birds will come home to roost).

Re:Hmmm... (1, Interesting)

GameboyRMH (1153867) | more than 2 years ago | (#38688510)

No, passwords (or passphrases, just a long password really) will always be there because information that is only stored in your memory is the most secure.

Biometrics are quite easy to force out of you, when the reader is even secure (see face & iris scanners being fooled by pics, fingerprint scanners being fooled by scanned or molded fingerprints). No such thing as a duress password with biometrics.

Keyfobs can enhance the security of a password, but by themselves are *less* secure than a password, because they can be physically stolen. Same reason you should use passphrases on your SSH keyfiles.

And everything else is variations on the same theme, biometrics or stealable tokens of authenticity, that all suffer the same flaws. They can enhance the security of passwords, but by themselves are inferior.

Security. (4, Informative)

fish_in_the_c (577259) | more than 2 years ago | (#38688276)

I have worked for years with security and authentication.
There are three ways to establish trust: something you have, something you are, something you know.
That will never change, and most any one of them can be compromised. Thus it is better to build systems that use more than one.

card keys (something you have)
thumb print (something you are)
password / pass phrase / etc. (something you know)

All three together are more secure, and more trust can be built by using multiple aspects, but the easiest will probably always be something you know.

Think about authentication before computers.

Go to the bank (hopefully the banker recognized you (multiple biometrics)).
Do you have your checkbook / check card / pass book?
Do you have a PIN / password etc.?

It really won't ever get much better; you can use more and more biometrics, but that won't stop fraud, only make it more costly.

Re:Securty. (5, Funny)

Anne_Nonymous (313852) | more than 2 years ago | (#38688674)

>> Something you have, something you are, something you know.

My brother-in-law's password oughta be assholeassholeasshole.

Re:Securty. (1)

PolygamousRanchKid (1290638) | more than 2 years ago | (#38688818)

Still, some users will always find a way to muck things up.

"Nothing can be made foolproof, because fools are so ingenious."

card keys (something you have)

You'll lose it.

thumb print (something you are)

Like, dead. "We have his key, but his thumb is decomposed, so we can't open it anymore."

password / pass phrase / etc. (something you know)

You'll forget it.

You want to have a truly secure system? Get rid of any humans in the system.

Re:Securty. (2)

Laur (673497) | more than 2 years ago | (#38689610)

there are three ways to establish trust: something you have, something you are, something you know.

This is incorrect, there are only two. "Something you are" (fingerprints, retinas, etc.) is really just another kind of "something you have". The only differences between biometrics and something like a physical key or access card are that biometrics are horribly insecure (how many objects have you left your fingerprints on today?) and nearly impossible to replace if they get compromised.

Device security (2)

dinodriver (577264) | more than 2 years ago | (#38688406)

As more and more of my "online" activities take place on the iPhone instead of the computer, password management has become much easier. Other than bank accounts, all log in info is kept by the phone and I never have to log in to anything: counting on the password lock of the phone itself to keep my stuff private should someone pick up my phone. But someone could overcome my 4-digit pass key or observe it (I know my wife's because every time she has trouble with her phone she asks me for help and so I witness her unlock it). What would really be better is if devices had bio-based locking features so that only their assigned users could open them. One big padlock for the house, so to speak, so that we can safely leave all the contents unlocked and easier to use.

Re:Device security (0)

Anonymous Coward | more than 2 years ago | (#38689120)

4-digit pass key

Why not pick a longer one? That'd at least make it more secure: 4 digits is not very many at all, even to protect against key-it-in-by-hand attacks from a semi-determined attacker. I'd say go for 6 digits or so; it's still not too hard to remember, but is way more secure than 4.

Re:Device security (0)

Anonymous Coward | more than 2 years ago | (#38689698)

A 4-digit pass key is not strong at all with unlimited tries. If you limit the number of times a wrong password or PIN can be entered before it is locked (for good) then it's not so bad. Take a PIN on a token: it can be 4 numbers if you lock it out for good after 4-5 bad attempts. This is still not as good as using a longer key / adding alpha characters, but not as bad as unlimited attempts.
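The lockout argument made in the two comments above, as an added illustration (not code from any poster or product): a PIN verifier that locks permanently after a fixed number of failures, plus the chance a random guesser has of getting in under each policy. The PIN value and the limit of 5 attempts are constructed for the example.

```python
"""PIN verifier with a hard lockout (constructed example; the PIN and the
attempt limit below are made up for illustration)."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class PinLock:
    """Verifies a numeric PIN and locks for good after max_attempts failures."""
    pin: str
    max_attempts: int = 5
    failures: int = 0
    locked: bool = False

    def verify(self, candidate: str) -> bool:
        # Once locked, nothing is accepted, not even the correct PIN.
        if self.locked:
            return False
        # Constant-time comparison so timing does not leak a matching prefix.
        ok = hmac.compare_digest(self.pin.encode(), candidate.encode())
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
        return False


def guess_success_probability(digits: int, max_attempts: Optional[int]) -> float:
    """Probability that a uniform random guesser gets in before lockout.

    With unlimited attempts the whole space can be enumerated, so it is 1.0;
    with a hard lockout it is max_attempts / 10**digits.
    """
    space = 10 ** digits
    if max_attempts is None:
        return 1.0
    return min(max_attempts, space) / space


if __name__ == "__main__":
    lock = PinLock(pin="4826")  # constructed sample PIN
    for attempt in ["0000", "1234", "1111", "2222", "3333"]:
        lock.verify(attempt)
    print("locked after 5 failures:", lock.locked)
    print("correct PIN still accepted:", lock.verify("4826"))
    for d in (4, 6):
        print(f"{d} digits, 5 tries allowed:", guess_success_probability(d, 5))
```

The two probabilities printed at the end (0.0005 for 4 digits, 0.000005 for 6) make the comment's trade-off concrete: the lockout does most of the work, and the extra digits then shrink what is left.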

Keepass (0)

Anonymous Coward | more than 2 years ago | (#38688474)

I recommend keepass to my friends. I advise them to use unique and random passwords for every account. I only know two passwords. My login, and my keepass passwords. That makes the password problem much more manageable.

Regards,
Jason C. Wells

I disagree (-1, Offtopic)

BrianErvin (2552524) | more than 2 years ago | (#38688478)

my roomate's step-aunt makes $80 hourly on the computer. She has been without a job for 9 months but last month her pay was $7829 just working on the computer for a few hours. Go to this web site and read more...CashSharp.com

Re:I disagree (1)

GameboyRMH (1153867) | more than 2 years ago | (#38688822)

Must be a big demand for granny camgirls...

Particularly relevant... (1)

RogueyWon (735973) | more than 2 years ago | (#38688488)

There's particular relevance to this subject today in relation to the news (via Eurogamer [eurogamer.net] ) of a potential weakness in the password system protecting Xbox Live accounts.

If MS can't refute this one quickly, I suspect it's going to get quite serious. Potentially "Playstation Network hack" serious.

Timely Missive About a Credential Hack (3, Informative)

djl4570 (801529) | more than 2 years ago | (#38688574)

http://www.theregister.co.uk/2012/01/13/sykipot_trojan_dod_smart_card_attack/ [theregister.co.uk]

A new strain of the Sykipot Trojan is being used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, according to security researchers. ... Chinese hackers have adapted the Sykipot Trojan to lift card credentials from compromised systems in order to access classified military networks, according to researchers at security tools firm AlienVault.

Case closed (-1, Flamebait)

Magada (741361) | more than 2 years ago | (#38688598)

If wired claims it, it's wrong. No exceptions.

Reasonable (1)

Flipstylee (1932884) | more than 2 years ago | (#38688632)

Cause in the future, who knows? I might decide to remove the locks from my house...

I enjoy my many barriers of common entry.
My property is managed by my identity and that's me. If I'm (here), it's because I belong (here).

Nowadays information is unlike everything around seemingly, in overabundance,
And in high density, damning even, only considering what one can find on Facebook and the likes.

Privacy? This is the USA!

Re:Reasonable (0)

Anonymous Coward | more than 2 years ago | (#38688784)

*bong noises* riiight on maan

Learning (1)

gmuslera (3436) | more than 2 years ago | (#38688634)

Even if we still use passwords, a lot of things have changed in the last 20 years, not so much in technology, but in culture. A lot could have been obvious or not back then, but now there is more awareness regarding requiring longer passwords, having harder to guess/bruteforce but easier to remember ones, giving alternate approaches like two-factor authentication, etc. It's like comparing the first cars with modern hybrid or electric ones: they are still "cars", the basic scheme is still there, there are no flying cars everywhere now as predicted 30 years ago, but still a lot has improved.

Brainstorming Discussion Group (0)

Anonymous Coward | more than 2 years ago | (#38688706)

Question. If there was some kind of online group, mailing list or forum dedicated to brainstorming alternatives to password authentication, would you participate? I wanted to create one for a while, but I'm not 100% sure how to promote such a thing to get people of different backgrounds into that discussion.

No one's thought about usablity, etc? NIST (0)

Anonymous Coward | more than 2 years ago | (#38688866)

I guess NIST is nobody.... (For those outside the US, NIST: National Inst on Stds & Tech, official US gov't agency.)

                mark

Stupid bastards (1)

Rational (1990) | more than 2 years ago | (#38688884)

This is the kind of arrant bullshit that just begs to be disrupted to death. Smartphones were shit and the companies that were complacent with that state got murdered by Apple. Digital music distribution was shit - same thing. Authentication is in an absolutely dire state, and ripe to be disrupted in the same way, as soon as a company with a bit of vision and a pair of balls takes charge. Apple, Google? Fuck knows, but it's going to happen, count on it. "Shitty" is not a stable, long term state in technology - even Windows has been shamed into becoming halfway-useable.

Two Factor Authentication (1)

pwileyii (106242) | more than 2 years ago | (#38688972)

In my opinion, passwords are pretty much here to stay for the foreseeable future. The thing that I see changing is making the password a single item in an authentication scheme. Most of the major websites have two factor authentication methods available (think Google, Facebook, Paypal, etc.) and most of the banks that I use have methods of dealing with unknown devices connecting, via a series of questions, an email link, or a code sent to me out-of-band. We are certainly moving in a direction where the password is simply a single piece of information of many needed to authenticate. Obviously, the sensitivity of the information will determine what kind of security is needed, but five years ago two factor authentication was only used in the most secure situations and now it is available on the most popular web sites.

Anybody remember client-side digital certificates? (2)

dmorin (25609) | more than 2 years ago | (#38689284)

About a million years ago (1997, maybe?) I worked for a financial company that wanted to implement client-side digital certificates. No more passwords! At a time when all the web stuff was coded in Perl making external calls to a C library that talked to something called a "SafeKeypr" box to generate the actual certificates, it was pretty darned advanced. That crucial bit of hardware in the middle was so secure that it literally had several WarGames-style keys that all had to be inserted simultaneously for the thing to work. At one point when it needed to be debugged, the tech wouldn't even let me see how she cracked it open, she just took the whole box back to her lab. (Neat - just found a link to a book on the project [google.com] I never knew existed. I wrote that code ;)

And yet, here we are almost 15 years later still using usernames and passwords. Oh, well. Was a fun project. :)

True story -- when the project launched we had a big event, with everybody gathered around the box to turn their keys. Then they all took their key and scattered off to wherever, what with the whole "must keep the keys off site and multiple locations" thing. What nobody realized is that the network center (we did our own hosting) had already posted plans for a scheduled power outage that weekend, and nobody'd connected these particular thoughts. So they cycled power in the room to do whatever it is that they did, and the box didn't come back online. Somebody contacted me. I told them to round everybody up to come back and turn their keys again. :)

brute force in the Slepian-Wolf social network (3, Informative)

epine (68316) | more than 2 years ago | (#38689366)

Brute force security needs to be evaluated under the assumption that a Russian botnet has compromised a large number of social networking sites, and gained three to five different clear-text passwords (of possibly no great importance) associated with the targeted user. They now also know--or strongly suspect--the identities of your financial institutions.

Using commonalities of the exposed password set, the botnet bastards will attempt to model your personal password generation heuristic. Since they are not stupider than bricks, they might also assume that your bank password is similar, but fortified to the next level. Gaining some experience in cracking bank passwords, they'll soon have a model for that, too.

My Thomas and Cover from 1991, which happens to be at hand, has chapters on "Jointly typical sequences", "Encoding of correlated sources", and "Source coding with side information". This last section makes reference to Slepian-Wolf encoding, which is kind of interesting. I hadn't spotted that before.

On Slepian-Wolf compression, in memory of Jack Wolf [blogspot.com]

Along with David Slepian, Wolf proved the Slepian-Wolf theorem: as long as certain conditions are met, files X and Y can be compressed to H(X,Y), even if the X server has no knowledge of file Y, and vice versa.

This might not be precisely the right theory to apply to the breaking of password clusters, but the guy doing the math on that has probably read these papers.

Way too little concern is placed on the independence of the passwords chosen, and this vulnerability increases rapidly with the proliferation of passwords used. I'm sure I have more than 100 passwords out in the wild, many held by hopelessly incompetent and untrusted internet discussion forums.

Even a single compromised site can form a model of your password heuristic if you're duped into changing it often.

It wouldn't surprise me that if everyone adopted the four word xkcd approach, that for many individuals, entropy per word is closer to seven or eight bits than eleven, where concrete nouns of five to eight letters predominate, and a further bias to concrete nouns that are visually active in the mind's eye, and 40% of all such passwords contain at least one animal word.

That's where brute force would begin: assume at least one common animal word (four to five bits; since cat/dog don't make the cut, you'll be seeing a lot of parrot/leopard/zebra/unicorn).

unicornprincesscastledragon

I've cracked one already.
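The information-theoretic point behind this comment, written out as an added note rather than anything the poster derived: with $X$ the passwords an attacker has already obtained and $Y$ the bank password, the chain rule gives

$$
H(X, Y) = H(X) + H(Y \mid X), \qquad H(Y \mid X) \le H(Y),
$$

with equality on the right only when $X$ and $Y$ are independent. The residual uncertainty an attacker faces after the leak is therefore

$$
H(Y \mid X) = H(X, Y) - H(X),
$$

so every bit of correlation between the leaked set and the bank password (a shared heuristic, a shared "fortified" suffix) is a bit removed from $H(Y \mid X)$, while passwords chosen independently of each other keep $H(Y \mid X) = H(Y)$. The $H(X,Y)$ in the Slepian-Wolf result quoted above is the same joint entropy; the defensive reading is that independence, not length alone, is what keeps the leak from helping.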

IT is also enforcing worse password security (1)

HannethCom (585323) | more than 2 years ago | (#38689424)

Where I work we have to change our passwords every 6 weeks. Microsoft even encourages draconian practices like this. Even though research shows that enforcing changing of passwords frequently leads to people using bad passwords, and quite frequently writing them down and leaving the written down copy at their computer.

What really frustrates me is that our IT knows this, they wave it off as everyone uses bad passwords anyways. I try to use good passwords, but coming up with a new one every 6 weeks is difficult.

That isn't to say that having a forced password change every blue moon is a bad idea, but more than twice a year for most people is too much. For quite a few companies twice a year might be too much.

As with previous posters, I love how some sites only allow alphanumeric passwords, where others require special characters and you have the different minimums and maximums. Really drives me nuts how some sites have a maximum of 8 characters.

Have you ever hacked MSDN and M$ (1)

NSN A392-99-964-5927 (1559367) | more than 2 years ago | (#38689466)

Does anyone remember or even use Lynx anymore? These were the days in 1982 and I first had a Unix SLIP Serial Line Interface Protocol. That's right and dare I say it that was UN-31337 nothing was digital. It was only developers who illegally worked for GCHQ (deep packet inspection) British Telecom phorming. Well this is why we do not like the black boxen of all windows installations.

AMEN!
