Passwords Not Going Away Any Time Soon

New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"
  • by imamac ( 1083405 ) on Friday January 13, 2012 @01:23PM (#38688168)
    In the unclassified areas of the military, passwords are almost gone (at least for me) by using PKI and our CAC cards.
  • Security. (Score:5, Informative)

    by fish_in_the_c ( 577259 ) on Friday January 13, 2012 @01:29PM (#38688276)

    I have worked for years with security and authentication.
    There are three ways to establish trust: something you have, something you are, something you know.
    That will never change, and most any one of them can be compromised; thus it is better to build systems that use
    more than one.

    care keys (something you have)
    thumb print (something you are)
    password / pass phrase / etc. (something you know)

    All three together are more secure, and more trust can be built by using multiple aspects, but the easiest will probably always be something you know.

    Think about it: authentication before computers.

    Go to the bank (hopefully the banker recognized you (multiple biometrics)).
    Do you have your checkbook / check card / pass book?
    Do you have a PIN / password, etc.?

    It really won't ever get much better. You can use more and more biometrics, but that won't stop fraud, only make it more costly.

  • by MagicM ( 85041 ) on Friday January 13, 2012 @01:36PM (#38688382)

    Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password "D0g....................." is harder to break than the password "PrXyc.N(n4k77#L!eVdAfp9". He makes this very clear in his password haystack reference guide and tester [grc.com]: "Once an exhaustive password search begins, the most important factor is password length!"

  • by djl4570 ( 801529 ) on Friday January 13, 2012 @01:51PM (#38688574) Journal
    http://www.theregister.co.uk/2012/01/13/sykipot_trojan_dod_smart_card_attack/ [theregister.co.uk]

    A new strain of the Sykipot Trojan is being used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, according to security researchers. ... Chinese hackers have adapted the Sykipot Trojan to lift card credentials from compromised systems in order to access classified military networks, according to researchers at security tools firm AlienVault.

  • by Dr_Barnowl ( 709838 ) on Friday January 13, 2012 @01:53PM (#38688616)

    The stupid part is that the limit on the password field is just a piece of UI.

    If they're doing it right, they're storing a hash of the password. The hashes are all the same size. You should be able to carry around a USB device that emulates a keyboard and types out the declaration of independence (without using enter) and use that as a password.

    Systems that limit the password to, say, 13 characters bug the crap out of me, because I often choose passwords that are longer.

    Systems that limit the password size because they are storing them as plaintext should of course have their source printed out and ritually burned.

  • by godIsaDJ ( 644331 ) on Friday January 13, 2012 @02:33PM (#38689302)
    Actually that's not the way that works. They are using a Zero-Knowledge [wikipedia.org] protocol.
  • by epine ( 68316 ) on Friday January 13, 2012 @02:38PM (#38689366)

    Brute force security needs to be evaluated under the assumption that a Russian botnet has compromised a large number of social networking sites, and gained three to five different clear-text passwords (of possibly no great importance) associated with the targeted user. They now also know--or strongly suspect--the identities of your financial institutions.

    Using commonalities of the exposed password set, the botnet bastards will attempt to model your personal password generation heuristic. Since they are not stupider than bricks, they might also assume that your bank password is similar, but fortified to the next level. Gaining some experience in cracking bank passwords, they'll soon have a model for that, too.

    My Thomas and Cover from 1991, which happens to be at hand, has chapters on "Jointly typical sequences", "Encoding of correlated sources", and "Source coding with side information". This last section makes reference to Slepian-Wolf encoding, which is kind of interesting. I hadn't spotted that before.

    On Slepian-Wolf compression, in memory of Jack Wolf [blogspot.com]

    Along with David Slepian, Wolf proved the Slepian-Wolf theorem: as long as certain conditions are met, files X and Y can be compressed to H(X,Y), even if the X server has no knowledge of file Y, and vice versa.

    This might not be precisely the right theory to apply to the breaking of password clusters, but the guy doing the math on that has probably read these papers.

    Way too little concern is placed on the independence of the passwords chosen, and this vulnerability increases rapidly with the proliferation of passwords used. I'm sure I have more than 100 passwords out in the wild, many held by hopelessly incompetent and untrusted internet discussion forums.

    Even a single compromised site can form a model of your password heuristic if you're duped into changing it often.

    It wouldn't surprise me that if everyone adopted the four word xkcd approach, that for many individuals, entropy per word is closer to seven or eight bits than eleven, where concrete nouns of five to eight letters predominate, and a further bias to concrete nouns that are visually active in the mind's eye, and 40% of all such passwords contain at least one animal word.

    That's where brute force would begin: assume at least one common animal word (four to five bits; since cat/dog don't make the cut, you'll be seeing a lot of parrot/leopard/zebra/unicorn).

    unicornprincesscastledragon

    I've cracked one already.

  • by TheLink ( 130905 ) on Friday January 13, 2012 @02:54PM (#38689626) Journal

    You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.

    In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.

    2^44 is 1.7592186 * 10^13, which is SMALLER than 3.906 * 10^17. So if you assume a 25000 word vocab you have MORE than 44 bits of entropy with the passphrases approach. It may not be impossible to crack, but it's harder than the stupid "hard to remember by normal people" passwords. Which is the xkcd example's point, which I guess assumes a conservative 3000 common word vocabulary.
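
The two strength calculations argued over in this thread (MagicM's haystack comparison of "D0g....................." against "PrXyc.N(n4k77#L!eVdAfp9", and TheLink's vocabulary-to-the-fourth-power count for a four-word passphrase) worked through in Python. This is an added example, not code from the thread or from GRC's haystack page; the character-class sizes (26 lower, 26 upper, 10 digits, 33 symbols) are an assumption, and the 2048-word list is the 11-bits-per-word vocabulary the xkcd comic quotes.

```python
import math
import string

# Character-class sizes (assumption: the 26/26/10/33 split a haystack-style calculator uses).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search must assume, given which character classes appear."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in string.punctuation or c == " " for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def haystack_search_space(password: str) -> int:
    """Every string of length 1..len(password) over that alphabet: the 'haystack' size."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def passphrase_search_space(word_count: int, vocabulary: int) -> int:
    """Words drawn uniformly with replacement: vocabulary ** word_count."""
    return vocabulary ** word_count


def entropy_bits(search_space: int) -> float:
    return math.log2(search_space)


def years_to_exhaust(search_space: int, guesses_per_second: float) -> float:
    return search_space / guesses_per_second / (365.25 * 24 * 3600)


# Constructed inputs: the two haystack strings from the thread and the vocabulary sizes discussed.
DOG = "D0g" + "." * 21            # 24 characters: one of each class, padded with a symbol
PRX = "PrXyc.N(n4k77#L!eVdAfp9"   # 23 characters, also all four classes

if __name__ == "__main__":
    for pw in (DOG, PRX):
        space = haystack_search_space(pw)
        print(f"{pw!r:28} alphabet={alphabet_size(pw)} bits={entropy_bits(space):.1f} "
              f"years@1e11/s={years_to_exhaust(space, 1e11):.2e}")
    for vocab in (2048, 3000, 25000):
        space = passphrase_search_space(4, vocab)
        print(f"4 words from {vocab:>6} -> {space:.3e} ({entropy_bits(space):.1f} bits)")
```

Both haystack strings force the same 95-character alphabet, so the extra character is what makes the padded one larger; the passphrase figures show 25000^4 landing well above 2^44 while a 2048-word list gives exactly 44 bits.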

  • by Cinder6 ( 894572 ) on Friday January 13, 2012 @02:59PM (#38689714)

    My bank has a similar ridiculous restriction. 14 characters max, limited subset of symbols allowed. Because of this, my bank password is my least secure password, while it should be one of the strongest. I find it amusing that my WoW account is much more secure than my bank (greater password freedom + authenticator)--at least from an authentication standpoint.

    Mac users can use a program called 1Password to manage their passwords. It stores them in an encrypted file that you use a master password to unlock. And you can use browser extensions to have it automatically login to any site you've told it about, and it will generate passwords for you as well. It's the best solution I've found for having unique, strong passwords for every site or system you have a login for. Just make sure you choose a smart master password.

    (There's an iOS version, too, that syncs with the standalone app, so you have access to your passwords on the go.)

    Anyone know of something similar for other platforms? I'd like to get the rest of my family using stronger passwords than pet names or whatever they're using.
