Passwords Not Going Away Any Time Soon
New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"
But of course... (Score:4, Interesting)
Re:But of course... (Score:5, Interesting)
Try breaking your wrist and having your hand/forearm in a cast...
Exodus' solution was for me to use my left hand, upside down in the scanner, and retake the initial scan, since they only use right-handed hand scanners.
Re:Hmmm... (Score:2, Interesting)
No, passwords (or passphrases, just a long password really) will always be there because information that is only stored in your memory is the most secure.
Biometrics are quite easy to force out of you, even when the reader is secure (see face & iris scanners being fooled by pics, fingerprint scanners being fooled by scanned or molded fingerprints). No such thing as a duress password with biometrics.
Keyfobs can enhance the security of a password, but by themselves are *less* secure than a password, because they can be physically stolen. Same reason you should use passphrases on your SSH keyfiles.
And everything else is variations on the same theme, biometrics or stealable tokens of authenticity, that all suffer the same flaws. They can enhance the security of passwords, but by themselves are inferior.
Re:But of course... (Score:5, Interesting)
I don't know why it works. Maybe the identification of a real face is taking lighting into account or something, and a self-illuminated photo on an LCD throws it off. In any case it could still be defeated with his severed head. Now, a password might be given up under torture, but nobody is going to get it by killing you.
Re:Duh? (Score:4, Interesting)
Ummm...simple answer, Microsoft/IBM/rest of world:
Start adding a "please generate a good password for me because I'm too ignorant to do it myself and I'll choose '123456' " button to your user interfaces.
Re:Stop limiting password length (Score:5, Interesting)
Why does web site x have an 8 character length limit, alphanumeric only?
Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?
And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password? I use the same (or similar) password at all non-important sites (discussion forums, etc, not anything that involves a credit card, bank account, or personal email). If they'd just post their password requirements when I'm entering the password (or at least after the first time I mistype the password), I'd be able to remember what password I used.
I can't believe hiding the password requirements makes life any harder for a hacker (who could just create a dummy account to see the password requirements).
Re:Whatever happened to passphrases? (Score:4, Interesting)
I just realized that my bank must be doing this (or at least using reversible encryption) because it uses the whole positional character schtick. Damn.
Re:Duh? (Score:4, Interesting)
Publishing a comic isn't going to make people choose better passwords.
People have had well over a decade to learn about choosing passwords, but they're as ignorant as ever.
The only way forward is to take the choice out of their hands. Use the XKCD method if you want, just don't let the users do it themselves.
In many cases, you *can't* use the xkcd method because:
a. the password field is too short
b. the password checker rejects common words
c. you can't see what you're typing when you enter the password
The problem generally isn't the users' ignorance, it's the assholes writing the password system.
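Two threads above come together here: the "generate a good password for me" button and the observation that the xkcd passphrase method often cannot be used because the field is too short or rejects common words. The example below is added here and is not code from any of the commenters, Microsoft or IBM; it assumes a constructed 32-word list (a real diceware-style list has thousands of words, so a four- or five-word phrase gets you far more bits per word than this toy list does) and constructed site policies. It generates a passphrase when the site's length limit and character set allow it, and otherwise falls back to a random character password sized for the same entropy target, reporting how many bits the limit actually lets you have.

```python
import math
import secrets
import string

# Constructed word list for this example only: 32 entries, so 5 bits of entropy per word.
WORDLIST = [
    "apple", "banana", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jungle", "kettle", "lemon", "marble", "needle", "orange", "pepper",
    "quartz", "river", "saddle", "tiger", "umbrella", "velvet", "walnut", "yellow",
    "zebra", "anchor", "bridge", "cactus", "dolphin", "engine", "falcon", "glacier",
]

ALNUM = string.ascii_letters + string.digits
FULL = ALNUM + string.punctuation + " "


def generate_password(length: int, alphabet: str = FULL) -> str:
    """Uniformly random characters from the alphabet, using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int, wordlist: list[str] = WORDLIST, sep: str = " ") -> str:
    """xkcd-style passphrase: independent uniform picks from the list, joined by sep."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase comes from the list size, not the letters in the words."""
    return words * math.log2(wordlist_size)


def fits_policy(secret: str, max_len: int, allowed: str) -> bool:
    """The two restrictions the thread complains about: a length cap and an allowed set."""
    return len(secret) <= max_len and all(c in allowed for c in secret)


def pick_for_site(max_len: int, allowed: str, target_bits: float = 64.0,
                  wordlist: list[str] = WORDLIST) -> dict:
    """Try a passphrase first; if the site's policy rules it out, fall back to a random
    password. The returned 'bits' is what the policy actually permits, which may be below
    target_bits when the length cap is too small (the field-too-short case)."""
    alphabet = "".join(sorted(set(allowed)))
    words = math.ceil(target_bits / math.log2(len(wordlist)))
    phrase = generate_passphrase(words, wordlist)
    if fits_policy(phrase, max_len, alphabet):
        return {"kind": "passphrase", "secret": phrase,
                "bits": passphrase_bits(words, len(wordlist))}
    length = min(max_len, math.ceil(target_bits / math.log2(len(alphabet))))
    return {"kind": "password", "secret": generate_password(length, alphabet),
            "bits": password_bits(length, len(alphabet))}


if __name__ == "__main__":
    # Constructed policies: "site x" (8 chars, alphanumeric) and a site with a generous limit.
    for name, max_len, allowed in [("site x", 8, ALNUM), ("site y", 18, ALNUM), ("roomy", 200, FULL)]:
        choice = pick_for_site(max_len, allowed)
        print(f"{name:6s} -> {choice['kind']:10s} {choice['bits']:5.1f} bits  {choice['secret']!r}")
```

With the 62-character alphanumeric set each character is worth about 5.95 bits, so an 8-character cap tops out near 47.6 bits no matter how the user picks; the generator reports that rather than pretending the limit is harmless. Swapping in a real word list changes only WORDLIST and the bits-per-word figure.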