Microsoft Security IT

Passwords Not Going Away Any Time Soon

New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"
  • But of course... (Score:4, Interesting)

    by Kenja ( 541830 ) on Friday January 13, 2012 @01:25PM (#38688208)
    All biometric systems do is substitute a text string for a string of values gathered from the user's defining characteristics. It's the same thing in the end, and you will ALWAYS want a password backup to any biometric system as, despite popular understanding, your biometric signature can change. The best hand scanners for example measure blood flow and 3D characteristics using holographic imaging. Getting a cold can cause your fingers to swell and throw off the scanners. Wearing a ring can change your 3D hand scan. Etc, etc.
  • Re:But of course... (Score:5, Interesting)

    by HockeyPuck ( 141947 ) on Friday January 13, 2012 @01:40PM (#38688442)

    Try breaking your wrist and having your hand/forearm in a cast...

    Exodus' solution was for me to use my left hand, upside down in the scanner, and retake the initial scan, since they only use right-handed hand scanners.

  • Re:Hmmm... (Score:2, Interesting)

    by GameboyRMH ( 1153867 ) <gameboyrmh&gmail,com> on Friday January 13, 2012 @01:47PM (#38688510) Journal

    No, passwords (or passphrases, just a long password really) will always be there because information that is only stored in your memory is the most secure.

    Biometrics are quite easy to force out of you, when the reader is even secure (see face & iris scanners being fooled by pics, fingerprint scanners being fooled by scanned or molded fingerprints). No such thing as a duress password with biometrics.

    Keyfobs can enhance the security of a password, but by themselves they are *less* secure than a password, because they can be physically stolen. Same reason you should use passphrases on your SSH keyfiles.

    And everything else is variations on the same theme, biometrics or stealable tokens of authenticity, that all suffer the same flaws. They can enhance the security of passwords, but by themselves are inferior.

  • Re:But of course... (Score:5, Interesting)

    by shadowrat ( 1069614 ) on Friday January 13, 2012 @01:47PM (#38688520)
    Not to mention, many of them can be hacked in simplistic or macabre ways. A coworker was touting his new phone's biometric authentication and how it recognized his face. He claimed it used some new algorithm that couldn't be fooled by a picture. The claim seemed accurate since a printed picture of him could not unlock the phone. However, the phone happily unlocked when shown a picture of his face on my phone.

    I don't know why it works. Maybe the identification of a real face is taking lighting into account or something and a self-illuminated photo on an LCD throws it off. In any case it could still be defeated with his severed head. Now, a password might be given up under torture, but nobody is going to get it by killing you.
  • Re:Duh? (Score:4, Interesting)

    by Joce640k ( 829181 ) on Friday January 13, 2012 @01:49PM (#38688540) Homepage

    Ummm...simple answer, Microsoft/IBM/rest of world:

    Start adding a "please generate a good password for me because I'm too ignorant to do it myself and I'll choose '123456' " button to your user interfaces.

  • by hawguy ( 1600213 ) on Friday January 13, 2012 @01:49PM (#38688546)

    Why does web site x have an 8 character length limit, alphanumeric only?

    Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

    And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password? I use the same (or similar) password at all non-important sites (discussion forums, etc, not anything that involves a credit card, bank account, or personal email). If they'd just post their password requirements when I'm entering the password (or at least after the first time I mistype the password), I'd be able to remember what password I used.

    I can't believe hiding the password requirements makes life any harder for a hacker (who could just create a dummy account to see the password requirements).

  • by Dr_Barnowl ( 709838 ) on Friday January 13, 2012 @02:00PM (#38688708)

    I just realized that my bank must be doing this (or at least using reversible encryption) because it uses the whole positional character schtick. Damn.

  • Re:Duh? (Score:4, Interesting)

    by sco08y ( 615665 ) on Friday January 13, 2012 @08:08PM (#38693344)

    Publishing a comic isn't going to make people choose better passwords.

    People have had well over a decade to learn about choosing passwords but they're as ignorant as ever.

    The only way forward is to take the choice out of their hands. Use the XKCD method if you want, just don't let the users do it themselves.

    In many cases, you *can't* use the xkcd method because:
    a. the password field is too short
    b. the password checker rejects common words
    c. you can't see what you're typing when you enter the password

    The problem generally isn't the users' ignorance, it's the assholes writing the password system.
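The three complaints above (Joce640k's "generate it for me" button, hawguy's hidden per-site rules, and sco08y's point that length caps and dictionary filters reject xkcd-style passphrases) can be put side by side in code. This is an added example, not from the article or any commenter; the two policies are constructed from hawguy's description of "site x" and "site y", and the eight-word list is a stand-in for a real diceware list.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a diceware/xkcd word list (a real list has ~7776 entries).
WORDS = ("correct", "horse", "battery", "staple", "anvil", "cactus", "lantern", "meadow")
DICEWARE_SIZE = 7776  # size of the standard list; used only for the entropy estimate


@dataclass(frozen=True)
class PasswordPolicy:
    """A site's rules kept as data, so they can be shown to the user before they type."""
    name: str
    min_len: int
    max_len: Optional[int]
    allowed: Optional[str]          # None means any character is accepted
    reject_common_words: bool = False

    def describe(self) -> str:
        rng = f"{self.min_len}-{self.max_len}" if self.max_len else f"at least {self.min_len}"
        alnum = string.ascii_letters + string.digits
        cs = "alphanumeric only" if self.allowed == alnum else "any characters"
        return f"{self.name}: {rng} characters, {cs}"

    def violations(self, pw: str) -> list:
        """Return every rule the candidate breaks (an empty list means accepted)."""
        out = []
        if len(pw) < self.min_len:
            out.append("too short")
        if self.max_len is not None and len(pw) > self.max_len:
            out.append("too long")
        if self.allowed is not None and any(c not in self.allowed for c in pw):
            out.append("disallowed character")
        if self.reject_common_words and any(w in pw.lower().split() for w in WORDS):
            out.append("contains a dictionary word")
        return out


def generate_passphrase(n_words: int, wordlist=WORDS, sep: str = " ") -> str:
    """xkcd-style passphrase: n words drawn with a CSPRNG (the 'generate it for me' button)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Guessing entropy of n independent uniform picks from an alphabet of the given size."""
    return n_symbols * math.log2(alphabet_size)


# The two policies hawguy describes (constructed from the comment, not real sites).
SITE_X = PasswordPolicy("site x", 1, 8, string.ascii_letters + string.digits)
SITE_Y = PasswordPolicy("site y", 5, 18, None, reject_common_words=True)
```

A four-word passphrase from a full diceware list carries about 51.7 bits, yet `SITE_X.violations("correct horse battery staple")` rejects it for length and for the spaces, and the best the site's own rules allow is an 8-character alphanumeric string at roughly 47.6 bits; `describe()` is what hawguy asks sites to print on the form.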
