Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Microsoft Security IT

Passwords Not Going Away Any Time Soon 232

New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"
This discussion has been archived. No new comments can be posted.

Passwords Not Going Away Any Time Soon

Comments Filter:
  • by tverbeek ( 457094 ) on Friday January 13, 2012 @01:22PM (#38688158) Homepage

    Sounds like job security for those of us who reset passwords for a living.


    • Re:job security (Score:5, Insightful)

      by hawguy ( 1600213 ) on Friday January 13, 2012 @01:36PM (#38688364)

      Sounds like job security for those of us who reset passwords for a living.


      Better to reset a password than find that your fingerprint scanners can be compromised by silly putty or your retinal scanners can be compromised by a picture painted on the back of a marble and instead of resetting a password, you're replacing hardware.

  • by imamac ( 1083405 ) on Friday January 13, 2012 @01:23PM (#38688168)
    In the unclassified areas of the military passwords are almost gone (at least for me) by using PKI and our CAC cards.
    • Wikipedia's article about the CAC [wikipedia.org] makes it out to be some sort of smart card, the same form factor commonly used along with a PIN for debit card payment in some countries. The CAC doesn't really remove passwords at all; a PIN is still needed.
      • by imamac ( 1083405 )
        True, it still needs a PIN. But that CAC works for every DoD website. As opposed to remembering hundreds of login/password combinations.
  • But of course... (Score:4, Interesting)

    by Kenja ( 541830 ) on Friday January 13, 2012 @01:25PM (#38688208)
    All biometric systems do is substitute a text string for a string of values gathered from the users defining characteristics. Its the same thing in the end, and you will ALWAYS want a password backup to any biometric system as, despite popular understanding, your biometric signature can change. The best hand scanners for example mesure blood flow and 3D characteristics using holographic imaging. Getting a cold can cause your fingers to swell and throw off the scanners. Wearing a ring can change your 3D hand scan. Etc, etc.
    • Re:But of course... (Score:5, Interesting)

      by HockeyPuck ( 141947 ) on Friday January 13, 2012 @01:40PM (#38688442)

      Try breaking your wrist and having your hand/forearm in a cast...

      Exodus' solution was for me to use my left hand, upside down in the scanner and retake the initial scan since they only use right handed hand scanners.

    • Re:But of course... (Score:5, Interesting)

      by shadowrat ( 1069614 ) on Friday January 13, 2012 @01:47PM (#38688520)
      not to mention, many of them can be hacked in simplistic or macabre ways. a coworker was touting his new phone's biometric authentication and how it recognized his face. He claimed it used some new algorithm that couldn't be fooled by a picture. The claim seemed accurate since a printed picture of him could not unlock the phone. However, the phone happily unlocked when shown a picture of his face on my phone.

      I don't know why it works. Maybe the identification of a real face is taking lighting into account or something and a self illuminated photo on an lcd throws it off. In any case it could still be defeated with his severed head. Now, a password might be given up under torture, but nobody is going to get it by killing you.
      • In any case it could still be defeated with his severed head.

        That is macabre. I would think just tying him up and holding the phone up to his face would work just as well, or putting a gun to the back of his head, or if you must kill him I don't think removing the head is actually necessary. But hey, different strokes for different folks ;)

        • sure sure, you can do that, but obviously, the best solution is to then have his face removed and surgically grafted to your head. If you have the time, you can also have your old face grafted back on him. Then walk away with a clear conscience and a phone you can unlock at will. The chances of him breaking out of prison after being arrested for your crimes, convincing just one trusted friend that he is not you, hunting you down, and ultimately unlocking the phone are practically nil. He doesn't have the fa
      • In any case it could still be defeated with his severed head. Now, a password might be given up under torture, but nobody is going to get it by killing you.

        Once the password (or head) is given, there is no need to keep you alive. It is the future hope that you will reveal the password that keeps you alive... and keeps them torturing you.

    • by Dan East ( 318230 ) on Friday January 13, 2012 @01:55PM (#38688638) Journal

      And what happens if your biometric signature is discovered? Obviously not from the biological side, but the digital side. After all, it's just a number. Of course it would require a more technical exploit at the software level to utilize, but the big downside is you can't change that signature like you can a password (you've only got so many finger prints, or retinas, or whatever).

  • by na1led ( 1030470 ) on Friday January 13, 2012 @01:25PM (#38688210)
    It's bad enough having to remember all my login names, but when sites don't like your password because it doesn't have Caps, or long enough, or a number in it. Forcing me to come up with a half dozen passswords to remember.
  • Partial security (Score:3, Insightful)

    by Anonymous Coward on Friday January 13, 2012 @01:27PM (#38688244)

    ...but still better than none.

    A proper security system is one that has tests for who you are, what you know, if you are under duress, and potentially if you should even be there that day.

    Such a security system is hard to make, in the simplest form it has a biometric component, two passwords (one for regular use, one to act like the proper password but alert security), and is hooked up with the scheduling system (not to lockout, but also alert security). This is reasonable for high stakes facilities, but sufficiently cumbersome that it gets in the way of getting things done for things like PC login and on-line transactions.

  • by Pope ( 17780 ) on Friday January 13, 2012 @01:28PM (#38688250)

    Why does web site x have an 8 character length limit, alphanumeric only?

    Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

    Relevant XKCD: http://xkcd.com/936/ [xkcd.com]

    Remember, you can't solve for the parts of a pw, only the whole thing in one go.

    • Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.
      • Re: (Score:3, Funny)


        Yup, works fine.

      • by hawguy ( 1600213 )

        Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.

        I have a much easier time typing long alphabetic passwords than I do alpha+numeric+symbol passwords.

        And how did you know my password was "correcthorsebatterystaple"!? I followed the XKCD comic *exactly* to generate a secure password, it should have taken you 550 years to guess it.

      • by PPH ( 736903 )

        The example given in XKCD http://xkcd.com/936/ [xkcd.com] appears to be calculating entropy [wikipedia.org] based on the vocabulary space of the English language, not the character space of a random string of N symbols*. Therefore, the strength they calculate would not be diminished by applying a spell checker to your password input. A few small misspellings would be tolerated.

        In other words, your password would be that strong even if your input was misspelled but then auto-corrected. I could live with that.

        *Using the Wikipedia for

      • Technically, you could have your phone autocomplete / spellcheck your password if such a scheme were used.

    • by MagicM ( 85041 ) on Friday January 13, 2012 @01:36PM (#38688382)

      Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password "D0g....................." is harder to break than the password "PrXyc.N(n4k77#L!eVdAfp9". He makes this very clear in his password haystack reference guide and tester [grc.com]: "Once an exhaustive password search begins, the most important factor is password length!"

      • Of course if that's the root password for the company's server and you type that close to someone else it won't be that difficult for them to find out.

        If your attacks only come from someone who knows nothing about the password, that theory works fine. If they saw you typing a three letter word and then put a bunch of dots after "PrXyc.N(n4k77#L!eVdAfp9" seems "slightly" better.

    • by hawguy ( 1600213 ) on Friday January 13, 2012 @01:49PM (#38688546)

      Why does web site x have an 8 character length limit, alphanumeric only?

      Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?

      And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password? I use the same (or similar) password at all non-important sites (discussion forums, etc, not anything that involves a credit card, bank account, or personal email). If they'd just post their password requirements when I'm entering the password (or at least after the first time I mistype the password), I'd be able to remember what password I used.

      I can't believe hiding the password requirements makes life any harder for a hacker (who could just create a dummy account to see the password requirements).

      • by Pope ( 17780 )

        And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password?

        Bad design, pure and simple.

      • by Ambvai ( 1106941 )

        My favorite requirement was exactly 8 characters, one of which must be capital, one of which must be a symbol, one of which must be a number, none of those three may be in the first or last position, and it had to be changed every month.

    • Everything is migrating towards mobile devices, or at a minimum, some degree of accessibility from mobile devices. Longer, more complex passwords are even less conducive for use / convenience on mobile devices than computers with full keyboards. So I believe people are going to trend in the exact opposite direction - shorter passwords because they are easier to enter on mobile devices.

  • Seems like a conflict of interest to me: "Oh, passwords are here to stay!" seems to be FUD designed to discourage people from innovating so that MIcrosoft can find the patent first (because it'll eventually supplant their password system and the IP birds will come home to roost).

    • Re: (Score:2, Interesting)

      by GameboyRMH ( 1153867 )

      No, passwords (or passphrases, just a long password really) will always be there because information that is only stored in your memory is the most secure.

      Biometrics are quite easy to force out of you, when the reader is even secure (see face & iris scanners being fooled by pics, fingerprint scanners being fooled by scanned or molded fingerprints). No such thing as a duress password with biometrics.

      Keyfobs can enhance the security of a password, but by itself is *less* secure than a password, because th

  • Securty. (Score:5, Informative)

    by fish_in_the_c ( 577259 ) on Friday January 13, 2012 @01:29PM (#38688276)

    I have worked for years with security and authentication.
    there are three ways to establish trust. Something you have , something are , something you know.
    that will never change. and most any one of them can be compromised. thus it is better to build systems that use
    more then one.

    care keys ( something you have)
    thumb print ( something you are)
    password/ pass phrase/ etc. ( something you know) .

    all three together are more secure and more trust can be built by using multiple aspects but the easiest will be probably always be something you know.

    Think about it authentication before computers.

    Go to the bank ( hopefully the banker recognized you ( multiple bio metric) )
    do you have your checkbook / check card/ pass book?
    do you have a pin / password etc.

    it really won't ever get much better you can use more and more bio metrics but that won't stop fraud only make it more costly.

    • Re:Securty. (Score:5, Funny)

      by Anne_Nonymous ( 313852 ) on Friday January 13, 2012 @01:57PM (#38688674) Homepage Journal

      >> Something you have , something are , something you know.

      My brother-in-law's password oughta be assholeassholeasshole.

    • Still, some users will always find a way to muck things up.

      "Nothing can be made foolproof, because fools are so ingenious."

      care keys ( something you have)

      You'll lose it.

      thumb print ( something you are)

      Like, dead. "We have his key, but his thumb is decomposed, so we can't open it anymore."

      password/ pass phrase/ etc. ( something you know)

      You'll forget it.

      You want to have a truly secure system? Get rid of any humans in the system.

      • by fnj ( 64210 )

        Secure and sure. Secure and sure. Not just secure. A system even the authorized user can never enter because it's too bloody hard to accomplish is busted, but it's still secure. DAMN secure.

    • by Laur ( 673497 )

      there are three ways to establish trust. Something you have , something are , something you know.

      This is incorrect, there are only two. "Something you are" (fingerprints, retinas, etc.) is really just another kind of "something you have". The only differences between biometrics and something like a physical key or access card is that biometrics are horribly insecure (how many objects have you left your fingerprints on today?) and nearly impossible to replace if they get compromised.

      • by fnj ( 64210 )

        If your arm is eaten by a shark or your eye is poked out by a nail gun, you'll never be able to get a replacement fingerprint or retina pattern, but if you lose your access card and are able to talk the security officer into giving you another, you won't be fired for inability to do your job because you can't get into the site.

  • As more and more of my "online" activities take place on the iphone instead of the computer, password management has become much easier. Other than bank accounts, all log in info is kept by the phone and I never have to log in to anything: counting on the password lock of the phone itself to keep my stuff private should someone pick up my phone. But someone could overcome my 4-digit pass key or observe it (I know my wife's because everytime she has trouble with her phone she asks me for help and so I witnes
    • by fnj ( 64210 )

      Which do you fear more? Making your passwords so easy to steal that someone robs you of everything? Or making your passwords so hard to retrieve that you effectively lose access to them and lose access to all of your own stuff? Choose one or the other. Think carefully. Hint ... it's a trick question. Hobson's choice.

  • There's particular relevance to this subject today in relation to the news (via Eurogamer [eurogamer.net]) of a potential weakness in the password system protecting Xbox Live accounts.

    If MS can't refute this one quickly, I suspect it's going to get quite serious. Potentially "Playstation Network hack" serious.
  • by djl4570 ( 801529 ) on Friday January 13, 2012 @01:51PM (#38688574) Journal
    http://www.theregister.co.uk/2012/01/13/sykipot_trojan_dod_smart_card_attack/ [theregister.co.uk]

    A new strain of the Sykipot Trojan is been used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, according to security researchers. ... Chinese hackers have adapted the Sykipot Trojan to lift card credentials from compromised systems in order to access classified military networks, according to researchers at security tools firm AlienVault.

  • Even if we still use passwords, a lot of things had changed in the last 20 years, not so much in technology, but in culture. A lot could had been obvious or not back then, but now there is more awareness regarding requiring longer passwords, having harder to guess/bruteforce but easier to remember ones, giving alternate approachs like two-factor authentication, etc. Is like comparing the first cars with modern hybrid or electric ones, still are "cars", the basic scheme is still there, there are no flying ca
  • In my opinion, passwords are pretty much here to stay for the foreseeable future. The thing that I see changing is making the password a single item in an authentication scheme. Most of the major websites have two factor authentication methods available (think Google, Facebook, Paypal, etc.) and most of the banks that I use have methods of dealing with unknown devices connecting, via a series of questions, an email link, or a code sent to me out-of-band. We are certainly moving in a direction where the pass

  • About a million years ago (1997, maybe?) I worked for a financial company that wanted to implement client-side digital certificates. No more passwords! At a time when all the web stuff was coded in Perl making external calls to a C library that talked to something called a "SafeKeypr" box to generate the actual certificates, it was pretty darned advanced. That crucial bit of hardware in middle was so secure that it literally had several WarGames-style keys that all had to be inserted simultaneously for the thing to work. At one point when it needed to be debugged, the tech wouldn't even let me see how she cracked it open, she just took the whole box back to her lab. (Neat - just found a link to a book on the project [google.com] I never new existed. I wrote that code ;)]

    And yet, here we are almost 15 years later still using usernames and passwords. Oh, well. Was a fun project. :)

    True story -- when the project launched we had a big event, with everybody gathered around the box to turn their keys. Then they all took their key and scattered off to wherever, what with the whole "must keep the keys off site and multiple locations" thing. What nobody realized is that the network center (we did our own hosting) had already posted plans for a scheduled power outage that weekend, and nobody'd connected these particular thoughts. So they cycled power in the room to do whatever it is that they did, and the box didn't come back online. Somebody contacted me. I told them to round everybody up to come back and turn their keys again. :)

  • by epine ( 68316 ) on Friday January 13, 2012 @02:38PM (#38689366)

    Brute force security needs to be evaluated under the assumption that a Russian botnet has compromised a large number of social networking sites, and gained three to five different clear-text passwords (of possibly no great importance) associated with the targeted user. They now also know--or strongly suspect--the identities of your financial institutions.

    Using commonalities of the exposed password set, the botnet bastards will attempt to model your personal password generation heuristic. Since they are not stupider than bricks, they might also assume that your bank password is similar, but fortified to the next level. Gaining some experience in cracking bank passwords, they'll soon have a model for that, too.

    My Thomas and Cover from 1991, which happens to be at hand, has chapters on "Jointly typical sequences", "Encoding of correlated sources", and "Source coding with side information". This last section makes reference to Slepian-Wolf encoding, which is kind of interesting. I hadn't spotted that before.

    On Slepian-Wolf compression, in memory of Jack Wolf [blogspot.com]

    Along with David Slepian, Wolf proved the Slepian-Wolf theorem: as long as certain conditions are met, files X and Y can be compressed to H(X,Y), even if the X server has no knowledge of file Y, and vice versa.

    This might not be precisely the right theory to apply to the breaking of password clusters, but the guy doing the math on that has probably read these papers.

    Way too little concern is placed on the independence of the passwords chosen, and this vulnerability increases rapidly with the proliferation of passwords used. I'm sure I have more than 100 passwords out in the wild, many held by hopelessly incompetent and untrusted internet discussion forums.

    Even a single compromised site can form a model of your password heuristic if you're duped into changing it often.

    It wouldn't surprise me that if everyone adopted the four word xkcd approach, that for many individuals, entropy per word is closer to seven or eight bits than eleven, where concrete nouns of five to eight letters predominate, and a further bias to concrete nouns that are visually active in the mind's eye, and 40% of all such passwords contain at least one animal word.

    That's where brute force would begin: assume at least one common animal word (four to five bits; since cat/dog don't make the cut, you'll be seeing a lot of parrot/leopard/zebra/unicorn).


    I've cracked one already.

  • Where I work we have to change our passwords every 6 weeks. Microsoft even encourages draconian practices like this. Even though research shows that enforcing changing of passwords frequently leads to people using bad passwords, and quite frequently writing them down and leaving the written down copy at their computer.

    What really frustrates me is that our IT knows this, they wave it off as everyone uses bad passwords anyways. I try to use good passwords, but coming up with a new one every 6 weeks is diffi
  • Don't sell your stock in the Post-It note company after all.

If graphics hackers are so smart, why can't they get the bugs out of fresh paint?