Kill All The Passwords
Written by Frank HayesAugust 26th, 2010
It's time to kill all the passwords. That's the only real conclusion to draw from the work being done by Georgia Tech Research Institute researchers, who are using off-the-shelf graphics-processing cards to crack passwords by brute force. The time required to break an eight-character password: two minutes. A seven-character password--the minimum currently required by PCI-DSS for retailers to protect stored payment-card information--goes in seconds. One of the Georgia Tech researchers, Richard Boyd, called seven-character passwords "hopelessly inadequate."
In short, password security is no longer security. The clock isn't just ticking on every retailer's favorite cheap authentication scheme, it has run out. The answer isn't longer passwords; that's just a stopgap, and even if it works, it won't hold for long. Maybe Chip-and-PIN employee ID cards would do the trick. Even a mag-stripe-and-PIN approach could work. But whatever replaces passwords has to be cheap. And it must have a reasonable chance of keeping the bad guys away from information such as card data.
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
Pages: 1 2
3 Comments | Read Kill All The Passwords
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Ed
August 27th, 2010 at 4:26 pm
The possibilities you describe are years away from being implemented at best, so for the moment passwords are an ugly reality. Luckily, password managers can easily manage hundreds of passwords of any length. The only thing a user needs to remember is the master password. It seems like an easier task to educate users on how to use password managers rather than implement complex security technology on a global basis.
Here’s the simplest way to manage passwords:
Use a password manager to assign unique, random 15 characters for all accounts, protecting them with a strong master password. Once you get into the habit of it, it’s actually faster than how most people login to various accounts each day.
I recently posted a series on password management that highlights this simple solution to the problem, while also giving more background to those who want it (how attackers steal passwords, which password managers are best, etc.):
http://www.filterjoe.com/2010/05/14/password-management-for-the-average-joe/
August 27th, 2010 at 6:10 pm
This article does mention, but does not give enough attention to, the fact that the attacks discussed are only feasible when the encrypted password file can be copied and subjected to an offline attack.
The trick is to have authentication performed on a separate, much more strongly secured host – such as an Active Directory Domain Controller, or a Kerberos server, or a NIS+ server, or even using something as banal as an LDAP-over-SSL authentication dialog.
In these environments, the odds of the “password file” being stolen and subjected to an offline attack go to near zero, and only online attacks may be carried out by the attacker.
With sensible exponential backoff between failed password attempts, lockout after a modest number of failed attempts on a single account, and pattern detection, that minimum 7 character password is quite secure enough.
Passwords aren’t dead yet for security purposes, and they will be with us for a very long while to come for practical purposes. The trick is to employ them correctly.
September 11th, 2010 at 5:28 pm
What the article does not cover are passphrases. Specifically, instead of using lengthy passwords use lengthy passphrases which a user is likely to remember. If I were a pilot (I’m not) I might use:
!_l0ve_fly!ng_my_Cessina
That’s 24 characters. Each word is separated by an underscore, each “i” is replaced by a “!” and each “o” is replaced by a zero (0) and at least one word is capitalized. This is a secure passphrase. In reality, I would expect someone to NOT use a passphrase to which they could be associated. :-)