Longer passphrases and biometric approaches may significantly improve security. However, a new Microsoft Research paper suggests password security needs to be put in perspective.
"More than seven years after Bill Gates declared (2004) 'the password is dead,' not only have we failed to get rid of them, but they continue to multiply as an almost universal means of Internet authentication, protecting hundreds of millions of accounts on some large sites."
- Cormac Herley and Paul C. van Oorschot, in a new Microsoft Research white paper on passwords
We've written before about the cumbersome password process, and about how end-users tend to pick from a short list of obvious, common terms for website and application access. (See our posts on the most common passwords of 2011 and of all time.) Neither habit is very secure.
Lately, new alternatives to the password approach have emerged that make access more seamless for end-users while being more secure from an infrastructure point of view.
One alternative gaining support in industry circles is the use of passphrases instead of single-word passwords. They're easier for end-users to remember, and harder to guess or crack from a system security standpoint. As Erica Chickowski of Dark Reading points out, "passphrases, such as a sentence from a favorite book -- are easier to remember and harder to crack than most passwords today, even without special characters... even without any special characters, a long passphrase keeps brute-force attacks at bay far better than a shorter mix of alphanumeric soup."
She quotes software security expert Phil Lieberman:
"Making passphrases more secure than one-word passwords is simple mathematics. The ability to reverse a single-word password is simply a matter of the length of the password itself -- hash lookups. Having the phrase go beyond 14 characters in length makes hash lookups very expensive. Fundamentally there are very few long English single words that are memorable, but a phrase or sentence that goes beyond the 14 or so characters in length is easy to create and remember."
The main barrier to the use of passphrases is not technical, but rather the perception that a short one-word password is easier to remember than a longer phrase.
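The "simple mathematics" above is worth seeing worked through. The following is an added example, not code from the article or from any of the people quoted in it: it computes the keyspace and entropy of a short mixed-character password versus a long all-lowercase passphrase, estimates how long exhaustive search takes at an assumed guess rate (the 10 billion guesses per second figure is a constructed assumption for an unsalted fast hash, not a number from the page), and builds a small hash-to-plaintext lookup table of the kind Lieberman describes to show why such tables only work while the keyspace is tiny.

```python
import hashlib
import itertools
import math
import string

# Assumed offline guess rate for illustration only (constructed, not from the article):
# roughly what one GPU manages against an unsalted fast hash such as SHA-256.
GUESSES_PER_SECOND = 10**10

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols over an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a string chosen uniformly at random over that keyspace."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every string in the keyspace at `rate` guesses/second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def build_lookup_table(alphabet: str, length: int) -> dict:
    """Precompute SHA-256(plaintext) -> plaintext for every string of `length` symbols.

    This is the 'hash lookup' attack in its simplest form: once the table exists,
    reversing any unsalted hash in the keyspace is a dictionary lookup.
    """
    table = {}
    for combo in itertools.product(alphabet, repeat=length):
        pw = "".join(combo)
        table[hashlib.sha256(pw.encode()).hexdigest()] = pw
    return table


def crack_with_table(password: str, alphabet: str = string.ascii_lowercase):
    """Hash `password`, then recover the plaintext from the table alone."""
    table = build_lookup_table(alphabet, len(password))
    digest = hashlib.sha256(password.encode()).hexdigest()
    return table.get(digest)


def compare(short_len: int = 8, phrase_len: int = 28) -> dict:
    """Contrast an 8-character password drawn from all 94 printable ASCII symbols
    with a 28-character passphrase drawn from lowercase letters and space only."""
    full_ascii = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    lower_space = len(string.ascii_lowercase + " ")                              # 27
    return {
        "short_bits": entropy_bits(full_ascii, short_len),
        "phrase_bits": entropy_bits(lower_space, phrase_len),
        "short_years": years_to_exhaust(full_ascii, short_len),
        "phrase_years": years_to_exhaust(lower_space, phrase_len),
        # Entries a lookup table would need for 14-character lowercase strings.
        "table_entries_14_lower": keyspace(26, 14),
    }


if __name__ == "__main__":
    # A 4-letter table has only 26**4 = 456,976 entries and is built in about a second.
    print("recovered:", crack_with_table("cats"))
    for k, v in compare().items():
        print(f"{k}: {v:.4g}")
```

Two caveats matter in practice. The entropy figures assume each character was chosen uniformly at random; a sentence from a favorite book is far from uniform, so a real passphrase carries fewer bits than the 27-symbol calculation suggests, though still far more than an 8-character password. And the lookup table above is defeated by per-user salts, which force the attacker back to brute force; the length argument is what makes that brute force expensive in turn.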
And there are technical remedies emerging as well. For example, Silicon Republic reports that a pair of 17-year-olds (that's a story in itself) have developed an algorithm for facial recognition, now available through an open API. Viv.ie, created by students Niall Paterson and Sam Caulfield, "works by taking a picture of your face and then analyzing it against a database of registered users." Potentially, social networking sites could easily adopt the API and make typewritten passwords unnecessary.
SmartPlanet colleague Laura Shin also provides insights into new biometric approaches catching on as alternatives to typed-in passwords.
However, in their recent paper, Cormac Herley of Microsoft Research and Paul van Oorschot of Carleton University argue that until new approaches catch on, we're going to have to live with the current password system for some time to come. "No silver bullet will meet all requirements," they argue. "Not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use."
The main complaint about the current password system, they assert, is the requirement at many sites and within many organizations that users change their passwords on a regular basis, resulting in frustration and greater complexity.
Herley and van Oorschot urge that organizations and vendors better understand the risks of password usage, and put these risks in their proper perspective:
"We need better understanding of the harms suffered by users when things go wrong. Worst-case and average case harm differ enormously. For example, by the domino effect of password re-use, a compromised low-value account might lead to financial catastrophe for a user. However, the almost routine leaking of millions of passwords from low-value sites (e.g., RockYou and Gawker), evidently with little visible effect, suggests that the average case may be very different."
Jan 13, 2012
Isn't that one of the least secure methods ever considered? Would a picture of my face be sufficient to unlock it? or if I am asleep? I do not like to set up authentication where my conscious participation is not required - and biometrics would be very insecure for that reason. Look at all the movies where fingers are cut off and such. I will stay with passwords for now, thankyouverymuch.
It would be an exceptional step forward for the general public. Because of the password restrictions I end up using the same one when I go to online seller sites. I do have different categories and each category has its own, but inevitably use the same password within categories. Because it is easier to remember! Maybe that should be the next thing always included with the computer by manufacturers. I make a transaction, it scans whichever biometric I signed on with and verifies and authorizes the transaction. Cool! It gets my vote.
Biometrics is slick, effective, and cool. In that lies its attraction. Considering PIPA legislation and SOPA legislation presently pushed by know-nothing politicians, I find cold comfort in giving instant identity tools to whatever group of hungry-ghost politicos who can get access through clever legislation, to use biometric databases in everything from surveillance cameras to vital information gateways like medical, financial, and "security" facilities be they physical or virtual. Pass phrases are way superior and much toward protecting real privacy. Think about it.
A finger/thumb print is much more secure. In this security-aware world we live in, we would have to change phrases very often. That would lead to the same problem passwords are in now. People, in general, cannot remember lots of different ways to get into all the electronics now and in the future. A simple, physical way to get around passwords is a better way.
We have photos of everyone in the company published on our intranet. If I want to login as the CEO, will I be able to print out his photo and put it in front of a camera? Images are still 2D so I don't think this would ever work properly. Retina scan on the other hand might be worth looking at. (I don't know of many photos that could replicate a retina.)
Websites (esp. Facebook) have enough data on me already. They (or some third-party API) don't need a facial or thumbprint profile on me as well.
If you are using movies... The real world is hacked every day. Thousands of passwords are stolen every day. Just piss off some qualified hacker. No security! At least this way they do have to have your PHYSICAL presence in some way. If they are willing to cut off your finger, you don't have much chance of surviving the security breach anyway.