'End of passwords' predictions are premature - Cambridge boffin

Advances in the power of computers won't automatically make passwords obsolete, according to a top computer science researcher. Joseph Bonneau, a postgrad researcher at Cambridge University, looked into the perceived wisdom that runs along these lines: "Since computers are getting exponentially faster, yet the human brain is …

COMMENTS

This topic is closed for new posts.

This post has been deleted by a moderator

Silver badge
Meh

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

Since many people use the word password for their password and many people have none I suppose we are almost there.

1
0
Anonymous Coward

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

Eadon, your continued dedication to the eradication of Windows is admirable, but ever so boring.

7
2
LDS
Silver badge

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

And of course that will protect you from bad password management implemented in a PHP/Postgres/Apache site running on Linux...

2
2
Anonymous Coward

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

"Eadon, your continued dedication to the eradication of Windows is admirable, but ever so boring."

He doesn't really have anything else to say. It's interesting to note that though he says of himself, "I'm about as geeky and technical as they come.", he doesn't seem to offer much in the way of technical opinions - just jumps on any tenuous reason to proclaim MS dead, etc. Other than those that have been posted countless times by others, anyway. As I've said the other day, he seems to be just trolling. Or trying to convince himself of what he's saying. Trying to get approval from Linux fans? Going for the precious gold badge? Explanations abound for his behaviour, but applying Occam's Razor would seem to point towards some major emotional shootout. I don't even think I'll expend the effort to downvote him any more.

2
1

This post has been deleted by a moderator

This post has been deleted by a moderator

Anonymous Coward

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

> AC FAIL!

UPS ?

7
0
Facepalm

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

Well, so there's Eadon again... Still so sore about how many times your lunch pail ended up on top of the gym cupboards at college? I should apologise, but they say laughter's the best medicine and I'm still feeling fine.

Keep it up! Maybe some day you'll convince even me! :-)

2
1
Trollface

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

Hey, Bill! Wow, college, that takes me back too ... remember all those wedgies we gave Eadon? Good times, man, good times.

Say, if you bump into him, ask him if he remembers too?

Later, friendo, there's a peace-loving commune of Linux users over here that needs a good pillagin'!

3
0
Silver badge

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

Speaking as a seasoned Linux geek, Windows is going nowhere. As amusing as it is to imagine that Windows 8 is so bad that it will finally kill it off it's just not going to happen (just like it didn't happen with Vista). So long as there are desktop PCs and notebooks they will be dominated by Windows. Why? Because Macs are too expensive for most people and prebuilt computers with Linux aren't on the shelves where people go to buy computers (or, on the rare occasion that they are, cost the same as the identical computer running the more familiar Windows sitting right next to them).

0
0

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

Absolutely. Maybe someone can tell me I'm missing something, but isn't this approach obvious?

0
0
Silver badge

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

They tend to get around that with botnets. Instead of 1 machine trying a million combinations, you have a million machines trying one each. This is hard to block since an actual user could be in the mix.

0
0
Go

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

Still easy to block - just let the real user get locked out too! ie have the server implement increasing response delays and a lockout period after N failed guesses (where the period may be infinite, requiring a fleshy to beg the BOFH to unlock having reasonably convinced him of his bona fides, or at the least provided a good laugh through abject crawling)

1
0
Anonymous Coward

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

Gargh..... What is the world coming to. I find myself agreeing with Eadon. HELP!

@LarsG - the idea is to prevent people using easy-to-guess passwords by telling them to use stronger passwords.

Also, to prevent cracking, the idea is that you have increasing-time-delays between wrong password guesses. This makes cracking impractical. It doesn't matter how many passwords you can guess per second if you can only attempt one per three seconds, with increasing increments.

Just goes to show that even idiots can be right sometimes.

0
0
Anonymous Coward

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

They tend to get around that with botnets. Instead of 1 machine trying a million combinations, you have a million machines trying one each. This is hard to block since an actual user could be in the mix.

Only if you block by IP address.

If you have (for example) a system which enforces a 1 min delay after three failed attempts, no matter how many bots are in the botnet, they get three shots. It can risk a DOS to a real user but this can be mitigated against (such as educating users to be patient and wait the minute, most remote attack tools will give up at this and move elsewhere).

0
0
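The three posts above (lockout after N failed guesses with increasing delays, and counting failures per account rather than per client address so a botnet sending one guess each still gets only three shots) describe a concrete server-side mechanism. The following is an added example in Python that is not part of any commenter's post; the policy values (three free attempts, a one-minute delay that doubles per further failure, a hard lock after ten) are constructed to mirror the figures quoted in the thread, and the account names and scenario are made up.

```python
import time
from dataclasses import dataclass

# Constructed policy values, chosen to mirror the thread's examples:
# three free attempts, then a one-minute wait that doubles per further failure,
# and a hard lock after LOCKOUT_AFTER failures that needs an administrator.
FREE_ATTEMPTS = 3
BASE_DELAY = 60.0
LOCKOUT_AFTER = 10


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0  # timestamp before which new attempts are refused
    locked: bool = False


class AccountThrottle:
    """Failure counter keyed on the account name rather than the client address.

    Spreading guesses across many clients (one guess each) does not help the
    guesser: every guess for the same account lands on the same counter.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def check(self, user):
        """Decide, before verifying the password, whether an attempt is accepted."""
        st = self._state(user)
        now = self.clock()
        if st.locked:
            return False, "locked: manual unlock required"
        if now < st.next_allowed:
            return False, f"retry in {st.next_allowed - now:.0f}s"
        return True, "ok"

    def record(self, user, success):
        """Update the counter after verification; return the delay imposed (seconds)."""
        st = self._state(user)
        if success:
            st.failures = 0
            st.next_allowed = 0.0
            return 0.0
        st.failures += 1
        if st.failures >= LOCKOUT_AFTER:
            st.locked = True
            return float("inf")
        if st.failures < FREE_ATTEMPTS:
            return 0.0
        delay = BASE_DELAY * 2 ** (st.failures - FREE_ATTEMPTS)
        st.next_allowed = self.clock() + delay
        return delay


def simulate_distributed_guessing(n_clients, target="alice"):
    """Constructed scenario: n_clients each send one wrong guess for `target`
    at the same instant. Returns how many guesses the server actually verified."""
    throttle = AccountThrottle(clock=lambda: 0.0)  # frozen clock: all guesses arrive at once
    verified = 0
    for _ in range(n_clients):
        allowed, _reason = throttle.check(target)
        if allowed:
            verified += 1
            throttle.record(target, success=False)
    return verified


def lockout_ladder(user="bob"):
    """Delays imposed by successive failures from a clean state, for inspection."""
    throttle = AccountThrottle(clock=lambda: 0.0)
    return [throttle.record(user, success=False) for _ in range(LOCKOUT_AFTER)]


if __name__ == "__main__":
    print("guesses verified from 100,000 clients:", simulate_distributed_guessing(100_000))
    print("delay ladder:", lockout_ladder())
```

Because the counter is per account, the number of clients is irrelevant: however many machines submit a guess, only the first three are verified and the rest are refused until the delay expires. The trade-off the later posts raise is visible in the same code: anyone who knows the account name can trip the counter and impose those delays on the legitimate user, which is why the thread treats lockout as shifting the attack rather than ending it.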
Bronze badge

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

It doesn't matter how many passwords you can guess per second if you can only attempt one per three seconds, with increasing increments.

Two words: offline attack.

It's not feasible to crack even terrible passwords through a typical sign-on UI, unless you can distribute the attack across many authenticators (in which case the input delay doesn't help anyway). Using the sign-on UI to test passwords is only useful when you have a small candidate set, typically because you have a lot of information about the user.

When anyone who knows anything at all about password security talks about the number of attempts per second, they're referring to the number of digest images ("hashes") their tool can calculate and compare against the target image. They're not talking about generating candidates and trying to sign on with them.

0
0
Bronze badge

Re: MASSIVELY IMPROVES SECURITY: End Of Windows

If you have (for example) a system which enforces a 1 min delay after three failed attempts, no matter how many bots are in the botnet, they get three shots. It can risk a DOS to a real user but this can be mitigated against (such as educating users to be patient and wait the minute, most remote attack tools will give up at this and move elsewhere).

Obviously it prevents a trivial DOS (denial of service) attack - which can often be followed by a social-engineering, impersonation, or MITM (man-in-the-middle) attack to capture the password reset which inevitably follows. Lockout schemes just push the attack to a different branch of the attack tree.

And in any case, using the target system as the verifier is extremely rare, because the target system is almost always a lousy oracle for testing candidates even if it doesn't have a deliberate input delay or lockout. It's simply far too inefficient. You get hold of a hash or set of hashes and do an offline attack, or you attack some other part of the protocol.

0
0
Black Helicopters

In a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts,

Ah, it appears we have found the final destination of all the hacked/uplifted user password files of late...Send in the gunships!

0
0
Anonymous Coward

@Silverburn

Interesting conflation of numbers there as well.

Having the list of 10,000 common passwords doesn't actually help cracking any of the 6mil accounts (unless they are badly configured and allow unlimited attempts) as it is still around a 1 in 600 chance that any given password matches the account you are attacking.

0
0

Biometrics?

A few years ago I bought a family member a laptop with a built in finger pint scanner, he was always forgetting his password to log in. I thought that it was a bit of a gimmick and probably wouldn't work reliably enough to be used on a daily basis...but it's been fantastically dependable and really easy to use.

Yes, have complicated passwords by all means but we should also be layering security with several levels of authentication such as finger print scanners, iris scanners and voice pattern recognition.

CTech Astronomy ;-)

1
1

Re: Biometrics?

Recent developments map the veins in the finger instead of the fingerprint. This is much better news...

- The user actually has no idea what his "code" is, since he can't see into his finger (unless he's superman)

- far less likely to be corrupted by scarring, dirt or sweat

- the action is easier; press and release, rather than press-drag-release

- the sensor is easier to clean, and less affected by build up

1
0
Silver badge

Re: Biometrics?

Out of curiosity, is there a backup way in if the scanner packs up?

1
0
Happy

Re: Biometrics?

Sure! Laptops with scanners are only submitting the pre-programmed password into the system, after all. You can just side step this process and enter the password. But if this process was mandatory and complementary for all forms of password submission it would provide a helpful extra layer of security.

I wouldn't be concerned about the scanner 'packing up' any more than I would for any other non moving part of the PC. Besides, you can always plug in a spare finger scanner on a PC.

I'd like to see all phones and tablets adopt an industry standard finger scanner too. Of course, Apple will do their own thing and insist on using an anus scanner for all their products and then sell a finger adapter ;-)

0
0
Bronze badge
Boffin

Re: Biometrics?

So, a laptop with a fingerprint scanner is less secure than one with just a password. The attacker can choose which method to attack, there is no protection from a poor password AND there is the opportunity to try a gummy finger cast or other false fingerprint method.

Making biometrics mandatory for all forms of password submission would be so bad. Don't get me wrong, biometrics is a useful form of authentication when used correctly. I've got an ID card with my thumbprint stored, and I can leave the country through an automatic gate by presenting it and my thumb. Very convenient. However, the gate is at a manned checkpoint. Someone with a fake thumb, or who tries to take the gate apart will be caught. Most places we use passwords do not have that sort of protection, so you cannot trust that the biometric reader is reporting correctly. For website authentication, the website owner doesn't even own the reader, so there is no control. BYOD is making the same true for office computing.

Salting and stronger hashes only protect users who choose strong passwords, starting an arms race is only marginally effective when so many users choose "password1" or "secret"

We need to move to PKI, then there is no problem with using the same certificate for multiple websites (or whatever) because the private key is never disclosed.

6
1
Silver badge
Megaphone

Re: Biometrics?

"So, a laptop with a fingerprint scanner is less secure than one with just a password. The attacker can choose which method to attack, there is no protection from a poor password AND there is the opportunity to try a gummy finger cast or other false fingerprint method."

1. Less secure - I don't think so. The typed password should be a back-up, only used in the event of a hardware failure. As it's a backup then usability constraints can be dumped in favour of security: a 30-character random string which you keep on a bit of paper in a locked drawer (or under your mattress if you like). Hopefully you'll never have to use it for the life of the laptop. String length and complexity of backup should IMO be mandatory (again, usability is secondary), to stop the password morons doing their usual thing. Financial losses by password morons hit everyone - you don't think the banks just suck up the loss, do you?

2. Gummy finger casts don't work with the new vein scanners, thankfully, leaving bolt-cutters as the only realistic alternative for a crook. This is still better than a Minority Report or Demolition Man style eye removal.

1
0
Bronze badge

Re: Biometrics?

Or the computer could just give you a 30 character string, pseudo randomly generated. That takes away the possibility of your string being chosen as 'password1password1password1'. Of course the scanner would actually have to work... My wife has a Moto Atrix with fingerprint scanner, but still needs a 4 digit passcode, as the scanner only works when her finger is at the right temperature, i.e. the temperature you first scanned it at. On a hot or cold day her finger expands/contracts enough that it no longer registers. Also, the possibility of more than one stored fingerprint would be nice..

0
0
Holmes

Re: Biometrics?

OK, you(r family member) tested often the "pass" case of the fingerprint scanner, and got few false negatives.

But how often did anyone test the "fail" case?

If I've misunderstood and (for example) it logs in either you or dad or sis or uncle depending on fingerprint, then that's great and I'm impressed. But if it's always the same user, who owns the laptop, who is supposed to pass the login test, then it's not a test of security.

0
0
Bronze badge

Re: Biometrics?

And really biometrics are only as good as the metric exists. Unfortunately accidents do happen and limbs/body parts do get damaged/lost.

Passwords are something that YOU control fully, you can even (roll of drums for innovation) change them if you think they've been compromised. You can't do that with biometrics - and there are reports that fingerprint scanners are now being compromised.

2
0
FAIL

Re: Biometrics?

You might want to double-check the security of that biometric scanner...

You see, the Windows login process is not designed to work with biometric data. So, you still have to set up a regular password to the account. The biometric scanner just provides an easy access to that password.

The idea is good but the implementation is often awful. I once bought a third-party fingerprint scanner that could be attached to any computer via its USB port. The scanner came with software that would interface between the scanner and the Windows login process and let you log in with your fingerprint. Like you, I was fascinated and found it very convenient...

Until I discovered that AT EVERY LOGIN the software was appending to a TEXT file in the ROOT directory a complete copy of the environment variables and the password in CLEARTEXT!!!

When I complained (loudly) to the producer, all they could advise me was to use the NTFS file permissions to remove read access rights from that file. Morons!

Needless to say, I would never, ever buy ANYTHING from that company EVER again.

0
0
Thumb Up

Re: Biometrics?

"... I bought a family member a laptop with a built in finger pint scanner..."

Yay! —security through beer!

1
0
Pint

Re: Yay! —security through beer!

It's actually very good security - the purpose of a password scheme is to identify you as some degree of "friend" and surely you only let very good friends finger your pint?

1
0
Bronze badge
Coat

Re: Biometrics?

@FartingHippo - I'd agree with your counter-arguments, but I was talking about a laptop in the real world. Password strength isn't mandatory, it's at the discretion of the owner, who has just been told by the salesperson how fantastic the fingerprint scanning is. Vein scanners might be better, how many have you seen on laptops?

You're thankful that bolt-cutters would be the only realistic alternative for a crook? What do you keep on your laptop! I think passwords offer more flexibility against this level of attack. You can choose your level of resistance, based on the value of the protected data, and your assessment of the attacker... you can give up the password at any stage from "calling you rude names" to "here come the bolt-cutters" or beyond. As an additional advantage, you get to avoid the punishment by giving in. With a fingerprint scanner, the crook's fastest, easiest option is the bolt-cutters, so you lose the finger AND the data.

Sorry, that's getting away from the real world again. For most laptop buyers, a fingerprint scanner is a convenience for people who forget their password a lot, is likely to be used with a weak password backup, and a crook will either be stealing it for the hardware value, or will take the disc out to access the data direct because there's no full disc encryption.

0
0
Bronze badge
Alert

Canbridge postgrads aren't what they used to be

"since computers are getting exponentially faster, yet the human brain is constant then password crackers will eventually beat human memory …"

There are 2 evidence-free assertions in there. Even were the assertions proved to be true the conclusion is not supported by them.

Listening to this guy on computer security would be like listening to an investment banker about the best place to keep your life savings.

uh oh

5
1
Meh

Re: Canbridge postgrads aren't what they used to be

Yep, at least as related here reads more like a high school report than anything postgrad. He has a bee in his bonnet about Moore's Law:

* cites MD5 as having fallen to Moore's Law - of course what felled it is cryptologic research finding viable methods to generate hash collisions for chosen texts, ie it's a flawed algorithm.

* carefully documented the speed of password cracking improvement and finds that it tracks Moore's Law - well this suggests that he's only looking at the naivest brute-force schemes since ever-better dictionary & letter-substitution schemes have been adopted, naturally including harvested passwords and "use the initial letter of a memorable phrase"

* and he feels that salvation lies in inventing better hashing schemes, again to flee Moore's monster. Happily enough we already have these to hand in the form of the SHA series: received wisdom is that SHA-2 shows no sign of an impending algorithmic break, ie no crypto researcher is prising an interesting crack in it yet, and then there's the shiny new SHA-3 from the multi-year contest, intentionally different in structure to avoid a class break problem.

He's right to state that proper salting averts trivial lookup of hash dbs, but that has been the textbook wisdom for 35 years now (yep, lots of companies cock it up - but it's not for want of uni research).

3
1
Stop

Re: Canbridge postgrads aren't what they used to be (sic)

@Colin Millar & Mongo:

Who knows (or cares...) what "Canbridge" postgrads are like? But your typo is beautifully Freudian as you clearly have not bothered to put the comments in this piece in any kind of context, let alone glance at the research referred to.

The quotes are lifted from a post on the excellent Light Blue Touchpaper blog that is simply a response to the usual media/consultant-hyped scare stories about brute-force cracking. And, Colin, even the article makes clear that the quote you mistakenly attribute to the researcher was "perceived wisdom" being debunked.

If you really want a flavour of the actual research check the summary of the thesis or a more weighty LBT posting on authentication. There are boffins and there are boffins, in my experience the bunch at the Cambridge University Computer Laboratory know their stuff.

1
0
Bronze badge
Mushroom

Re: Canbridge postgrads aren't what they used to be (sic)

Why should I bother - he's setting himself up to win by arguing with a position that doesn't exist. Basically he is being his own straight man. There are more and more "academics" with something to sell pulling this trick these days -

1) invent a false premise that you could knock down with a feather

2) knock it down with a sledgehammer

3) look like a smartarse bask in the adulation

It's a variation on the old hack's trick from before the days of mobile phones - invent a load of bollocks, get a no comment and an instant "XX refuses to deny YY" story.

And if you think that hitting "n" instead of "m" on a qwerty board is a Freudian slip I would suggest you look up the meaning of "Freudian slip"

0
0
Pint

Re: Canbridge postgrads aren't what they used to be (sic)

@Ian McNee - Thanks for the direct links; I see now that the Bonneau content of this Reg story is a not-very-helpful rehash of his LBT posting which serves more to obscure than illuminate his argument (a simple link from the article would have been good). In fact his hash argument is far more sensible, that known broken ones are dropped forthwith and replaced by existing tunably expensive approaches whose expense is maintained across time (though this requires servers to be built & maintained actively and intelligently, at least until the swamp of old and often homebrewed authentication & user management systems is drained & replaced with modules built and maintained by experts. However there's often a disjunction between academic work and real world crappiness).

But I do think he's making light of the difficulty for users to maintain separate strong passwords for many sites; this is one area where human brain is outstripped by the growth in servers needing authentication. And it's still simplistic to say that MD5 was broken by Moore's Law - present-day attacks would have been a lot more expensive in 1991 but if the algorithm wasn't flawed then we'd still be a long way from feasible brute-force collision generation.

And the dissertation was a good read (though a surprising amount of historical overview compared to many which get straight into novel brain fuckery on the third page; could quite sensibly appear as an article on a geek news site). So a virtual pint to Mr Bonneau by way of apology, and Reg Eds - next time you fillet somebody's work to make an article please link it!

2
0
Bronze badge

Still not there

"websites need to store password hashes, protected by salting"

We do this. It's annoying hearing "why can't you tell me what my password is, my bank can" because "your bank is terrible" won't make the conversation any easier

1
0
Silver badge
Meh

"The average user has 26 password-protected accounts"

Well, yes, but how many of them are trivial? Would it be an absolute disaster if someone cracked my El Reg password and started downvoting posts and making comments that I wouldn't? Probably not.

Sure, having secure passwords for your work log-in, online bank account etc is sensible, but if El Reg (or other forums) started demanding we change our passwords every 30 days I think most people would get fed up or start re-using passwords from other sites.

2
0
Facepalm

Re: "The average user has 26 password-protected accounts"

My El Reg password is as short and trivial as I can make it. It saves time that way, seeing as I have to f***king log in about three times every day —because Britain's foremost IT site can't seem to master the advanced art of setting a login cookie properly!

5
0
Silver badge
Thumb Up

Re: "The average user has 26 password-protected accounts"

"Britain's foremost IT site can't seem to master the advanced art of setting a login cookie properly!"

Nor can they manage to have an upvote system that doesn't waste a lot of people's time because it requires going to a new page, waiting for that to load, then having to go back to the original page unlike quite a few other sites I could mention...

3
0
Silver badge

@Graham Marsden

"Nor can they manage to have an upvote system that doesn't waste a lot of people's time..." etc.

I like the way the voting system works on the Reg actually. As I've posted on this issue before, there is method to their madness. The fact that voting (and downvoting!) takes time and effort adds value to the vote. If it worked like a Facebook Like button, with instant response, that means that the votes become completely cheap and meaningless, because it takes no time or effort to give them.

But if someone is prepared to take the 15-30 seconds required to upvote a post, that means they really like it or agree strongly enough to spend that time on it. Likewise, I know that when I cop a downvote, I must have pissed that person off enough for them to spend the time downvoting me for it. Which to my way of thinking makes the voting more gratifying and meaningful than if it were an instant-response AJAX-style voting system.

0
2
Bronze badge
Thumb Up

Re: "The average user has 26 password-protected accounts"

>> "Britain's foremost IT site can't seem to master the advanced art of setting a login cookie properly!"

THIS ^^^^^

> "Nor can they manage to have an upvote system that doesn't waste a lot of people's time because it requires going to a new page, waiting for that to load, then having to go back to the original page unlike quite a few other sites I could mention..."

AND THIS ^^^^^

3
0
Bronze badge
Boffin

Cracking is inherently parallel and IPv4 death throes

All an attacker has to do is split the dictionary range into however many machines are run in parallel to do the job. You can still expect most passwords to be crackable on a large enough botnet even if the hash algorithm is run iteratively on its output for 10,000 iterations, sufficient to give a noticeably longer login time on most desktops or servers. Keeping passwords secure requires that your enemy does not obtain a copy of the stored hash and is locked out after a certain number of guesses. What will break this is carrier grade NAT installed due to IPv4 address depletion, because locking out an attacker after 10 guesses means locking out many of your honest users as well.

0
1
Silver badge

Re: Cracking is inherently parallel and IPv4 death throes

Surely "...split the dictionary range..." will only crack passwords that are also dictionary words.

It's a few years since I designed a password validation subsystem (long enough ago that MD5 was still acceptable). The administrator could select a variety of options: minimum length, mixed case, alphanumeric, comparison with common passwords and comparison with dictionary words. The last option, of course, was so irksome to users that it never got used.

0
1

This post has been deleted by a moderator

Happy

@Eadon Re: Cracking is inherently parallel and IPv4 death throes

Cheers for the joke icon - that's better. Now - incrementing time delays sound ok but this implies a byte somewhere is counting, which assumes some code is running, which means it may have a vulnerability itself...interesting stuff eh?

0
0
Pint

Make the Trap-Door function a lot slower

Make the trap-door function a lot more computationally intensive, so that it requires N seconds to execute on today's hardware. N is chosen to be not very noticeable to the users (maybe 2 or 3 seconds), but enough to massively slow down the dictionary attacks (by orders of magnitude) for a few years.

It might be as simple as repeating the existing trap-door function X times, where X can be incremented (decimal place moved) every few years to keep the timing at several seconds.

0
0
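The "Cracking is inherently parallel" post, the offline-attack posts further up (attempts per second meaning hashes computed against a stolen digest, not sign-on attempts) and the post just above all turn on the same mechanism: a salted hash whose cost is raised by iterating it, with the iteration count recorded so it can be increased every few years. The following is an added example, not code from any commenter; it uses PBKDF2-HMAC-SHA256 from the Python standard library as the iterated construction (one standard way of "repeating the existing function X times"), and the iteration count of 10,000 comes from the thread while the passwords, salt and record format are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed policy values for this example (the 10,000 figure is the one the
# thread mentions; real deployments tune it to their own hardware).
DEFAULT_ITERATIONS = 10_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Salted, iterated hash. The stored record carries the algorithm, the
    iteration count and the salt so the cost can be raised later without
    breaking verification of older records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the parameters stored in the record; constant-time compare."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record, current_iterations=DEFAULT_ITERATIONS):
    """True when the record was made with fewer iterations than policy now
    requires; the site rehashes on the next successful login, which is how
    the 'increment X every few years' idea is carried out in practice."""
    return int(record.split("$")[1]) < current_iterations


def guesses_per_second(iterations, samples=20):
    """Measure how many candidate passwords one core tests per second against
    a record with this iteration count. An offline attacker on equal hardware
    runs at this rate per core, whatever delay the sign-on UI imposes."""
    salt = b"\x00" * SALT_BYTES  # fixed salt: we only care about the timing
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"candidate{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


def offline_attack_seconds(candidates, iterations, cores=1):
    """Time to try `candidates` guesses against one stolen record, assuming the
    attacker splits the list evenly across `cores` (the 'inherently parallel'
    point: more machines divide the time, the per-guess cost stays)."""
    return candidates / (guesses_per_second(iterations) * cores)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("record:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    # A record made under an older, cheaper policy gets flagged for rehashing.
    old = hash_password("correct horse battery staple", iterations=1_000)
    print("needs rehash:", needs_rehash(old))
    # Cost of testing the thread's '10,000 most common passwords' list offline.
    for iters in (1, 1_000, DEFAULT_ITERATIONS):
        print(f"{iters:>6} iterations: {offline_attack_seconds(10_000, iters):8.2f} s "
              f"per record on one core, {offline_attack_seconds(10_000, iters, 1000):8.4f} s on 1000")
```

Two things the timing output makes concrete: the iteration count multiplies the attacker's per-guess cost by the same factor it multiplies the legitimate login's, and a botnet only divides the total by the number of machines, so the 10,000 most common passwords remain cheap to test against one record but every extra record costs the same again. The per-user salt is what forces that per-record cost, since two users with the same password get different records.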
Anonymous Coward

Good idea!

That's exactly what the article you just (didn't) read said.

0
0
