back to article 'End of passwords' predictions are premature - Cambridge boffin

Advances in the power of computers won't automatically make passwords obsolete, according to a top computer science researcher. Joseph Bonneau, a postgrad researcher at Cambridge University, looked into the perceived wisdom that runs along these lines: "Since computers are getting exponentially faster, yet the human brain is …

COMMENTS

This topic is closed for new posts.
  1. Silverburn
    Black Helicopters

    In a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts,

    Ah, it appears we have found the final destination of all the hacked/uplifted user password files of late...Send in the gunships!

    1. Anonymous Coward
      Anonymous Coward

      @Silverburn

      Interesting conflation of numbers there as well.

      Having the list of 10,000 common passwords doesnt actually help cracking any of the 6mil accounts (unless they are badly configured and allow unlimited attempts) as it is still around a 1 in 600 chance that any given password matches the account you are attacking.

  2. Occams_Cat

    Biometrics?

    A few years ago I bought a family member a laptop with a built in finger pint scanner, he was always forgetting his password to log in. I thought that it was a bit of a gimmick and probably wouldnt work reliably enough to be used a on daily basis...but it's been fantastically dependable and really easy to use.

    Yes, have complicated passwords by all means but we should also be layering security with several levels of authentication such as finger print scanners, iris scanners and voice pattern recognition.

    CTech Astronomy ;-)

    1. Silverburn

      Re: Biometrics?

      Recent developments map the veins in the finger instead of the fingerprint. This is much better news...

      - The user actually has no idea what his "code" is, since he can't see into his finger (unless he's superman)

      - far less likely to be corrupted by scarring, dirt or sweat

      - the action is easier; press and release, rather than press-drag-release

      - the sensor is easier to clean, and less effected by build up

    2. auburnman

      Re: Biometrics?

      Out of curiousity, is there a backup way in if the scanner packs up?

      1. Occams_Cat
        Happy

        Re: Biometrics?

        Sure! Laptops with scanners are only submitting the pre programmed password into the system, after all. You can just side step this process and enter the password. But if this process was mandatory and complimentary for all forms of password submission it would provide a helpful extra layer of security.

        I wouldn't be concerned about the scanner 'packing up' any more than i would for any other non moving part of the PC besides, you can always plug in a spare finger scanner on a PC.

        I'd like to see all phones and tablets adopt an industry standard finger scanner too. Of course, Apple will do their own thing and insist on using an anus scanner for all their products and then sell a finger adapter ;-)

        1. Allan George Dyer
          Boffin

          Re: Biometrics?

          So, a laptop with a fingerprint scanner is less secure than one with just a password. The attacher can choose which method to attack, there is no protection from a poor password AND there is the opportunity to try a gummy finger cast or other false fingerprint method.

          Making biometrics mandatory for all forms of password submission would be so bad. Don't get me wrong, biometrics is a useful form of authentication when used correctly. I've got an ID card with my thumbprint stored, and I can leave the country through an automatic gate by presenting it and my thumb. Very convenient. However, the gate is at a manned checkpoint. Someone with a fake thumb, or who tries to take the gate apart will be caught. Most places we use passwords do not have that sort of protection, so you cannot trust that the biometric reader is reporting correctly. For website authentication, the website owner doesn't even own the reader, so there is no control. BYOD is making the same true for office computing.

          Salting and stronger hashes only protect users who choose strong passwords, starting an arms race is only marginally effective when so many users choose "password1" or "secret"

          We need to move to PKI, then there is no problem with using the same certificate for multiple websites (or whatever) because the private key is never disclosed.

          1. FartingHippo
            Megaphone

            Re: Biometrics?

            "So, a laptop with a fingerprint scanner is less secure than one with just a password. The attacher can choose which method to attack, there is no protection from a poor password AND there is the opportunity to try a gummy finger cast or other false fingerprint method."

            1. Less secure - I don't think so. The typed password should be a back-up, only used in the event of a hardware failure. As it's a backup then usability constraints can be dumped in favour of security: a 30-character random string which you keep on a bit of paper in a locked drawer (or under your mattress if you like). Hopefully you'll never have to use it for the life of the laptop. String length and complexity of backup should IMO be mandatory (again, usability is secondary), to stop the password morons doing their usual thing. Financial losses by password morons hit everyone - you don't think the banks just suck up the loss, do you?

            2. Gummy finger casts don't work with the new vein scanners, thankfully, leaving bolt-cutters as the only realistic alternative for a crook. This is still better than a Minority Report or Demolition Man style eye removal.

            1. monkeyfish

              Re: Biometrics?

              Or the computer could just give you a 30 character string, pseudo randomly generated. That takes away the possibility of of your string being chosen as 'password1password1password1'. Of course the scanner would actually have to work... My Wife has a moto atrix with fingerprint scanner, but still needs a 4 digit passcode, as the scanner only works when her finger is at the right temperature. I.E. the temperature you first scanned it. On a hot or cold day her finger expands/contracts enough that it no longer registers. Also, possibility of more than one stored fingerprint would be nice..

            2. Allan George Dyer
              Coat

              Re: Biometrics?

              @FartingHippo - I'd agree with your counter-arguments, but I was talking about a laptop in the real world. Password strength isn't mandatory, it's at the discretion of the owner, who has just been told by the salesperson how fantastic the fingerprint scanning is. Vein scanners might be better, how many have you seen on laptops?

              You're thankful that bolt-cutters would be the only realistic alternative for a crook? What do you keep on your laptop! I think passwords offer more flexibility against this level of attack. You can choose your level of resistance, based on the value of the protected data, and your assessment of the attacker... you can give up the password at any stage from "calling you rude names" to "here come the bolt-cutters" or beyond. As an additional advantage, you get to avoid the punishment by giving in. With a fingerprint scanner, the crook's fastest, easiest option is the bolt-cutters, so you loose the finger AND the data.

              Sorry, that's getting away from the real world again. For most laptop buyers, a fingerprint scanner is a convenience for people who forget their password a lot, is likely to be used with a weak password backup, and a crook will either be stealing it for the hardware value, or will take the disc out to access the data direct because there's no full disc encryption.

        2. Dr. Vesselin Bontchev
          FAIL

          Re: Biometrics?

          You might want to double-check the security of that biometric scanner...

          You see, the Windows login process is not designed to work with biometric data. So, you still have to set up a regular password to the account. The biometric scanner just provides an easy access to that password.

          The idea is good but the implementation is often awful. I once bought a third-party fingerprint scanner that could be attached to any computer via its USB port. The scanner came with software that would interface between the scanner and the Windows login process and let you log in with your fingerprint. Like you, I was fascinated and found it very convenient...

          Until I discovered that AT EVERT LOGIN the software was appending to a TEXT file in the ROOT directory a complete copy of the environment variables and the password in CLEARTEXT!!!

          When I complained (loudly) to the producer, all they could advise me was to use the NTFS file permissions to remove read access rights from that file. Morons!

          Needless to say, I would never, ever buy ANYTHING from that company EVER again.

    3. hugo tyson
      Holmes

      Re: Biometrics?

      OK, you(r family member) tested often the "pass" case of the fingerprint scanner, and got few false negatives.

      But how often did anyone test the "fail" case?

      If I've misunderstood and (for example) it logs in either you or dad or sis or uncle depending on fingerprint, then that's great and I'm impressed. But if it's always the same user, who owns the laptop, who is supposed to pass the login test, then it's not a test of security.

      1. taxman

        Re: Biometrics?

        And really biometrics are only as good as the metric exists. Unfortunately accidents do happen and limbs/body parts do get damaged/lost.

        Passwords are something that YOU control fully, you can even (roll of drums for innovation) change them if you think they've been compromised. You can't do that with biometrics - and there are reports that fingerprint scanners are now being compromised.

    4. Anonymous Coward
      Thumb Up

      Re: Biometrics?

      "... I bought a family member a laptop with a built in finger pint scanner..."

      Yay! —security through beer!

      1. Anonymous Coward
        Pint

        Re: Yay! —security through beer!

        It's actually very good security - the purpose of a password scheme is to identify you as some degree of "friend" and surely you only let very good friends finger your pint?

  3. Colin Millar
    Alert

    Canbridge postgrads aren't what they used to be

    "since computers are getting exponentially faster, yet the human brain is constant then password crackers will eventually beat human memory …"

    There's 2 evidence free assertions in there. Even were the assertions proved to be true the conclusion is not supported by them.

    Listening to this guy on computer security would be like listening to an investment banker about the best place to keep your life savings.

    uh oh

    1. Anonymous Coward
      Meh

      Re: Canbridge postgrads aren't what they used to be

      Yep, at least as related here reads more like a high school report than anything postgrad. He has a bee in his bonnet about Moore's Law:

      * cites MD5 as having fallen to Moore's Law - of course what felled it is cryptologic research finding viable methods to generate hash collisions for chosen texts, ie it's a flawed algorithm.

      * carefully documented the speed of password cracking improvement and finds that it tracks Moore's Law - well this suggests that he's only looking at the naivest brute-force schemes since ever-better dictionary & letter-substitution schemes have been adopted, naturally including harvested passwords and "use the initial letter of a memorable phrase"

      * and he feels that salvation lies in inventing better hashing schemes, again to flee Moore's monster. Happily enough we already have these to hand in the form of the SHA series: received wisdom is that SHA-2 shows no sign of an impending algorithmic break, ie no crypto researcher is prising an interesting crack in it yet and and then there's the shiny new SHA-3 from the multi-year contest, intentionally different in structure to avoid a class break problem.

      He's right to state that proper salting averts trivial lookup of hash dbs, but that has been the textbook wisdom for 35 years now (yep, lots of companies cock it up - but it's not for want of uni research).

    2. Ian McNee
      Stop

      Re: Canbridge postgrads aren't what they used to be (sic)

      @Colin Millar & Mongo:

      Who knows (or cares...) what "Canbridge" postgrads are like? But your typo is beautifully Freudian as you clearly have not bothered to put the comments in this piece in any kind of context, let alone glance at the research referred to.

      The quotes are lifted from a post on the excellent Light Blue Touchpaper blog that is simply a response to the usual media/consultant-hyped scare stories about brute-force cracking. And, Colin, even the article makes clear that the quote you mistakenly attribute to the researcher was "perceived wisdom" being debunked.

      If you really want a flavour of the actual research check the summary of the thesis or a more weighty LBT posting on authentication. There are boffins and there are boffins, in my experience the bunch at the Cambridge University Computer Laboratory know their stuff.

      1. Colin Millar
        Mushroom

        Re: Canbridge postgrads aren't what they used to be (sic)

        Why should I bother - he's setting himself up to win by arguing with a position that doesn't exist. Basically he is being his own straight man. There are more and more "academics" with something to sell pulling this trick these days -

        1) invent a false premise that you could knock down with a feather

        2) knock it down with a sledgehammer

        3) look like a smartarse bask in the adulation

        It's a variation on the old hack's trick from before the days of mobile phones - invent a load of bollocks, get a no comment and an instant "XX refuses to deny YY" story.

        And if you think that hitting "n" instead of "m" on a qwerty board is a Fredudian slip I would suggest you look up the meaning of "Freudian slip"

      2. Anonymous Coward
        Pint

        Re: Canbridge postgrads aren't what they used to be (sic)

        @Ian McNee - Thanks for the direct links; I see now that the Bonneau content of this Reg story is a not-very-helpful rehash of his LBT posting which serves more to obscure than illuminate his argument (a simple link from the article would have been good). In fact his hash argument is far more sensible, that known broken ones are dropped forwith and replaced by existing tunably expensive approaches whose expense is maintained across time (though this requires servers to be built & maintained actively and intelligently, at least until the swamp of old and often homebrewed authentication & user management systems is drained & replaced with modules built and maintained by experts. However there's often a disjunction between academic work and real world crappiness).

        But I do think he's making light of the difficulty for users to maintain separate strong passwords for many sites; this is one area where human brain is outstripped by the growth in servers needing authentication. And it's still simplistic to say that MD5 was broken by Moore's Law - present-day attacks would have been a lot more expensive in 1991 but if the algorithm wasn't flawed then we'd still be a long way from feasible brute-force collision generation.

        And the dissertation was a good read (though a surprising amount of historical overview compared to many which get straight into novel brain fuckery on the third page; could quite sensibly appear as an article on a geek news site). So a virtual pint to Mr Bonneau by way of apology, and Reg Eds - next time you fillet somebody's work to make an article please link it!

  4. teebie

    Still not there

    "websites need to store password hashes, protected by salting"

    We do this. It's annoying hearing "why can't you tell me what my password is, my bank can" because "your bank is terrible" won't make the conversation any easier

  5. Graham Marsden
    Meh

    "The average user has 26 password-protected accounts"

    Well, yes, but how many of them are trivial? Would it be an absolute disaster if someone cracked my El Reg password and started downvoting posts and making comments that I wouldn't? Probably not.

    Sure, having secure passwords for your work log-in, online bank account etc is sensible, but if El Reg (or other forums) started demanding we change our passwords every 30 days I think most people would get fed up or start re-using passwords from other sites.

    1. Anonymous Coward
      Facepalm

      Re: "The average user has 26 password-protected accounts"

      My El Reg password is as short and trivial as I can make it. It saves time that way, seeing as I have to f***king log in about three times every day —because Britain's foremost IT site can't seem to master the advanced art of setting a login cookie properly!

      1. Graham Marsden
        Thumb Up

        Re: "The average user has 26 password-protected accounts"

        "Britain's foremost IT site can't seem to master the advanced art of setting a login cookie properly!"

        Nor can they manage to have an upvote system that doesn't waste a lot of people's time because it requires going to a new page, waiting for that to load, then having to go back to the original page unlike quite a few other sites I could mention...

        1. Steven Roper

          @Graham Marsden

          "Nor can they manage to have an upvote system that doesn't waste a lot of people's time..." etc.

          I like the way the voting system works on the Reg actually. As I've posted on this issue before, there is method to their madness. The fact that voting (and downvoting!) takes time and effort adds value to the vote. If it worked like a Facebook Like button, with instant response, that means that the votes become completely cheap and meaningless, because it takes no time or effort to give them.

          But if someone is prepared to take the 15-30 seconds required to upvote a post, that means they really like it or agree strongly enough to spend that time on it. Likewise, I know that when I cop a downvote, I must have pissed that person off enough for them to spend the time downvoting me for it. Which to my way of thinking makes the voting more gratifying and meaningful than if it were an instant-response AJAX-style voting system.

        2. Jamie Jones Silver badge
          Thumb Up

          Re: "The average user has 26 password-protected accounts"

          >> "Britain's foremost IT site can't seem to master the advanced art of setting a login cookie properly!"

          THIS ^^^^^

          > "Nor can they manage to have an upvote system that doesn't waste a lot of people's time because it requires going to a new page, waiting for that to load, then having to go back to the original page unlike quite a few other sites I could mention..."

          AND THIS ^^^^^

  6. PyLETS
    Boffin

    Cracking is inherently parrellel and IPV4 death throes

    All an attacker to do is split the dictionary range into however many machines are run in parrallel to do the job. You can still expect most passwords to be crackable on a large enough botnet even if the hash algorithm is run iteratively on its output for 10,000 iterations, sufficient to give a noticeably longer login time on most desktops or servers. Keeping passwords secure requires your enemy does not obtain a copy of the stored hash and is locked out after a certain number of guesses. What will break this is carrier grade NAT installed due to IPV4 address depletion, because locking out an attacker after 10 guesses means locking out many of your honest users as well.

    1. Kubla Cant

      Re: Cracking is inherently parrellel and IPV4 death throes

      Surely "...split the dictionary range..." will only crack passwords that are also dictionary words.

      It's a few years since I designed a password validation subsystem (long enough ago that MD5 was still acceptable). The administrator could select a variety of options: minimum length, mixed case, alphanumeric, comparison with common passwords and comparison with dictionary words. The last option, of course, was so irksome to users that it never got used.

  7. JeffyPooh
    Pint

    Make the Trap-Door function a lot slower

    Make the trap-door function a lot more computationally intensive, so that it requires N seconds to execute on today's hardware. N is chosen to be not very noticeable to the users (maybe 2 or 3 seconds), but enough to massively slow down the dictionary attacks (by orders of magnitude) for a few years.

    It might be as simple as repeating the existing trap-door function X times, where X can be incremented (decimal place moved) every few years to keep the timing at several seconds.

    1. Anonymous Coward
      Anonymous Coward

      Good idea!

      That's exactly what the article you just (didn't) read said.

    2. Anonymous Coward
      Thumb Up

      Re: Make the Trap-Door function a lot slower

      Here's one we prepared earlier! [*]

      http://en.wikipedia.org/wiki/PBKDF2

      exactly the idea you propound - aim for a delay that is perfectly acceptable to fleshies but wastes horrific numbers of CPU cycles. An instructive real-world example of forcing infeasible costs upon a brute force attack:

      http://www.youtube.com/watch?v=SbWg-mozGsU

      [*] where "we" means not me at all, but clever people 13 years ago in a network working group far, far away

    3. Anonymous Coward
      Coffee/keyboard

      Re: Make the Trap-Door function a lot slower

      The downside to this "N is chosen to be not very noticable" is that some of us are not very good typists, and are (at least I am) sorely tempted to patch pam to get rid of the insanely long (seconds) delay between my second bad attempt and my, hopefully correct, third attempt. I've even memorized the domain admin account password because I lock my account at least twice per week.

  8. Brother52

    Missing the point?

    I'm sure that strong well thought out passwords will be providing good protection for a while yet. But, as few people actually use them this doesn't really contribute to the digital safety of the average user. We need something to make it easy for even the stupidest or busiest and most harassed user to be secure. We can tell people about strong passwords, give them complex rules or pretty strength meters all we want, but we will struggle to make them follow good practice until we make it easy for them.

    1. AllYourSrcCodeRBelong2Us
      FAIL

      Re: Missing the point? ....not really.

      You can set 128 random character password, utilizing extended ASCII, UPPER, lower, num and spec char.....and it will not make a bit of difference for what's really awaiting you.....if yer not running Linux - 'cause then you have a whole different set of problems.

      Hackers do not need to crack 'em anymore. ....they say, "Man, you come right out of a comic book" (had to get a Bruce Lee reference in there somehow).

      http://www.sans.org/reading_room/whitepapers/testing/crack-pass-hash_33219

      They're o=in and out @ will....strong passwords are not the answer.

  9. h 6
    WTF?

    Salt? Hash?

    I never put salt on my hash.

    1. AllYourSrcCodeRBelong2Us
      Alert

      Re: Salt? Hash?

      It certainly does nothing to enhance the flavor of security.

  10. AllYourSrcCodeRBelong2Us
    FAIL

    Password cracking.....that's so YESTERDAY!

    Passwords are now an archaic form of authentication. ...and it's not so much that passwords are the failure, but the underlying protocols we continue to use.

    MS doesn't effectively SALT their passwords. If they did, PASS-THE-HASH would not be as successful as it is.

    ....and yes, Caching credentials is part of the problem......lazy admins using 1 GOD-Like account to manage support from desktop-"domain admin", is another.....serious, passwords are ineffective.

    Goooooooooo Tokens!!!! (YEAH!!!!!!).....Oops, sorry, there goes Kerberos, with PASS-THE-TOKEN software. Ok, just shorten Token lifetimes.....Users B complaining now.

    Let's use Smartcard authentication - FANTASTIC, darn it....that only works for Interactive (remote and local) Logons. NTLM / Kerberos is still used for type 3, 4, 5 LOGONS (MS types should understand).

    You're just left with one thing:

    1. An Enterprise Admin Account (per person, assigned AS NEEDED)

    2. A Domain Admin account (which is NOT USED FOR RDP'ing all over the place.

    3. A Server Admin account - Just for Servers.....do not escalate it's privs. It fixes SERVERS.

    4. A Workstation Admin Account - Same, do not elevate privs. It is a desktop admin and nothing else.

    5. An Employee account. I know you want to use it everywhere, but NO!!!! Employee, Email, Benefits, and NOTHING ELSE.

    6. For each type of system (desktop / Server / Domain Controller), each get a specific group that are admins, and it is not a Domain Admin....remote domain admins from all "Administators" group.....it is a domain admin, nothing else).

    7. Populate a specifically named admin group, for its role, in each system type's Administrators group.

    Really, not that hard.

    Now, just how to make my company comply with these SIMPLE RULES!!!!

    For you, KILL LMHASH (which means patch yer systems), Kill NTLM, Kill NTLMv2, use 2 factor for as much as possible, use REMOTE MANAGEMENT Tools.....meaning, STOP RDP'ing all over the place (RSAT and Putty w/ pubkey), set cached creds to ZERO for ALL SERVERS and DESKTOPS.....and use OTP for God's sake, use OTP. Get rid of 2003 and WinXP......and PATCH yer &@(#!!!!!!

    I swear, admins are more problematic than users these days.

This topic is closed for new posts.