back to article Experts: We're stuck with passwords – and maybe they're best

Late last year IBM reckoned biometrics would finally replace the password within the next five years. The prediction was part of a series that also speculated that the digital divide would cease to exist and that mind-reading technology would become a possibility. But, at least on the subject of passwords, new research from …

COMMENTS

This topic is closed for new posts.
  1. Tom_

    Why 20 years?

    Passwords have been used for centuries because they work.

    1. Silverburn
      Thumb Up

      That was when you only had to remember one, and it was 'simple', and invariably permanent.

      Now we have literally dozens, most must meet a minimum strength criteria, and all expire after xx days.

      You're correct - passwords do work. but it's the fleshy bit using them that's reaching it's operational limit.

      1. Geoffrey W Silver badge
        Angel

        RE: Fleshy Bits and operational limits

        I suppose we're reaching EOL (end of life). All the signs have been there to see; the manufacturer hasn't shown much interest in support for a while now and upgrades have been noticeably thin on the ground. Prepare for humanity V2.0.

      2. Anonymous Coward
        Anonymous Coward

        @Silverburn

        I share your concerns but not your opinion. I mean; while it is true that we now have a dozen different passwords to consider, we now /also/ have a dozen different tools which can help us in that process.

        For starters; using programs like pwgen (also available on Windows). And second; using a password vault. Even modern browsers like firefox or seamonkey can store your passwords in a database so that you can still have dozens different passwords while its still easy to use.

        So I don't think its reaching its limits; we simply need to extend on it. Use the 'One' password to protect the rest.

  2. Anonymous Coward
    Anonymous Coward

    duress

    If I were at an ATM under duress i'd rather be able to give some cash to the guy holding a knife to my throat.

    1. Anonymous Coward
      Anonymous Coward

      There's so much wrong with that.

      I can't see how it'd do anything but throw up false positives most of the time. If you're running late for something, but need cash you might be stressed for instance.

      What if you're pissed?

      1. Mark 65

        Then you have the issue that oppressive regimes will routinely take biometrics of their citizens for ID purposes - passport anyone? Oh, we'll need your fingerprints and an iris scan. Wow, we can now access your bank details, computer etc and share these biometrics with the local council just like we allow them to use RIPA terrorism intended laws to investigate rogue dogshit. I'd rather forget a password than carry around a biometric anyone can access.

      2. Stuart 13
        Pint

        User options

        Can I tick the box for "no more cash when pissed"

        Hmm, i'de also need the override "Cab fair required, not going back in for another swifty honest guv'"...

  3. JimmyPage Silver badge
    Boffin

    Or maybe they just haven't tried hard enough

    Idea:

    person chooses 3 famous people from a list of thousands.

    person is challenged by system which shows a grid with (say) 100 photos of people in

    person has to pick 2

    almost, but not entirely secure - and much easier to remember.

    1. Edwin

      yay

      next, install webcam and deduce the right ones by process of elimination over a few weeks :)

    2. PassiveSmoking

      And blind users or those with poor facial recognition skills use the system by...?

      1. Northern Fop
        Coat

        Good point

        I guess they'd be relying on blind chance. Ba-dum-tish.

        Anyone seen my hat?

    3. Anonymous Coward
      Anonymous Coward

      > almost, but not entirely secure

      Unless of course you have malware on the box. A password replacement proposal that doesn't stand up to malware-infected clients isn't all that interesting.

  4. Richard Wharram
    Thumb Up

    No surprise

    Only sales people and people who don't understand security have been pushing biometrics. A great big password that you can't change is one memorable description. Also, fucking expensive to test in comparison to passwords.

    1. Marty
      Coat

      add to that...

      add to that, the technology involved is likely to have many flaws that can and will be compromised.

      the simplicity of a password is its strength. its easy to use and so long as a large enough word is used using upper and lower case, including numbers and punctuation is quite secure. its just a matter of how secure the platform that is is being used on is.

      ATM's should have two pin numbers in use. your real oner and a duress code. the duress code should still issue funds, but alert the local law enforcement and automatically focus the local cctv system to the area....the money it issues should have some sort of trace attached to it, like smart water so that the perpetrator can be traced more easy. or get rid of cash all together

      The best way to beat criminals it to make it not worth while or worth the risk.

      now, where the hell did i put my wallet?

      1. JimmyPage Silver badge

        Why a separate duress password

        I know ADT alarm systems will trigger a panic mode if you enter the PIN backwards.

        1. Anonymous Coward
          Coat

          Hmm...

          I wonder what happens if your PIN is 3333, or 1221, or, ... Just sayin'.

          1. LaeMing Silver badge

            Good-point, KingZongo

            Assuming the system can allow for that, you then have a built-in configuration-free way to opt out of having a duress code (not sure why you would want an opt-out, but the option is free so why not).

      2. Matware

        Knights of the Rainbow Table

        You're much better off using a correctly punctuated pass phrase than some 8 character alphanumeric password

        It is many orders of magnitude easier to bust :

        'ytZo0&5x' (100ish hours)

        than it is to bust

        "My mum really likes a mango on a Monday" (10^50ish years)

        On you will not remember 1s after reading it, the other you have already remembered.

        1. Anonymous Coward
          Anonymous Coward

          Yes, but then your secure passphrase is rejected because it has no symbols nor numbers in it, you become exasperated and use a less secure password :)

    2. Chad H.

      "Duress Passwords" aren't new...

      If you shop with a CC (In the US at least - I havent been able to verify if something similar exists in the UK) and hear your clerk say the words "I have a Code 10 Authorisation Request" whilst manually attemping your payment, prepare yourself for a visit from the Fraud Squad...

      1. Anonymous Coward
        Anonymous Coward

        I used to work for a major UK DIY retailer

        and Code 10 meant something of that nature, yes. (There was a panic alarm under the till too but I wasn't told about that until I asked what the red button was.)

      2. AdamWill

        more simply...

        if I was committing credit card fraud, I'd have been out of the store by the time the clerk looked funnily at the card reader and picked up the phone.

  5. Tom 35 Silver badge

    You can change your password

    Fingerprint is fine for a closed system like a bank ATM, I already don't trust no-name ATMs and finger print scanner would not help.

    But if I use a fingerprint (or other biometric) reader to log onto internet banking then that fingerprint has to be converted into a number, and if that is intercepted by bad guys (the same way a password can be today) then I'm screwed. I can change my password but I can't change my fingerprint.

    Sure they are going to transmit the fingerprint encrypted but I'm sure someone is going to crack it when there is lots of money involved. Or we will see fake fingerprint scanners like the fake card readers they have today.

    1. NogginTheNog
      FAIL

      Exactly!

      My primary argument against biometrics is that they're BLOODY difficult to change if they're ever compromised.

      1. LaeMing Silver badge
        Happy

        Technically,

        most people have 10 password choices (20 if they take off their shoes).

        I'm still not convinced biometrics are any use as a general password alternative, though.

      2. SYNTAX__ERROR
        FAIL

        Not Exactly

        Maybe you should do some reading around to help you understand the subject.

        I would suggest you look at some cryptography basics.

        No one sends sensitive security tokens in the clear.

    2. Marty
      Holmes

      call me pessamistic but....

      "Sure they are going to transmit the fingerprint encrypted but I'm sure someone is going to crack it when there is lots of money involved"

      when they are designing such a system, they are going to make some assumptions.

      The first assumption is going to be that the system is going to be secure enough that nobody is going to be able to intercept the digitized fingerprint.

      the second assumption is going to be that if someone was to possibly intercept the digitized fingerprint, then injecting the numbers back in is going to be twice as hard.

      The third assumption is going to be, that it is going to be impossible to get past the first two assumptions, so encrypting the fingerprint ingo is going to be time consuming and a waste of man hours...

      they will most likely buy in some cheap encryption (probably already compromised ( like ON Digital / ITV digital did)) or just reverse the data stream of the digitized fingerprint .... then go the pub....

      these are the people entrusted in keeping our money safe dont forget... look at the track record...

  6. Headley_Grange Silver badge

    Passwords rule until....

    Many organizations have a clause in their Ts&Cs stating that passwords must not be written down. Many people who have, say, 40+ logins to remember write their passwords down in some way or other. I foresee a court case in the not too distant future where, after losing money due to someone stealing his/her list of passwords, a user claims that such a contract clause is unreasonable on the basis that an average person cannot be expected to remember dozens of different passwords- after which banks, shopping sites, etc will find an alternative to passwords.

    1. TeeCee Gold badge
      Facepalm

      Actually the court case I'm waiting for is the biometric one.

      That's where some bloke lacking pieces of his anatomy sues the fuck out of Hollywood for leading the bad guys to believe that they could get into his biometrically secured office, by taking along his fingers and eyeballs....

      1. Stuart 13
        Alert

        Already removing fingers

        http://news.bbc.co.uk/1/hi/world/asia-pacific/4396831.stm

    2. Anonymous Coward
      Anonymous Coward

      I use passphrases for accounts that need to be really secure

      I paste them into a little c program that mangles them and it spits out a horrible password like "fjbit1eUuQspStjfphxt"

      which I then paste into whatever.

      Needless to say the password program is owned by root and is only executable.

      For SSH access I also use a highly unusual username which is the only account on my server that is allowed SSH access

  7. johnnytruant

    Can't imagine I'm going to be first with this

    But, http://xkcd.com/936/

    1. jai

      yeah, but now _everyone_ is going to be using correcthorsebatterystaple as their password and so there's no security there either!

    2. ArmanX
      Go

      I see you link...

      ...and raise you an XKCD password generator:

      http://passphra.se/

    3. quartzie
      FAIL

      Computers vs Humans

      Sorry to pee in your cornflakes - this is exactly the reason why serious crackers have rainbow tables and dictionary files.

      1. Paul Crawford Silver badge

        @Computers vs Humans

        Rainbow tables only 'work' if you have access to the hash on the target system. If you are having to attack it as a normal user then anything that puts the mean-time-to breach at a few attempts per second (or whatever limit is applied on multiple failures) to hundreds of years is fine.

        The XKCD argument was based on that premise.

        If they have full access to the target to get the hashes, they probably have that system owned. They also can reverse your password, but if you have easy phrases that differ, no advantage to other site.

        What is needed is:

        A) Easy but strong choices.

        B) Several of them so little shared to compromise vis honeypot sites.

        C) Means of dealing with infested PCs that allow a local attack using the just-gathered information for a given site.

        I think (C) is the hardest to deal with following XKCD-like education.

      2. Anonymous Coward
        Anonymous Coward

        Computers vs Humans

        There are 225,000 words in Websters dictionary.

        Four random words produces a possible 2562890625000000000000 combinations.

        A ten character password using entirely random characters, assuming 100 available characters, produces a possible 100000000000000000000 combinations, or rather 1/25 as many as the four words option.

        1. eulampios

          A little inaccurate 2562890625000000000000?

          # comb-s of 4 words out of n=250000 (distinct ones) is

          P_n^4=n!/(n-4)!=2562822281806873650000

        2. eulampios

          I mean n=225,000 not 250,000

        3. veti Silver badge
          Boffin

          That's a little silly...

          To meet the requirement of being easy to remember, the password must be limited to words that the owner actually knows. To the average English speaker, that limits the range to something between 15,000 and 30,000 words.

          If you put someone on the spot and tell them to 'think of four words', I'd bet a small fortune that at least 50% of the subjects would come up with four words chosen from a pool of no more than 2,000 in total, and 90% would have two or three words chosen from that pool.

          So the *probable* range of passwords using this system is closer to 16,000,000,000,000.

          Of course the *probable* range of passwords using 'random' characters is much smaller, too, since the huge majority of people base their 'random characters' on English words, and even serious security geeks tend heavily towards letters and numbers.

          Bottom line: this is a silly calculation.

      3. Old n Cynical

        @Computers vs Humans

        Rainbow tables are exactly the reason that one should, at the very least, sprinkle a decent amount of salt over passwords - about 128 crypto-random bits on each password should get the ball rolling.

        As for brute force or basic dictionary attacks, these are a different kettle-o-fish, but there are relatively trivial ways to /assist/ in reducing exposure.

        The problem is there are a lot of commercial systems out there that still dont even take the most rudimentary of data security precautions. 'Reap what you sow' I suppose.

  8. Anonymous Coward
    Anonymous Coward

    WTF

    "But that’s fiction. In reality, ATM cameras using facial and iris recognition may be able to detect stress, pupil dilation, and changes in heart rate and breathing patterns to establish a confidence level that the user is not in danger."

    Great, so you have to be a nice calm state in order to get in to a system?? Buggered any time I'm running late, just been to the gym, stressed 'cos the boss needs something NOW, shivering 'cos it's cold, etc...

  9. Anonymous Coward
    Anonymous Coward

    Article seems to overlook the growth of two+factor authentications

    IE with tokens and now mobiles (either soft token apps or a text with a code). Passwords on their own are seen as outdated by many, but with a second-factor that is how it becomes a worthy oponent to a biometric solution.

    1. Anonymous Coward
      FAIL

      Oh, like RSA?

      As in, the one that's already been compromised? Yeah, that'll work.

      http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars

      1. Ru

        No, not like RSA.

        We've got nice things like TOTP these days; that's the sort of stuff that google uses to provide 2-factor authentication for gmail using, eg. an android app. Hardware token systems could work just fine if they could be configured by the end user (or employer). I have some nice TOTP and HOTP tokens here... the security issue with those is that the vendor knows which serial numbers they sold to me, which presents an avenue of attack, assuming the attackers could also get my password.

        Don't assume that one corporation's greed (they wanted centralised control of the system to protect their income stream) and ineptitude means the underlying system is broken.

        I'd also suggest that public key cryptosystems can exist separately from a formal PKI. I've been quite happy with my SSH keys, for example, though they require a little more care than 'normal' users might be expected to exercise.

  10. jai

    one time pass

    I've given up trying to remember passwords. Where I can, I set a long password completely at random and make no attempt to remember it. Then, the next time I need to log in, I request a new password.

    There are two flaws in this approach, but I feel the freedom from having to remember random alphanumeric words that need to be changed every 30 days is worth it.

    Flaw 1: I have to wait around for the new password to be generated and emailed to me.

    Flaw 2: I'd be completely unable to reveal my amazon.com password even if under torture and at risk of death.

    1. Anonymous Coward
      Anonymous Coward

      @Jai

      Why not use a password manager?

      I use 1password on my macs & iPhone. When creating an account on any website, I let 1password generate a random 16 digit password [mixture of upper and lower case and digits]. Then when I revisit that site, I just hit CMD+\ and enter my password for 1password itself in a popup and 1password automatically fills in the login details for me.

      I've no idea what my passwords are, for most of the sites I frequent. I just let 1password remember all that crap for me. And it syncs wirelessly across all my gadgets too, which is nice.

      [Disclaimer: No relation. No personal interest in the company etc. Just a satisfied customer. Other password managers are available]

      1. Charles 9 Silver badge

        Some people have bad memories.

        That's like saying just write it all down in a memo book...until you lose the memo book.

        Or in this case, put them in a password vault under one super password...until you forget THAT password.

        1. A. Coatsworth Silver badge

          Nah, you just save the super password inside an unrelated excel or txt document somewhere in your PC. That's what I do, and unless someone starts reading each and every file in my computer (and knowing what are they looking for) I think it's secure enough.

          Now, if you manage to forget not only the super password but also the place where you saved it... you have bigger things to worry about, such as that Alzheimer...

          1. Charles 9 Silver badge

            OR...

            ...the fact that your hard drive crashed and the backup failed. Or you're trying to access the passwords from your phone where the secret password isn't kept for security reasons.

            1Password sounds interesting, but I hear the Android interface isn't well polished. I would also like to have a cloud sync to say Dropbox in case I change machines or phones (had a phone break--thank goodness for a phone insurance plan). Perhaps if there was an alternative...

        2. AdamWill

          it's very unlikely

          when you have to enter it about a dozen times a day. the (current) super password for my password database will likely be the very last thing that sticks in my rapidly declining grey matter at the terminal moment. what a sad thought...

          (actually, I've started to memorize some of the *completely random* passwords my password generator generates. amazing that you can memorize 12 random characters, which don't form anything even vaguely pronounceable, if you have to enter them manually maybe twenty times...the one i always recall is my wireless password, which I'm always entering on different devices and so can't just copy/paste from the manager.)

  11. Robert Carnegie Silver badge

    Some sort of dual key system.

    Nowadays a password that lets you into the bank has to be inconveniently long to be safe. So some arrangement is needed whereby you input a short personal authentication into a device that you and the service that you're using both trust - like an ATM. That device is the other part of the dual key.

  12. Anonymous Coward
    Boffin

    Phone Proximity

    Someone has probably thoguht of this already, but if someones phone is fitted with an NFC device, even something inocuous fitted in the battery compartment, then the physical presence of the phone can also be used as a partial authorisation.

    if the person leaves the workstation and takes their phone with them, then the system logs them off, or locks the workstation, etc.

    Good idea, or a load of crap?

    1. Simon_E

      re: Phone proximity

      Been done.

      I played around with a bluetooth PC-locking program three or four years ago.

      Couldn't get it to _un_lock it automatically, though...

  13. Anonymous Coward
    Anonymous Coward

    How a password should be

    "bruteforcemypasswordifyoucanyousillyhackeryou"

    1. Anonymous Coward
      Anonymous Coward

      and add a digit to the end, that increases each time you have to change your password !!

  14. Anonymous Coward 15
    FAIL

    Detecting duress like...

    The emergency chocolate and flowers when you forget your anniversary?

    Christmas shopping?

    Paying off a loan shark/money shop/pawnbroker?

    Needing money for a cab at 3am after the trains have stopped?

  15. Anonymous Coward
    Anonymous Coward

    "In reality, ATM cameras using facial and iris recognition may be able to detect stress, pupil dilation, and changes in heart rate and breathing patterns to establish a confidence level that the user is not in danger."

    "It says it won't let me take any money out as I am stressed by all this mugging business, so put the knife away OK Mr Mugger?"

    So how long before the knife is put to good use cutting out/off the required body part to get the scanner to work?

    1. Anonymous Coward 101
      Windows

      Correct

      Mugger: "Give me your money or I'll shoot you!"

      Muggee: "I can't withdraw cash because the iris scanner says I am under too much stress!"

      Mugger: "Then calm down or I'll shoot you!"

  16. Anonymous Coward
    FAIL

    Passwords...

    http://xkcd.com/936/

    That says it all...

  17. MoreFun
    Go

    Tools like keepass ?

    I think that once you get used to tools like keepass (which I use), this becomes much less an issue, and the amount of passwords you can maintain increases dramatically.

    You do need to learn (and be confident) using them ...

  18. WinHatter
    WTF?

    even your DNA ...

    to protect my data ... well DNA tends to be leaked (pun intended).

    1. Anonymous Coward
      Anonymous Coward

      and.....

      my evil twin brother will have access to all my shit !!

  19. TeeCee Gold badge
    Coat

    Predictions, passwords.......

    "The prediction was part of a series that also speculated..............."

    Did they say anything about the death of COBOL?

  20. Fenton

    God I hate passwords

    As a consultant working at multiple sites, they really have become a pain in the backside.

    Each site has different timeouts, different rules (and they sometimes change).

    The amount of time lost, due to having to reset passwords mounts up fairly quickly.

    Even a well maintained encrypted password solution has it's limitations (i.e. I forgot the password that was reset just before I went on holiday). Hard disk crashed and the last good backup was two weeks old. (how many of us have nightly backups of our laptops)

  21. PassiveSmoking

    Churchill is supposed to have once observed tha Democracy was the worst system of government, except for all the others that have been tried. Perhaps the same applies to passwords.

    1. Anonymous Coward
      Anonymous Coward

      paper says exactly this

      "Indeed it might be said of passwords that they are the worst possible authentication system, except for all the other systems"

  22. Anonymous Coward
    Anonymous Coward

    What really winds me up is when sites ask you to set a password and then reject it for failing to meet various requirements that [and this is the really teethgrindingly annoying bit] they didn't tell you about in the first place:

    • Sorry. Your password must be at least six letters

    • Sorry. Your password must contain at least one number

    • Sorry. Your password cannot contain all numbers

    • Sorry. Your password must contain both upper and lower case

    • Sorry. Your password cannot be a dictionary word

    I start out with an idea for a password, which is secure enough for he risk-level associated with the site in question, and which I can remember but then, by the time I've jumped through all their ridiculous hoops to make it conform to their idea of what constitutes a secure password, it's so far removed from what I started off with that I have to write it down myself, so I'll remember it. Which kinda defeats the purpose!

    1. Tom 35 Silver badge

      Password tests

      Then you get something like P@ssw0rd that they say is secure.

      1. Keep Refrigerated
        FAIL

        And those bloody meaningless secure meters...

        Choose your password - must contain at least 8 characters:

        "Try h@cking this 5uckaz!!! &" Secure Meter: []

        ***Special chars not allowed!***

        "Try hacking this 5uckaz" Secure Meter: []

        ***Spaces not allowed!***

        "Tryhackingthis5uckaz" Secure Meter: [][][]

        ***Too long!***

        "passw0rd" Secure Meter: [][][][][] OGMZ SO SECURE!

        *** This is good - Proceed! ***

    2. Hungry Sean
      Flame

      groan

      or my most hated one:

      "your password contains an illegal character"

      Which is fucking useless considering it doesn't tell you which character exactly is forbidden (and they change with every site). Financial institutions pulling this garbage is particularly frustrating because this is one of the cases where I'm willing to go out of my way to use a particularly strong password.

    3. Headley_Grange Silver badge

      They're not protecting you....

      They're protecting themselves. They don't care if your password is weak - as long as there is a password. if it's compromised and you lose money then as long as the site can show that the loss was caused by someone using correct account and password information then the problem must be that you told someone your password or wrote it down somewhere. This way they don't have to pay up.

  23. Anonymous Coward
    Anonymous Coward

    Trouble with a lot of biometrics is people leave them lying around. It would not be that difficult to get some fingerprints from a target without them being any the wiser.

  24. Anonymous Coward
    Anonymous Coward

    It's got so ridiculous I spent two hours finding software for storing passwords that works on my desktop, my tablet and my phone, then syncs amongst them as at the last count I need to hold 86 personal passwords with associated websites, 19 gadget passwords at home and 53 work related passwords!

    All I have to do is lose my main password to the password safe and my life is for all intents purposes kaput!

  25. Anonymous Coward
    Anonymous Coward

    Duress password

    I was told that banks (and other organisations) use your pin Plus or minus one as the duress password. This was from an annoyed secruity guard after I had just "almost" got my little used pin to a secure area right

    Took me a while to submit this as I couldn't remember what username and password I had used when I created this account years ago!!!

  26. Dadz
    Paris Hilton

    "even your DNA"???

    New DNA-based system: There is a pinkie finger-sized hole. It says "insert finger here."

    When I insert a finger, a clamp locks the finger in place, then a solenoid pricks the finger - drains out some blood for a DNA test - then the clamp unlocks. Five minutes later, the DNA test is complete and I have access. (The system would also check for a pulse and oxygen in the blood to ensure I'm not putting someone else's finger in; it could also scan the fingerprint).

    1. Charles 9 Silver badge

      Dirty needles.

      Hate to be behind the guy with HIV or AIDS who uses the system. And there may be other diseases out there hardy enough to withstand various means of "cleaning" the needle afterward.

    2. Headley_Grange Silver badge

      I use mSecure

      It syncs from PC to mobile devices.

  27. Anonymous Coward
    Anonymous Coward

    Cards form a new security hazzard

    Its partly personal interest and partly for work; but right now I'm checking how well Windows 7 operates using an rfid card reader. SO basically assigning specific cards to a specific user account.

    Well, needless to say but Windows 7 is very extensive with this. Merely plugging in the cardreader (USB) will already trigger a change in "Admin pop-ups". Instead of having to type in a password you can now also "insert" the assigned card.

    But the problem with this setup should be obvious.. Its much easier to simply keep your card lying on the rfid reader and click "ok" as soon as the prompt shows up. As such; while it makes authentication easier, it also increases the risk factor tremendously when dealing with common end-users.

    End users care more about ease of use than security whereas admins and techies sometimes tend to swing a bit too much to the other side of the fence.

    So yes; I think passwords will indeed be around for quite some time to go.

  28. Marty McFly
    Boffin

    Still only one factor

    Password = Something you know

    Token = Something you have

    Biometrics = Something you are

    Switching from passwords to biometrics does not enhance security. It only changes it from one factor to another. Now ADDING biometrics to passwords - that will improve security.

  29. OffBeatMammal
    FAIL

    frustration

    the problem is that while there are some quite viable alternatives - yubiKey or the RSA SecureID/VIP app there's no interoperability and everyone wants to roll their own... and totally pointlessly sites require users to sign up for an account (true even in many cases where you can log-in via OAuth.. you still have to fill out a profile)

    the niggly little differences in detail (8 characters, 6 characters plus 2 digits, 10 characters at least one upper case, one digit and one special character, no special characters) just lead to frustration and security busting solutions like post-it notes. even though I know better I use a password manager solution (though it is one secured with a yubiKey token) but it doesn't help with some banking sites that additionally want me to use an on-screen keyboard and enter specific characters from the password.... aaaaaargh

  30. Peter 48

    more complex isn't the trick

    I would have thought one simple way of improving password security is limiting the number of false entries you can make when trying to enter a password and in the simplest cases require a captcha or similar system to reset the count or require separate verification over the phone or in person (with banks). Also stop requesting the entire password, instead only ask for extracts of it (my bank does that for example). Use onscreen keyboards where you have to click with the cursor to enter the password / pin would reduce the risk of keystroke captures. Where pin numbers or passwords are entered on touch screens they should randomize the position of the entry keypad to reduce the risk of reading your fingerprint smudges. There are numerous methods you could easily use to make passwords & pins more secure without increasing their complexity.

    1. Charles 9 Silver badge

      Then you end up with false negatives.

      Excerpts of passwords only work if you're able to arbitrarily memorize PARTS of a password, but many people memorize the password by some sort of mnemonic and so go from start to finish: otherwise, they mess up. That could be frustrating in a scenario where you can't type the whole thing and than backtrack (think ATMs). In any event, extracts simply make the malware get a little smarter and recognize that passwords being entered are incomplete. If the malware records the card number, the excerpt, and what the excerpt represents, they'll reconstruct the entire thing after enough fishing. On-screen keyboards with random layouts? Useless to the blind (they need to be able to FEEL the keys—usually by Braille) and powerless against screenreader malware and overlays that can point a camera at the screen. And since you can't physically rearrange a physical keyboard...

  31. J.G.Harston Silver badge

    My one insistance is that passwords should be case insensitive. I remember my password as "fredgardengolfbag" (or whatever). I do NOT remember my password as upper f lower e lower r upper d. It is "fredgardengolfbag".

  32. Anonymous Coward
    Anonymous Coward

    Trying to make things secure often makes them very insecure!

    Organisations should think long and hard about how people actually use passwords and how important the data being secured is?

    And remember that the more difficult it is, the more users will write it down (and often stick it on a post it note on the their desk!)

    The Olympic volunteer web site required IIRC alpha numeric, mixed case >8 chars and the information is held is of low to medium importance. I hate to think of the password requirements for their financial and anti terrorist security depts!

  33. Keep Refrigerated
    Boffin

    2-Part Authentication

    Biometric data should only really be used to complement the password authentication.

    So ideally something like this: You walk up to the ATM and the screen reads, "Hello and welcome back! Your last name begins with "R" and your first name contains the letter "E", is this correct? Then there could be 3 names to choose from for you to select, then enter your password. This could then be used for panic mode... the delay in answering the questions about your identity serve to keep the mugger in the same spot whilst security arrive.

    Rather than using facial recognition though, a much more secure and simpler implementation, would be combining methods to identify if more than one person was present at the ATM. So have the customer stand on a pressure pad that calculates the weight, along with a camera that identifies number of bods present. You could also have a rotating screen slide around the ATM which only has room for one person.

    I've actually seen this kind of thing (weight + sliding screen door) implemented in a security door in Austria. It occasionally refused you access and you had to step out and in again - but this is something the hoi polloi is already conditioned to deal with in other areas.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019