[Cryptography] Passwords: Perfect, except for being Flawed

Benjamin Kreuter brk7bx at virginia.edu
Tue Feb 17 21:14:19 EST 2015


On Tue, 2015-02-17 at 18:17 -0500, Jerry Leichter wrote:
> I basically agree.  The attacks we see on passwords are all based on a
> combination of bad and weakly protected implementations

Phishing is a counterexample.  The best implementation of passwords
would still be vulnerable to phishing.  Phishing uses a tiny bit of
social engineering to exploit a fundamental flaw with passwords.  That
flaw is also exploited by keystroke loggers, people looking over your
shoulder while you type in your password, etc.  Your password is only
secure as long as it is not copied, but it is not particularly hard to
copy a password.

> and on bad user practices (reuse of passwords).

Which is why passwords are never going to work in a distributed system
like the Internet.  People are not going to stop being human beings, no
matter how much we yell at them.  People are going to continue to be
tricked by phishing sites (and phishing sites are going to become more
sophisticated).

> There are technical fixes to the former (SRP et al).  The latter become
> somewhat less of an issue if the former is resolved, but beyond
> stopping the dumb practice of telling people to *never* write down
> their passwords, requires some more work to help on the human side.

Phishing cannot be solved with just passwords, no matter how fancy your
protocols are.  As long as people can be tricked into logging in to a
web page that looks just like their bank's web page (that is unlikely to
change any time soon), passwords will be insecure.  Any solution to
phishing is going to involve credentials that are hard to copy -- in
other words, some kind of new hardware will need to be deployed
(keyfobs, phones, smartcards, whatever).

We are almost at the point where deploying all that new hardware becomes
economically justifiable.  The rise of OTPs and SMS-based 2FA is
evidence of just how close we are.

-- Ben
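To make the argument above concrete, here is an added toy model (not code from this thread or its authors) in which a typed password survives being relayed through a look-alike page, while a hardware credential that signs the server's challenge together with the page's origin does not; it goes slightly beyond the post by naming origin binding as the property that makes the credential hard to copy. The origins, the password and the HMAC-based token key are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
REAL_ORIGIN = "https://bank.example"       # constructed sample origins: the real site
PHISH_ORIGIN = "https://bank-example.net"  # and a look-alike page the user is lured to

class Server:
    def __init__(self):
        self.password = "hunter2"                 # constructed sample password
        self.token_key = secrets.token_bytes(32)  # assumed key shared with the user's token
        self.open_challenges = set()
    def verify_password(self, typed):
        # Anything the user can type can be captured and typed again elsewhere.
        return hmac.compare_digest(typed, self.password)
    def new_challenge(self):
        c = secrets.token_hex(16)
        self.open_challenges.add(c)
        return c
    def verify_signature(self, challenge, sig):
        # Single-use challenge, and the server binds its OWN origin into the
        # expected value, so a signature made for any other page cannot match.
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        msg = f"{REAL_ORIGIN}|{challenge}".encode()
        return hmac.compare_digest(sig, hmac.new(self.token_key, msg, hashlib.sha256).digest())

class Token:
    # Hardware credential: signs (origin, challenge). The origin is supplied by the
    # browser, not typed by the user, so a look-alike page gets its own origin signed.
    def __init__(self, key):
        self.key = key
    def sign(self, origin, challenge):
        return hmac.new(self.key, f"{origin}|{challenge}".encode(), hashlib.sha256).digest()

def phished_password_replay(server):
    captured = "hunter2"  # exactly what the user typed into the fake page; relayed verbatim
    return server.verify_password(captured)  # True: the copied secret works as-is

def legitimate_login(server, token):
    challenge = server.new_challenge()
    return server.verify_signature(challenge, token.sign(REAL_ORIGIN, challenge))  # True

def phished_signature_relay(server, token):
    # Relay fetches a real challenge, presents it on the fake page, forwards the answer.
    challenge = server.new_challenge()
    return server.verify_signature(challenge, token.sign(PHISH_ORIGIN, challenge))  # False
```

The same relay step defeats a typed OTP exactly as it defeats the password, which is why the model puts the origin, not the user's typing, into the signed message.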