[Cryptography] Passwords are dying - get over it

Bill Frantz frantz at pwpconsult.com
Sun Dec 22 11:09:35 EST 2013


Passwords for high levels of security are a dying technology.

The level of entropy we can reasonably ask a human to remember 
is small compared with the cost of exhaustive search attacks. 
They can still be useful for medium levels of security like 
Facebook pages -- where powerful attackers don't need to break 
the password, but not for the higher levels of security needed 
for uses like banking.

Using passwords securely is inconvenient. You need a different 
password for each site because of the risk of site compromise. 
It is insecure to use variants of a common base because they are 
too easy to guess once one of them is known.

The only reasons passwords hang on is old habits and the need to 
support secure usage from computers at cyber cafes. The need for 
this latter use is dying with the popularity of laptops, tablets 
and smart phones. (As if anything could be done securely from a 
compromised public computer.)

Password safes such as the Apple key chain offer a solution, but 
with them we are applying computation and memory that are 
personal to each user, so can use solutions which don't involve 
the site storing a version of the password.

Discussion of ways to eke out a bit more life for passwords 
seems kind of pointless. Lets instead build things that are both 
more secure and easier to use. We need to define a protocol and 
a migration strategy.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 
Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, 
CA 95032



More information about the cryptography mailing list