[Cryptography] Passwords are dying - get over it
Bill Frantz
frantz at pwpconsult.com
Sun Dec 22 11:09:35 EST 2013
Passwords for high levels of security are a dying technology.
The level of entropy we can reasonably ask a human to remember
is small compared with the cost of exhaustive search attacks.
They can still be useful for medium levels of security like
Facebook pages -- where powerful attackers don't need to break
the password, but not for the higher levels of security needed
for uses like banking.
Using passwords securely is inconvenient. You need a different
password for each site because of the risk of site compromise.
It is insecure to use variants of a common base because they are
too easy to guess once one of them is known.
The only reasons passwords hang on is old habits and the need to
support secure usage from computers at cyber cafes. The need for
this latter use is dying with the popularity of laptops, tablets
and smart phones. (As if anything could be done securely from a
compromised public computer.)
Password safes such as the Apple key chain offer a solution, but
with them we are applying computation and memory that are
personal to each user, so can use solutions which don't involve
the site storing a version of the password.
Discussion of ways to eke out a bit more life for passwords
seems kind of pointless. Let's instead build things that are both
more secure and easier to use. We need to define a protocol and
a migration strategy.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032
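One concrete instance of what the post points at with "solutions which don't involve the site storing a version of the password": the safe holds a master secret, derives a separate signing key for every site, and each site keeps only a public key, so a breach of the site's user table yields nothing an attacker can crack offline or replay elsewhere. This is an added example, not code from Bill Frantz's post or from the list; the Ed25519 is a compact textbook transcription for illustration (pure Python, unoptimised, no side-channel protection, so use a vetted library for real use), and the per-site derivation, the "login:" message layout and the example site names are this example's own assumptions, not a published protocol.

```python
"""Added example (not code from the post): a password-safe login where the
site stores only a public key, so a breach of the site's database gives the
attacker nothing to crack or replay.  The Ed25519 is a compact textbook
transcription for illustration only (unoptimised, no side-channel care); the
per-site key derivation and message layout are this example's own assumptions."""
import hashlib, hmac, secrets

# ---- textbook Ed25519 over the twisted Edwards curve, pure Python ----
Q = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493    # group order
inv = lambda x: pow(x, Q - 2, Q)
D = (-121665 * inv(121666)) % Q
SQRT_M1 = pow(2, (Q - 1) // 4, Q)

def xrecover(y):                  # recover x from y via the curve equation, even root
    xx = (y * y - 1) * inv(D * y * y + 1)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q: x = (x * SQRT_M1) % Q
    if (x * x - xx) % Q: raise ValueError("not on curve")
    return Q - x if x % 2 else x

BY = 4 * inv(5) % Q
B = (xrecover(BY), BY)                                 # base point

def edwards(P, R):                # affine point addition
    x1, y1 = P; x2, y2 = R
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % Q, (y1 * y2 + x1 * x2) * inv(1 - t) % Q)

def scalarmult(P, e):             # double-and-add, most significant bit first
    R = (0, 1)
    for i in reversed(range(e.bit_length())):
        R = edwards(R, R)
        if (e >> i) & 1: R = edwards(R, P)
    return R

def encodepoint(P): return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def decodepoint(s):               # raises ValueError for a point that is not on the curve
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    return (Q - x, y) if (x & 1) != (s[31] >> 7) else (x, y)

def hint(m): return int.from_bytes(hashlib.sha512(m).digest(), "little")

def expand(seed):                 # clamped secret scalar a and the nonce prefix
    h = hashlib.sha512(seed).digest()
    a = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return a, h[32:]

def publickey(seed): return encodepoint(scalarmult(B, expand(seed)[0]))

def sign(m, seed):
    a, prefix = expand(seed); pk = publickey(seed)
    r = hint(prefix + m) % L                           # deterministic nonce
    R = encodepoint(scalarmult(B, r))
    return R + ((r + hint(R + pk + m) * a) % L).to_bytes(32, "little")

def verify(sig, m, pk):
    if len(sig) != 64: return False
    try: R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError: return False
    S = int.from_bytes(sig[32:], "little")
    if S >= L: return False
    return scalarmult(B, S) == edwards(R, scalarmult(A, hint(sig[:32] + pk + m) % L))

# ---- the safe: one master secret, one key pair per site, the site keeps only the public key ----
def site_seed(master, site):      # hypothetical derivation: HMAC-SHA512 of the site name
    return hmac.new(master, b"login-key:" + site, hashlib.sha512).digest()[:32]

def enroll(master, site):         # the only thing the site stores for this user
    return publickey(site_seed(master, site))

def challenge(): return secrets.token_bytes(32)

def respond(master, site, nonce): # the site name is signed too, so a phishing relay fails
    return sign(b"login:" + site + b"\x00" + nonce, site_seed(master, site))

def site_check(stored_pk, site, nonce, response):
    return verify(response, b"login:" + site + b"\x00" + nonce, stored_pk)

def demo():                       # constructed data; returns (honest, relayed, replayed)
    master = hashlib.sha256(b"constructed master secret kept only in the safe").digest()
    bank, shop = b"bank.example", b"shop.example"
    pk = enroll(master, bank)
    n = challenge()
    honest = site_check(pk, bank, n, respond(master, bank, n))
    relayed = site_check(pk, bank, n, respond(master, shop, n))           # phished via shop
    replayed = site_check(pk, bank, challenge(), respond(master, bank, n))  # old response
    return honest, relayed, replayed

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

What the site holds after enrollment is a 32-byte public key: leaking it gives an attacker no password to brute-force and nothing that authenticates to any other site, because every site gets an independent key derived inside the safe. The challenge (fresh nonce) defeats replay and the site name inside the signed message defeats relaying a response captured by a look-alike site, which is the property a password typed into a phishing page never has.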