Wednesday, January 10, 2007

Musings On Passwords

Many people have been predicting the death of the password "any day now" since 1985. Let me try to throw something discussion-worthy out there. I'd make the claim that passwords a) are just fine if done right and b) will never die.

So, here are two recent pieces related to death of passwords:

This "Password Irony" piece refers to Bruce Schneier's paper which analyzes MySpace password cracking. In "Password Irony" Pete adds: "I am at a loss to explain how he can come to this conclusion when every single one of the 34,000 passwords he analyzed were stolen through a phishing attack." OK.

This "Myth of secure password is ended" piece does remind us that rainbow tables make cracking password hashes much easier: "then arrived the Rainbow Table method and everything changed." OK, OK

So passwords are bad. Or are they?

However, think about your typical 4-digit ATM PIN: are you freaking out about it? I don't! Why:

* no password data available offline to run rainbow table methods against (the PIN is checked on the bank's side, not on the card or in a file the attacker can grab)
* no brute forcing (lockout after 3 failed attempts)
* only complicated and conspicuous physical "sniffing" (and shoulder surfing) can be used to steal the PIN
* the PIN needs to be entered only at a specific physical location and not remotely (and there is usually a camera watching you while you do it)

The above sure seems sufficient, since "ATM password attacks" are not that common. So, passwords seem to be done right in this case.
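The two bullets that do the real work above are "no offline password data" and "lockout after 3". The following is an added example (not from the original post) that models both: an online PIN verifier that only answers yes/no and locks after three failures, beside an offline attack on a leaked unsalted digest of the same PIN. The 4-digit length, the lockout threshold, the sample PIN and the SHA-256 storage format are all assumptions made for illustration.

```python
import hashlib
import itertools
import os
import secrets
from typing import Optional, Tuple

# Assumed parameters modelled on the post's ATM description: a 4-digit PIN
# and a lockout after 3 consecutive failures.
PIN_LENGTH = 4
MAX_FAILURES = 3
# The entire keyspace: 10^4 candidates, enumerated in order.
ALL_PINS = ["".join(d) for d in itertools.product("0123456789", repeat=PIN_LENGTH)]


class OnlinePinVerifier:
    """Server-side verifier. An attacker gets only a yes/no answer per
    attempt, never the stored digest, and the account locks after
    MAX_FAILURES consecutive wrong guesses."""

    def __init__(self, pin: str) -> None:
        self._salt = os.urandom(16)          # per-account random salt
        self._digest = self._hash(pin, self._salt)
        self._failures = 0
        self.locked = False

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        # Plain salted SHA-256 is enough for the demonstration; the lockout,
        # not the hash, is what protects a 10^4 keyspace.
        return hashlib.sha256(salt + pin.encode()).digest()

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        if secrets.compare_digest(self._hash(guess, self._salt), self._digest):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self.locked = True
        return False


def online_brute_force(verifier: OnlinePinVerifier) -> Tuple[Optional[str], int]:
    """Try every PIN through the online interface. Returns the PIN if found
    and the number of attempts actually made before the lockout stopped us."""
    attempts = 0
    for candidate in ALL_PINS:
        if verifier.locked:
            break
        attempts += 1
        if verifier.verify(candidate):
            return candidate, attempts
    return None, attempts


def unsalted_digest(pin: str) -> str:
    """What a leaked 'password data' record looks like in the weak case:
    an unsalted SHA-256 of the PIN, exactly what rainbow tables target."""
    return hashlib.sha256(pin.encode()).hexdigest()


def offline_crack(leaked_digest_hex: str) -> Tuple[Optional[str], int]:
    """Offline attack on a leaked unsalted digest: with nothing rate-limiting
    the attacker, enumerating all 10^4 PINs (or looking the digest up in a
    precomputed table) recovers the PIN immediately."""
    for attempts, candidate in enumerate(ALL_PINS, start=1):
        if unsalted_digest(candidate) == leaked_digest_hex:
            return candidate, attempts
    return None, len(ALL_PINS)


if __name__ == "__main__":
    pin = "7341"  # constructed sample PIN
    print("online: ", online_brute_force(OnlinePinVerifier(pin)))  # (None, 3)
    print("offline:", offline_crack(unsalted_digest(pin)))         # ('7341', 7342)
```

The online attacker is stopped after three guesses, so a 4-digit PIN holds. The offline attacker recovers the same PIN after a few thousand hash computations, and note that salting or a slow KDF would not rescue a 10^4 keyspace here either; what protects the ATM PIN is that there is no digest to leak and the only channel is the rate-limited one.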

Now, think about all the good things about passwords:
* no physical device to possess (and lose, and buy, and carry, etc.)
* easy to change (unlike most if not all biometric methods - this scares me for good reason, since once compromised a biometric cannot be changed ...)
* [sometimes] easy to remember while secure (in the case of long passphrases)

Thus the conclusion is obvious: long live the passwords!

Dr Anton Chuvakin