Wednesday, January 10, 2007

Musings On Passwords

Many people have been predicting the death of the password any day now, since about 1985. Let me try to throw something discussion-worthy out there. I'd make the claim that passwords a) are just fine if done right and b) will never die.

So, here are two recent pieces related to the death of passwords:

This "Password Irony" piece refers to Bruce Schneier's paper analyzing MySpace passwords. In "Password Irony" Pete adds: "I am at a loss to explain how he can come to this conclusion when every single one of the 34,000 passwords he analyzed were stolen through a phishing attack." OK.

This "Myth of secure password is ended" piece reminds us that rainbow tables make cracking stolen password hashes much easier: "then arrived the Rainbow Table method and everything changed." OK, OK.

So passwords are bad. Or are they?

Now think about your typical 4-digit ATM PIN: are you freaking out about it? I'm not! Why:

* no stored password hash for the attacker to get hold of, so there is nothing to run rainbow table methods against
* no brute forcing (lockout after 3 wrong attempts)
* only complicated and conspicuous physical "sniffing" (and shoulder surfing) can be used to steal the PIN
* the PIN must be entered at a specific physical location, not remotely (and there is usually a camera watching you while you do it)

The above sure seems sufficient, since "ATM password attacks" are not that common. So, passwords seem to be done right in this case.
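To make the two points above concrete (rainbow tables only help when the attacker has a hash to look up, and lockout after 3 tries is what makes a 10^4 keyspace survivable online), here is an added example that is not part of the original post and not any bank's code. It models a 4-digit PIN under both regimes: an offline attacker with a leaked hash, who recovers the PIN with a single lookup in a precomputed table (or, if the hash is salted, by a brute force that still finishes in at most 10,000 hashes), versus an online attacker against a verifier that locks after 3 failures. The hash function (SHA-256), the salt, the sample PINs and the verifier API are all assumptions for illustration.

```python
import hashlib
import secrets

# Constructed example: every 4-digit PIN. The whole keyspace is 10^4 candidates.
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]


def build_table(hash_fn=hashlib.sha256):
    """Precompute hash -> PIN for every 4-digit PIN.

    A real rainbow table uses hash chains to trade time for space; for a
    keyspace this small a full lookup dictionary is the same attack with
    less bookkeeping, and it is what 'no hash, no rainbow table' is about.
    """
    return {hash_fn(p.encode()).hexdigest(): p for p in PIN_SPACE}


def offline_crack(pin_hash, table):
    """Leaked unsalted hash -> PIN with one dictionary lookup (None if absent)."""
    return table.get(pin_hash)


def offline_crack_salted(pin_hash, salt):
    """A per-record salt defeats the precomputed table, but the keyspace is so
    small that a fresh brute force over all 10^4 candidates is still instant.

    Returns (pin_or_None, number_of_hashes_computed).
    """
    for attempts, p in enumerate(PIN_SPACE, start=1):
        if hashlib.sha256(salt + p.encode()).hexdigest() == pin_hash:
            return p, attempts
    return None, len(PIN_SPACE)


class AtmPinVerifier:
    """Online verification that locks after MAX_FAILURES consecutive wrong guesses.

    The attacker never sees a hash here; the only oracle is yes/no per guess.
    """

    MAX_FAILURES = 3

    def __init__(self, pin):
        self._pin = pin          # held server-side, never returned to the caller
        self.failures = 0
        self.locked = False

    def verify(self, guess):
        if self.locked:
            return False         # locked cards answer nothing, not even the right PIN
        if secrets.compare_digest(guess, self._pin):  # constant-time comparison
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


def online_guess(verifier, candidates):
    """Feed candidates to the verifier until success or lockout.

    Returns (pin_or_None, attempts_made).
    """
    attempts = 0
    for p in candidates:
        if verifier.locked:
            break
        attempts += 1
        if verifier.verify(p):
            return p, attempts
    return None, attempts


def online_success_probability(max_failures=AtmPinVerifier.MAX_FAILURES,
                               space=len(PIN_SPACE)):
    """Chance of guessing one card's PIN before lockout, assuming the attacker
    knows nothing about the PIN distribution and guesses uniformly."""
    return max_failures / space


if __name__ == "__main__":
    table = build_table()
    leaked = hashlib.sha256(b"4242").hexdigest()          # constructed leak
    print("offline, unsalted:", offline_crack(leaked, table))
    salt = b"branch-17"                                   # constructed salt
    print("offline, salted:", offline_crack_salted(
        hashlib.sha256(salt + b"0007").hexdigest(), salt))
    print("online vs lockout:", online_guess(AtmPinVerifier("1234"), PIN_SPACE))
    print("online success probability:", online_success_probability())
```

The asymmetry is the whole point: the offline attacker's cost is bounded by the keyspace (10^4 hashes, a fraction of a second), while the online attacker's success is bounded by the lockout policy (3 in 10,000 per card), and no rainbow table changes that second number because there is no hash to look up.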

Now, think about all the good things about passwords:
* no physical device to possess (and lose, and buy, and carry, etc.)
* easy to change (unlike most, if not all, biometric methods; this scares me, and for good reason, since once lost, biometrics cannot be changed ...)
* [sometimes] easy to remember while still secure (in the case of long passphrases)

Thus the conclusion is obvious: long live passwords!

2 comments:

Anonymous said...

You are comparing two-factor authentication (ATM cards + PINs) with passwords. Of course there are no "ATM password attacks", because you do need to carry around a physical device, the ATM card.

Anonymous said...

Paul Clancy said ....

I have invented devices that totally conceal the entry of a PIN or any password.

The only transaction that a shoulder surfer can see is 4 unmarked buttons being selected.

Likewise any password is secure using the patent-pending device because it cannot be recorded by a shoulder surfer or a miniature camera.

To see how simple and secure the device is, go to my website: http.//www.visualsecuritysolutions.com

Dr Anton Chuvakin