
OPLIN 4Cast #322: Giving passwords a pass

Posted in 4cast

How many passwords do you have? How many do you have trouble remembering? How many of your co-workers tape their passwords on the underside of their keyboard? Isn’t there a better way to handle user authentication? Last week, we looked at “social login” authentication, one alternative to passwords that is popular for its ease of use, but may not be particularly secure. But social login is only one entry in the effort to replace passwords. Regardless of how it gets done, it seems that the end of the password may be coming soon.

  • P@$$1234: the end of strong password-only security (Deloitte TMT Predictions 2013)  “However, a number of factors, related to human behavior and changes in technology, have combined to render the ‘strong’ password vulnerable. First, humans struggle to remember more than seven numbers in our short-term memory. Over a longer time span, the average person can remember only five. Adding letters, cases, and odd symbols to the mix makes remembering multiple characters even more challenging. As a result, people use a variety of tricks to make recalling passwords easier. For example, users often create passwords that reference words and names in our language and experience. Users typically put the upper case symbol at the beginning of the password and place the numbers at the end of the password, repeating the numbers or putting them in ascending order. Although a keyboard has 32 different symbols, humans generally only use half-a-dozen in passwords because they have trouble distinguishing between many of them. These tricks and tendencies combine to make passwords less random, and therefore weaker.”
  • Google declares war on the password (Wired/Robert McMillan)  “Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be. Google agrees. ‘Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,’ Grosse and Upadhyay write in their paper. Thus, they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google.”
  • DARPA, FIDO Alliance join race to replace passwords (Threatpost/Brian Donohue) “For years, industry thinkers have somewhat vaguely referenced the need for Internet fingerprints capable of reliably verifying identities online. Yet here we are, it’s 2013 and passwords remain the primary means of authenticating users onto networks and workstations. Two groups today announced projects bent on taking passwords to the curb. The first is an industry group calling itself the FIDO (Fast IDentity Online) Alliance. … The second is the Defense Advanced Research Project Agency (DARPA), a research and development arm of the Defense Department.”
  • Internet giants launch new system to fix the password problem (SecurityWeek/Fahmida Y. Rashid) “Under the FIDO specification, businesses would be able to authenticate and authorize users using existing hardware devices, such as smartphones and tablets, fingerprint readers, microphones, cameras, TPM chips, near-field communications, and one-time password tokens. Instead of traditional username and password combinations, the device the user happens to be holding would play a more central role in authentication, according to the FIDO Alliance. This would make it much more difficult for attackers to steal login credentials and compromise user accounts, Barrett said.”
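What “no longer sufficient” means in practice, as an added example (this is not code from the original post, from Google’s paper or from the FIDO specifications): a password or a cookie is a bearer token, so anyone who captures it once can replay it, while a device-bound login answers a fresh challenge from the server every time, so a captured answer is worthless. The stand-in below is Python using only the standard library. It uses an HMAC over a per-site secret shared at enrollment in place of FIDO’s per-site public-key signature (an assumed simplification, chosen so the example needs no crypto library); the origin strings, the user “alice” and the class names are invented for the demonstration.

```python
"""Bearer token vs. device-bound challenge-response (constructed example).

Assumptions: HMAC over a secret shared at enrollment stands in for the
per-site public-key signature a FIDO authenticator would produce; the
replay and origin-binding properties shown are the same.
"""
import hashlib
import hmac
import secrets


class BearerServer:
    """Password/cookie style: whoever presents the token is logged in."""

    def __init__(self):
        self.tokens = {}

    def issue(self, user):
        tok = secrets.token_hex(16)
        self.tokens[tok] = user
        return tok

    def login(self, tok):
        return self.tokens.get(tok)


def _bind(origin, challenge):
    # The origin is mixed into what gets authenticated, so an answer computed
    # for a phishing site cannot satisfy the real one.
    return origin.encode() + b"|" + challenge


class Device:
    """The user's authenticator: one secret per site, never exported after enrollment."""

    def __init__(self):
        self._keys = {}

    def enroll(self, origin):
        key = secrets.token_bytes(32)
        self._keys[origin] = key
        return key  # handed to the server once (FIDO would hand over a public key instead)

    def respond(self, origin, challenge):
        return hmac.new(self._keys[origin], _bind(origin, challenge), hashlib.sha256).digest()


class ChallengeServer:
    """Issues a one-time challenge and checks the device's answer against it."""

    def __init__(self, origin):
        self.origin = origin
        self.keys = {}      # user -> device secret registered at enrollment
        self.pending = {}   # outstanding challenge -> user

    def register(self, user, device_key):
        self.keys[user] = device_key

    def begin_login(self, user):
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = user
        return challenge

    def finish_login(self, user, challenge, response):
        # pop() makes the challenge single-use: an unknown or already-used one fails
        if self.pending.pop(challenge, None) != user:
            return False
        expected = hmac.new(self.keys[user], _bind(self.origin, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Run both schemes; True means the attempt was accepted as a login."""
    results = {}

    # 1. Bearer token: a cookie captured once (sniffed, XSS, malware) replays forever.
    bearer = BearerServer()
    cookie = bearer.issue("alice")
    results["bearer_replay"] = bearer.login(cookie) == "alice"

    # 2. Device-bound challenge-response.
    origin = "https://accounts.example"   # constructed origin
    srv, dev = ChallengeServer(origin), Device()
    srv.register("alice", dev.enroll(origin))

    c1 = srv.begin_login("alice")
    r1 = dev.respond(origin, c1)
    results["legit_login"] = srv.finish_login("alice", c1, r1)
    # Attacker captured (c1, r1) off the wire and replays the pair.
    results["challenge_replay"] = srv.finish_login("alice", c1, r1)
    # Attacker relays a fresh challenge through a phishing origin the user enrolled with.
    evil = "https://accounts-example.evil"   # constructed phishing origin
    dev.enroll(evil)
    c2 = srv.begin_login("alice")
    results["phish_relay"] = srv.finish_login("alice", c2, dev.respond(evil, c2))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:17s} {'ACCEPTED' if accepted else 'rejected'}")
```

The two rejections come from two different properties: the replay fails because the server discards each challenge after one use, and the relay fails because the origin is part of what the device authenticates. Swapping the HMAC for a real per-site key pair changes nothing about that logic; it only removes the need for the server to hold a secret that could itself be stolen.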

Overused fact:
Last year, the Trustwave security services firm found that the most commonly used password on business systems – and thus the least secure – was Password1.
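Password1 is the Deloitte list made flesh: a dictionary word, the capital at the start, the digit at the end. As an added illustration (not code from the original post, from Deloitte or from Trustwave), here is a small Python scorer that flags those habits and contrasts the strength a class-counting meter would report with the work a rule-based cracker actually does. The favourite-symbol set, the tiny word list, the 17-bit dictionary cost and the leetspeak map are all assumptions made for the example.

```python
"""Why the habits Deloitte lists make a password weaker than it looks (constructed example)."""
import math
import re
import string

# Assumed favourite symbols: the Deloitte piece says only about half a dozen
# of the keyboard's 32 symbols see real use.
COMMON_SYMBOLS = "!@#$%&*"

# Constructed stand-in for a cracking dictionary; a real one has ~100k words.
COMMON_WORDS = {"password", "pass", "welcome", "summer", "monkey", "dragon", "library"}
DICTIONARY_BITS = 17.0  # log2(~130k): assumed cost of guessing the base word

# Leetspeak substitutions a cracker's rule set undoes for free.
LEET = str.maketrans("@$013", "asoie")

# word (letters, possibly leeted) + trailing digits + trailing favourite symbols
_TEMPLATE = re.compile(r"([A-Za-z@$013]+?)(\d*)([%s]*)" % re.escape(COMMON_SYMBOLS))


def naive_bits(pw):
    """Strength a class-counting meter reports: every character assumed to be
    drawn uniformly from the character classes present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # the 32 printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def _is_run(digits):
    """Repeated (1111) or ascending-by-one (1234) digit tail."""
    if len(digits) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({0}, {1})


def _template(pw):
    """(word, digits, symbols) if pw is a dictionary word dressed up the usual way, else None."""
    m = _TEMPLATE.fullmatch(pw)
    if m is None:
        return None
    word, digits, symbols = m.groups()
    if word.lower().translate(LEET) not in COMMON_WORDS:
        return None
    return word, digits, symbols


def pattern_flags(pw):
    """Names of the predictable habits present in pw."""
    flags = []
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        flags.append("capital-only-at-start")
    tail = re.search(r"\d+$", pw)
    if tail:
        flags.append("digits-at-end")
        if _is_run(tail.group()):
            flags.append("digit-run")
    symbols = {c for c in pw if c in string.punctuation}
    if symbols and symbols <= set(COMMON_SYMBOLS):
        flags.append("common-symbols-only")
    if _template(pw) is not None:
        flags.append("dictionary-word-base")
    return flags


def structured_bits(pw):
    """Work a rule-based cracker actually does against the word + digits + symbols
    template; None if pw does not fit it (no cheap structural shortcut found)."""
    parts = _template(pw)
    if parts is None:
        return None
    word, digits, symbols = parts
    bits = DICTIONARY_BITS
    caps = "".join(c for c in word if c.isalpha())
    # One capitalisation rule covers all-lower, all-upper and Capital-first;
    # genuinely mixed case costs roughly a bit per letter.
    bits += 1.0 if caps.islower() or caps.isupper() or caps.istitle() else len(caps)
    # A leetspeak variant is one more rule, not extra randomness.
    if word.lower() != word.lower().translate(LEET):
        bits += 1.0
    # A digit run is one of ~10 choices; random digits cost 10^n.
    if digits:
        bits += math.log2(10) if _is_run(digits) else len(digits) * math.log2(10)
    # Symbols drawn from the small favourite set.
    bits += len(symbols) * math.log2(len(COMMON_SYMBOLS))
    return bits


if __name__ == "__main__":
    # Constructed samples; Password1 is the Trustwave finding quoted above.
    for pw in ["Password1", "P@$$1234", "Summer2013!", "xk9Qw!zR"]:
        print(pw, round(naive_bits(pw), 1), structured_bits(pw), pattern_flags(pw))
```

For Password1 the class-counting estimate is about 54 bits, while the template estimate is about 21: a 100k-word list, one capitalisation rule and one trailing digit. That gap, not the character count, is what the Deloitte piece means by “less random, and therefore weaker”.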