Feeds

Net boffins plot password alternatives

CAPTCHAS, split slogans and authenticated tokens

Next gen security for virtualised datacentres

Computer scientists are looking to develop a more secure alternative to passwords for website sign-ons and other functions.

Most users have scores of online accounts and, human nature being human nature, often choose easy-to-remember passwords. Using the same password on multiple sites is also a common problem. Most sites are sensible enough to store passwords as hashes. But if these hashes are exposed via a website vulnerability, then the use of rainbow tables readily exposed passwords based on dictionary words. That's bad enough on its own but gets even worse if a user utilities the same password for social networking as he or she does on more sensitive profiles, such as webmail or e-banking accounts.

Security researchers have long known that consumers can't be trusted to maintain multiple secure password sign-ons. The recent HBGary hack, which partly took advantage of shared passwords, underlined that weak password security is also a problem in business.

A new paper by computer scientists at Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany proposes to fix the weak password problem, in a way that frustrates brute-force dictionary-based attacks but gets around the reluctance of people to choose secure but hard-to-remember passwords. The novel approach involves splitting the password into two parts, one remembered by a human and the second held by the site itself, as explained in a abstract for the paper (extract below).

The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective.

It's an interesting idea, but whether it is strong enough to withstand some modified brute force attack remains unclear.

Cambridge University computer scientists looking into the same well-worn security problem are advocating an even more radical idea: an end to passwords.

In a position paper, Pico: no more passwords (20-page PDF/433 KB), Frank Stajano of Cambridge University proposes a clean-slate design to "get rid of passwords everywhere, not just online". Instead of using passwords, logins should be secured using a token, a controversial idea in the wake of the highly-publicised RSA SecurID hack last month.

Stajano acknowledges as much, stating that he's mainly interested in getting a debate going. "Maybe your gut reaction to Pico will be 'it'll never work', but I believe we have a duty to come up with something more usable than passwords," he wrote on the Cambridge University's Light Blue Touchpaper blog. If nothing else, the paper neatly summarises why users are perfectly entitled to be fed up with passwords.

From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can't abandon them until we come up with an alternative method of user authentication that is both usable and secure.

The paper (20-page PDF/433 KB) was presented at the International Workshop on Security Protocols in Cambridge last week. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.