Net boffins plot password alternatives

CAPTCHAS, split slogans and authenticated tokens

The Essential Guide to IT Transformation

Computer scientists are looking to develop a more secure alternative to passwords for website sign-ons and other functions.

Most users have scores of online accounts and, human nature being human nature, often choose easy-to-remember passwords. Using the same password on multiple sites is also a common problem. Most sites are sensible enough to store passwords as hashes. But if these hashes are exposed via a website vulnerability, then the use of rainbow tables readily exposed passwords based on dictionary words. That's bad enough on its own but gets even worse if a user utilities the same password for social networking as he or she does on more sensitive profiles, such as webmail or e-banking accounts.

Security researchers have long known that consumers can't be trusted to maintain multiple secure password sign-ons. The recent HBGary hack, which partly took advantage of shared passwords, underlined that weak password security is also a problem in business.

A new paper by computer scientists at Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany proposes to fix the weak password problem, in a way that frustrates brute-force dictionary-based attacks but gets around the reluctance of people to choose secure but hard-to-remember passwords. The novel approach involves splitting the password into two parts, one remembered by a human and the second held by the site itself, as explained in a abstract for the paper (extract below).

The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective.

It's an interesting idea, but whether it is strong enough to withstand some modified brute force attack remains unclear.

Cambridge University computer scientists looking into the same well-worn security problem are advocating an even more radical idea: an end to passwords.

In a position paper, Pico: no more passwords (20-page PDF/433 KB), Frank Stajano of Cambridge University proposes a clean-slate design to "get rid of passwords everywhere, not just online". Instead of using passwords, logins should be secured using a token, a controversial idea in the wake of the highly-publicised RSA SecurID hack last month.

Stajano acknowledges as much, stating that he's mainly interested in getting a debate going. "Maybe your gut reaction to Pico will be 'it'll never work', but I believe we have a duty to come up with something more usable than passwords," he wrote on the Cambridge University's Light Blue Touchpaper blog. If nothing else, the paper neatly summarises why users are perfectly entitled to be fed up with passwords.

From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can't abandon them until we come up with an alternative method of user authentication that is both usable and secure.

The paper (20-page PDF/433 KB) was presented at the International Workshop on Security Protocols in Cambridge last week. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.