Feeds

Net boffins plot password alternatives

CAPTCHAS, split slogans and authenticated tokens

The Power of One eBook: Top reasons to choose HP BladeSystem

Computer scientists are looking to develop a more secure alternative to passwords for website sign-ons and other functions.

Most users have scores of online accounts and, human nature being human nature, often choose easy-to-remember passwords. Using the same password on multiple sites is also a common problem. Most sites are sensible enough to store passwords as hashes. But if these hashes are exposed via a website vulnerability, then the use of rainbow tables readily exposed passwords based on dictionary words. That's bad enough on its own but gets even worse if a user utilities the same password for social networking as he or she does on more sensitive profiles, such as webmail or e-banking accounts.

Security researchers have long known that consumers can't be trusted to maintain multiple secure password sign-ons. The recent HBGary hack, which partly took advantage of shared passwords, underlined that weak password security is also a problem in business.

A new paper by computer scientists at Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany proposes to fix the weak password problem, in a way that frustrates brute-force dictionary-based attacks but gets around the reluctance of people to choose secure but hard-to-remember passwords. The novel approach involves splitting the password into two parts, one remembered by a human and the second held by the site itself, as explained in a abstract for the paper (extract below).

The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective.

It's an interesting idea, but whether it is strong enough to withstand some modified brute force attack remains unclear.

Cambridge University computer scientists looking into the same well-worn security problem are advocating an even more radical idea: an end to passwords.

In a position paper, Pico: no more passwords (20-page PDF/433 KB), Frank Stajano of Cambridge University proposes a clean-slate design to "get rid of passwords everywhere, not just online". Instead of using passwords, logins should be secured using a token, a controversial idea in the wake of the highly-publicised RSA SecurID hack last month.

Stajano acknowledges as much, stating that he's mainly interested in getting a debate going. "Maybe your gut reaction to Pico will be 'it'll never work', but I believe we have a duty to come up with something more usable than passwords," he wrote on the Cambridge University's Light Blue Touchpaper blog. If nothing else, the paper neatly summarises why users are perfectly entitled to be fed up with passwords.

From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can't abandon them until we come up with an alternative method of user authentication that is both usable and secure.

The paper (20-page PDF/433 KB) was presented at the International Workshop on Security Protocols in Cambridge last week. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.