Robert Hensing's Blog

Software Security . . . and stuff.

The future of passwords?

Given what I do, I tend to be pretty interested in technologies that will allow me to do away with passwords altogether.  One area that's shown promise in the past is the use of graphical passwords (again, demonstrating that passwords are an antiquated term here since graphical passwords have nothing to do with 'words' at all).

Here's a fascinating article on some research done by some college kids on this topic: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1000783,00.html

What I found interesting was not the concept here, but the findings that even these schemes will be fairly easy to crack given knowledge of human nature. :)

p.s. I like how the 'story scheme' is not unlike a pass-phrase or a password composed of multiple words describing something. The researchers point out that it's better but increases the error rate as people 'forget the story'. :)

Comments
  • It just goes to show...passwords aren't the issue...it's how passwords are used that's the issue.

    I remember doing password cracking as part of vulnerability assessments 5 years ago, using L0phtcrack. In one case, we had a client w/ 3000+ users, and 85% of the SAM was cracked in 15 minutes. This was partially due to the fact that no requirements were put in place for strong passwords, but also due to the fact that when the helpdesk reset someone's password to "password", they didn't (or couldn't) force the user to change it when they first logged in...

    This is just a subset of the bigger issue w/ regards to infosec, and things like the Principle of Least Privilege and defense-in-depth...you can't say something's not working if it hasn't been employed correctly to begin with. Well...I take that back...you *can* say that, but it wouldn't be intellectually honest to do so...