"Passwords don't work as an authentication technology,"



Gremlinzzz
June 2nd, 2011, 02:25 PM
I was surprised to see this line in the story! Always thought a good password was all you needed. What are your thoughts on it?
"Passwords don't work as an authentication technology," said Mr Kaminsky.

"They are too flexible, too transferable and too easy to steal," he said. "However, we are stuck with them for now due to technical limitations and because users find them easy to use."
http://www.bbc.co.uk/news/technology-13626104
:D What I was thinking: we are limited to using the password. What, if anything, can replace it?

sydbat
June 2nd, 2011, 03:28 PM
Strong passwords are fine for traditional, brute force attacks. It's the social engineering that circumvents all security protocols.

Joe of loath
June 2nd, 2011, 03:30 PM
Well, fingerprints aren't hard to break (Mythbusters did it to a top of the range door lock just by licking a piece of paper and pressing it against the sensor).

No way I'm letting my PC scan my iris (because then my biometric data is available for the world to see if I lose my laptop), plus the fact that I have corneal scarring means that probably won't work. And then there's the camera needed...

Facial recognition is a joke, you can fool it with a piece of paper and some papercraft skills. Another interesting thing to note is that Microsoft's facial recognition doesn't work on black people.

So, passwords are still top. A password is as complex as you make it, people just using a single word (like most users), and Microsoft's password authentication joke (gimme 30 seconds with chntpw and any password on that machine is gone) is why they get such a bad rap for being easy to crack.

Gremlinzzz
June 2nd, 2011, 05:16 PM
For now, looks like we're stuck with the old password system.

CTIINC
June 2nd, 2011, 05:54 PM
A single layer of text-based password protection will never be strong enough security, even if the user chooses a really strong password. Many people unknowingly have keyloggers installed on their machines, or they are easily tricked into giving their passwords away on phishing sites. Additionally, cybercriminals can readily purchase advanced GPU processors online that make it easy to break even a "strong" password consisting of 7 random alphanumeric characters in just minutes: http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/. And how many people actually have passwords consisting of 7 or more entirely random letters, numbers and symbols? Not many.

Websites and online businesses need multiple layers of authentication and multi-factor authentication. Even that will never be 100% secure but it's much more secure than relying on a password alone.

disabledaccount
June 2nd, 2011, 06:15 PM
http://www.pcpro.co.uk/blogs/2011/06/01/how-a-cheap-graphics-card-could-crack-your-password-in-under-a-second/ :

"The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second."

Actually that's ********, or one may call it a theoretical/synthetic test. Most of the currently used authentication systems cannot be broken that way.

It's sufficient to put a limit on the allowed frequency of entering passwords and the speed of typing letters (typical anti-bot protection) - that's all - GPU power won't help, even after 100 years.
After the second or third faulty entry the system can be locked for e.g. 10 minutes or 24 hrs, depending on what data is protected.

Secondary: all passwords are transferred in encrypted form (I'm not talking about the terribly crappy PS3 network - they were begging for what they got) - so even the simplest password is extended to a very long sequence of numbers.
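
The lockout policy described in the post above (lock after the third bad entry for 10 minutes), as an added example that is not part of the thread or any poster's code. The class and function names and the user "alice" are hypothetical; the 3.3 billion guesses per second figure is the GPU rate quoted from the article.

```python
import time

GPU_RATE = 3.3e9  # guesses/second, the GPU figure quoted in the post above

class LoginThrottle:
    """Lock an account for lock_seconds after max_failures consecutive failures."""

    def __init__(self, max_failures=3, lock_seconds=600, clock=time.monotonic):
        self.max_failures, self.lock_seconds, self.clock = max_failures, lock_seconds, clock
        self._state = {}  # user -> (consecutive failures, locked_until)

    def attempt(self, user, password_ok):
        """password_ok is the caller's hash-comparison result; returns ok/denied/locked."""
        now = self.clock()
        failures, locked_until = self._state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"            # guess is discarded, even a correct one
        if locked_until:               # lock has expired: start a fresh window
            failures, locked_until = 0, 0.0
        if password_ok:
            self._state.pop(user, None)
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            locked_until = now + self.lock_seconds
        self._state[user] = (failures, locked_until)
        return "denied"

def online_seconds(keyspace, max_failures=3, lock_seconds=600):
    """Worst case to try every password through the login form: each lock
    window admits max_failures guesses (the guesses themselves cost no time)."""
    windows = -(-keyspace // max_failures)   # ceiling division
    return (windows - 1) * lock_seconds

def offline_seconds(keyspace, rate=GPU_RATE):
    """Worst case against a copy of the stored hash, where no throttle applies."""
    return keyspace / rate

def demo():
    now = [0.0]                                  # fake clock so the demo is instant
    t = LoginThrottle(clock=lambda: now[0])
    out = [t.attempt("alice", False) for _ in range(4)]
    out.append(t.attempt("alice", True))         # right password, still locked
    now[0] += 600
    out.append(t.attempt("alice", True))
    return out

if __name__ == "__main__":
    print(demo())
    keyspace = 62 ** 5                           # 5 chars of a-z, A-Z, 0-9, like "fjR8n"
    print(online_seconds(keyspace) / 31_557_600, "years online")
    print(offline_seconds(keyspace), "seconds offline")
```

The throttle only constrains guesses sent through the login interface; the quoted benchmark measures guessing against the NTLM hash itself, where no lockout is in the path.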

3Miro
June 2nd, 2011, 06:31 PM
Passwords are good enough if you understand what they are and how to use them. Most people falling for the phishing scams need education more than new technology.

Unfortunately, at the present time, passwords are the best we have. Some people mentioned biometrics, but those are the same as passwords: "a piece of information that is unique about you and you alone". If you can steal someone's password with phishing, they can do the exact same thing with retina or facial recognition.