Researchers look to simplify passwords
By Stewart Mitchell
Posted on 21 Jul 2010 at 13:50
Security researchers at Microsoft have proposed a novel approach to password policy that does away with hard-to-remember strings of mixed-case letters, numbers and symbols.
The scheme lets users choose relatively simple passwords, provided each password is not also chosen by too many other users on the same system, which blunts attacks that guess the most common passwords across many accounts rather than guessing at random.
“We have proposed replacing today's complex password policies with a simple one,” wrote Stuart Schechter and Cormac Herley in their Popularity is everything report. “We would allow any password the user desires, so long as it is not an attractive target for a statistical guessing attack.”
The recent trend in password protection has been towards longer, more complicated passwords designed to thwart “dictionary attacks”, in which attackers try millions of candidate passwords against each user account.
Complex password rules – such as “must contain at least 12 characters, a mixture of upper-case and lower-case letters, numbers and at least one symbol” – make it harder to guess a password with a dictionary attack.
However, IT managers still have to protect even these passwords by locking out accounts after, say, three failed login attempts, the researchers said, and the combination of complex rules and lockouts leads to high support costs.
According to the researchers, hackers have worked around the concept of increasingly complex passwords by turning the idea on its head.
Instead of trying hundreds of thousands of passwords against each account, attackers pick the handful of most commonly used passwords and try those against thousands of accounts, so that no single account sees enough failures to trigger a lockout.
The researchers’ scheme protects against such statistical guessing attacks by counting how many accounts have chosen any given password and, once that count reaches a fixed limit, refusing to let further users choose it.
“Replacing password creation rules with popularity limitations has the potential to increase both security and usability,” the report said.
“Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.”
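The popularity limit described above, as an added illustration that is not code from the paper, from Microsoft or from this article. The counter is kept in an HMAC-keyed count-min sketch; that data structure is an assumption here, since the article says only that passwords are counted. The simulation data is constructed: a Zipf-like preference over 50 made-up strings, and an attacker who gets the three guesses per account that the lockout threshold mentioned earlier would allow.

```python
"""Popularity-limited password acceptance (added example, not the paper's code).
Assumption not in the article: counts live in a count-min sketch keyed with HMAC,
so the stored table is not a plaintext list of what users chose."""
import hashlib
import hmac
import os
import random


class PopularityOracle:
    """Counts accounts per password and refuses a password once `limit` accounts
    already use it. A count-min sketch never under-counts, so hash collisions only
    make the oracle reject a little earlier (the conservative direction)."""

    def __init__(self, limit, width=1 << 16, depth=4, key=None):
        self.limit = limit
        self.width = width
        self.depth = depth
        # Secret key: someone who steals the table without it cannot probe it offline.
        self.key = key if key is not None else os.urandom(32)
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        # One HMAC-derived bucket per row; the row index salts each hash.
        for row in range(self.depth):
            digest = hmac.new(self.key, bytes([row]) + password.encode("utf-8"),
                              hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def count(self, password):
        """Upper bound on the number of accounts currently using `password`."""
        return min(self.table[row][col] for row, col in self._cells(password))

    def is_allowed(self, password):
        return self.count(password) < self.limit

    def register(self, password):
        """Record that an account adopted `password`; False if it is already full."""
        if not self.is_allowed(password):
            return False
        for row, col in self._cells(password):
            self.table[row][col] += 1
        return True


# Constructed, deliberately skewed "user preference" distribution: users favour the
# 50 strings below with Zipf-like weights 1/rank (rank 1 is the most popular).
COMMON = [f"common{rank:02d}" for rank in range(1, 51)]
WEIGHTS = [1.0 / rank for rank in range(1, 51)]


def simulate(users, limit, guesses_per_account=3, seed=1):
    """Fraction of accounts an online statistical-guessing attacker compromises
    with `guesses_per_account` tries per account (the lockout budget) when each
    password may be held by at most `limit` accounts (None = no cap)."""
    rng = random.Random(seed)
    cap = limit if limit is not None else users + 1
    oracle = PopularityOracle(cap, key=b"demo-key")  # fixed key only for repeatability
    chosen = []
    for uid in range(users):
        # A user tries a few favourites in turn; if all are full, picks something unique.
        for candidate in rng.choices(COMMON, WEIGHTS, k=5):
            if oracle.register(candidate):
                chosen.append(candidate)
                break
        else:
            unique = f"unique-{uid}-{rng.getrandbits(32):08x}"
            oracle.register(unique)
            chosen.append(unique)
    # The attacker knows the preference distribution and tries only its top guesses
    # against every account, never exceeding the lockout threshold on any one of them.
    attack = set(COMMON[:guesses_per_account])
    compromised = sum(1 for pw in chosen if pw in attack)
    return compromised / users


if __name__ == "__main__":
    print("no cap:  ", simulate(10000, None))
    print("cap = 10:", simulate(10000, 10))
```

With the cap, each of the attacker's guesses can match at most `limit` accounts, so three guesses per account compromise at most `3 * limit` accounts out of the whole population; without it, the same three guesses take roughly the top-three share of the preference distribution (around 40% in this constructed skew). Keeping the counts in a keyed sketch rather than a plaintext table matters because a plaintext popularity table is itself the dictionary the attacker wants; the key should be held separately from the table.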
Although a significant break from current thinking, the scheme only makes sense for systems with hundreds of thousands of users or more, such as Google, Facebook or Hotmail, where a small per-password cap is a tiny fraction of all accounts.
