Comments on Web Insecurity: Does expiring passwords really help security?
Comment feed by Terri Oda (http://www.blogger.com/profile/10462169521890966235), last updated 2020-06-20T06:49:48-04:00. Two comments, shown in chronological order.

Eivind (https://www.blogger.com/profile/07327083310096712235), 2010-10-12T02:51:33-04:00:

It's worse than that, actually. Passwords are, generally speaking, obsolete. The recommended way of handling passwords is something like the following:

Pick passwords that are fairly long, and a good mix of letters and other symbols. Use different, unrelated passwords for each purpose. Do not write the passwords down. Change the passwords regularly.

The problem with this is that human beings are unable to do that. I certainly have more than 100 accounts of various types. I am not able to remember 100 unrelated, complex passwords at all, and asking me to change them all regularly is COMPLETELY out of the question.

Instead, most people use the same password everywhere, and never change it. If you're lucky, they MAY have 2-3 passwords and, for example, use one of them for job-related and another for private stuff.

It's only getting worse too; machines never get slower. You'll need about one more bit of real entropy in the password for every year, just to maintain security. With passwords being non-random, this translates to adding one character to your password something like every 4 or 5 years.

Gr0w$hume- is probably an above-average password, but it's still a LONG way away from random. "grow" is an English word, and "hume" is an English-sounding word fragment.

If 8 characters, of a quality similar to the example above, provides reasonable security today (I actually question this, especially for offline attacks), are we going to insist on 9+ starting in 2015 and 10+ in 2019? Just how much of a hassle can you expect users to put up with -- WITHOUT choosing more banal passwords to compensate?

And for how long can you claim that the user is the problem, since they're not following advice, when that advice is in practice IMPOSSIBLE for human beings to follow?

2-factor is the way to go. Google got it right. My debit card with a 4-digit PIN offers good security, because you need the PIN AND the physical card, which is a -huge- help against many attacks.

Terri Oda (https://www.blogger.com/profile/10462169521890966235), 2010-10-12T12:59:34-04:00:

While I totally appreciate your enthusiasm on the subject, and hopefully some of my readers will appreciate your rundown of issues in password authentication... I should point out here that I do actually work for a <a href="http://ccsl.carleton.ca" rel="nofollow">research lab</a> which includes a number of people working on cutting-edge alternative authentication techniques, the effects of password interference, and other issues in authentication and usable security. My own 100ish students took part in the first long-term, large-scale study of graphical passwords in the PassPoints style, and I get to hear a lot of cutting-edge (often not-yet-published) research through work.

So what I'm getting at is that explaining issues with password authentication to <em>me</em> actually borders on insultingly patronizing.

Likely you just weren't aware, or maybe you were misled by the tone of this blog, since I use this blog as a place to describe research ideas for a wider audience. But yeah... you should skip the basic explanations and go right to "have you seen this new research?" in the future!

You might want to take a look at <a href="http://www.ccsl.carleton.ca/publications/" rel="nofollow">some of the publications</a> that our research group has done on the subject if you're looking for starting points for discussion -- I think you'll find them very interesting.
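As an added worked example (written for this page, not code from either commenter), here is the entropy arithmetic behind Eivind's "one more bit of real entropy per year" argument. It takes the comment's 2010 baseline of 8 characters and the one-bit-per-year growth rate as given, and adds two constructed assumptions that are not figures from the thread: a human-chosen character is worth about 4.5 effective bits (the midpoint implied by "one character every 4 or 5 years"), and an 8-character human-chosen password exactly met the requirement in 2010 (36 bits). Under those assumptions the code computes how long a given password stays adequate, how many characters a requirement will demand in a given year, and how far a mixed-charset password like `Gr0w$hume-` falls short of its random-equivalent upper bound. Exact years differ slightly from Eivind's rounding because the baseline has no safety margin built in.

```python
"""Entropy arithmetic behind the 'one more bit per year' argument.

Constructed example with labelled assumptions; it is not taken from the
comment thread except where a constant is marked "comment".
"""
import math

# Sizes of the printable-ASCII character classes (95 characters in total).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

BASE_YEAR = 2010              # comment: the year of the discussion
BASE_LENGTH = 8               # comment: "8 characters ... provides reasonable security today"
BITS_PER_YEAR = 1.0           # comment: "one more bit of real entropy ... every year"
HUMAN_BITS_PER_CHAR = 4.5     # constructed: midpoint of "one character every 4 or 5 years"
RANDOM_BITS_PER_CHAR = math.log2(LOWER + UPPER + DIGITS + SYMBOLS)  # ~6.57 bits for a uniform char

# Constructed baseline: an 8-character human-chosen password exactly meets the 2010 requirement.
TARGET_BITS_BASE_YEAR = BASE_LENGTH * HUMAN_BITS_PER_CHAR  # 36 bits


def charset_size(password: str) -> int:
    """Size of the union of printable-ASCII classes that appear in the password.

    This is the alphabet an attacker would have to assume if the password were
    uniformly random, so it gives an upper bound on its entropy."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def random_equivalent_bits(password: str) -> float:
    """Entropy the password would have if every character were chosen uniformly
    from its charset: length * log2(charset). Human-chosen strings have far less."""
    return len(password) * math.log2(charset_size(password))


def required_bits(year: int) -> float:
    """Requirement under the comment's model: baseline plus one bit per elapsed year."""
    return TARGET_BITS_BASE_YEAR + BITS_PER_YEAR * (year - BASE_YEAR)


def required_length(year: int, bits_per_char: float) -> int:
    """Shortest password meeting the requirement in `year`, at a given entropy per character."""
    return math.ceil(required_bits(year) / bits_per_char)


def years_per_extra_char(bits_per_char: float) -> float:
    """How many years one extra character buys when the requirement grows BITS_PER_YEAR."""
    return bits_per_char / BITS_PER_YEAR


def adequate_until(bits: float) -> int:
    """Last year in which a password with `bits` of entropy still meets the requirement."""
    return BASE_YEAR + math.floor((bits - TARGET_BITS_BASE_YEAR) / BITS_PER_YEAR)


if __name__ == "__main__":
    sample = "Gr0w$hume-"  # the example password from Eivind's comment
    human_estimate = len(sample) * HUMAN_BITS_PER_CHAR
    print(f"{sample}: charset {charset_size(sample)}, random-equivalent upper bound "
          f"{random_equivalent_bits(sample):.1f} bits, human estimate {human_estimate:.1f} bits")
    print(f"  adequate until {adequate_until(human_estimate)} (human estimate) vs "
          f"{adequate_until(random_equivalent_bits(sample))} (if it were random)")
    print(f"one extra human-chosen char buys {years_per_extra_char(HUMAN_BITS_PER_CHAR):.1f} years; "
          f"one extra random char buys {years_per_extra_char(RANDOM_BITS_PER_CHAR):.1f} years")
    for year in (2010, 2015, 2019, 2020, 2030):
        print(f"{year}: need {required_length(year, HUMAN_BITS_PER_CHAR):>2} human-chosen chars "
              f"or {required_length(year, RANDOM_BITS_PER_CHAR):>2} random chars")
```

The contrast the table makes visible is the one the comment is driving at: a uniformly random 8-character printable-ASCII password (about 52.6 bits) stays ahead of the one-bit-per-year curve until the mid-2020s, while a human-chosen one of the same length needs an extra character roughly every four to five years. A password manager or a second factor changes which column applies, rather than asking users to remember ever-longer strings.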