Good point, but be careful what you wish for <g>. When Laymen users start using sentences (aka passpharases) they pull from an active vocabulary of about 400 words. Constructing a grammatical dictionary attack seems quite feasible. It has been said before in one of the blogs (much more detailed and eloquent than my comment here - so credit to them), unfortunatly I don't recall where.

The tagline anyway is right: Passwords are broken.
:-) stw

> Constructing a grammatical dictionary attack seems quite feasible

I don't agree that this is feasible at all, for a phrase of more than trivial length (eg, 5+ words).

However bad the phrase will be, it can't be as bad as the same user picking a single word password, even with forced restrictions on things like word length and having a number/character in it.

Passwords are a fundamentally bad choice for security. I mean, what were they originally invented for, back in the mists of time? A few selected men spying on Caesar's enemies, or fetching gold bars from the safe, or something like that.

Now we expect every Joe and Mary to remember 26 different passwords for their completely mundane computer work? That's just ridiculous. Of course this won't work, how could it ever? Typical example of taking the first and simplest solution that fits the computer, no matter how badly it fits the users.

We need to get away from this ancient, cumbersome, unsafe "technology" and move on to something sensible like biometrics, or at least a unified computerized security token. Microsoft Passport wasn't a bad idea, really -- if only it hadn't been made by Microsoft (so everyone opposed it)!

> move on to something sensible like biometrics

Biometrics is only slightly more secure than a password:

<a href="http://www.dansdata.com/uareu.htm">http://www.dansdata.com/uareu.htm</a>

Scroll down or find to..

"The UareU scanner is optical and probably wouldn't know the difference, but I nonetheless decided to see if I could fool it with a gummi finger."

"Ugly and bubble-y the jelly thumb was, but the UareU scanner loved it. It thought the jelly finger was a real one more than 50% of the time. And since you can attempt recognition about once a second, that means it'd be trivially easy to log in with a thing like this, even with people watching. Trim the jelly so it fits over the end of your real finger, and some very rudimentary prestidigitation will keep your fakery from the attention of onlookers."

"Earlier this year, German tech mag c't tested nine fingerprint scanners (six capacitive, two optical and one thermal), plus Panasonic's Authenticam iris scanner, and Cognitec Systems' FaceVACS-Logon face recognition system. All of the widgets tested were current models, and all came with impressive marketing claims.

And all of them, in layman's terms, sucked, if used as the only source of identification."

We need to switch to a physical key device that can't be easily duplicated. I should be able to put my "key" into the "lock" on my computer and "open" it. Pretty much just a USB-looking device with a long security key burnt into it should do. The biggest issue is with people losing keys. But this can be taken care of by having layers of administration. This would work best for enterprises.

Something like, say.. this?

http://www.hanselman.com/blog/Coding4FunSomeAssemblyRequiredUSBWirelessPCLock.aspx

http://froogle.google.com/froogle?q=%22USB+PC+Lock%22&scoring=p

Close. Something more like a built in RFID reader and cheap RFID password cards. The computer manufacturer would send you a stack of them when you buy the computer or you can go buy a stack of 10 at Best Buy for about $5. You simply swipe/pass the card through/near the computer and you are in. You would keep your administrator card hidden somewhere in your house and use your card for the limited user login on a regular basis. The cards would also have the password number (say... 30+ random characters) printed on it so that it can be hand entered if the card goes bad.

It's all very easy to imagine and what you have posted is very similar in concept. It just needs wider acceptance and needs to be much cheaper.

In the military they use their CAC card in a smart card reader. Since the CAC (Common Access Card) card is also your id, you're less likely to lose it. Then again, most enterprises don't check your id 4 or 5 times before you get to sit down and use your computer to log in, so it's unclear to me if this is the real solution we're looking for.

There is no excuse to not at least allow pass-phrases. The password text box on a form should be set to the maximum length. Then of course since you're not storing the password in plain text, you create a hash from your encryption algorithm of choice. This will create a fixed length digest of the password which will not create any length issues in the database you are storing this possibly very long pass-phrase.

Now the next point you make is a very good one. User education of the security benefits of pass-phrases would be the only other thing needed in your application.

As for biometric verification, I think if this ever became a commonly used verification technique, it would actually end up being LESS secure than passwords. I think at the moment, the only commercially viable biometric verification is fingerprint scanning. Now think about how you would leave the equivalent of a post-it note with your password on it with every object you touch throughout the day. If the use was ever widespread, the materials you would need to lift fingerprints would probably become widely available, thus allowing anyone to use your prints for accessing your sensitive information just by taking your coffee cup out of the trash.

3-dimensional facial biometrics...

link:
http://www.tgdaily.com/content/view/33676/113/

I wish more people read this.
Even the web access at my bank account doesn't allow for more than 8 chars !
And if you look, most services on the web take 6 or 7 chars.
(Withoput event considering encryption...)
What are we supposed to do with that ?

@Chris Nahr:

OpenId.

The nice thing about single keys is that one only needs to steal the single key to gain access to everything.

The nice thing about it being a hardware key is that it's a lot easier to steal.

The nice thing about a biometric key is that once it's stolen, you can never change it.

Not to mention the question of how you'd want to link verification at your personal workstation to verification online without security, secrecy and privacy risks.

Old and primitive as the text password may be, atleast it's hidden inside your head. It eliminates the avenue of "hacking" the key at the source.

Biometrics is actually a very, very bad idea.

The way to steal a biometric-locked Mercedes is to steal the owner's thumb:

http://www.theregister.com/2005/04/04/fingerprint_merc_chop/

The Great Debates: Pass Phrases vs. Passwords

Part 1 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx

Part 2 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx

Part 3 of 3
http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

Tim Cinel:

OpenID is great for centralized authentication to things like MySpace and Facebook, but it was never meant as a high-security auth-scheme for banks. For this, two-factor authentication is required. Banks just *think* what they are implementing today is two-factor, when it is really multiple single-factor (e.g. Bank of America's SiteKey crap). And, it certainly doesn't do anything to squash phishing.

Martijn:

Single Keys - Hopefully, when a hardware key is used, it is used in conjunction with something you know (2-factor auth). So, if it is stolen, who cares. A better solution is the key FOBs that generate a number that has to be entered in conjunction with your password. PayPal and eBay are doing this today for cheap ($5 for a FOB).

Biometrics - Not true. Biometric keys are stored as hashes and I believe they are different each time they are generated. So, if it was stolen somehow, you'd just need to re-generate the key. Otherwise, this form of identity verification would have been thrown away a long time ago. Again, multi-factor auth solves this problem as you'd use biometrics (something you are) with a password (something you know).

Passwords in head - Um.. passwords are not just in your head. They are stored somewhere electronically which is why brute forcing exists. Said hacker gains access to a system somehow, steals the password database, uses tools to hack it. Actually, if a person has elevated access in a company and decides to turn evil, it's easier than you think.

http://en.wikipedia.org/wiki/Authentication_factor

I use password generator that creates 32-character passwords... and they don't work most of the time! Web apps tend to have stupid limits like 16, 18 or 24 characters and of course those MySQL-based won't complain (and it's really scary to see how many websites don't hash passwords).

When you're hashing passwords, there really isn't a limitation on password length, because it is stored in the database as 32 (or 40, for SHA1) characters anyways. That way, your "password" can be up to several thousand characters with no sweat.

What about patterns on the keyboard? Seems like you just need a mnemonic to remember it and the result is very random since it's very large - larger at least than the English vocabulary.

For instance, I start my banking pswd with the name of the company's first letter then go from there. If I use a geometric pattern from that starting point (even linked to their logo :), then the issue becomes simply remembering the initial cue (the shape) rather than a long string past short-term memory limits (+/- 7).

The problem isn't one of computation. It's human memory. You have to solve it with memory chunking features.

Good idea, but the name pass phrase is already taken. That is the "password" for your ssh key, since the ssh key itself is the real password. The pass phrase just unlocks the password.

Just use a USB key with a bunch of randomly generated passwords. Back it up on a hard drive at home or two, and you're good to go. Works well with firefox portable.

For the web, I use SuperGenPass. It's a bookmarklet that generates a hash from the current domain+secret. Just click on the bookmarklet, enter your master password and never forget the "once visited" website's password. http://labs.zarate.org/passwd_new/

Another interesting identification way are visual passwords like asking the user to draw a symbol. This domain is still new and needs more investigation. I didn't find any implementation yet.

My friend gave me a neat approach to passwords. In setting up a web server for me, he used the first letter of each word in part of a song we wrote together. (I guarantee you've never heard it.)

Maybe you don't know a song nobody else does, but you could pick some of your favorite song lyrics and get something like "ehmhibaiaithog" ("every house must have its builder, and I awoke in the house of God"). I imagine that would be pretty hard to guess, but still fairly easy to remember.

I am a proponent of long passwords but only recently. Most applications will not allow it in my experience - so you are exactly right.

For reference I checked my "Writing Secure Code" 2nd edition; Howard & Lipner and note that "Versions of Windows prior to Windows 2000 allowed 14-character passwords. Windows 2000 and later supports passwords up to 256 characters long".

So from a Windows world, one can guess where the habit of short passwords came from.

ss

@dude

RFID is broken :P

Google it. It's a radio signal. Easy to pickup and duplicate :P

How many websites have you seen that only support letters and numbers for passwords? Too many in my book.

My password for everything is "orange" :O

What are your thoughts on this: http://www.safelogin.com

I've recently come across it and it looks promising.