Saturday, May 20, 2017

Sources - What are the Facts?

Here I will provide a summary of my sources so far and explain how they are relevant to my research topic.

Of Passwords and People: Measuring the Effect of Password-Composition Policies

Major points:

  • A 16-character minimum with no other composition requirements gave the test users' passwords the best combination of entropy and usability.
  • Dictionary checks almost completely frustrate heuristics-based attacks, but they also make the password creation process harder for users.
  • Users who write down or store their passwords tend to have stronger passwords.
  • Users typically create passwords that exceed the minimum password requirements.
  • Adding numbers to passwords can greatly increase entropy.


Major Points:
  • Passphrases tend to be much more secure compared to normal passwords, and are only marginally more difficult to memorize.
  • Random passwords can be strong if long enough but are extremely hard to memorize.


Hello, 14 million password list
Major Points:
  • A subset of users tend to pick passwords from a very small pool (such as Passw0rd1); these can technically be strong, but their overuse makes them weak.
  • Disclosed passwords have a tremendous impact on password cracking capabilities, and the larger the list, the bigger the impact.
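The two policy levers the notes above keep returning to, a minimum length with no other composition rules and a dictionary check against a disclosed-password list, can be put side by side in a small checker. This is an added example, not code from any of the sources; the blocklist and the leetspeak map are constructed placeholders, and the entropy figure is the naive composition-based estimate, not the measured entropy the papers report.

```python
import math
import re

# Constructed stand-in for a disclosed-password list (a real deployment would
# load a large leak such as the 14-million-entry list mentioned above).
DISCLOSED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Substitutions that cracking rule sets undo before a dictionary match.
LEET_MAP = str.maketrans("01345$@", "oieassa")


def normalize(pw: str) -> str:
    """Lower-case, drop a trailing digit/symbol run, undo leetspeak.

    'Passw0rd1' and 'P@ssw0rd!' both collapse to 'password', which is why a
    dictionary check should compare the normalized form, not the raw string.
    """
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def entropy_bits(pw: str) -> float:
    """Naive estimate: log2(character pool size) per character."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def evaluate(pw: str, min_length: int = 16, blocklist=DISCLOSED_PASSWORDS) -> dict:
    """Apply a length-only policy plus a normalized dictionary check."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if normalize(pw) in blocklist:
        problems.append("matches a disclosed password after normalization")
    return {"bits": round(entropy_bits(pw), 1), "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for candidate in ("Passw0rd1", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

Passw0rd1 scores more naive bits than plain "password" yet is rejected by the dictionary check, which is exactly the "technically strong but overused" case described above.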


Major Points:
  • Some password managers have serious vulnerabilities
  • Password auto-fill can be hijacked to steal all passwords
  • Password managers are responding to these problems


Major Points:
  • While GPU hash cracking is already extremely powerful, smaller cheaper microprocessors can be utilized for incredible performance/energy gains.
  • Bcrypt will need to be replaced as these custom hashing machines get cheaper and faster.

As you can gather from the above sources, there are some serious problems with password authentication today. I believe that passwords are here to stay: there are too many circumstances where they are the best option for me to seriously consider an alternative, even some forms of multi-factor authentication (MFA). Especially in cases where anonymity needs to be maintained, the traditional MFA factors such as phone confirmation, biometrics, heuristics, and more have the unfortunate side effect of creating connections between that authentication and your person. Another problem is that while password thefts are common and unfortunate, passwords are easy to replace, whereas theft of MFA properties will be much harder to resolve because they can be tied to your physical person and/or how you act.

Hence, I think password authentication is here to stay and we must come to terms with the challenges it presents.
