Computer scientists are looking for a safe alternative to passwords for registering on sites and for other authentication tasks.
Most users have dozens of online accounts and, human nature being what it is, many of them choose easy-to-remember passwords. Using the same password on several sites is also widespread. Most sites are careful enough to store passwords as hashes rather than in the clear. But if those hashes are leaked through a vulnerability in the site, rainbow tables can in many cases be used to recover the passwords, especially when the hashes are unsalted. That is dangerous in itself, and it becomes worse when a person uses the same password on a social networking site as on more important services, such as a mail server or internet banking.
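The attack path sketched above can be shown in a few lines. The following is an added example, not code from the article or from any project it mentions: a precomputed hash-to-password table stands in for a rainbow table (the real thing is a time/memory trade-off over the same idea), and a per-user salt plus a slow key derivation function shows the countermeasure. The wordlist, the user names and the two "leaked" databases are constructed for the example; the storage format `algo$iterations$salt$hash` is an assumption, not any particular site's scheme.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the input to a precomputation attack.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome1"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one deterministic SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; the same table works against every
    site that stores unsalted hashes, which is what makes rainbow tables pay off."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(leaked, table):
    """Map each user in a leaked {user: hash} dump to the recovered password,
    or None when the password is not in the precomputed table."""
    return {user: table.get(digest) for user, digest in leaked.items()}


def linked_reuse(dump_a, dump_b):
    """Users whose unsalted hash is identical in two leaks reused the password
    across both sites. This is visible even before any hash is cracked."""
    return sorted(u for u in dump_a if u in dump_b and dump_a[u] == dump_b[u])


def salted_hash(password: str, salt=None, iterations: int = 100_000) -> str:
    """The stronger scheme: a random per-user salt plus a slow KDF
    (PBKDF2-HMAC-SHA256). The salt makes precomputed tables useless and the
    iteration count makes each online or offline guess expensive.
    Record format (assumed for this example): algo$iterations$salt_hex$dk_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed "leaked" databases from two unrelated sites, unsalted SHA-1.
    social_site = {
        "alice": unsalted_hash("123456"),
        "bob": unsalted_hash("Tr0ub4dor&3-x9!"),
        "carol": unsalted_hash("qwerty"),
    }
    bank_site = {
        "alice": unsalted_hash("123456"),
        "bob": unsalted_hash("a different passphrase"),
    }
    table = build_lookup_table(COMMON_PASSWORDS)
    print("cracked from the social site:", crack_unsalted(social_site, table))
    print("reused the same password at the bank:", linked_reuse(social_site, bank_site))

    stored = salted_hash("123456")
    print("salted record:", stored)
    print("precomputed table hits the salted record?", stored in table)
    print("verify correct:", verify_salted("123456", stored),
          "verify wrong:", verify_salted("wrong", stored))
```

Two things are worth noting when running it: alice and carol fall to the table immediately while bob's password does not, and alice is flagged as reusing her password at the bank purely from equal hashes, before anyone cracks anything. The salted record for the very same password "123456" never matches the table and is different on every run, so an attacker holding the bank's database must spend the full PBKDF2 cost per user per guess.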
Security researchers have long known that users cannot be trusted to maintain security when they use passwords on multiple sites. The recent attack on HBGary, in which reused passwords were exploited, showed that weak password practice is a problem for companies as well.
Scientists from the Max Planck Institute in Dresden, Germany, have proposed fixing the problem of weak passwords not by fending off full brute-force attacks, but by overcoming people's reluctance to choose secure but hard-to-remember passwords. The new approach splits the password into two parts, one remembered by the user and the other stored on the site, as explained in the excerpt from the paper below.
The main idea of our method is to divide a long and secure password into two components. The first component is stored by the user. The second component is transformed into a CAPTCHA and then protected with an advanced two-dimensional dynamical system, similar to a phase transition; in such a situation, exhaustive search becomes inefficient.
It is an interesting idea, but it is not yet known whether the method holds up against certain attacks based on exhaustive search.
Computer scientists from Cambridge University, working on this perennial security problem, offer an even more radical idea: do away with passwords altogether.
Pico: no more passwords. Frank Stajano of the University of Cambridge proposes to get rid of passwords altogether, and not only online. Instead of passwords, logins would require the user to present a token. The idea is questionable in light of last month's widely reported breach of RSA, which jeopardized its SecurID tokens.
Stajano takes this into account and says that he is more interested in an open debate. "Perhaps your immediate reaction to Pico will be: 'This will never work', but I believe we must come up with something more acceptable than passwords," he wrote in a post on the Cambridge University blog Light Blue Touchpaper. At the very least, the paper clearly summarizes why users are tired of passwords.
In terms of usability, passwords and PIN codes are at the end of their life. Even though they are convenient to deploy, they are becoming increasingly difficult for users to manage. The demands placed on users (complex passwords, all of them different) are no longer reasonable when each person has to deal with dozens of passwords. Nevertheless, we cannot get rid of them until we create a suitable and secure alternative method for authenticating users.
The paper was presented last week at the International Workshop on Security Protocols in Cambridge.