

Passwords are DEAD! (Long live passwords?)

Abstract
In the modern world there are several viable alternatives to passwords for authenticating to computer systems that perform important functions or hold sensitive data. Passwords are nonetheless ubiquitous, and removing them from every proprietary operating system would be a slow, costly process. Used appropriately, passwords provide a low-risk, cost-effective and familiar interface for authenticating to systems of low functional importance or that hold no sensitive data. The strength of a password scheme, or of an alternative authentication system, should be proportional to the value or importance of the system it protects. Passwords have algebraic, implementation and human-behavioral properties that, for low-value systems, are risks requiring mitigation through policies and technical controls; for high-value systems those same properties are critical flaws that no longer have strong mitigations, which renders passwords unsuitable for such use today. Following a brief history and definition of passwords, this paper shows three properties of passwords that make them risky or unsuitable for use. Suggestions for mitigating the risk arising from these properties are covered briefly. Current attacks on passwords, illustrated by a simple experiment, and future trends in computing that will make password use obsolete are highlighted. A risk analysis as applied to authentication is briefly sketched out, and pointers are given to alternative forms of authentication.