Net boffins plot password alternatives

Computer scientists are looking to develop a more secure alternative to passwords for website sign-ons and other functions.

Most users have scores of online accounts and, human nature being human nature, often choose easy-to-remember passwords. Using the same password on multiple sites is also a common problem. Most sites are sensible enough to store passwords as hashes. But if these hashes are exposed via a website vulnerability, then the use of rainbow tables readily exposed passwords based on dictionary words. That's bad enough on its own but gets even worse if a user utilities the same password for social networking as he or she does on more sensitive profiles, such as webmail or e-banking accounts.

Security researchers have long known that consumers can't be trusted to maintain multiple secure password sign-ons. The recent HBGary hack, which partly took advantage of shared passwords, underlined that weak password security is also a problem in business.

A new paper by computer scientists at Max-Planck-Institute for Physics of Complex Systems in Dresden, Germany proposes to fix the weak password problem, in a way that frustrates brute-force dictionary-based attacks but gets around the reluctance of people to choose secure but hard-to-remember passwords. The novel approach involves splitting the password into two parts, one remembered by a human and the second held by the site itself, as explained in a abstract for the paper (extract below).

The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective.

It's an interesting idea, but whether it is strong enough to withstand some modified brute force attack remains unclear.

Cambridge University computer scientists looking into the same well-worn security problem are advocating an even more radical idea: an end to passwords.

In a position paper, Pico: no more passwords (20-page PDF/433 KB), Frank Stajano of Cambridge University proposes a clean-slate design to "get rid of passwords everywhere, not just online". Instead of using passwords, logins should be secured using a token, a controversial idea in the wake of the highly-publicised RSA SecurID hack last month.

Stajano acknowledges as much, stating that he's mainly interested in getting a debate going. "Maybe your gut reaction to Pico will be 'it'll never work', but I believe we have a duty to come up with something more usable than passwords," he wrote on the Cambridge University's Light Blue Touchpaper blog. If nothing else, the paper neatly summarises why users are perfectly entitled to be fed up with passwords.

From a usability viewpoint, passwords and PINs have reached the end of their useful life. Even though they are convenient for implementers, for users they are increasingly unmanageable. The demands placed on users (passwords that are unguessable, all different and never written down) are no longer reasonable now that each person has to manage dozens of passwords. Yet we can't abandon them until we come up with an alternative method of user authentication that is both usable and secure.

The paper (20-page PDF/433 KB) was presented at the International Workshop on Security Protocols in Cambridge last week. ®