
Wednesday, April 14, 2010

When will we see the end of the Password era?

I know, I know. Passwords are the simplest means of securing an application. A password is the simplest piece of knowledge a subject (user) can carry, compared with the smart cards, certificates, fingerprints, retina scans or whatever other stronger forms of authentication the world may want.

With the processing power of cheap, low-cost computers increasing every year, cracking passwords will only get easier.

So what is the solution?
* Make passwords as strong as possible? Then how will I remember all of them? I will just write them down in my notebook.
* Force the user to change passwords often, and disallow reuse of the last 10-20 passwords? OK, back to the notebook to keep track of all the accounts and their passwords.

Given the complexity required of passwords and the number of accounts an individual manages in this socially connected, increasingly online world, I would say that the user will probably (wait, will definitely) use the same password for multiple accounts.

So what happens when the Apache infrastructure gets compromised and the attacker steals all the passwords? I will have to refer to my notebook to see what my Apache password was and which other accounts use the same password. I will then do the due diligence of changing those passwords and feed the new ones back into the notebook. Let's save paper: we will just keep the password information in a simple file on my laptop.

I am sorry, I do not have any such notebook. But my brain is operating at its limit right now, trying to remember all the accounts and their shared passwords.

What are the solutions?

1 comment:

Javid said...

Create a base password and an algorithm for altering that password based on the URL (or machine name) which you're accessing.

Example:
Base password - s3cret
Algorithm - add first and second letter of domain to end of password
Domain - facebook.com
Password for Facebook - s3cretfa

Of course the algorithm and base password should be stronger, but that's a solid way to use different passwords on almost every site and still make sure they're strong.
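The rule in the comment above, as runnable code. This is an added example, not code from the post or from the commenter: it implements the stated rule (base password plus the first two letters of the domain), shows that a single leaked site password hands the base password back to anyone who guesses the rule, and, as a keyed generalization that the comment does not propose, derives per-site passwords with HMAC-SHA256 so that one leak reveals nothing about the others and a counter lets one site's password be rotated without changing the base. The base password, the site list, the counter and the URL-safe base64 output encoding are assumptions of the example.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs; the base password and facebook.com come from the comment.
BASE_PASSWORD = "s3cret"
SITES = ["facebook.com", "twitter.com", "apache.org"]


def derive_javid(base: str, domain: str) -> str:
    """The rule from the comment: base password + first two letters of the domain."""
    return base + domain[:2]


def recover_base(site_password: str, domain: str) -> Optional[str]:
    """Weakness of an unkeyed rule: one leaked site password plus a guess at the
    rule yields the base password, and with it every other site's password."""
    suffix = domain[:2]
    if site_password.endswith(suffix):
        return site_password[: -len(suffix)]
    return None


def derive_hmac(base: str, domain: str, counter: int = 0, length: int = 16) -> str:
    """Keyed alternative (an assumption of this example, not the comment's scheme):
    HMAC-SHA256 keyed with the base password over "domain\\ncounter".
    - A leaked output does not reveal the base or any other site's password.
    - Bumping `counter` rotates one site's password while the base stays put.
    The domain is lower-cased so Facebook.com and facebook.com agree.
    Output is URL-safe base64 (letters, digits, '-' and '_') cut to `length` chars."""
    message = f"{domain.lower()}\n{counter}".encode()
    digest = hmac.new(base.encode(), message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()[:length]


def password_table(base: str, sites: List[str]) -> Dict[str, Tuple[str, str]]:
    """Both derivations side by side, keyed by site."""
    return {site: (derive_javid(base, site), derive_hmac(base, site)) for site in sites}


if __name__ == "__main__":
    for site, (rule_pw, keyed_pw) in password_table(BASE_PASSWORD, SITES).items():
        print(f"{site:14} rule: {rule_pw:10} hmac: {keyed_pw}")
    # A single leak of the rule-based password gives the base back.
    leaked = derive_javid(BASE_PASSWORD, "facebook.com")
    print("base recovered from one leak:", recover_base(leaked, "facebook.com"))
```

Even the keyed form keeps the base password as a single secret that is never rotated and cannot satisfy a site that rejects the generated characters or length; a password manager holding independent random passwords per site avoids both problems, at the cost of the notebook the post is trying to escape.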