Passwords are dead.
Adrianus Warmenhoven
CCISO, Security Advisory Board for NordVPN, Advisory Board Threat Intelligence Lab
Full disclaimer: this is just a preliminary article to get a bit of a feel for the LinkedIn Blog Platform. Somewhere in 2015 I will make a more concerted effort.
A lot of internet security revolves around passwords. Of late we see more and more of these being compromised in various manners.
So let me give a few reasons (by no means an exhaustive list) why I think passwords are dead and the concept of username/password should be retired asap.
- The username/password paradigm introduces an uncontrollable factor in the authentication cycle: the user. It mandates the user to remember or store the combination of username/password, and because of the myriad of services now available this almost invariably boils down to either the same username/password combo everywhere (crack one old, disheveled, abandoned webstore and you may have the login for social media or banking) or storage in an often insecure way (spreadsheets...).
- The previous point (and the fact that it must be processed by humans) also makes for a limitation in entropy; most passwords are in the 8 to 16 character range, and the fact that it is characters limits the passwords again. I once made the calculations for brute force cracking using custom made boards (hashing is not the same as encrypting...) and came to a neat 8 seconds average for 12 character passwords. Just brute force, no rainbow tables, statistical distributions or anything.
- Most password systems send something over the wire that can be calculated back to its original value (this is not a password paradigm flaw but rather that implementing passwords badly is ridiculously easier, and cheaper, and faster, than implementing a good scheme). Just listen to all the traffic on public WiFi and you are bound to get some passwords. Combine this with the first point and well, you get the idea.
- Passwords are easy to transfer. If I give you my login/password combo then for all intents and purposes, to the system, you are me. This seems like a major glaring problem with something we call 'authentication'. I would personally just call it 'access', because a username/password combo tells me nothing about the person accessing the data.
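The "good scheme" versus "bad scheme" contrast in the list above is mostly a matter of what the server keeps and how it compares. The following is an added example, not code from the original post or from NordVPN: it places a credential store that keeps the raw password next to one that keeps a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest, so that a stolen table cannot be calculated back to the passwords and the same password reused on two accounts still yields two different records. The iteration count, the user names and the passwords are constructed values for the demonstration.

```python
import hashlib
import hmac
import os

# Assumption: a work factor in the range recommended for PBKDF2-HMAC-SHA256
# on current hardware; tune it so one verification costs a noticeable
# fraction of a second on the server.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_register(db, username, password):
    """Weak scheme: the table holds the password itself."""
    db[username] = password


def weak_login(db, username, password):
    """Weak scheme: whoever reads the table already has every credential."""
    return db.get(username) == password


def _derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hardened_register(db, username, password):
    """Hardened scheme: fresh random salt per user, slow keyed digest stored."""
    salt = os.urandom(SALT_BYTES)
    db[username] = {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "digest": _derive(password, salt, PBKDF2_ITERATIONS),
    }


def hardened_login(db, username, password):
    """Recompute the digest from the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so response time does
        # not reveal which user names exist.
        _derive(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    candidate = _derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def demo():
    """Constructed scenario: one user, one reused password, both schemes."""
    weak_db, hard_db = {}, {}
    weak_register(weak_db, "alice", "correct horse")
    hardened_register(hard_db, "alice", "correct horse")
    hardened_register(hard_db, "bob", "correct horse")  # same password, reused
    return {
        # A dump of the weak table is a list of passwords.
        "weak_table_reveals_password": weak_db["alice"] == "correct horse",
        # A dump of the hardened table contains no password.
        "hard_table_reveals_password": "correct horse" in repr(hard_db["alice"]),
        # Salting keeps reused passwords from producing identical records.
        "reused_password_same_digest": hard_db["alice"]["digest"] == hard_db["bob"]["digest"],
        "weak_login_ok": weak_login(weak_db, "alice", "correct horse"),
        "hard_login_ok": hardened_login(hard_db, "alice", "correct horse"),
        "hard_login_wrong_password": hardened_login(hard_db, "alice", "wrong"),
        "hard_login_unknown_user": hardened_login(hard_db, "carol", "correct horse"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened variant protects the stored table, not the wire: the password still crosses the network on every login, so it must travel inside TLS. Hashing it on the client before sending does not help, because the hash then simply becomes the credential that is replayed.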
And I could go on for a good few points more, but you get the idea I guess.
Since this is just a trial run on LinkedIn, I am not going all out with references, possible mitigation etc. That will be for a later time.
Operations manager, Youz Twente (IMH, Kind en Jeugd, i-psy en 18+), 10 years ago:
Are we 'somewhere in 2015' yet?

Global I-Banker, 10 years ago:
Good start - what is next?

Director of primary education, 10 years ago:
Nothing new so far. What's your solution?