[aklug] Biggest weakness of passwords

From: Christopher Howard <choward@indicium.us>
Date: Fri Jun 05 2009 - 11:20:38 AKDT

The biggest problem I have with password-based authentication (which, of
course, I use all the time) is that I must physically type in the
password each time I need to authenticate.

That makes me nervous because then it is possible for anyone within
visual range, who has a good memory, to simply memorize the characters
of my password as I type them out on the keyboard. Or even attackers
(crackers, government agents, alien spies from Mars, whatever) with poor
memory could get the password if they could simply get a recording of me
typing it, say with a cellphone camera or a surveillance tape.

I was wondering if anyone had any thoughts about this issue. Obviously
there are solutions like biometrics, which use physical characteristics
of a person. The downside of biometrics, from what I understand, is that
they are more difficult to implement (hardware-wise), not always
accurate, and vulnerable to being fooled; furthermore, once compromised
they cannot easily be changed (e.g., if someone learns how to fake your
fingerprint, you're not going to want to change your fingerprint).

There are layered solutions, like using a password with a server-synced
security card. However, this does not fundamentally solve the password
problem, but simply says "I am going to lower my chances of being
successfully attacked by making it necessary for the attacker to figure
out my password and steal my security card."

One approach I had considered was a system where, instead of actually
typing your password, the login screen presents you with a 30 line
paragraph of random text. Then, in your mind, you use a 45-step
algorithm, with your password as the key, and generate a 30 line
signature paragraph which you type into the login prompt. The login
program checks that the signature is valid and then lets you gain access.

The advantage of this system is that you never have to type in the
actual password. The disadvantage of it is that it is practically
impossible for the average human being to use it.

--
Christopher Howard
http://indicium.us
http://theologia.indicium.us

I digitally sign /all/ of my e-mails via PGP. If you receive any e-mail
from me without my valid PGP signature, please take additional steps to
verify the authenticity of the message.
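The challenge-response scheme sketched in the post (random paragraph from the login screen, keyed algorithm applied in the user's head, signature typed back), as an added example that is not part of the original message: the server issues a random challenge, the client answers with a keyed MAC over it, and the keystrokes an observer records are worthless against the next challenge because the password itself is never typed. The password, salt and function names are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example of a challenge-response login. The only thing the
# user ever types is the per-login response, never the password.

def derive_key(password: str, salt: bytes) -> bytes:
    """Turn the memorised password into a fixed-length key (salted, slow hash).
    Caveat: the server must store this key in usable form so it can recompute
    responses, so a server compromise still exposes it. A plain hash of the
    password would not allow the server to verify a challenge response."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_challenge() -> bytes:
    """Server side: the 'random paragraph' shown at the login prompt."""
    return secrets.token_bytes(32)

def sign_challenge(key: bytes, challenge: bytes) -> str:
    """Client side: the keyed 'algorithm' applied to the challenge.
    HMAC stands in for the post's 45-step mental procedure."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()

def verify(key: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(sign_challenge(key, challenge), response)

def shoulder_surf_scenario() -> dict:
    """Walk through one legitimate login and one replay attempt by an observer
    who recorded the typed response (the threat described in the post)."""
    salt = b"constructed-per-user-salt"
    key = derive_key("correct horse battery", salt)   # constructed password

    # Login 1: the user answers challenge c1; an observer records r1.
    c1 = new_challenge()
    r1 = sign_challenge(key, c1)
    first_login_ok = verify(key, c1, r1)

    # Login 2: fresh challenge c2; the observer types the recorded r1.
    c2 = new_challenge()
    replay_ok = verify(key, c2, r1)

    # A guessed password fails even against the challenge it was recorded for.
    wrong_key_ok = verify(derive_key("password123", salt), c1, r1)

    return {"first_login_ok": first_login_ok,
            "replay_ok": replay_ok,
            "wrong_key_ok": wrong_key_ok,
            "password_ever_typed": False}
```

The recorded response does not let the observer log in again, which is the property the post is after; the remaining cost is that the response must be computed by something other than the user's memory.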
Received on Fri Jun 5 11:20:57 2009

This archive was generated by hypermail 2.1.8 : Fri Jun 05 2009 - 11:20:57 AKDT