[Aug. 29th, 2006|06:53 am]
I changed my work password a while back because of the stupid policy, and promptly forgot it. I was on the line with the help desk last evening for several minutes, listening to music, and hung up because I had a damn presentation to complete (still do) and didn't have the patience. I knew that my new password was at a Hamming distance 1 from my old one, so I brute forced it!
Assuming I'm not alone in the way I pick passwords, there are two interesting questions: 1) what percentage of people change their passwords in a way that's easy to guess given knowledge of their old password? 2) if you have an existing large password database, can you crack significantly more passwords from a new server than if you didn't? There are so many nice experiments I can think of running if I had access to a password database. Oh well.
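The "brute force the Hamming-distance-1 neighbours" trick from the first paragraph, and the second paragraph's question of how far an old password gets you, can be made concrete. The following is an added example, not code from the post's author: it enumerates every string at Hamming distance exactly d from a known old password (one substitution per chosen position, over a 94-character printable alphabet), searches shells of increasing distance, and stops when a verifier accepts a candidate. The verifier here is a constructed stand-in for a stolen unsalted SHA-256 hash; in practice it would be whatever oracle is available, a leaked hash or a rate-limited login form. The password pairs in the demo are made up for illustration.

```python
import hashlib
import itertools
import string
from math import comb

# Alphabet to substitute from; extend or shrink to match the target's policy.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def hamming_neighbors(password, distance=1, alphabet=ALPHABET):
    """Yield every same-length string differing from `password` in exactly
    `distance` positions. Each candidate is produced once: the position set
    fixes where the changes are, and the original symbol is excluded at
    each of those positions."""
    n = len(password)
    for positions in itertools.combinations(range(n), distance):
        choices = [[c for c in alphabet if c != password[p]] for p in positions]
        for replacement in itertools.product(*choices):
            chars = list(password)
            for p, c in zip(positions, replacement):
                chars[p] = c
            yield "".join(chars)


def neighbor_count(length, distance, alphabet_size=len(ALPHABET)):
    """Size of the distance-d shell around a password: C(n, d) * (|A| - 1)^d.
    For an 11-character password this is 1023 at d=1 and 475,695 at d=2,
    tiny compared with the 94^11 space the policy pretends it is drawing from."""
    return comb(length, distance) * (alphabet_size - 1) ** distance


def crack(old_password, verify, max_distance=2, alphabet=ALPHABET):
    """Search shells d = 1 .. max_distance around `old_password`.
    Returns (candidate, distance) on success, (None, None) otherwise.
    `verify(candidate) -> bool` is the oracle (hash comparison, login attempt, ...)."""
    for d in range(1, max_distance + 1):
        for candidate in hamming_neighbors(old_password, d, alphabet):
            if verify(candidate):
                return candidate, d
    return None, None


def make_hash_oracle(new_password):
    """Constructed stand-in for a stolen password hash: unsalted SHA-256.
    Real stores use salted, slow hashes, which change the cost per guess
    but not the size of the search space this attack exploits."""
    target = hashlib.sha256(new_password.encode()).hexdigest()
    return lambda cand: hashlib.sha256(cand.encode()).hexdigest() == target


if __name__ == "__main__":
    old = "Summer2006!"  # constructed example old password
    for new in ("Summer2007!", "Summer2007?", "Winter2006!"):
        found, d = crack(old, make_hash_oracle(new))
        print(f"{old} -> {new}: {'found at distance ' + str(d) if found else 'not within distance 2'}")
    print("shell sizes for length 11:", neighbor_count(11, 1), neighbor_count(11, 2))
```

The point of `neighbor_count` is the one the post makes implicitly: a "change your password" policy that users satisfy by bumping one character reduces the attacker's work from the full keyspace to a few thousand guesses once the old password is known, which is exactly the experiment the second question above would measure over a real database.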
Anyway, the paper "A Method for Making Password-Based Key Exchange Resilient to Server Compromise" at this year's Crypto by Craig Gentry, Philip MacKenzie, and Zulfikar Ramzan* describes how to do remote authentication using low-entropy passwords. Unless a serious bug is found (this paper itself fixes a bug in a 2002 version), this should be the only way that anyone who cares about security does password authentication over the Internet. I believe the protocol is already an RFC. How long before we start seeing adoption? My guess is that no one's going to change unless they get attacked.
*None of the three authors is in academia, which kind of explains why the paper is not online :(