Arvind Narayanan (arvindn) wrote,

I changed my work password a while back because of the stupid policy, and promptly forgot it. I was on the line with the help desk last evening for several minutes, listening to music, and hung up because I had a damn presentation to complete (still do) and didn't have the patience. I knew that my new password was at Hamming distance 1 from my old one, so I brute-forced it!

Assuming I'm not alone in the way I pick passwords, there are two interesting questions: 1) what percentage of people change their passwords in a way that's easy to guess given knowledge of their old password, and 2) if you have an existing large password database, can you crack significantly more passwords from a new server than if you didn't? There are so many nice experiments I can think of running if I had access to a password database. Oh well.
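To put a number on "easy to guess given the old password", here is an added example (not part of the original post) of a check a password-change form could run while it still has the old password in hand. The 94-character alphabet, the `min_distance=3` threshold, the function names and the sample passwords are all assumptions made for illustration.

```python
import string

# Assumption: passwords use the 94 printable, non-space ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hamming_distance(a, b):
    """Number of positions that differ; defined only for equal lengths."""
    if len(a) != len(b):
        raise ValueError("Hamming distance needs equal-length strings")
    return sum(x != y for x, y in zip(a, b))


def edit_distance(a, b):
    """Levenshtein distance: also covers an appended or dropped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def neighbours_at_hamming_1(password, alphabet=ALPHABET):
    """Count of strings that differ from `password` in exactly one position."""
    symbols = set(alphabet)
    return sum(len(symbols - {c}) for c in password)


def accept_new_password(old, new, min_distance=3):
    """Hypothetical change-time policy: refuse near-copies of the old password.

    The server normally stores only a hash, so this comparison is possible
    only at change time, when the user has just typed the old password.
    """
    return edit_distance(old, new) >= min_distance


if __name__ == "__main__":
    old, new = "Summer2004!", "Summer2005!"   # constructed sample values
    print("Hamming distance:", hamming_distance(old, new))
    print("candidates at distance 1:", neighbours_at_hamming_1(old))
    print("full space, same length:", len(ALPHABET) ** len(old))
    print("accepted:", accept_new_password(old, new))
```

For an 11-character password the distance-1 neighbourhood holds 1,023 strings, against 94^11 for the full space of that length, which is why a policy that forces changes without checking similarity adds little.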

Anyway, the paper "A Method for Making Password-Based Key Exchange Resilient to Server Compromise" at this year's Crypto by Craig Gentry, Philip MacKenzie, and Zulfikar Ramzan* describes how to do remote authentication using low-entropy passwords. Unless a serious bug is found (this paper itself fixes a bug in a 2002 version), this should be the only way that anyone who cares about security should do password authentication over the Internet. I believe the protocol is already an RFC. How long before we start seeing adoption? My guess is that no one's going to change unless they get attacked.

*None of the three authors is in academia, which kind of explains why the paper is not online :(
Tags: security, work