Passwords - Arvind Narayanan's journal — LiveJournal

Passwords [Aug. 29th, 2006|06:53 am]
Arvind Narayanan

I changed my work password a while back because of the stupid policy, and promptly forgot it. I was on the line with the help desk last evening for several minutes, listening to music, and hung up because I had a damn presentation to complete (still do) and didn't have the patience. I knew that my new password was at a Hamming distance 1 from my old one, so I brute forced it!

Assuming I'm not alone in the way I pick passwords, there are two interesting questions: 1) what percentage of people change their passwords in a way that's easy to guess given knowledge of their old password; and 2) if you have an existing large password database, can you crack significantly more passwords from a new server than if you didn't? There are so many nice experiments I can think of running if I had access to a password database. Oh well.
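As an added illustration of the first question (this is not code from the original post): the defender's side of the "Hamming distance 1" change described above is a password-change check that measures how far the proposed password is from the old one and refuses changes that an attacker who knows the old password could cover with a handful of guesses. The old password is available in plaintext at change time because the user has just typed it to authorise the change. The edit-distance threshold and the 95-character alphabet are assumptions chosen for this example.

```python
# Added example: reject password changes that are trivially derivable from the
# old password. Thresholds and alphabet size are assumptions for illustration.

from typing import Tuple


def hamming_distance(old: str, new: str) -> int:
    """Number of positions that differ; defined only for equal-length strings."""
    if len(old) != len(new):
        raise ValueError("Hamming distance needs equal-length strings")
    return sum(1 for a, b in zip(old, new) if a != b)


def levenshtein(old: str, new: str) -> int:
    """Edit distance (insert/delete/substitute), so 'pass' -> 'pass1' counts as 1."""
    prev = list(range(len(new) + 1))
    for i, a in enumerate(old, start=1):
        cur = [i]
        for j, b in enumerate(new, start=1):
            cost = 0 if a == b else 1
            cur.append(min(prev[j] + 1,          # delete a
                           cur[j - 1] + 1,       # insert b
                           prev[j - 1] + cost))  # substitute a with b
        prev = cur
    return prev[-1]


def single_substitution_candidates(password: str, alphabet_size: int = 95) -> int:
    """Size of the Hamming-distance-1 neighbourhood: every position can be swapped
    for any of the other symbols. 95 = printable ASCII (assumed alphabet)."""
    return (alphabet_size - 1) * len(password)


def check_password_change(old: str, new: str, min_distance: int = 4) -> Tuple[bool, str]:
    """Accept only if the new password is at least `min_distance` edits from the
    old one, compared case-insensitively so 'Hunter2' -> 'hunter2' is also caught.
    Returns (accepted, reason)."""
    if new == old:
        return False, "new password is identical to the old one"
    distance = levenshtein(old.lower(), new.lower())
    if distance < min_distance:
        return False, (f"new password is only {distance} edit(s) from the old one "
                       f"(single-character variants of the old password: "
                       f"{single_substitution_candidates(old)} guesses)")
    return True, f"accepted (edit distance {distance})"


if __name__ == "__main__":
    # Constructed sample changes: an incremented year, and an unrelated password.
    for old, new in [("Summer2006!", "Summer2007!"), ("Summer2006!", "r7#Qv!pL2mZ")]:
        print(old, "->", new, check_password_change(old, new))
```

The neighbourhood count makes the post's point concrete: for an 8-character password over printable ASCII, every single-character substitution is covered in 752 guesses, which is why the check uses edit distance rather than a simple "different from the old one" rule.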

Anyway, the paper "A Method for Making Password-Based Key Exchange Resilient to Server Compromise" at this year's Crypto by Craig Gentry, Philip MacKenzie, and Zulfikar Ramzan* describes how to do remote authentication using low-entropy passwords. Unless a serious bug is found (this paper itself fixes a bug in a 2002 version), this should be the only way that anyone who cares about security should do password authentication over the Internet. I believe the protocol is already an RFC. How long before we start seeing adoption? My guess is that no one's going to change unless they get attacked.

*None of the three authors is in academia, which kind of explains why the paper is not online :(
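To show what "resilient to server compromise" buys you, here is an added example that is not the paper's construction and not code from the post: an augmented password-authenticated key exchange in the style of SRP-6a. The property it demonstrates is the one the paper is about: the server stores a salted verifier v = g^x rather than the password, the client proves knowledge of the password by deriving the same session key, and a thief who copies the server's database still cannot run the client side without first mounting a dictionary attack on v. Assumptions: SHA-256 as the hash, and the Mersenne prime 2**521 - 1 as a stand-in modulus (it is prime, so the arithmetic is exact, but it is not a safe prime; real deployments use the RFC 5054 groups).

```python
# Added example: SRP-6a-style augmented PAKE (toy parameters, see the lead-in).
import hashlib
import secrets
from typing import Optional, Tuple

P = 2**521 - 1   # assumed toy modulus: a prime, but not a safe prime
G = 3            # assumed toy generator


def H(*parts) -> int:
    """Hash ints/strs/bytes with length prefixes (no ambiguity), return an int."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(part, str):
            part = part.encode()
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


K_MULT = H(P, G)   # SRP-6a multiplier k = H(N, g)


def register(username: str, password: str, salt: Optional[bytes] = None) -> Tuple[bytes, int]:
    """Registration. The server keeps only (salt, v); x and the password are never stored."""
    salt = salt or secrets.token_bytes(16)
    x = H(salt, H(username, password))
    return salt, pow(G, x, P)


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbelow(P - 2) + 1     # ephemeral private value
        self.A = pow(G, self.a, P)                # first message: A

    def finish(self, salt: bytes, B: int) -> int:
        """Given the server's (salt, B), derive the session key K."""
        if B % P == 0:
            raise ValueError("server sent B = 0")
        u = H(self.A, B)
        x = H(salt, H(self.username, self.password))   # needs the real password
        base = (B - K_MULT * pow(G, x, P)) % P         # recovers g^b only if v == g^x
        S = pow(base, self.a + u * x, P)
        return H(S)


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = secrets.randbelow(P - 2) + 1
        self.B = (K_MULT * v + pow(G, self.b, P)) % P   # second message: B

    def finish(self, A: int) -> int:
        """Given the client's A, derive the session key K using only v."""
        if A % P == 0:
            raise ValueError("client sent A = 0")
        u = H(A, self.B)
        S = pow(A * pow(self.v, u, P), self.b, P)
        return H(S)


def login(username: str, password_typed: str, salt: bytes, v: int) -> bool:
    """One full exchange; True iff both sides end up with the same key."""
    client = Client(username, password_typed)
    server = Server(salt, v)
    k_client = client.finish(salt, server.B)
    k_server = server.finish(client.A)
    return k_client == k_server


if __name__ == "__main__":
    # Constructed sample account.
    salt, v = register("arvind", "correct horse battery")
    print("right password:", login("arvind", "correct horse battery", salt, v))
    print("wrong password:", login("arvind", "correct horse batteri", salt, v))
```

Both sides compute g^(b(a + ux)): the client as (B - k g^x)^(a + ux) and the server as (A v^u)^b, and the two agree only when the client's x matches the x behind the stored v. A stolen (salt, v) pair can be fed into `Server` but not into `Client`, which is exactly the asymmetry the post's "resilient to server compromise" refers to; the remaining exposure is an offline guessing attack against v, which is why the salt and a slow password hash still matter.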

Comments:
From: sdevarajan
2006-08-29 03:00 pm (UTC)

Crack that!

1) what percentage of people change their passwords in a way that's easy to guess given the knowledge of their old password

I'll assume that this is a pseudo-poll and answer that with "I do" - but then there are multiple websites that one visits each with a different account...rotation of passwords is another possibility...what goes around, comes around! :P
From: kadambarid
2006-08-29 03:30 pm (UTC)

Re: Crack that!

That was by me, actually- a bit of troubleshooting for dad (who'd just started blogging).
Would've let sleeping words lie- but for the fact that they aren't true in his case :P