Researchers look to simplify passwords
Security experts at Microsoft have devised a novel concept for generating secure passwords that does away with easily-forgettable strings of multi-case alpha-numeric ID codes.
The concept relies on allowing users to choose their own relatively simple passwords, provided those passwords have not already been chosen by too many other people on the same system – making attacks based on guessing the most common passwords less successful.
“We have proposed replacing today’s complex password policies with a simple one,” wrote Stuart Schechter and Cormac Herley in their Popularity is everything report. “We would allow any password the user desires, so long as it is not an attractive target for a statistical guessing attack.”
The recent trend in password protection has been towards longer, more complicated passwords designed to thwart “dictionary attacks”, in which hackers try millions of candidate passwords against each user account.
Complex password rules – such as “must contain at least 12 characters, contain a mixture of upper case and lower case letters, numbers and at least one symbol” – make it difficult for hackers to guess passwords using dictionary attacks.
However, IT managers must also protect these passwords by locking out accounts after, say, three failed attempts to log in, the researchers said, and such lockouts lead to high support costs.
According to the researchers, hackers have worked around the concept of increasingly complex passwords by turning the idea on its head.
Instead of applying hundreds of thousands of passwords to each account, attackers are choosing the most commonly used passwords and applying them to thousands of accounts.
The researchers’ scheme protects against statistical guessing attacks by simply counting how many times users have selected any given password; once a preset limit is reached, no further users can choose that password.
“Replacing password creation rules with popularity limitations has the potential to increase both security and usability,” the report said.
“Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.”
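An added example of the popularity-limit check described above; it is not the researchers' code or part of the original article. It tracks password counts in a count-min sketch rather than an exact per-password table (the sketch holds only counters, so a leaked table does not directly reveal which strings are popular), and the limit of 3, the row keys and the sample user choices are all constructed for illustration.

```python
import hashlib
import struct


class PopularityFilter:
    """Count-min sketch tracking how often each password has been chosen.

    Constructed for this example. Each of `depth` rows hashes the password
    under a distinct row key; a password's estimated count is the minimum over
    its rows. Collisions can only inflate that estimate, never shrink it, so a
    crowded table makes the popularity limit stricter, never weaker.
    """

    def __init__(self, width=65536, depth=4, limit=3):
        self.width = width
        self.depth = depth
        self.limit = limit
        self.table = [[0] * width for _ in range(depth)]

    def _index(self, row, password):
        # Row-specific key gives each row an independent hash function.
        data = b"row-%d:" % row + password.encode("utf-8")
        digest = hashlib.sha256(data).digest()
        return struct.unpack("<Q", digest[:8])[0] % self.width

    def count(self, password):
        """Estimated number of users who currently hold this password."""
        return min(self.table[r][self._index(r, password)]
                   for r in range(self.depth))

    def is_too_popular(self, password):
        return self.count(password) >= self.limit

    def try_register(self, password):
        """Record the choice and return True if the password is still allowed."""
        if self.is_too_popular(password):
            return False
        for r in range(self.depth):
            self.table[r][self._index(r, password)] += 1
        return True


# Constructed sequence of password choices by successive users.
SAMPLE_CHOICES = [
    "password", "password", "letmein", "password", "password",
    "correct horse", "letmein", "letmein", "letmein",
]


def simulate(choices, limit=3):
    """Run the choices through a fresh filter; return (accepted, rejected)."""
    pf = PopularityFilter(limit=limit)
    accepted, rejected = [], []
    for pw in choices:
        (accepted if pf.try_register(pw) else rejected).append(pw)
    return accepted, rejected


if __name__ == "__main__":
    ok, blocked = simulate(SAMPLE_CHOICES)
    print("accepted:", ok)
    print("rejected:", blocked)
```

With the limit set to 3, the fourth user to pick “password” and the fourth to pick “letmein” are turned away, while “correct horse” is accepted without any composition rule being applied. A rejection tells the requester that a password is popular, so the endpoint answering this check needs the same rate limiting as the login endpoint itself.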
Although a significant break from current thinking, the scheme would only work for services with hundreds of thousands of users, such as Google, Facebook or Hotmail.