
Moore’s Law won’t kill passwords - jessaustin
http://www.lightbluetouchpaper.org/2013/01/17/moores-law-wont-kill-passwords/
======
btilly
The problem with passwords is the human element.

People pick predictable passwords. Thanks to compromises of large sets of
random passwords, we know far more about how to predict passwords than we ever
did in the past. That means that, given a new password database, we can crack
more passwords with a shorter search.

But it gets worse. A long time ago, people interacted with very few systems
with very few passwords needed. Today people interact with many systems, and
most still use very few passwords. (Yes, I know all of the ways to make more
passwords feasible. The fact is that people don't do that.) Therefore if you
target a low security system, you frequently get access to much more
worthwhile accounts on another system entirely.

Because of both problems (particularly the second), passwords alone are not
sufficient for anything that actually needs reasonable security.

------
slevin063
As far as password cracking is concerned, it has a HUGE bottleneck as
discussed here, <http://security.stackexchange.com/a/25392>

The only threat to safety will be the human element as btilly suggested.

~~~
DanBC2
Passwords are lousy. Really lousy. As you point out the problem isn't with the
security of them (when properly applied) but because it's all just so klunky
and annoying and different websites have different implementations.

I know at least two websites that ask for a username, a password, and they
also give a capcha. I have some websites that won't let Chrome save my
password.

Really, I want a hardware thing with a long secure passphrase, that has all my
other usernames and passwords (12 character alpha numeric with upper and lower
case) in it, that confirms my identity to all these different websites. (Can I
do this with Yubikey? or anything else?)

~~~
slevin063
Yubikey works well but its only valuable when more number of websites support
it.

Similar project without the hardware is mozilla's persona, which is an open
standard if im not wrong and it is better than signin using fb or gmail, as it
wont be sharing any user data with website.

------
exDM69
If Moore's Law won't kill passwords, something else should. My motto for
computer security is that if it's only protected by a password, it is not
safe.

What the world needs is a future proof de-facto way of two factor (or more)
authentication.

------
rorrr
I think the article completely misses the point. The password hashes we have
_now_ are often considered to take millions of years to be bruteforced, which
is a wrong assumption.

We don't really know what the future tech will be like. Most changes are
evolutionary, but who knows, maybe tomorrow we'll have a quantum CPU with a
trillion times more computational power.

~~~
kolinko
Quantum computers don't work this way.

Solving 1024-bit key in SHA (or sth) will take as much as 512-bit key using a
comparable traditional computer. So it's still hard, and will always be.

~~~
eru
The problem is different for encryption schemes relying on hardness of integer
factorization.

------
acqq
It's not just a computational expense of one password hashing that has to be
considered, the possibility of having the hashes precomputed can't be ignored.
In such a light, we definitely have to start using longer passwords or
passphrases regardless of the expense of computing one hash. Otherwise the
search space is simply too small.

~~~
hartror
Pre-computed? You mean rainbow tables right? They have gone the way of the
dinosaur with salts. Bcrypt has a big fat salt making it mightily impractical
to use rainbow tables as the space required is so large.

~~~
user24
Sadly, many systems for many years will still use unsalted MD5s. Rainbow
tables will still have a place in the cracker's toolkit for some time.

~~~
brazzy
Another problem with rainbow tables is that their size depends on the password
length, and with current technology they become impractical almost as soon as
brute forcing, and much sooner than smart dictionary attacks (e.g. hybrids
where you take a dictionary and for each entry try every possible way to add 3
random characters).

