Goodbye, passwords? New alternatives emerge, but passwords persist

Longer passphrases and biometric approaches may significantly improve security. However, a new Microsoft Research paper suggests password security needs to be put in perspective.

"More than seven years after Bill Gates declared (2004) 'the password is dead,' not only have we failed to get rid of them, but they continue to multiply as an almost universal means of Internet authentication, protecting hundreds of millions of accounts on some large sites."

- Cormac Herley and Paul C. van Oorschot, in a new Microsoft Research white paper on passwords

We've written before about the cumbersome password process, and how end-users tend to pick from a list of obvious common terms for Website and application access. (See our posts on the most common passwords of 2011 and of all time .) Not very secure solutions.

Lately, new alternatives to the password approach have emerged, making access more seamless to end-users, while more secure from an infrastructure point if view.

One alternative gaining support in industry circles is the use of passphrases instead of single passwords.  They're easier for end-users to remember, and more unique and uncrackable from a system security standpoint. As Erica Chickowski of Dark Reading points out, "passphrases, such as a sentence from a favorite book -- are easier to remember and harder to crack than most passwords today, even without special characters....even without any special characters, a long passphrase keeps brute-force attacks at bay far better than a shorter mix of alphanumeric soup."

She quotes software security expert Phil Lieberman:

“Making passphrases more secure than one-word passwords is simple mathematics. The ability to reverse a single-word password is simply a matter of the length of the password itself -- hash lookups. By having the phrase go beyond 14 characters in length makes hash lookups very expensive. Fundamentally there are very few long English single words that are memorable, but a phrase or sentence is easy to create and remember that goes beyond the 14 or so characters in length.”

The main barrier to the use of passphrases is not technical, but rather the perception that a short one-word password is easier to remember than a longer phrase.

And there are technical remedies emerging as well. For example, Silicon Republic reports that a pair of 17-year-olds (that's a story in itself) have developed an algorithm for facial recognition, now available through an open API., created by students Niall Paterson and Sam Caulfield, "works by taking a picture of your face and then analyzing it against a database of registered users." Potentially, social networking sites could easily adopt the API and make typewritten passwords unnecessary.

SmartPlanet colleague Laura Shin also provides insights into new biometric approaches catching on as alternatives to typed-in passwords.

However, in their recent paper, Cormac Herley of Microsoft Research and Paul van Oorschot of Carleton University argue that until new approaches catch on, we're going to have to live with the current password system for some time to come. "No silver bullet will meet all requirements," they argue. "Not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use."

The main compliant about the current password system, they assert, is the requirement at many sites or within many organizations that users change their passwords on a regular basis, resulting in frustration and greater complexity.

Herley and van Oorschot urge that organizations and vendors better understand the risks of password usage, and put these risks in their proper perspective:

"We need better understanding of the harms suffered by users when things go wrong. Worst-case and average case harm differ enormously. For example, by the domino effect of password re-use, a compromised low-value account might lead to financial catastrophe for a user. However, the almost routine leaking of millions of passwords from low-value sites (e.g., RockYou and Gawker), evidently with little visible effect, suggests that the average case may be very different."

This post was originally published on