Password Exhaustion: Predicting the End of Password Usefulness
Publication: International Conference on Information Systems Security, ICISS 2006 / Lecture Notes in Computer Science, Volume 4332
Page(s): 37 - 55
Publisher: Springer Berlin Heidelberg
Source 1: http://nsrc.cse.psu.edu/tech_report/NAS-TR-0030-2006.pdf
Source 2: http://www.enck.org/pubs/iciss06a.pdf
Source 3: http://link.springer.com/chapter/10.1007/11961635_3 - Subscription or payment required
Abstract or Summary:
Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.
PasswordResearch.com Note: Additional author listed for this paper: Trent Jaeger
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.