Worth Reading: Passwords, guessed, replaced, still with us
Two papers from University of Cambridge security researchers provide useful insights into passwords: how they are chosen and how they could be replaced. The first paper, The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, looks at the problem of comparing schemes that aim to replace passwords and comes up with a comparison methodology built around twenty-five desired benefits that a replacement scheme should offer.
The idea behind the paper was conceived by Frank Stajano, who brought together Joseph Bonneau (University of Cambridge), Cormac Herley (Microsoft Research) and Paul C. van Oorschot (Carleton University) to create the criteria and apply them in an evaluation of 35 replacement schemes. In a blog post, Stajano explains that one insight they gained from the process was that we still use passwords in 2012 and "are probably likely to continue to do so for quite a while". Stajano hopes the methodology will offer a sanity check for future proposals for password replacement schemes. The peer-reviewed paper was presented at the IEEE Symposium on Security and Privacy and is also available in extended form as a tech report.
Another paper presented at the IEEE event, by Joseph Bonneau, looked at his research into how people choose passwords by analysing the anonymised passwords of 70 million Yahoo users. The paper, The science of guessing: analyzing an anonymized corpus of 70 million passwords, is based on his PhD dissertation and takes a new approach to password analysis: rather than scoring individual passwords, it looks at the distribution of passwords across the population and then works out how efficient "a hypothetical guesser with perfect knowledge" of that distribution would be at guessing them.
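The distribution-based measurement described above can be reproduced on any password frequency table. The following is an added example, written for this page rather than taken from the paper or from Bonneau's code; it implements two of the paper's guessing metrics as I read them: the β-success-rate λ_β (the fraction of accounts an optimal most-likely-first guesser breaks with at most β guesses per account) and the α-work-factor μ_α (the number of guesses per account needed to break a fraction α of accounts), together with the conversion of λ_β into "equivalent bits" (log2(β / λ_β)) for comparison against Shannon and min-entropy. The password counts are constructed for illustration and are not figures from the Yahoo corpus.

```python
from math import log2

# Constructed sample corpus (NOT data from the paper): each password maps to
# the number of users who chose it. Twenty users picked a password nobody
# else chose, which is what makes the tail of the distribution matter.
SAMPLE_COUNTS = {"123456": 40, "password": 25, "qwerty": 10, "letmein": 5}
SAMPLE_COUNTS.update({f"unique-{i:02d}": 1 for i in range(20)})


def build_distribution(counts):
    """Return password probabilities sorted most-likely first.

    The optimal guesser with perfect knowledge of the distribution simply
    walks this list, so every metric below is a function of it alone.
    """
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def beta_success_rate(probs, beta):
    """lambda_beta: share of accounts compromised with <= beta guesses each.

    This is the online-attack view: a site that locks accounts after beta
    failed attempts exposes exactly this fraction of its users.
    """
    return sum(probs[:beta])


def alpha_work_factor(probs, alpha):
    """mu_alpha: guesses per account before a fraction alpha is compromised.

    This is the offline-attack view: how much work buys the attacker the
    first alpha of the population.
    """
    cumulative = 0.0
    for guesses, p in enumerate(probs, start=1):
        cumulative += p
        if cumulative >= alpha - 1e-12:  # tolerate float rounding
            return guesses
    return len(probs)  # alpha == 1.0 needs the whole dictionary


def equivalent_bits_online(probs, beta):
    """log2(beta / lambda_beta): the key length of a uniform distribution
    that would give an online attacker the same success after beta guesses.
    For beta == 1 this equals the min-entropy."""
    return log2(beta / beta_success_rate(probs, beta))


def shannon_entropy(probs):
    """Shannon entropy in bits; shown only to contrast with the metrics above,
    since it is dominated by the long tail of unique passwords."""
    return -sum(p * log2(p) for p in probs if p > 0)


def min_entropy(probs):
    """Min-entropy in bits: governed solely by the single most common password."""
    return -log2(probs[0])


def fraction_unique(counts):
    """Share of users whose password was chosen by nobody else in the corpus."""
    total = sum(counts.values())
    return sum(c for c in counts.values() if c == 1) / total


def guessing_summary(counts, betas=(1, 3, 10), alphas=(0.5, 0.9)):
    """Assemble all metrics for a frequency table into one dict."""
    probs = build_distribution(counts)
    return {
        "shannon_bits": shannon_entropy(probs),
        "min_entropy_bits": min_entropy(probs),
        "unique_fraction": fraction_unique(counts),
        "lambda": {b: beta_success_rate(probs, b) for b in betas},
        "lambda_bits": {b: equivalent_bits_online(probs, b) for b in betas},
        "mu": {a: alpha_work_factor(probs, a) for a in alphas},
    }


if __name__ == "__main__":
    for name, value in guessing_summary(SAMPLE_COUNTS).items():
        print(f"{name}: {value}")
```

On the constructed sample the Shannon entropy comes out near 2.9 bits while the min-entropy is about 1.3 bits and ten online guesses already cover 86% of accounts; that gap between an averaged entropy figure and what a guesser actually achieves is the reason the paper measures guessing work directly from the distribution rather than estimating entropy per password.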
Interestingly, out of the 70 million passwords, over half the users actually chose unique passwords. More surprising was that the registration of credit cards or other valuable information "only seem to nudge users away from the weakest passwords", and experiments to encourage stronger passwords have made little difference. "Even though humans produce distributions with pitifully few bits of security, I think passwords will always be with us... The important thing is to stop considering them the first and last step in authentication", concludes Bonneau on the Light Blue Touchpaper security research blog.