What is it all about?
Researchers at Microsoft have come up with a way to create easy-to-remember passwords without making a system more vulnerable to hackers.
Instead of enforcing complex passwords, as many organizations do, the new scheme makes sure that no more than a few users can have the same password, which has a similar overall effect on security. Further research from Microsoft also reveals why only some organizations insist on very complex passwords.
Without such restrictions, people tend to pick passwords that are easy to remember, easy to type--and easy to guess. For example, when 32 million passwords from the social media website RockYou were inadvertently released last December, nearly half were found to be "trivial passwords" such as consecutive digits, dictionary words, or common names, according to an analysis last January. Requiring that passwords include numbers, symbols, and mixed cases significantly increases the number of possible passwords. With such rules, a dictionary attack becomes in-feasible, but passwords also become harder to remember.
Researchers at Microsoft have come up with a way to create easy-to-remember passwords without making a system more vulnerable to hackers.
Instead of enforcing complex passwords, as many organizations do, the new scheme makes sure that no more than a few users can have the same password, which has a similar overall effect on security. Further research from Microsoft also reveals why only some organizations insist on very complex passwords.
Increasingly complex password requirements--rules like "passwords must be 14 characters long and contain at least two uppercase letters, two lowercase letters, and three symbols"--make it difficult for attackers to guess passwords using a so-called "dictionary attack," which involves trying many possible passwords in succession.
One way that system designers try to defeat dictionary attacks is by temporarily disabling an account when a wrong password is submitted more than a few times. This is called account lock-out, and not surprisingly, attackers have discovered a simple way to defeat the approach. Instead of guessing thousands or millions of passwords for a single account, attackers simply guess the most commonly used passwords for thousands, or even millions, of different accounts.
The new scheme from Microsoft Research does away with complexity requirements entirely while protecting against both dictionary attacks and statistical guessing. The service simply counts how many times any user on the service chooses a given password. When more than a small number of users pick a password, the password is banned and no one else is allowed to choose it. The scheme can only be used by organizations with millions of users--websites like Microsoft's Hotmail, for instance.Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing.
No comments:
Post a Comment