His premise is that user behavior has historically proven the system of password authentication to be inadequate. Users always seem to opt for easy passwords that can be cracked by brute force with ease, and this is not a problem that will lessen with the advancement of technology. Instead, the inverse is true: an ordinary desktop computer can now run a brute-force program and, given enough time, guess user passwords. Study after study shows that the majority of users, not a small minority, settle on passwords that are not in any way secure.
Two-factor authentication and encrypted databases have been the primary focus of engineers looking to solve the riddle for some time now, but Leblanc is over that. Why not just attach the account to a user's biometrics, something that won't be imitable for decades to come?
Leblanc's Proposal (or Prediction)
Leblanc begins his presentation by pointing out what this article has already said: too many users are picking poor passwords. Seven percent of users, according to his presentation, use the password `password`. That is staggering when one considers that billions of people are using the web. It creates a huge market in identity theft: easy pickings and low-hanging fruit.
Only nine percent of passwords are not from the list of the 1000 top passwords, meaning that the overwhelming majority of passwords, despite all the money that has been invested and all the time that has been taken to ensure that users understand the risks of weak passwords, are, in a word, weak. For these reasons, Leblanc suggests a near future in which vein recognition, heart rate monitoring, and fingerprint scanning will all be used in concert with improved versions of existing user identification. He lists the following algorithms as being bad for security:
• MD5
• SHA-1
• SHA-2
• SHA-3
And he lists the following algorithms as being, in his estimation, good:
• PBKDF2
• BCRYPT
• SCRYPT
The last of these, scrypt, has been used in many applications and is the underpinning of numerous cryptocurrencies, including Litecoin.
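What separates the two lists is not whether the hash is broken but how cheap it is to compute and whether it is salted: PBKDF2 below is itself built from HMAC-SHA256, yet its per-user salt and tunable iteration count make every guess cost far more than a single SHA-256 call. The following is an added example, not code from the talk or this article; the password list is constructed, and the iteration count is an assumed deployment setting.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample of the kind of common passwords the talk describes.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "abc123"]
# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000

def fast_hash(password: str) -> str:
    """Unsalted single-pass SHA-256: the 'bad' pattern. One cheap operation
    per guess, and every user with the same password shares the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def guess_fast_hash(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Why the fast pattern fails: a short list of common passwords is
    checked at one hash per candidate, so 'password' falls out immediately."""
    for cand in candidates:
        if hmac.compare_digest(fast_hash(cand), stored):
            return cand
    return None

def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The 'good' pattern: per-user random salt plus a tunable work factor.
    Stored as algorithm$iterations$salt$digest so parameters can be upgraded."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or not iters.isdigit():
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def needs_rehash(stored: str, minimum_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current
    policy, so it should be re-hashed at the user's next successful login."""
    parts = stored.split("$")
    return (len(parts) != 4 or parts[0] != "pbkdf2_sha256"
            or not parts[1].isdigit() or int(parts[1]) < minimum_iterations)
```

Because each stored record carries its own salt, two users with the password `password` no longer share a digest, and a guess must be recomputed at full cost for every user rather than once for the whole database.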
Financially speaking, companies, even the most deep-pocketed, will have to decide whether solutions such as those Leblanc proposed are viable. After all, issuing heart monitors to, or requiring them of, all users could be a difficult task, at least until smart watches become the norm. Culturally, there are certain groups who would never go for such a thing, such as groups who would consider a piece of technology in their bloodstream to be an abomination.
No one knows what the future holds, but with more things than ever being done via the Internet, the problem of password security certainly remains a huge concern for millions of companies and individuals. When an account is compromised, in many cases so is the data it has sent to and received from other parties. Lives have been destroyed thanks to weak passwords, and this continues to this day. While some may consider Leblanc's proposals to be ahead of their time or simply untenable for ethical reasons, others may see them as inevitable.