Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Computer Science and Information Systems 2019 Volume 16, Issue 1, Pages: 313-332
https://doi.org/10.2298/CSIS180328016B
Full text ( 229 KB)
Cited by


Rejecting the death of passwords: Advice for the future

Bošnjak Leon (Faculty of Electrical Engineering and Computer Science, University of Maribor, Maribor, Slovenia)
Brumen Boštjan (Faculty of Electrical Engineering and Computer Science, University of Maribor, Maribor, Slovenia)

Passwords have been a recurring subject of research ever since Morris and Thompson first pointed out their disadvantages in 1979. Several decades later, textual passwords remain to be the most used authentication method, despite the growing number of security breaches. In this article, we highlight technological advances that have the potential to ease brute-force attacks on longer passwords. We point out users’ persistently bad password creation and management practices, arguing that the users will be unable to keep up with the increasingly demanding security requirements in the future. We examine a set of real, user-generated passwords, and compare them to the passwords collected by Morris and Thompson. The results show that today’s passwords remain as weak as they were nearly four decades ago. We provide insight on how the current password security could be improved by giving recommendations to users, administrators, and researchers. We dispute the reiterated claim that passwords should be replaced, by exposing the alternatives’ weaknesses. Finally, we argue passwords will remain widespread until two conditions are met: First, a Pareto-improving authentication method is discovered, and second, the users are motivated to replace textual passwords.

Keywords: authentication, password security, comparison