Password Exhaustion: Predicting the End of Password Usefulness

Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.
