Passwords: If we’re so smart, why are we still using them?
Cormac Herley, Paul van Oorschot and I recently led a panel discussion at the Financial Cryptography and Data Security conference. The topic was passwords, which everyone agrees are a problematic form of authentication, yet nobody seems to be doing much about it. We wrote up a summary of the issues and of the discussion at the conference, and the paper is now available. Here is the abstract:
While a lot has changed in Internet security in the last 10 years, a lot has stayed the same — such as the use of alphanumeric passwords. Passwords remain the dominant means of authentication on the Internet, even in the face of significant problems related to password forgetting and theft. In fact, despite large numbers of proposed alternatives, we must remember more passwords than ever before. Why is this? Will alphanumeric passwords still be ubiquitous in 2019, or will adoption of alternative proposals be commonplace? What must happen in order to move beyond passwords? This note pursues these questions, following a panel discussion at Financial Cryptography and Data Security 2009.
Citation: C. Herley, P.C. van Oorschot, A.S. Patrick. Passwords: If We’re So Smart, Why Are We Still Using Them? Financial Cryptography and Data Security (FC 2009), 13th International Conference, Rockley, Christ Church, Barbados, Feb. 2009 (post-proceedings to appear, Springer LNCS).

This article from researchers at the University of Notre Dame discusses some of the limitations of iris biometric systems. Pupil dilation, for example, is found to affect the accuracy of iris recognition, especially when the amount of dilation differs between enrollment and verification. Wearing contact lenses, especially cosmetic lenses designed to change the color and appearance of the eye, can also decrease recognition rates. The researchers also find that the false rejection rate increases over the four-year time span they tested.

When thinking about replacing or strengthening traditional passwords, one alternative is to add a hardware device that proves the user is in possession of a token. RSA has done this for years with their SecurID product, but people with multiple accounts have to carry multiple SecurID tokens. Now VeriSign has come out with an iPhone application that does the same thing, and it already supports three different account types. Is this the solution to adding “something you have” to the authentication process, without requiring that people “have” too many things? Will the application be secure, or just another attack vector for the bad guys?
Do you know who 