Good crypto, bad passwords
A couple of weeks ago, Ars Technica’s Team Vodka Martini solved Certicom’s ECC2-109 cryptography challenge. This accomplishment demonstrates a number of important facts: computers are getting faster, elliptic-curve cryptography seems pretty strong, and passwords as we know them are dead.
Passwords have a number of problems. Most critically, they have to be short enough for people to remember them. Study after study has shown that most people choose very poor passwords. When forced to choose more complex passwords, people end up writing them down, changing them infrequently, or finding other ways to defeat password complexity.
Because passwords are short, they’re easy to crack. If a dedicated group can amass the resources to crack ECC2-109, then your average desktop PC can crack most passwords in seconds.
Also, people don’t really take passwords all that seriously. Passwords are routinely written on Post-Its, reused on multiple systems, and transferred in plain text. According to one of the news headlines above, it even seems that most people will happily tell their password to random strangers in a train station.
Of course, the alternatives have their own problems, which is leading most security researchers to recommend dual-factor systems that require both a physical token and a separate password or PIN. Such systems should be considerably more secure, assuming, of course, that we can teach people to stop jotting their PIN on the back of their bank cards.
As reported by Tim Kientzle at Mobilized Software