Rejecting the Death of Passwords: Advice for the Future
- Faculty of Electrical Engineering and Computer Science, University of Maribor
Smetanova ulica 17, 2000 Maribor, Slovenia
{leon.bosnjak, bostjan.brumen}@um.si
Abstract
Passwords have been a recurring subject of research ever since Morris and Thompson first pointed out their disadvantages in 1979. Several decades later, textual passwords remain to be the most used authentication method, despite the growing number of security breaches. In this article, we highlight technological advances that have the potential to ease brute-force attacks on longer passwords. We point out users’ persistently bad password creation and management practices, arguing that the users will be unable to keep up with the increasingly demanding security requirements in the future. We examine a set of real, user-generated passwords, and compare them to the passwords collected by Morris and Thompson. The results show that today’s passwords remain as weak as they were nearly four decades ago. We provide insight on how the current password security could be improved by giving recommendations to users, administrators, and researchers. We dispute the reiterated claim that passwords should be replaced, by exposing the alternatives’ weaknesses. Finally, we argue passwords will remain widespread until two conditions are met: First, a Pareto-improving authentication method is discovered, and second, the users are 21 motivated to replace textual passwords.
Key words
authentication, password security, comparison
Digital Object Identifier (DOI)
https://doi.org/10.2298/CSIS180328016B
Publication information
Volume 16, Issue 1 (January 2019)
Year of Publication: 2019
ISSN: 2406-1018 (Online)
Publisher: ComSIS Consortium
Full text
Available in PDF
Portable Document Format
How to cite
Bošnjak, L., Brumen, B.: Rejecting the Death of Passwords: Advice for the Future. Computer Science and Information Systems, Vol. 16, No. 1, 313-332. (2019), https://doi.org/10.2298/CSIS180328016B