Rejecting the Death of Passwords: Advice for the Future

Leon Bošnjak1 and Boštjan Brumen1

  1. Faculty of Electrical Engineering and Computer Science, University of Maribor
    Smetanova ulica 17, 2000 Maribor, Slovenia
    {leon.bosnjak, bostjan.brumen}@um.si

Abstract

Passwords have been a recurring subject of research ever since Morris and Thompson first pointed out their disadvantages in 1979. Several decades later, textual passwords remain to be the most used authentication method, despite the growing number of security breaches. In this article, we highlight technological advances that have the potential to ease brute-force attacks on longer passwords. We point out users’ persistently bad password creation and management practices, arguing that the users will be unable to keep up with the increasingly demanding security requirements in the future. We examine a set of real, user-generated passwords, and compare them to the passwords collected by Morris and Thompson. The results show that today’s passwords remain as weak as they were nearly four decades ago. We provide insight on how the current password security could be improved by giving recommendations to users, administrators, and researchers. We dispute the reiterated claim that passwords should be replaced, by exposing the alternatives’ weaknesses. Finally, we argue passwords will remain widespread until two conditions are met: First, a Pareto-improving authentication method is discovered, and second, the users are 21 motivated to replace textual passwords.

Key words

authentication, password security, comparison

Digital Object Identifier (DOI)

https://doi.org/10.2298/CSIS180328016B

Publication information

Volume 16, Issue 1 (January 2019)
Year of Publication: 2019
ISSN: 2406-1018 (Online)
Publisher: ComSIS Consortium

Full text

DownloadAvailable in PDF
Portable Document Format

How to cite

Bošnjak, L., Brumen, B.: Rejecting the Death of Passwords: Advice for the Future. Computer Science and Information Systems, Vol. 16, No. 1, 313-332. (2019), https://doi.org/10.2298/CSIS180328016B