Microsoft has offered an alternative to complex passwords
16 March 2011, 11:10

Researchers at Microsoft Research have proposed a way to let users choose passwords that are easy to remember without making a system that adopts the new approach any more vulnerable to attackers.
Instead of the complex passwords most organizations require today, the new scheme ensures that no password is shared by more than a handful of users at any time, so the complexity requirements can be dropped without weakening the overall security of the system.

Password complexity requirements, such as a minimum length of 14 characters with at least two uppercase letters, two lowercase letters and three digits, are meant to defeat dictionary attacks, in which an attacker tries every password from a predefined list of common words and typical combinations.

Without such restrictions, people tend to choose passwords that are easy to remember, easy to type and, of course, easy to guess. Over the past year several social networks have reportedly lost their password databases. People who analysed the leaked lists report that most of the passwords were trivial: digit sequences, dictionary words, well-known names and so on.

Requiring that a password contain digits, symbols and mixed-case letters greatly increases the number of candidates an attacker has to try. Under such conditions a dictionary attack is often infeasible, but on the other hand such complex passwords are hard to remember. A vicious circle.

One way system designers try to counter brute-force and dictionary attacks is to lock an account temporarily after several failed login attempts. This is called a lockout, and it is not surprising that attackers have found a simple way around it: instead of trying thousands or millions of passwords against one account, the attacker tries a few common passwords against thousands or even millions of accounts.

The new scheme proposed by Microsoft drops the password complexity requirements while still protecting accounts against brute-force attacks. The system simply counts how many people are using each password, and once several people have chosen the same one, that password is locked and nobody else in the system may use it. The scheme suits systems with many users, such as email services.

The approach is described in a paper by Microsoft researchers Stuart Schechter and Cormac Herley, which will appear in a collection of articles and be presented at a security conference in Washington in August.

Since no password is allowed to become common, an attacker loses the ability to break into a substantial share of user accounts by trying popular passwords.
Microsoft has not announced plans to deploy the scheme in any of its products. The scheme was published to gather feedback from security experts around the world.
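The mechanism described above, as an added example that is not code from the article or from the Microsoft researchers: a service-side tracker that counts how many accounts use each password and rejects any password once it reaches a cap. The article does not say how the counts are stored; this example keeps them in a count-min sketch indexed by keyed hashes, which is an assumption chosen so the table itself does not list which passwords are in use (a collision can only make a password look more popular than it is, never less). `simulate_signups` runs a constructed batch of sign-ups through the tracker to show how the cap bounds the number of accounts any single popular password can expose.

```python
import hashlib
import hmac
import os


class PasswordPopularityTracker:
    """Reject any password once `max_users` accounts have chosen it.

    Counts live in a count-min sketch: `depth` rows of `width` counters,
    each row addressed by an HMAC of the password under a server-side key.
    Storing counts this way (rather than a per-password record) is an
    assumption of this example, not something the article describes.
    """

    def __init__(self, max_users=3, width=1 << 16, depth=4, key=None):
        self.max_users = max_users
        self.width = width
        self.depth = depth
        # Keyed hashing keeps a stolen table from doubling as a word list.
        self.key = key if key is not None else os.urandom(32)
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        # One counter per row; the row index salts the hash so rows differ.
        for row in range(self.depth):
            digest = hmac.new(self.key, f"{row}:{password}".encode(),
                              hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def popularity(self, password):
        """Upper bound on how many accounts currently use `password`."""
        return min(self.table[row][col] for row, col in self._cells(password))

    def is_allowed(self, password):
        return self.popularity(password) < self.max_users

    def register(self, password):
        """Record a new account using `password`.

        Returns True if accepted, False if the password has hit the cap
        and the user must pick a different one.
        """
        if not self.is_allowed(password):
            return False
        for row, col in self._cells(password):
            self.table[row][col] += 1
        return True


def simulate_signups(passwords, max_users=3, key=None):
    """Feed a sequence of chosen passwords through a tracker.

    Returns (accepted, rejected, largest_share), where largest_share is the
    most accounts that ended up sharing one password. The plaintext tally
    here exists only for the simulation; the tracker itself never keeps it.
    """
    tracker = PasswordPopularityTracker(max_users=max_users, key=key)
    accepted = rejected = 0
    share = {}
    for pw in passwords:
        if tracker.register(pw):
            accepted += 1
            share[pw] = share.get(pw, 0) + 1
        else:
            rejected += 1
    return accepted, rejected, max(share.values(), default=0)


if __name__ == "__main__":
    # Constructed sign-up batch: a skewed choice distribution like the
    # leaked lists described in the article.
    batch = ["123456"] * 10 + ["password"] * 5 + ["qwerty"] * 2
    print(simulate_signups(batch, max_users=3))
```

With the cap at three, a guess of the single most popular password can reach at most three accounts no matter how many users wanted it; without the cap the same guess would have opened ten of the seventeen accounts in the constructed batch.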

In the past few years researchers have found flaws in existing security measures. For example, accounts are commonly locked after a person enters their password wrong a few times, usually three. Studies have shown, however, that raising this number to ten drastically reduces the number of legitimate users who get locked out, without harming the security of the system as a whole.

Often, in pursuit of convenience and ease of use, many organizations, including banks, apply relatively weak password requirements. The new system could reconcile the security experts who insist on complex passwords with those who care about how convenient logging in is for users.

Sources: Technology Review, Microsoft Research
Added by: w1zard