Monday, January 30, 2012

One Per Cent - Smarter password checker lets you compare with others

Jacob Aron, technology reporter

Signing up to an online service inevitably means entering a password - hopefully a brand new one you've just randomly generated, but more likely the same one you use on every single website, even though you know you're not supposed to.
Most sign-up forms these days use password strength checkers in an effort to beef up security, displaying "weak", "medium" or "strong" depending on how hard the password looks to crack, but it turns out these can actually be misleading. "Password1" is rated stronger than "password" because it adds a capital letter and a digit, yet it is still easily guessed by an attacker because it is so widely used.
That is why researchers at INRIA in Rocquencourt, France and Ruhr University Bochum in Germany have come up with a more advanced strength checker that rates passwords relative to those already stored in a site's database. Rather than vague strength messages, their system can tell users their password is amongst the weakest 5 per cent on the site, encouraging them to try again with a stronger alternative.
Instead of following simple rules for password strength, such as checking the length or the number of special characters, the new scheme breaks your password into short, fixed-length sequences of characters and looks up how often each of those sequences occurs in the passwords already stored on the site.
For example, the sequence "12345" is likely to occur in many different passwords, so adding the sequence to your own password adds little security. On the other hand, the sequence "t5)Vf" is much less likely, so a password including it will be more secure.
Comparing your password with other people's does seem potentially risky though. After all, we are told never to tell a password to anyone. The researchers avoid that by never using an entire password for the comparisons, only sequences of a certain length, so the site keeps counts of short fragments rather than the passwords themselves. They also add a certain amount of noise to those counts, which doesn't seriously change the checking scheme but is enough to make it hard for hackers who steal the database to reconstruct a valid password from it.
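To make the scheme concrete, here is an added example of such a meter, written for this page rather than taken from the researchers' work. It keeps only counts of three-character sequences (plus their two-character prefixes), scores a password by how many bits of "surprise" its sequences carry under a Markov model built from those counts, ranks the result against every password in the stored set to give a percentile, and optionally perturbs the counts with random noise. The sequence length of 3, the 95-character alphabet, the smoothing constant and the noise scheme are all assumptions, and the stored password list is a constructed stand-in for a site's database.

```python
"""
Adaptive, n-gram based password-strength meter (added example, not the
researchers' code).  Reconstructs the idea described above: score a password
by how common its character sequences are in the site's own password set,
report a percentile rather than "weak/medium/strong", and keep only noisy
sequence counts rather than whole passwords.
"""
import bisect
import math
import random
from collections import Counter

N = 3            # length of each character sequence (n-gram); assumed
ALPHABET = 95    # printable ASCII, used for additive smoothing; assumed
ALPHA = 0.1      # smoothing weight given to never-seen sequences; assumed
START, END = "\x02", "\x03"   # sentinels so first/last characters count too

# Constructed stand-in for a site's stored password set (not real data).
SAMPLE_DB = [
    "password", "password1", "Password1", "123456", "12345678", "qwerty",
    "letmein", "iloveyou", "abc123", "monkey", "dragon", "football",
    "welcome1", "t5)Vf9!Lq",
]


def ngrams(password, n=N):
    """Split a password into overlapping n-grams, padded with sentinels."""
    padded = START + password + END
    return [padded[i:i + n] for i in range(len(padded) - n + 1)]


class NgramMeter:
    """Markov-chain strength meter trained on n-gram counts only.

    Whole passwords are never retained: only counts of short sequences and
    of their (n-1)-character prefixes are kept, optionally perturbed with
    random noise so a stolen table does not reveal exact frequencies.
    """

    def __init__(self, passwords, n=N, noise=0, seed=0):
        self.n = n
        self.counts = Counter()    # n-gram -> occurrences
        self.context = Counter()   # (n-1)-character prefix -> occurrences
        for pw in passwords:
            for g in ngrams(pw, n):
                self.counts[g] += 1
                self.context[g[:-1]] += 1
        if noise:
            rng = random.Random(seed)
            for g in list(self.counts):
                delta = rng.randint(0, noise)
                self.counts[g] += delta
                self.context[g[:-1]] += delta   # keep prefix totals consistent
        # Reference distribution: strength of every stored password, so a
        # new password can be ranked against what the site already holds.
        self._reference = sorted(self.strength_bits(pw) for pw in passwords)

    def _gram_bits(self, g):
        """-log2 P(last char | preceding n-1 chars), with additive smoothing.

        Common sequences cost few bits; a never-seen sequence costs
        log2(ALPHABET) bits when its prefix is unseen as well.
        """
        num = self.counts[g] + ALPHA
        den = self.context[g[:-1]] + ALPHA * ALPHABET
        return -math.log2(num / den)

    def strength_bits(self, password):
        """Total cost of the whole (sentinel-padded) password in bits."""
        return sum(self._gram_bits(g) for g in ngrams(password, self.n))

    def sequence_bits(self, seq):
        """Cost of a bare fragment such as "12345" with no padding: roughly
        how much strength that fragment adds when placed inside a password."""
        return sum(self._gram_bits(seq[i:i + self.n])
                   for i in range(len(seq) - self.n + 1))

    def percentile(self, password):
        """Fraction of stored passwords that are no stronger than this one;
        0.05 means "among the weakest 5 per cent on this site"."""
        s = self.strength_bits(password)
        return bisect.bisect_right(self._reference, s) / len(self._reference)


def rate(meter, password):
    """Human-readable verdict in the spirit of the percentile-based meter."""
    bits = meter.strength_bits(password)
    pct = meter.percentile(password)
    return f"{password!r}: {bits:.1f} bits, no weaker than {pct:.0%} of stored passwords"


if __name__ == "__main__":
    meter = NgramMeter(SAMPLE_DB)
    for pw in ["password", "password1", "t5)Vf9!Lq", "Xq7#mZ2!"]:
        print(rate(meter, pw))
    print("fragment '12345':", round(meter.sequence_bits("12345"), 1), "bits")
    print("fragment 't5)Vf':", round(meter.sequence_bits("t5)Vf"), 1), "bits")
```

With the noise-free meter, "password1" costs far fewer bits than "t5)Vf9!Lq", and a password whose sequences never appear in the stored set scores the maximum of log2(95) bits per character. One caveat: the noise only works as intended when the real counts are large compared with it; on a toy set like this, adding noise of 1 or 2 to sequences seen once can make a rare fragment look as common as "123", which is why the example trains without noise by default and why the researchers' approach depends on a site-sized database.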
