As a part of some recent research, I’ve found myself reading older papers in this field. It has been fascinating to consider the problems they saw in the 80s and early 90s and their solutions. Do we still see those problems today? Cybersecurity is an ever-evolving field, and I’m interested in how things have changed over time. This means reading papers, reading the papers those papers cite, and then reading the papers those papers cite. I call it chasing citations.
While chasing citations, I found one that mentioned an article in UnixWorld, a magazine published between 1984 and 1995. This article, called “Is your system safe”, was published in 1990. A quote from it:
Easy-to-guess passwords are the biggest problems on most systems.
(Here’s the exact citation if you want to look it up for yourself: Hayes, Frank. “Is your system safe.” UNIX World 7.6 (1990): 44.)
That was published 30 years ago.
So yes, we still have that problem today. We’re still grappling with bad passwords and we don’t have a solution yet.
In fact, the Mirai botnet, the cause of one of the biggest DDoS attacks ever, was partly caused by default passwords on IoT devices. Default passwords are bad passwords because they’re easily shared and people forget to change them. I’ve found GitHub repositories with IoT default passwords stored in them.
I’ve also done some research into password complexity requirements. It seems every website I look at has a different idea of what makes a good password, and almost all of them have complex requirements. Must contain special characters; must not contain special characters. At least one letter; no, make that two letters and only one number. Must… you get the idea.
This doesn’t help users choose and remember good passwords if every site they need one for has different requirements. Researchers have also shown that the more complex the requirements are, the easier it is to crack the password.
I think (my opinion here, I’ve done no research to back this up yet) that a good solution is a passphrase. Like ‘The quick red dog jumps’ or ‘My cat is gray and purrs’. Sentences. Something that’s easier to remember but long enough that it’s hard to crack.
But again, my opinion.
Passwords are a problem that needs a good solution, not just for websites but for devices. Do you have a good solution that’s practical? Write it up for DTRAP and submit it: https://dtrap.acm.org/