Steven M. Bellovin wrote:
> We've become prisoners of dogma here.  In 1979, Bob Morris and Ken
> Thompson showed that passwords were guessable.  In 1979, that was
> really novel.  There was a lot of good work done in the next 15 years
> on that problem -- Spaf's empirical observations, Klein's '90 paper on
> improving password security, Lamport's algorithm that gave rise to
> S/Key, my and Mike Merritt's EKE, many others.  Guess what -- we're not
> living in that world now.  We have shadow password files on Unix
> systems; we have Kerberos; we have SecurID; we have SSL which rules out
> the network attacks and eavesdropping that EKE was intended to counter;
> etc.  We also have web-based systems whose failure modes are not nearly
> the same.  Why do we think that the solutions are the same?  There was
> a marvelous paper at Hotsec '07 that I resent simply because the
> authors got there before me; I had (somewhat after them) come to the
> same conclusions: the defenses we've built up against password failure
> since '79 don't the problems of today's world.  We have to recognize
> the new problems before we can solve them.  (I *think* that the paper
> is at
> but I'm on an airplane now and can't check...

That's a pretty annoying paper.

Firstly, I don't care about the average rate of account compromise for
sites that host my stuff, I only care about _my_ account. This means
that I cannot, despite their claim, write down my long, "secret" user ID
because if anyone ever sees it, I'm sunk because of the short password
they are advocating.

Secondly, they claim that user IDs are in practice secret, on the basis
that if they weren't, then sites would be experiencing massive DoS
attacks. To prove this claim, they cite a case where SSNs are used as
user IDs. Now, if there's one thing we know, it's that SSNs aren't even
a little bit secret. Therefore the reason there is no widepsread DoS is
because no-one wants to mount the attack.

Thirdly, they really need to learn when to use apostrophes!

Incidentally, the reason we don't use EKE (and many other useful
schemes) is not because they don't solve our problems, its because the
rights holders won't let us use them.

> But usability is *the* problem, with server and client penetration a
> close second.

On this we agree. We do have any number of decent cryptographic schemes
that would complete solve phishing. All we have to do is figure out:

a) How to show the user that he is actually using the scheme and is not
being phished.

b) Get it rolled out everywhere.

I am not holding my breath, though perhaps '09 is the year for action?


"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to