I heard another really interesting presentation at CyberNorth’s CyberSips event last week. It was delivered by Charles Dodd, Postdoctoral Research Associate at Durham University and was all about the current and future states of passwords. This time the regular monthly event was focussed on Space (Durham County Council and University are leading organisations in the space sector) and so Charles’ presentation was a bit tangential though still relevant.
A lot of what he was talking about was above my head yet I think I managed to keep up. He told us how, with increasing computer power, the ability to crack passwords was becoming easier and easier, as long as you had the resources. A five character password could be breached in seconds and the time got longer for every character added. I’ve ended up with a sixteen character password and so this may prove to be more difficult, though I suspect it would still crack in a matter of minutes.
He did offer a couple of solutions to make things harder. He talked about the use of hashes to store passwords so that it was not necessary to pass your password over a network as the hash would verify that what was in the block was correct.
He also talked about memory usage. If I have this right, trying to crack passwords is memory hungry. With every character added, the number of permutations grows exponentially, requiring more and more memory to do the calculations. By applying a limit to the amount of memory that the computer is able to use when trying to crack passwords, it makes those above a certain length much more difficult, that is until somebody finds a solution.
On his very last slide he mentioned quantum and I raised the obvious question as to how this would affect the future of passwords. This was outside his immediate area of expertise, though my question kicked off an interesting discussion in the audience. We got around to talking about the cost of quantum and its benefits and how, at this stage at least, it takes very large companies or a nation state to be able to afford such a thing.
If you are a national government, intent on having a go at another country, what better way than to invest in quantum and hack all their intelligence and critical national infrastructure. But, what is to stop your opponents from also investing in quantum, to a point where they could hack your intelligence and critical national infrastructure.
It reminded me very much of the Mutual Assured Destruction (MAD) that has supposedly held countries back from using their nuclear weapons. As long as each potential adversary is counterbalanced with opposing countries having their own quantum computer then the world should be held in a state of computing tension, MACT perhaps. That is, unless someone is MAD enough to try it.
Thoughts from a Guerrilla Worker 