Originally published in Queue vol. 10, no. 12

(newest first)

Poch | Sat, 15 Jun 2013 03:12:04 UTC

Hi Ches, if you're trying to figure out what you'd like to do next in your life, look no further, it's all in you (i.e., what you are already interested in). Even if you try something different (e.g., theatre, poetry, politics, or whatever), you'd still gravitate towards what you are already interested in. By the way, I read about the English word passphrase generation in Jef Raskin's book The Humane Interface. Thanks for the article!

Martin Leiser | Mon, 04 Feb 2013 08:54:36 UTC

Green Book in today's world? How many entries does your password safe have? Mine has nearly 100. How many places besides that do you have passwords stored, e.g. on your mobile phone? You cannot effectively use an Android or Apple phone without storing at least one password in it.

What is completely broken is the aphorism: Don't write your passwords down. Is there an easy way out?

Once your Googlemail password is stolen, the thief may completely impersonate you. Any offer of solutions?

Nate | Thu, 03 Jan 2013 16:57:21 UTC

As someone else said, disabling accounts means that anyone can go around disabling anyone's account by just entering their username and some bad passwords. Disabling is not the answer... just slow the attacker down. It doesn't even take much. Require a 1-second wait between authentications for the same user. Bam, done. Now even a crappy password will take forever to crack.

You also missed the #1 most common attack vector these days - password databases. Someone hacks into a popular server, gets the hashed passwords of everyone on the machine, and sends their cracker at it directly. There's no website to automatically disable their account now. This is why websites need to use slow hashes that take a long time regardless of what surrounding code you have. scrypt seems to be the reigning champion.

Finally, two factor authentication makes all the password cracking in the world nearly useless. Without the keyfob to my work's VPN, I can tell you my username and password, and you still wouldn't be able to get in. And that's the best kind of security against the kind of attacks most people suffer. Someone might get your password, but that same person is highly unlikely to also get your VPN token or cellphone needed for second factor.
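
The two mitigations this comment argues for, per-user throttling instead of account disabling and a slow hash (scrypt) for the stored credentials, as an added example that is not part of the comment or the original article; the work factors, the in-memory user table and the injectable clock are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import time

# scrypt work factors: N=2**14, r=8, p=1 is a common interactive-login setting
# (assumed here; raise them as hardware allows). 1-second spacing is from the comment.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
MIN_INTERVAL = 1.0


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random 16-byte salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute scrypt with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, digest)


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the throttle can be tested without sleeping
        self._users = {}         # username -> (salt, digest); stands in for the password database
        self._last_try = {}      # username -> time of the last attempt that was actually checked

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'throttled'. The account is never disabled."""
        now = self._clock()
        last = self._last_try.get(username)
        if last is not None and now - last < MIN_INTERVAL:
            return "throttled"   # refused without touching the hash; no DoS via lockout
        self._last_try[username] = now
        record = self._users.get(username)
        if record is None:
            return "denied"
        salt, digest = record
        return "ok" if verify_password(password, salt, digest) else "denied"
```

Throttled attempts do not reset the timer, so a flood of guesses still yields at most one checked guess per second per user while the legitimate user is never locked out.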

Fazal Majid | Wed, 02 Jan 2013 15:35:47 UTC

Disabling an account on repeated login failures is problematic, as it creates a denial of service vector.

Wouter Blom | Wed, 02 Jan 2013 14:43:10 UTC

What do you think of alternatives like authentication using Twitter or OpenID or Facebook?

Only remember one password, which could be complex. And additional authentication (first time in new browser, check of IP address, check what country you are logging in from etc.) and the 2-step verification that Google has implemented?

Dmitriy Likhten | Wed, 02 Jan 2013 14:35:39 UTC

Ideally, we would have the following system:

1) Log in to a dedicated service for authentication

2) Use that service for everything.

This way you are not prey to the Google TOS where Google can disable your account or anything, and there is literally one service to remember to log in with.


Use a password store (what I do). I need a 2-factor to log into it. And furthermore, I don't even know my 32 character random bank password, nor do I care what it is.

But most people don't use password stores, idk why.

© 2018 ACM, Inc. All Rights Reserved.