Moore´s curse on textual passwords

Background: Passwords are still the predominant way of authentication in information systems, and are mostly at user´s responsibility. They conceive, use, re-use, abuse and forget passwords. In absence of strict password policies and at minimum required user training, passwords tend to be short, easy to remember, connected to the user´s personal or professional life and consequently easy to break. The additional problem with passwords is their aging: Moore´s law is affecting the available computing power to crack passwords and those deemed secure today may easily be broken in the near future. Objective: The aim of this paper is to study various scenarios of the effect the Moore´s law is having on passwords and their security. In addition, advancements in other fields, e.g. quantum computing and Internet of Things, are taken into the account. Method: We analyzed various password types and the lengths required to withstand an off-line brute-force attack. The analysis was performed under various scenarios and combinations thereof: the Moore´s law will continue to be in the effect for years to come with varying parameters, quantum computing will become feasible, improvements in hash tables computations will speed up the cracking process, and others. Results: The paper shows the minimum password length in characters for each password type under various scenarios. Even the most optimistic scenario shows that the minimum required password length today should be of 11 randomly drawn characters, rendering most of the passwords inappropriate due to their poor memorability. Conclusion: The current textual passwords are cursed by the Moore´s law and other advancements in the field. Soon, classical textual passwords will need to be replaced by other mechanisms, which are, fortunately, already emerging.