Your password can now be as short as you like and still be secure

SHORT passwords can be made as safe as more convoluted ones thanks to a new digital protocol that makes them impossible to crack. The protocol could be used with wireless devices such as cellphones.

Long passwords are difficult to remember, so most people tend to use short words like a pet's name. But short passwords are easily cracked simply by running through all the combinations with a high-speed computer.

To get around this problem, Rafail Ostrovsky at Telcordia Technologies in New Jersey and Jonathan Katz at Columbia University in New York have devised a simple scheme to make short passwords almost foolproof. Their protocol uses mathematical functions to convert a short password into a more complicated one.

If you want to check your bank account over the Internet, for example, you tap in your password. Your computer then uses a mathematical function to transform the password into a longer string. The protocol takes bits of this string and another mathematical function creates a new string that it sends to the bank. The bank performs the reverse mathematical operation on the message, checks the result with the password on its files and replies confirming your identity.

The strength of the system is that the password is never transmitted and the mathematical functions do not have to be kept secret because they can't be solved in reverse without knowing the answer. "The mathematics are based on an existing problem that has so far never been solved, so the system is very secure," says Katz, who is due to present the scheme this week at the Eurocrypt 2001 meeting in Innsbruck, Austria. However, the password will have to be set up in person when opening a bank account.

"This research provides the first highly efficient solution that is rigorously proven to be secure," says Oded Goldreich, a cryptographer at the Weizmann Institute of Science in Rehovot, Israel.

Catherine Zandonella