Slashdot Mirror


Bill Gates Proclaims End of Passwords

KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"

16 of 488 comments (clear)

  1. So now instead of torturing me... by SoTuA · · Score: 4, Insightful
    ... to get me to confess my password, all they have to do is get my wallet?

    Nice!

  2. Passwords? What for ? by yogikoudou · · Score: 3, Insightful

    Seriously, who cares about passwords when you can exploit all the flaws MS systems have ?
    They'd better fix their software first.

  3. Re:hard and soft by judmarc · · Score: 5, Insightful

    Think about this before assuming biometrics is the answer:

    • If someone steals an impression or picture of your fingerprint
    • If someone hacks the database linking your fingerprint or eyescan to your access authorizations for bank accounts, work, etc.

    - then how do you get your identity back?

  4. Correct me if I'm wrong, but. . . by UFNinja · · Score: 3, Insightful

    Isn't the best way to secure data *both* something you have (e.g. key) and something you know (e.g. password)? Something I know is also less likely to get stolen, so long as noone has a keylogger installed on my computer. Last time I checked, it's also a whole lot easier to change my password than it is to change the locks on my doors.

  5. I think this is the wrong approach by auzy · · Score: 3, Insightful

    Its similar to the national identity card.. What if your card gets stolen. Any idiot can probably use it to connect to all of your accounts, without effort. Even worse, its a very poor idea to base your systems on a completely centralised system like passport authentication. It only takes 1 person at microsoft to trip on a cable then for all of your logins to fail.

    Finally, it offers no protection still. Bill gates is assuming you cant capture the password in memory. It is in fact even easier with .net because unlike a keylogger, the answer wont be obfuscated, you can just monitor the smartcard port, capture all the details sent, and you dont even need the smartcard.. You just emulate the smartcard hardware and fake the connection to the card, easy.

    This system offers much less security then now, and the last few drops of respect I had for .NET are now mostly gone. This is nothing more then a publicity act that only stops people who tell others their passwords, and even then, they will just be able to borrow the smartcard.

    Smartcards and MS passport also make a great way of tracking people. No one can tell me that Microsoft wont abuse this to improve their search engine

    It will take only 1 more DNS mess-up for everything to fall apart, and is nothing more then a marketting Act. I beg of the mono people to offer a proper decentralised authentication system instead, like one based on jabber where any login method is possible anyway if the server supports the authentication type. PLEASE.. Do not use .NET authentication, or you are putting yourself in a terrible position (it costs money anyway, so I think its time us as a programming community should get together and get jabber up to the point the same thing is possible in a decentralised way).

  6. Um... no? by warrax_666 · · Score: 5, Insightful
    The same applies for a smartcard, doesn't it ?

    You can always get a new smartcard, you can't get new fingerprints (or retinas, or whatever).
    --
    HAND.
  7. The obvious question by Black+Noise · · Score: 3, Insightful

    End of passwords? Umm, so, what is the other factor then?
    Axalto's new .NET-based smart card is both a great solution to bring strong, two-factor authentication to the enterprise as well as yet another way for .NET developers to take advantage of their skills and code.
    --

    Cig? No, thank you.
  8. Re:.NET? by rokzy · · Score: 3, Insightful

    you, like many others, assume that all criminals are psychos and will stop at nothing to commit a crime.

    that is bullshit. a large ammount of crime is opprtunistic. if you leave your window open, they'll climb in. if you close it, they might smash it IF the house is empty and secluded. but it's not an arms race. if you install CCTV and alarms, they don't come back dressed in black with night vision goggles and a set of expensive tools to disable your security, they just go next door to the guy who HAS left his window open.

  9. Re:hard and soft by wertarbyte · · Score: 4, Insightful

    The same applies for a smartcard, doesn't it ?

    No, it doesn't. If your smart card gets compromised, destroy it and get a new card with a new key. If someone manages to steal your fingerprint, you cannot change the media or key you authenticate with: The person did not only steal a material token that is linked to your identity, an unchangable characteristic that should be uniquely assigned to you now is not referring only to your person, someone literally stole your identity; To the ATM machine, he's not only the one in posession of your ATM card anymore: He is you.

    --
    Life is just nature's way of keeping meat fresh.
  10. Re:.NET? by ComaVN · · Score: 4, Insightful

    So it is an arms race. Just not with the criminal, but with your neighbour.

    --
    Be wary of any facts that confirm your opinion.
  11. Re:hard and soft by Kjella · · Score: 5, Insightful

    I never figured out why you can't use the same system as you do with passwords. Password, hash and *drumroll* salt. No, not NaCl, crypthographic salt.

    If compromised, get a new device with a new salt. It is basicly like a new identity (you'd have to revalidate with every authentication you had). If the perp just got your salted code, it is worthless. If he got your fingerprint, he still needs to get your new device to get a valid biometric/salt *pair*.

    Now top it off with a PIN, and you have the holy grail. Something you are, something you have, something you know. Use any subset which is enough. In most cases, what you are/have (fingerprint/salt) should be enough. It'd certainly raise the bar another notch or two.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  12. passwords will never go away by 241comp · · Score: 5, Insightful

    Nope, this won't end passwords. For security, you have the following 3 options: something you have (smart card, signature), something you know (password, passphrase, PIN) and something you are (fingerprint, retina scan). For non-vital information (your hotmail account), choose one. For important information (medical, financial) choose two. For vital information (mission-critical applications, firing mechanisms, creating a will) use all 3.

  13. Reminds of of an old AI story by droleary · · Score: 5, Insightful

    A group of students are working on a neural net project. It comes time to decide what weight to put on the initial connections. One student says, "Set them all to 0 to start." Another student says, "No, that will introduce bias. We should set them all randomly." The smart professor replies, "You'll still have bias, only you won't know what it is."

    So to Mr. Gates I'd like to reply: You'll still have a password, only you won't know what it is. Makes sense from a "security through obscurity" standpoint, though! :-)

  14. 3 different types... by xxx_Birdman_xxx · · Score: 3, Insightful

    Im doing a uni course on security at the moment..
    What they are teaching is that there are three main type of authentication:
    Something you have - A smartcard, something physical.
    Something you are - a fingerprint, biometrics.
    Something you know - a password in ya head.

    The whole idea is that you combine these for stronger protection.

    To say that passwords are towards the end of their life is like saying they (M$) will be ignoring one possible type of authenitication. Sure you can just use smart cards, but its always better to have a combo of types and passwords are still handy to add that extra layer.

    --
    Live in your skin. Keep changing the scenery.
  15. Re:hard and soft by sporty · · Score: 3, Insightful

    Or like me, someone who has a cut on their thumb that left a scar on their thumb. If this was during usage of a biometric system, I've just lost my password!

    --

    -
    ping -f 255.255.255.255 # if only

  16. Re:Man in the middle attacks? by pesc · · Score: 3, Insightful

    What happens when you use your card on a PC that's pwn3d by dozens of pieces of spyware? Does the card use VPN or some kind of encryption wrapper that protects the link between the card and the other end even from a haxored PC?

    A smart card contains a microprocessor that can sign stuff that the PC send to it. It contains a secret private key for signing that never leaves the silicon, so no PC can get at it.

    The viruses can't steal the identity in the smart card. The smart card will happily prove its identity to the viruses. The important thing to understand is that while the smart card can prove its identity, it can't prove that its owner is actually at the keyboard or that the IE session withdrawing funds is run by a human in charge of the transactions... There are smart cards with built-in keyboard/display for that. Or you use a Palladium PC...

    --

    )9TSS