Slashdot Mirror
Bill Gates Proclaims End of Passwords
KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"
So, years ago, Bill Gates proclaimed the software was better, now he gets back to some hardware key...
But what about biometrics ?
Trolling using another account since 2005.
This has been in Mac OS for awhile... as Keychains... mine is on my USB thumb drive...
Nothing for you to see here, Please move along.
This doesn't sound like anything really new to me, I remember logging on to my W2K workstation with a smart card in 2001 if I remember correctly, what's new here (the techworld article didn't want to respond to me so I can't RTFA)?
Being a member of MySony, they sent me an email and had me take a short survey, then decided to give me a free "wavecard" which is a Smart card with Felica technology. This is the contactless tech mentioned in the article. It requires software provided by Sony, and since I had the .NET runtimes installed already, I can't tell if .NET is really needed , I can say MS wasn't the first.
- I got my free iPod and a free Nintendo DS....why not
I actually like my password encrusted life. If I lose it all I have to do request another be emailed. If I forget my email password I just call my provider and anwser a slew of questions to prove my identity. Things are quick. Now, if my wife gets hold of a password "key" of any kind she will just lose it like she loses her ATM card 2-3 times per year. No thanks.
"Capital punishment makes the state into a murderer. Imprisonment makes the state into a gay dungeon-master"
Hardware security solutions require software to work, software can be cracked, therefore hardware solutions don't work.
Look at dongles and other systems, they tend to be cracked. As long as you can snoop what's going on in the PC you can generally find a way of reading and injecting the required code.
Also what happens if your server in another country goes down and you can't get an engineer to sort it out as there's no local smartcard? why you use remote login with a smartcard. Therefore your access code will be sent down the Internet/VPN.
Bill needs to do some proper R&D instead of spouting obvious potential developments.
It's simple, here we go:
I predict the end of magnetic media.
The mouse will be replaced.
We will get tables where the whole surface is a touchscreen.
Keyboards with changing key caps, the keys alter to suit the application.
etc..
What happens when you use your card on a PC that's pwn3d by dozens of pieces of spyware? Does the card use VPN or some kind of encryption wrapper that protects the link between the card and the other end even from a haxored PC?
One line blog. I hear that they're called Twitters now.
...but predicting the future isn't one of them. He does have a talent for molding the present to suit him, but he's more miss than hit when it comes to being an oracle of progress.
He's of course thinking about public/private keys and such, but they're overkill for almost all web-based applications that don't require money. Do you really want to use a public/private keyshare to log on to like, well for example Slashdot, just so you can post how wrong Bill Gates is?
I know I wouldn't. Fhew!
Luck favors the prepared, darling.
Dictionary attacks were difficult in the olden days, because password hashes were expensive to compute (on the order of a second each). Hardware has caught up, so that hundreds of candidates can be tested per second.
Password strengthening is a scheme that adds a significant amount of random salt to the password. To use the password, you have to brute force the salt. This slows down legitimate authentication, but it also slows down a dictionary attack.
Stretching is a special case of this scheme that uses repeated hashing, instead of random salt. Instead of storing the hash of a password, store the hash after a couple thousand iterations. If the algorithm is good, there is no shortcut to the end hash value.
If it hasn't been done already, I imagine it would be a simple matter to implement as a PAM module.
One of the assumptions of a smart card solution (or a USB solution or a biometrics solution) is that the user has access to a computer that supports such a solution. In my business, I deal with mobile professionals that use many computers and other devices, many of which they do not control and could not install hardware or software on to support those types of authentication tokens, even if they were technically capable of it. For those types of applications, standalone keyfob type tokens (Secure Computing, RSA, etc.) still seem to be the best choice.
We already have this for net banking. My debit card has a chip on it (which is also used for stored value smart card stuff) and to authenticate to the banks website, I use a reader supplied by the bank.
The process works like this:
Using basic public key signing, the bank now knows that it's me. In accordance with good crypto practice, all the security is in the key so I can use anyone's widget for the operation. Since it's a separate widget, I don't even have to trust my computer not to steal the pin - the computer only gets to see the one time challenges and responses
Instead of using plain card authorization, I'm using third party software from inflexpoint, which offers usb key login.
This software allows me to embed user accounts to certain usb mass storage and if the usbkey is removed from the port, the machine automatically logs out current user and refuses to login another unless the correct drive assigned to the account is connected to the machine.
In addition to the token+password login, I'm using the EFS which is built-in to xp, which encrypts all my files with aes-256 on the fly.
Only downside is that currently the software doesn't support domain logins properly, so I have to manually mount all network drives but that's rather small annoyance for the cheap security it provides.
There are no atheists when recovering from tape backup.
Smart cards are a good thing for multifactor identification -- if you have not only the username and password but also a smartcard, authenticity is pretty good. Toss in a biometric and you can be almost certain of who's logging in.
But a common pickpocket can take your smart card, and if you don't realize right away (or can't report it quickly enough) you won't get it deactivated in time to prevent compromise. Coupled with a password, though, the amount of time needed to break a decent password will give you the time you need to change out the card anyhow.
Comment removed based on user account deletion
When I was in college, a guy I knew was working on a software authentication scheme for this senior project. Here is how it works. As a new account, you select your user name. You go through a login trainer session, where you have to type that login name about 10 times, while it reads and stores the time intervals between the characters you enter. If you haven't established a certain degree of consistency, it will ask you to enter it a few more times. So that parameter of the natural rhythm with which you type your login name is stored in the system as your "password".
So that sounds like it wouldn't work, right? People know your username so they can duplicate your login, right? Actually, it was really tight. He already had a working version that we all(in the senior design project class) got to try. We never could fool the thing. You could tell someone what your login name was and they would try and try and never could successfully login as you. The main reason this works is that you are typing your own name. If it were a generic word that most people don't have to type very often, there would probably be a lot more similarity in the way different people type it and the system wouldn't work well, but being your own name that you are used to typing, there is some muscle-memory developed that makes it flow out effortlessly and consistently, which no one else can match.
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
Anything so entrenched can never be said to be heading the way of the Dodo. Things last, for better for for worse, things stick around:
floppy disks
command line interface (if this dies, I quit computers)
serial ports(also, on my own list)
ps/2 keyboards and mice
analog modems
Technically, all of these can be replaced, but they haven't been, for one reason or another, they still exist. You cannot dictate change in this industry, you just sort of have to create oppurtunity for change, and flow with it.
From the other side, people use floppies, people use their favorite keyboard into keyboard death, then buy the same one as a replacement. People hate passwords. No one who writes the admin password for their xp box on a postit note under the keyboard will ever miss passwords. If people find it easier, they might switch. But don't bet too much on it. Not that you venture capitalists will listen.
I'm pretty sure passwords will end up on that list someday and I will personally stand in the way of their demise. Why? Because I do not trust PKI's, especially dotNet.
--Nuintari
slashdot : where an opinion can be wrong.
That brings us to a far better idea.
Genital-prints! Everyone hoo-ha and wingwang are unique, like snowflakes. The wrinkles, bumps, and lumps we all love so much can protect us from identity thieves!
i use linux and windows oh god how can i have an opinion
You love this phrase, "security through obscurity". I've never met a security expert who would consider dual private key challenge response encryption schemas security through obscurity
That's funny, because I've never met an actual security expert who didn't understand that all security is based on obscurity (i.e., it's the very nature of keeping things secret). I guess we must know very different manner of experts, but I must say your talk doesn't instill me with confidence in yours being able to get the job done right. If it seems I use the "security through obscurity" phrase more than necessary, it's because it is a favorite on Slashdot and I'm not above pandering to the crowd. The key difference, though, is that the obscurity that people around here harp on is kind that leaves unintended access holes, not the kind that are understood imperfections.
Deployed smartcard authentication systems are generally only vulnerable to key spoofing (which is a failure of the algorythm behind the authentication, NOT of the key storage mechanism) and vulnerable to physical decoding if the card is stolen, a point which even the PR guys in most smartcard vendors will stipulate. Are they perfect? No. But there exists no perfect security system in the IT world.
Right, which is why you shouldn't be so aggressively trying to defend smart cards when in reality they offer little beyond what a manual one-time password offers, yet come with oh-so-many-more holes. It's like you're trying to argue that a fair algorithm is better than a shitty one-time pad, so people should stop using pads. That might be convincing to people without real secrets to protect, but I know bettter, and I'll take a fair one-time pad over any shitty smart card, and I have to assume it's shitty because the operation is usually completely black boxed.
So let me rephrase what I said before - Given proper implementation, I KNOW its a level of security far above and beyond simple passwords.
That is by no means a given, and that is why I consider your viewpoint to be so dangerous.
But it is a battle-tested approach that's been very successful in deployment, and continues to be a favored system of authentication at the NSA and the Pentagon, two institutions who've spent quite a bit more brain cycles thinking about this problem then I'm sure you or I have.
More importantly, they're the types of organizations that don't take anything as a given. If they use a smart card, you can damn well bet it is built to their specification. The rest of us are stuck with off-the-shelf stuff we really, really can't trust if we want to be honest about a system's security.