Slashdot Mirror
Bill Gates Proclaims End of Passwords
KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"
So, years ago, Bill Gates proclaimed the software was better, now he gets back to some hardware key...
But what about biometrics ?
Trolling using another account since 2005.
This has been in Mac OS for awhile... as Keychains... mine is on my USB thumb drive...
Nothing for you to see here, Please move along.
Nice!
This doesn't sound like anything really new to me, I remember logging on to my W2K workstation with a smart card in 2001 if I remember correctly, what's new here (the techworld article didn't want to respond to me so I can't RTFA)?
So how do you 'unlock' the smart card to prove its you (and still you) at the keyboard...???
.NET to quickly build applications.
an PIN number...
a fingerprint...
Authentication is based around something you have (userid/smartcard/finger...) and something you know (password/PIN/....)
No change since the Secuure Single Sign On days of the mid 1990's. All they are doing is bringing it upto date using
Depends on how many patents Microsoft have quietly filed on the technology behind it
Brocklesby Park Cricket Club
Well, considering Sun has been using smart cards for user identification for YEARS, when Solaris 10's source is released under an open source license, open source will have the same capability (well, no need for .NET though).
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
How come there isn't an open source solution already?
If you were blocking sigs, you wouldn't have to read this.
Being a member of MySony, they sent me an email and had me take a short survey, then decided to give me a free "wavecard" which is a Smart card with Felica technology. This is the contactless tech mentioned in the article. It requires software provided by Sony, and since I had the .NET runtimes installed already, I can't tell if .NET is really needed , I can say MS wasn't the first.
- I got my free iPod and a free Nintendo DS....why not
Seriously, who cares about passwords when you can exploit all the flaws MS systems have ?
They'd better fix their software first.
Linux is missing an opportunity. Instead of writing software that insists that passwords be uncrackable, they should be innovating new technologies that make machines insensitive to dictionary attacks, or new technologies like the one described here that does away with the need for having passwords everywhere. Hmm, maybe Bill has some innovation in him afterall....
Laboratree - Scientific collaboration based on OpenSocial.
Reading the Axalto press release they talk about their cards as an additional form of security, not a password replacement. I've used smart cards for a few things and each of them has been protected by a password too. You enter the smart card and are then asked for a PIN to ensure you have the right to be using that smart card. As another poster said, if there's no password all they have to do is get to your wallet if they want to Get Root. Hopefully if we do see an open source implimentation it won't be passwordless!
Isn't the best way to secure data *both* something you have (e.g. key) and something you know (e.g. password)? Something I know is also less likely to get stolen, so long as noone has a keylogger installed on my computer. Last time I checked, it's also a whole lot easier to change my password than it is to change the locks on my doors.
None. Or if they did, Sun Microsystems has been using a similar system for years. Smart card readers are standard equipment on all currently available Sun workstations, and have been for the last 3-4 generations of workstations as well. Sun "deployed" this system at least 4 years ago when it introduced "Sun Rays" back in 2000-2001 timeframe. If MS tried to patent this, Sun is clearly prior art, and if it isn't, it should be construed as simply a logical progression of Sun's system, which means it should not be patentable, but then again, we are talking about people who have let though patents on the wheel in recent years...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Its similar to the national identity card.. What if your card gets stolen. Any idiot can probably use it to connect to all of your accounts, without effort. Even worse, its a very poor idea to base your systems on a completely centralised system like passport authentication. It only takes 1 person at microsoft to trip on a cable then for all of your logins to fail.
.net because unlike a keylogger, the answer wont be obfuscated, you can just monitor the smartcard port, capture all the details sent, and you dont even need the smartcard.. You just emulate the smartcard hardware and fake the connection to the card, easy.
.NET are now mostly gone. This is nothing more then a publicity act that only stops people who tell others their passwords, and even then, they will just be able to borrow the smartcard.
.NET authentication, or you are putting yourself in a terrible position (it costs money anyway, so I think its time us as a programming community should get together and get jabber up to the point the same thing is possible in a decentralised way).
Finally, it offers no protection still. Bill gates is assuming you cant capture the password in memory. It is in fact even easier with
This system offers much less security then now, and the last few drops of respect I had for
Smartcards and MS passport also make a great way of tracking people. No one can tell me that Microsoft wont abuse this to improve their search engine
It will take only 1 more DNS mess-up for everything to fall apart, and is nothing more then a marketting Act. I beg of the mono people to offer a proper decentralised authentication system instead, like one based on jabber where any login method is possible anyway if the server supports the authentication type. PLEASE.. Do not use
Dyslexia finally made sense to me...
www.weberseite.at
Is there no limit to Bill's powers of proclaimations of endings? (Okay, he still has a year to go on the spam, but it'll be ending any moment .. now. Now. Now! Any moment...)
One line blog. I hear that they're called Twitters now.
I actually like my password encrusted life. If I lose it all I have to do request another be emailed. If I forget my email password I just call my provider and anwser a slew of questions to prove my identity. Things are quick. Now, if my wife gets hold of a password "key" of any kind she will just lose it like she loses her ATM card 2-3 times per year. No thanks.
"Capital punishment makes the state into a murderer. Imprisonment makes the state into a gay dungeon-master"
1 billion GSM subscribers are using smart cards.
You may recall that RMS was strongly against passwords. We don't have to agree with everything he say or does - just the good stuff.
You can always get a new smartcard, you can't get new fingerprints (or retinas, or whatever).
HAND.
See this page:
http://www.ibutton.com/ibuttons/java.html
I've had one of these Java-powered iButtons since 2001. If you have the PKI in place it's a very easy technology to use. If you don't, it just gives you bragging rights in the my-computer-is-smaller wars.
Both good.
Phil
I guess today is a passable day to die.
And it was called the "Java Ring"?
End of passwords? Umm, so, what is the other factor then?
Cig? No, thank you.
Newer US Military ID cards (~last 2 years)have a 'chip' in them that allow instant login to DOD computer systems. It also stores the user's medical records.
I can't RTFA (it's been slashdotted), but this makes lots of sense, and there *are* open source solutions to this, like public/private key pairs in OpenSSH. I do need to know a passphrase to unlock my key, but then I can log in to a number of different machines with it. In fact, I have my machines set up to not accept password logins except at the console, remote users *must* use key pairs.
Currently I keep a key on my desktop machine and another one on my laptop, but if I was worried that those would be stolen I could switch to a USB key.
you, like many others, assume that all criminals are psychos and will stop at nothing to commit a crime.
that is bullshit. a large ammount of crime is opprtunistic. if you leave your window open, they'll climb in. if you close it, they might smash it IF the house is empty and secluded. but it's not an arms race. if you install CCTV and alarms, they don't come back dressed in black with night vision goggles and a set of expensive tools to disable your security, they just go next door to the guy who HAS left his window open.
Hardware security solutions require software to work, software can be cracked, therefore hardware solutions don't work.
Look at dongles and other systems, they tend to be cracked. As long as you can snoop what's going on in the PC you can generally find a way of reading and injecting the required code.
Also what happens if your server in another country goes down and you can't get an engineer to sort it out as there's no local smartcard? why you use remote login with a smartcard. Therefore your access code will be sent down the Internet/VPN.
Bill needs to do some proper R&D instead of spouting obvious potential developments.
It's simple, here we go:
I predict the end of magnetic media.
The mouse will be replaced.
We will get tables where the whole surface is a touchscreen.
Keyboards with changing key caps, the keys alter to suit the application.
etc..
The local Air Force base here went to full implementation of smart cards for logins (the cards double as their building IDs). It was a debacle...they were recognized by the readers about 20% of the time, and misread another 60%. They finally modified the login to allow them to Cancel the smart card scan and log in manually while they slinked off in defeat.
Mutant Freaks of Nature: "Frighteningly Addictive"
Axalto has developed a Java-based version of this card, too.
This post is displayed with recycled electrons
A classic case of Billy boy announcing something everyone else has. I saw a demo by Sony about 2.5 years ago now which demonstrated smart card + biometrics as an authentication mechanism.
Something like 98% of the world's new smart cards run Java as their programming language, and there are defined standards for security around it. This stuff is already being used in the wild, for instance by the DoD. Oh and if you have one of those "Blue" or clear Amex credit cards... its running Java too.
Or of course you could wait for Longhorn.
In terms of open source, you can do this in Java (which is published and the source is accessible), today.
I love Microsoft, "yesterday's technology, tommorow".
An Eye for an Eye will make the whole world blind - Gandhi
As usual, Gates has decided that the lowest common denominator of sophistication will dumb down computing for everyone. I don't want to have to carry around a smartcard, or anything else. Who wants to find their smartcard somehwere in their apartment early in the morning to check their email before their cup of coffee? Who wants their girlfriend to "borrow" it to check that email before that cup of coffee, before they wake up? How much identity theft will be perpetuated in the name of Gates' "convenience"?
The best access solution is a combination of HW token, biometrics and password. Two out of three should gain access to all but root, sending a message to the administrator (possibly attaching a picture, voiceprint and GPS). Too bad for Gates that this security architecture makes a mobile "phone" the best gatekeeper to cyberspace, where his Windows monopoly is most under threat. Too bad for us that his monopoly is in a position to derail even that engine of progress, making mobile phones as much a mess as Windows. Someone stop him before he destroys yet another dream of freedom!
--
make install -not war
What happens when you use your card on a PC that's pwn3d by dozens of pieces of spyware? Does the card use VPN or some kind of encryption wrapper that protects the link between the card and the other end even from a haxored PC?
One line blog. I hear that they're called Twitters now.
Something you have, something you know.
'Something you are' is just another form of 'something you have'. The limitation of biometrics is that 'something you are' cannot easily be decommissioned and reissued if it has been compromised.
The key to good security is to have the strength and number of controls increase as the value of the protected contents increases. A password alone may be perfectly appropriate to protect low value content.
Pluggable Authentication Modules Want a new method of authentication? Just write a PAM module!
Smart Card Module for J2SE:
http://www.gemplus.com/smart/r_d/publications/pdf/ GG00jaas.pdf
Cheers,
Tyler
So it is an arms race. Just not with the criminal, but with your neighbour.
Be wary of any facts that confirm your opinion.
...but predicting the future isn't one of them. He does have a talent for molding the present to suit him, but he's more miss than hit when it comes to being an oracle of progress.
He's of course thinking about public/private keys and such, but they're overkill for almost all web-based applications that don't require money. Do you really want to use a public/private keyshare to log on to like, well for example Slashdot, just so you can post how wrong Bill Gates is?
I know I wouldn't. Fhew!
Luck favors the prepared, darling.
Dictionary attacks were difficult in the olden days, because password hashes were expensive to compute (on the order of a second each). Hardware has caught up, so that hundreds of candidates can be tested per second.
Password strengthening is a scheme that adds a significant amount of random salt to the password. To use the password, you have to brute force the salt. This slows down legitimate authentication, but it also slows down a dictionary attack.
Stretching is a special case of this scheme that uses repeated hashing, instead of random salt. Instead of storing the hash of a password, store the hash after a couple thousand iterations. If the algorithm is good, there is no shortcut to the end hash value.
If it hasn't been done already, I imagine it would be a simple matter to implement as a PAM module.
It's in the archive
Nope, this won't end passwords. For security, you have the following 3 options: something you have (smart card, signature), something you know (password, passphrase, PIN) and something you are (fingerprint, retina scan). For non-vital information (your hotmail account), choose one. For important information (medical, financial) choose two. For vital information (mission-critical applications, firing mechanisms, creating a will) use all 3.
Full-Featured GPL Web Hosting Control Panel
I once talked to representatvies of a vendor/integrator of cryptographic smartcards.
;-)
I also talked about Linux/OpenSource with them and it's not that they hate Linux and love MSFT - it's just that for any serious use (read: digital signatures, use of the smart-card instead of your written signature), any "applets", any application, and any hardware has to be "certified" for a specific platform.
With this certification-process, the vendor testfies that the software and hardware work as advertised and no "unpleasant surprises" happen.
Unfortunately, this is time-consuming and thus very expensive - and must be re-done for every platform. Naturally, smartcard-vendors only certify for the platforms where they have sufficient demand (XP, W2K).
About the only chance that something like this is going to come to the OSS-world is that someone is putting forward a lot of money and essentially pay the vendor for the certification.
In Europe, usually the taxpayer does something like this, but in slashdot's home-country, I hear that the government spending money for "the common good" has recently escaped the mind of the general public who instead believes in privatization, tax-cuts and "trickle down".
You can probably imagine when such a thing will "trickle down" onto OpenSource-software
cheers,
Rainer
Windows 2000 - from the guys who brought us edlin
yeah, he's made a lot of proclamations.
Find a job you like and you will never work a day in your life.
One of the assumptions of a smart card solution (or a USB solution or a biometrics solution) is that the user has access to a computer that supports such a solution. In my business, I deal with mobile professionals that use many computers and other devices, many of which they do not control and could not install hardware or software on to support those types of authentication tokens, even if they were technically capable of it. For those types of applications, standalone keyfob type tokens (Secure Computing, RSA, etc.) still seem to be the best choice.
Instead of using plain card authorization, I'm using third party software from inflexpoint, which offers usb key login.
This software allows me to embed user accounts to certain usb mass storage and if the usbkey is removed from the port, the machine automatically logs out current user and refuses to login another unless the correct drive assigned to the account is connected to the machine.
In addition to the token+password login, I'm using the EFS which is built-in to xp, which encrypts all my files with aes-256 on the fly.
Only downside is that currently the software doesn't support domain logins properly, so I have to manually mount all network drives but that's rather small annoyance for the cheap security it provides.
There are no atheists when recovering from tape backup.
... or "Bill Gates Declares"
translation:
Bill Gates has some new thing he wants to sell, which might be able to replace some tried-and-true technology.
Linux already has this sort of technology, it is even interoperable with Windows, Solaris, UNICOS and AIX. It is called Kerberos.
To E-mail me, replace the first period in my domain with an @
Take a piece of paper and a paper envelope. Write your password onto the piece of paper and put it into the envelope. This provides the exact same security as a smartcard.
No it doesn't. There is no way of breaking the envelope and retrieving the passphrase. Smartcards (at least the ones I encountered) work by cryptographic challenges (think SSH key auth). The private key is stored on the card, and only/i> on the card. It is also locked by a PIN. Even with the PIN, you cannot retrieve the key: The crypto secret stays completely inside the card, and if your cardreader has got a numeric keypad, the PIN as well won't even leave the combo card/cardreader. The reader I got here for HBCI banking is also sealed by the company to avoid manipulation.
Life is just nature's way of keeping meat fresh.
Most of the French crypto restrictions were removed in 1999. E.g. see http://www.sobco.com/nww/1999.edited/04-crypto.htm l
and some of the other articles found by googling for "france encryption restrictions relaxed" or similar
A group of students are working on a neural net project. It comes time to decide what weight to put on the initial connections. One student says, "Set them all to 0 to start." Another student says, "No, that will introduce bias. We should set them all randomly." The smart professor replies, "You'll still have bias, only you won't know what it is."
:-)
So to Mr. Gates I'd like to reply: You'll still have a password, only you won't know what it is. Makes sense from a "security through obscurity" standpoint, though!
Im doing a uni course on security at the moment..
What they are teaching is that there are three main type of authentication:
Something you have - A smartcard, something physical.
Something you are - a fingerprint, biometrics.
Something you know - a password in ya head.
The whole idea is that you combine these for stronger protection.
To say that passwords are towards the end of their life is like saying they (M$) will be ignoring one possible type of authenitication. Sure you can just use smart cards, but its always better to have a combo of types and passwords are still handy to add that extra layer.
Live in your skin. Keep changing the scenery.
Smart cards are a good thing for multifactor identification -- if you have not only the username and password but also a smartcard, authenticity is pretty good. Toss in a biometric and you can be almost certain of who's logging in.
But a common pickpocket can take your smart card, and if you don't realize right away (or can't report it quickly enough) you won't get it deactivated in time to prevent compromise. Coupled with a password, though, the amount of time needed to break a decent password will give you the time you need to change out the card anyhow.
Comment removed based on user account deletion
No matter how bad a piece of his company's technology is - I'm refering to the desaster that was the original passport which was hacked with remarkable speed and spurned by the industry almost unanimoulsy - the man just does not give up. Every time he launches yet another piece of drivel guaranteed to fail, he simply puts it back in the marketing department which is tasked with bringing it back at some later date under another name with one or two improvements, which they will keep on doing in an endless loop until, even if its ten years later, it finally gains traction.
When I was in college, a guy I knew was working on a software authentication scheme for this senior project. Here is how it works. As a new account, you select your user name. You go through a login trainer session, where you have to type that login name about 10 times, while it reads and stores the time intervals between the characters you enter. If you haven't established a certain degree of consistency, it will ask you to enter it a few more times. So that parameter of the natural rhythm with which you type your login name is stored in the system as your "password".
So that sounds like it wouldn't work, right? People know your username so they can duplicate your login, right? Actually, it was really tight. He already had a working version that we all(in the senior design project class) got to try. We never could fool the thing. You could tell someone what your login name was and they would try and try and never could successfully login as you. The main reason this works is that you are typing your own name. If it were a generic word that most people don't have to type very often, there would probably be a lot more similarity in the way different people type it and the system wouldn't work well, but being your own name that you are used to typing, there is some muscle-memory developed that makes it flow out effortlessly and consistently, which no one else can match.
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
One of the things such sensors check for is blood flow. So naturally they'll just have to kill you afterwards, but you won't be needlessly mutilated.
Yes. Some biometric sensors can be tricked with dead tissue or a photocopied fingerprint, but the good ones detect life signs. (This is the case for both good fingerprint sensors, reading electric impulses instead of light, and retinal scans that measure blood flow.)
Some sensors are even active, checking how the body reacts to stimuli, for example how the iris reacting to light, comparing it with a recorded sample.
Irene KHAAAAAAN!
Anything so entrenched can never be said to be heading the way of the Dodo. Things last, for better for for worse, things stick around:
floppy disks
command line interface (if this dies, I quit computers)
serial ports(also, on my own list)
ps/2 keyboards and mice
analog modems
Technically, all of these can be replaced, but they haven't been, for one reason or another, they still exist. You cannot dictate change in this industry, you just sort of have to create oppurtunity for change, and flow with it.
From the other side, people use floppies, people use their favorite keyboard into keyboard death, then buy the same one as a replacement. People hate passwords. No one who writes the admin password for their xp box on a postit note under the keyboard will ever miss passwords. If people find it easier, they might switch. But don't bet too much on it. Not that you venture capitalists will listen.
I'm pretty sure passwords will end up on that list someday and I will personally stand in the way of their demise. Why? Because I do not trust PKI's, especially dotNet.
--Nuintari
slashdot : where an opinion can be wrong.
The underside of everyone's tongue is different. I verified this using basic research techniques over a series of weekends while I was in college. After obtaining a more permanent research assistant, I was unable to proceed with further "comparison-" however, I do encourage others to carry on my work in the spirit of cooperative science.
The beauty of this approach is that you could integrate the tongue reader with the computer's mouse. The user would insert his/her into an opening in the underside of the mouse, a laser light would illuminate the pattern of veins, and the resulting image would be captured and compared against the security database. The process is as simple as licking the filling out of a custard donut. In fact, in some companies I have worked for the users are so simple that care would be needed to ensure that they could tell the difference between a custard donut and a tongue reader or problems might occur. Utter panic ensues as user authentication fails at Dunkin' Donuts Wi-Fi access points... Well, you get the idea.
For those users on a low-carb diet, the process can be described as similar to that used for another research project I conducted while in college. One advantage of the tongue-reader biometric system is that computer mice, like research assistants, are much more responsive when properly lubricated. Some other method might be necessary when dealing with portable computers. Perhaps it would be possible to integrate a tongue reader with the touch-pad pointing device. Obviously, this would favor users with the ability to lick their own laptops. But isn't that already the case for much of life?
And in case anyone is wondering, yes this IS a tongue-in-cheek post.
I think smart cards are the right way. Get the normal cryptoflex 32k egate card with a token connector, install openct and opensc (both http://www.opensc.org/), and use the opensc pam module for login, openssh for remote authentication, mozilla or firebird with the opensc pkcs#11 module for email signing and decryption, the opensc tools for initializing the card and diagnostics, openssl with the pkcs11 engine to create signed certificates, and so on.
:-)
you don't need microsoft to do that. opensc is available for linux and friends, mac os X and windows, and a CSP for windows is under development.
opensc supports cryptoflex, cyberflex, gemplus pk, siemens card os, telesec tcos, micardo, setec, ibm jcop, oberthur and openpgp smart cards. also the finnish, swedish, estonian and italian id cards are supported with full source code, the spanish linux user group has a special version with support for the spanish id card using a binary only plugin.
also note that opensc does not use a propriotory on card format (like most commercial alternatives), but implements the pkcs#15 standard.
disclosure: I'm one of the developers, doing some advertisement here