Slashdot Mirror


Bill Gates Proclaims End of Passwords

KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"

44 of 488 comments

  1. hard and soft by mirko · · Score: 4, Interesting

    So, years ago, Bill Gates proclaimed the software was better, now he gets back to some hardware key...
    But what about biometrics?

    --
    Trolling using another account since 2005.
    1. Re:hard and soft by judmarc · · Score: 5, Insightful

      Think about this before assuming biometrics is the answer:

      • If someone steals an impression or picture of your fingerprint
      • If someone hacks the database linking your fingerprint or eyescan to your access authorizations for bank accounts, work, etc.

      - then how do you get your identity back?

    2. Re:hard and soft by darth_linux · · Score: 5, Funny

      Bill's right, though. He knows if you use M$ products you don't need passwords. You'll still get 0wn3d.

      --
      Power to the Penguin!
    3. Re:hard and soft by wertarbyte · · Score: 4, Insightful

      The same applies for a smartcard, doesn't it?

      No, it doesn't. If your smart card gets compromised, destroy it and get a new card with a new key. If someone manages to steal your fingerprint, you cannot change the media or key you authenticate with: the person did not only steal a material token that is linked to your identity; an unchangeable characteristic that should be uniquely assigned to you now no longer refers only to your person. Someone literally stole your identity. To the ATM machine, he's not only the one in possession of your ATM card anymore: he is you.

      --
      Life is just nature's way of keeping meat fresh.
    4. Re:hard and soft by Kjella · · Score: 5, Insightful

      I never figured out why you can't use the same system as you do with passwords. Password, hash and *drumroll* salt. No, not NaCl, cryptographic salt.

      If compromised, get a new device with a new salt. It is basically like a new identity (you'd have to revalidate with every authentication you had). If the perp just got your salted code, it is worthless. If he got your fingerprint, he still needs to get your new device to get a valid biometric/salt *pair*.

      Now top it off with a PIN, and you have the holy grail. Something you are, something you have, something you know. Use any subset which is enough. In most cases, what you are/have (fingerprint/salt) should be enough. It'd certainly raise the bar another notch or two.

      Kjella

      --
      Live today, because you never know what tomorrow brings
    5. Re:hard and soft by JavaLord · · Score: 4, Funny

      Except, in many cases, "0wn3d" will mean that someone cuts off your thumb. That's a pleasant thought.

      So in Saudi Arabia, if you are caught stealing you will lose your password too! Or do they let you keep your hands after they cut them off?

    6. Re:hard and soft by Badfysh · · Score: 5, Funny
      or find that paper where you've written them all down

      NEVER stick your password post-it on the monitor! It goes under the keyboard...

      --

      I was conned by an old man in a cloak. It turns out those *were* the droids I was looking for.

    7. Re:hard and soft by sporty · · Score: 3, Insightful

      Or like me, someone who has a cut on their thumb that left a scar on their thumb. If this was during usage of a biometric system, I've just lost my password!

      --

      -
      ping -f 255.255.255.255 # if only

  2. Hmmmm.... by keeleysam · · Score: 5, Interesting

    This has been in Mac OS for awhile... as Keychains... mine is on my USB thumb drive...

    --
    Nothing for you to see here, Please move along.
    1. Re:Hmmmm.... by isaaccp · · Score: 5, Informative

      Also available in Linux, check the USB PAM module: http://lists.debian.org/debian-mentors/2004/02/msg00143.html

  3. So now instead of torturing me... by SoTuA · · Score: 4, Insightful
    ... to get me to confess my password, all they have to do is get my wallet?

    Nice!

    1. Re:So now instead of torturing me... by Trurl's Machine · · Score: 4, Funny

      ... to get me to confess my password, all they have to do is get my wallet?

      Enjoy before you upgrade to biometricks. Then all they have to do is to cut your finger or your eyeballs.

    2. Re:So now instead of torturing me... by GreyPoopon · · Score: 4, Funny
      Ha! I'll use something nonobvious...like penis length. Oh wait, then they'd cut of....NOOOOO...

      That's brilliant. It doesn't work when cut off :)

      I could just see the cartoon on this one. The caption would read: "Bill discovers that since the new secretary started, he is no longer able to log in to his account."

      --

      GreyPoopon
      --
      Why is it I can write insightful comments but can't come up with a clever signature?

    3. Re:So now instead of torturing me... by wertarbyte · · Score: 5, Funny

      But how will women log in?

      Make the variable signed.

      --
      Life is just nature's way of keeping meat fresh.
  4. News? by tuomasr · · Score: 5, Interesting

    This doesn't sound like anything really new to me. I remember logging on to my W2K workstation with a smart card in 2001, if I remember correctly. What's new here? (The techworld article didn't want to respond to me, so I can't RTFA.)

    1. Re:News? by bgat · · Score: 5, Interesting

      The "new" bit is that the smart card has a .NET interpreter, rather than an 8051/PIC/AVR/? microprocessor running a documented, proprietary, standards-based, stable OS or even Java. Embrace and extend.

      --
      b.g.
  5. end of passwords - not by martin · · Score: 5, Informative

    So how do you 'unlock' the smart card to prove it's you (and still you) at the keyboard...???

    a PIN number...
    a fingerprint...

    Authentication is based around something you have (userid/smartcard/finger...) and something you know (password/PIN/....)

    No change since the Secure Single Sign-On days of the mid-1990s. All they are doing is bringing it up to date using .NET to quickly build applications.

  6. Passwords? What for ? by yogikoudou · · Score: 3, Insightful

    Seriously, who cares about passwords when you can exploit all the flaws MS systems have?
    They'd better fix their software first.

  7. Not a password replacement by Albanach · · Score: 4, Informative

    Reading the Axalto press release they talk about their cards as an additional form of security, not a password replacement. I've used smart cards for a few things and each of them has been protected by a password too. You enter the smart card and are then asked for a PIN to ensure you have the right to be using that smart card. As another poster said, if there's no password all they have to do is get to your wallet if they want to Get Root. Hopefully if we do see an open source implementation it won't be passwordless!

  8. Correct me if I'm wrong, but. . . by UFNinja · · Score: 3, Insightful

    Isn't the best way to secure data *both* something you have (e.g. key) and something you know (e.g. password)? Something I know is also less likely to get stolen, so long as no one has a keylogger installed on my computer. Last time I checked, it's also a whole lot easier to change my password than it is to change the locks on my doors.

  9. I think this is the wrong approach by auzy · · Score: 3, Insightful

    It's similar to the national identity card.. What if your card gets stolen? Any idiot can probably use it to connect to all of your accounts, without effort. Even worse, it's a very poor idea to base your systems on a completely centralised system like Passport authentication. It only takes 1 person at Microsoft to trip on a cable for all of your logins to fail.

    Finally, it still offers no protection. Bill Gates is assuming you can't capture the password in memory. It is in fact even easier with .NET because, unlike with a keylogger, the answer won't be obfuscated: you can just monitor the smartcard port, capture all the details sent, and you don't even need the smartcard.. You just emulate the smartcard hardware and fake the connection to the card, easy.

    This system offers much less security than now, and the last few drops of respect I had for .NET are now mostly gone. This is nothing more than a publicity act that only stops people who tell others their passwords, and even then, they will just be able to borrow the smartcard.

    Smartcards and MS Passport also make a great way of tracking people. No one can tell me that Microsoft won't abuse this to improve their search engine.

    It will take only 1 more DNS mess-up for everything to fall apart, and is nothing more than a marketing act. I beg of the Mono people to offer a proper decentralised authentication system instead, like one based on Jabber, where any login method is possible anyway if the server supports the authentication type. PLEASE.. Do not use .NET authentication, or you are putting yourself in a terrible position (it costs money anyway, so I think it's time we as a programming community got together and got Jabber up to the point where the same thing is possible in a decentralised way).

  10. Passwords proclaim the end of Bill Gates by cwebb1977 · · Score: 5, Funny

    Dyslexia finally made sense to me...

    --
    www.weberseite.at
  11. Great another card to lose. by LabRat007 · · Score: 5, Interesting

    I actually like my password-encrusted life. If I lose it, all I have to do is request another be emailed. If I forget my email password, I just call my provider and answer a slew of questions to prove my identity. Things are quick. Now, if my wife gets hold of a password "key" of any kind, she will just lose it like she loses her ATM card 2-3 times per year. No thanks.

    --
    "Capital punishment makes the state into a murderer. Imprisonment makes the state into a gay dungeon-master"
  12. Um... no? by warrax_666 · · Score: 5, Insightful
    The same applies for a smartcard, doesn't it?

    You can always get a new smartcard, you can't get new fingerprints (or retinas, or whatever).
    --
    HAND.
    1. Re:Um... no? by lee7guy · · Score: 5, Informative

      Also, you don't leave your smartcard at every place you visit, which is the case with fingerprints. You can easily make a gelatine film with fingerprints collected on everyday objects. No fancy equipment required either. When researchers tested the technique at a recent show, every fingerprint reading device they were allowed to test was fooled.

      Retinas at least don't leave traces everywhere, but then you still run the risk of data theft.

      --
      Ceterum censeo Microsoftem esse delendam
  13. How is this better than the Java iButton? by WillerZ · · Score: 3, Informative

    See this page:

    http://www.ibutton.com/ibuttons/java.html

    I've had one of these Java-powered iButtons since 2001. If you have the PKI in place it's a very easy technology to use. If you don't, it just gives you bragging rights in the my-computer-is-smaller wars.

    Both good.

    Phil

    --
    I guess today is a passable day to die.
  14. The obvious question by Black Noise · · Score: 3, Insightful

    End of passwords? Umm, so, what is the other factor then?
    Axalto's new .NET-based smart card is both a great solution to bring strong, two-factor authentication to the enterprise as well as yet another way for .NET developers to take advantage of their skills and code.
    --

    Cig? No, thank you.
  15. Re:.NET? by rokzy · · Score: 3, Insightful

    you, like many others, assume that all criminals are psychos and will stop at nothing to commit a crime.

    that is bullshit. a large amount of crime is opportunistic. if you leave your window open, they'll climb in. if you close it, they might smash it IF the house is empty and secluded. but it's not an arms race. if you install CCTV and alarms, they don't come back dressed in black with night vision goggles and a set of expensive tools to disable your security, they just go next door to the guy who HAS left his window open.

  16. Re:Didn't Sun do this 5 years ago? by WillerZ · · Score: 3, Informative

    The Java ring was a Dallas Semiconductor DS1955A iButton in a signet ring holder. The 1955A could only hold one key. The 1955B is a bit more useful, as it can hold about 30 keys. I have the dog-tag holder for it, but I wish I'd gone for the USB fob.

    Don't waste your time by getting the parallel-port adapter, as most modern machines seem to have trouble providing enough power to the iButton for the compute-intensive parts of the process. On the last 3 machines I've had it's been impossible to generate keys because the parallel port can't deliver the necessary oomph.

    The serial adapter is probably the best bet for iButtons if you want to use them from Unix/Linux.

    Phil

    --
    I guess today is a passable day to die.
  17. And over in Java... by MosesJones · · Score: 5, Informative


    A classic case of Billy boy announcing something everyone else has. I saw a demo by Sony about 2.5 years ago now which demonstrated smart card + biometrics as an authentication mechanism.

    Something like 98% of the world's new smart cards run Java as their programming language, and there are defined standards for security around it. This stuff is already being used in the wild, for instance by the DoD. Oh and if you have one of those "Blue" or clear Amex credit cards... its running Java too.

    Or of course you could wait for Longhorn.

    In terms of open source, you can do this in Java (which is published and the source is accessible), today.

    I love Microsoft, "yesterday's technology, tomorrow".

    --
    An Eye for an Eye will make the whole world blind - Gandhi
  18. Man in the middle attacks? by AndroidCat · · Score: 3, Interesting

    What happens when you use your card on a PC that's pwn3d by dozens of pieces of spyware? Does the card use VPN or some kind of encryption wrapper that protects the link between the card and the other end even from a haxored PC?

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:Man in the middle attacks? by pesc · · Score: 3, Insightful

      What happens when you use your card on a PC that's pwn3d by dozens of pieces of spyware? Does the card use VPN or some kind of encryption wrapper that protects the link between the card and the other end even from a haxored PC?

      A smart card contains a microprocessor that can sign stuff that the PC sends to it. It contains a secret private key for signing that never leaves the silicon, so no PC can get at it.

      The viruses can't steal the identity in the smart card. The smart card will happily prove its identity to the viruses. The important thing to understand is that while the smart card can prove its identity, it can't prove that its owner is actually at the keyboard or that the IE session withdrawing funds is run by a human in charge of the transactions... There are smart cards with built-in keyboard/display for that. Or you use a Palladium PC...

      --

      )9TSS
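The challenge/response pesc describes, as an added Go example (not from the post and not any real card's firmware): the private key never leaves the Card type, the server issues a fresh random nonce per login, and a recorded signature cannot be replayed, yet the card signs for whichever session asks while it sits in the reader. Ed25519, the user name and the map-backed server are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Card models the smart card: the private key lives only inside this struct, nothing returns it, and Sign is the only operation the host can invoke.
type Card struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewCard() (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Card{priv: priv, Pub: pub}, err
}

// Sign answers whatever bytes the host hands over. The card cannot tell whether
// they came from the owner's session or from spyware on the same PC.
func (c *Card) Sign(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// Server keeps enrolled public keys and one outstanding nonce per user.
type Server struct {
	enrolled map[string]ed25519.PublicKey
	pending  map[string][]byte
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.enrolled[user] = pub }

// Challenge issues a fresh random nonce; only a signature over it is accepted.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // the OS RNG is unavailable; nothing sensible to do
	}
	s.pending[user] = nonce
	return nonce
}

// Verify consumes the nonce, so a recorded signature cannot be reused later.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, haveNonce := s.pending[user]
	pub, enrolled := s.enrolled[user]
	delete(s.pending, user)
	return haveNonce && enrolled && ed25519.Verify(pub, nonce, sig)
}

// Login runs one challenge/response round. It succeeds whenever the card is in the reader,
// whoever drives the session: the server learns the card is present, not that its owner is.
func Login(card *Card, srv *Server, user string) bool {
	return srv.Verify(user, card.Sign(srv.Challenge(user)))
}

// Replay models spyware that recorded a nonce/signature pair from an earlier login and sends it again.
func Replay(card *Card, srv *Server, user string) bool {
	oldSig := card.Sign(srv.Challenge(user))
	srv.Verify(user, oldSig) // the genuine session completes normally
	srv.Challenge(user)      // later: a new login starts with a new nonce
	return srv.Verify(user, oldSig)
}

func main() {
	card, err := NewCard()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", card.Pub)
	fmt.Println("login with card present:", Login(card, srv, "alice"))
	fmt.Println("replay of recorded signature:", Replay(card, srv, "alice"))
}
```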
  19. Re:.NET? by ComaVN · · Score: 4, Insightful

    So it is an arms race. Just not with the criminal, but with your neighbour.

    --
    Be wary of any facts that confirm your opinion.
  20. password strengthening / stretching by _|()|\| · · Score: 3, Interesting
    they should be innovating new technologies that make machines insensitive to dictionary attacks

    Dictionary attacks were difficult in the olden days, because password hashes were expensive to compute (on the order of a second each). Hardware has caught up, so that hundreds of candidates can be tested per second.

    Password strengthening is a scheme that adds a significant amount of random salt to the password. To use the password, you have to brute force the salt. This slows down legitimate authentication, but it also slows down a dictionary attack.

    Stretching is a special case of this scheme that uses repeated hashing, instead of random salt. Instead of storing the hash of a password, store the hash after a couple thousand iterations. If the algorithm is good, there is no shortcut to the end hash value.

    If it hasn't been done already, I imagine it would be a simple matter to implement as a PAM module.
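Password strengthening and stretching as this post describes them, as an added Go example (not from the post and not any PAM module): the stored record is a public salt plus the stretched hash of the password with a short secret extension appended, and the extension is forgotten after enrolment, so the verifier, like a dictionary attacker, has to try every possible value. The 2000-round SHA-256 loop and the 10-bit extension are assumed demo parameters.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Constructed demo parameters; a real deployment tunes both to its hardware.
const (
	StretchIterations = 2000 // "a couple thousand iterations", as the post puts it
	StrengthenBits    = 10   // secret extension width: the verifier tries up to 2^10 values
)

// Record is what the server stores: a public salt plus the stretched hash of password || secret extension.
type Record struct {
	PublicSalt []byte
	Hash       []byte
}

// stretch returns H^n(salt || password), the post's "hash after a couple
// thousand iterations"; every round depends on the previous one, so there is no shortcut.
func stretch(password, salt []byte, iterations int) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// extended appends a fixed-width encoding of the secret extension to the password.
func extended(password []byte, ext uint32) []byte {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], ext)
	return append(append([]byte{}, password...), b[:]...)
}

// Enroll draws a public salt and a secret extension, hashes the extension in,
// then forgets it: only the salt and the final hash are kept.
func Enroll(password []byte) (Record, error) {
	buf := make([]byte, 20)
	if _, err := rand.Read(buf); err != nil {
		return Record{}, err
	}
	salt := buf[:16]
	ext := binary.BigEndian.Uint32(buf[16:]) & (1<<StrengthenBits - 1)
	return Record{PublicSalt: salt, Hash: stretch(extended(password, ext), salt, StretchIterations)}, nil
}

// Verify must brute-force the forgotten extension exactly as a legitimate login does (up to
// 2^StrengthenBits stretched hashes); an attacker pays the same per candidate password.
func Verify(rec Record, password []byte) (ok bool, tries int) {
	for ext := uint32(0); ext < 1<<StrengthenBits; ext++ {
		tries++
		candidate := stretch(extended(password, ext), rec.PublicSalt, StretchIterations)
		if subtle.ConstantTimeCompare(candidate, rec.Hash) == 1 {
			return true, tries
		}
	}
	return false, tries
}

func main() {
	rec, err := Enroll([]byte("correct horse"))
	if err != nil {
		panic(err)
	}
	for _, pw := range []string{"correct horse", "wrong password"} {
		ok, tries := Verify(rec, []byte(pw))
		fmt.Printf("%q: accepted=%v, stretched hashes computed=%d\n", pw, ok, tries)
	}
}
```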

  21. passwords will never go away by 241comp · · Score: 5, Insightful

    Nope, this won't end passwords. For security, you have the following 3 options: something you have (smart card, signature), something you know (password, passphrase, PIN) and something you are (fingerprint, retina scan). For non-vital information (your hotmail account), choose one. For important information (medical, financial) choose two. For vital information (mission-critical applications, firing mechanisms, creating a will) use all 3.

  22. End of passwords....640K...windows 0wnz u... by carlmenezes · · Score: 3, Funny

    yeah, he's made a lot of proclamations.

    --
    Find a job you like and you will never work a day in your life.
  23. It is called Kerberos by LakeSolon · · Score: 3, Informative

    Linux already has this sort of technology, it is even interoperable with Windows, Solaris, UNICOS and AIX. It is called Kerberos.

  24. Re:Anybody else notice this came from a French co. by mikechant · · Score: 3, Informative

    Most of the French crypto restrictions were removed in 1999. E.g. see http://www.sobco.com/nww/1999.edited/04-crypto.html
    and some of the other articles found by googling for "france encryption restrictions relaxed" or similar

  25. Reminds me of an old AI story by droleary · · Score: 5, Insightful

    A group of students are working on a neural net project. It comes time to decide what weight to put on the initial connections. One student says, "Set them all to 0 to start." Another student says, "No, that will introduce bias. We should set them all randomly." The smart professor replies, "You'll still have bias, only you won't know what it is."

    So to Mr. Gates I'd like to reply: You'll still have a password, only you won't know what it is. Makes sense from a "security through obscurity" standpoint, though! :-)

  26. 3 different types... by xxx_Birdman_xxx · · Score: 3, Insightful

    I'm doing a uni course on security at the moment..
    What they are teaching is that there are three main types of authentication:
    Something you have - a smartcard, something physical.
    Something you are - a fingerprint, biometrics.
    Something you know - a password in ya head.

    The whole idea is that you combine these for stronger protection.

    To say that passwords are towards the end of their life is like saying they (M$) will be ignoring one possible type of authentication. Sure you can just use smart cards, but it's always better to have a combo of types, and passwords are still handy to add that extra layer.

    --
    Live in your skin. Keep changing the scenery.
  27. I'll keep my password, thanks. by JeffTL · · Score: 3, Interesting

    Smart cards are a good thing for multifactor identification -- if you have not only the username and password but also a smartcard, authenticity is pretty good. Toss in a biometric and you can be almost certain of who's logging in.

    But a common pickpocket can take your smart card, and if you don't realize right away (or can't report it quickly enough) you won't get it deactivated in time to prevent compromise. Coupled with a password, though, the amount of time needed to break a decent password will give you the time you need to change out the card anyhow.

  28. A different kind of password authentication by silicon not in the v · · Score: 4, Interesting

    When I was in college, a guy I knew was working on a software authentication scheme for his senior project. Here is how it works. As a new account, you select your user name. You go through a login trainer session, where you have to type that login name about 10 times, while it reads and stores the time intervals between the characters you enter. If you haven't established a certain degree of consistency, it will ask you to enter it a few more times. So that parameter, the natural rhythm with which you type your login name, is stored in the system as your "password".

    So that sounds like it wouldn't work, right? People know your username so they can duplicate your login, right? Actually, it was really tight. He already had a working version that we all (in the senior design project class) got to try. We never could fool the thing. You could tell someone what your login name was and they would try and try and never could successfully log in as you. The main reason this works is that you are typing your own name. If it were a generic word that most people don't have to type very often, there would probably be a lot more similarity in the way different people type it and the system wouldn't work well, but being your own name that you are used to typing, there is some muscle memory developed that makes it flow out effortlessly and consistently, which no one else can match.

    --
    We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
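The typing-rhythm scheme from this post, as an added Go example (not the senior project's code): training records the mean and spread of each inter-key gap and asks for more samples when they are too inconsistent, and a login is scored by how far its gaps sit from the trained profile. The timing data, the 15% consistency limit, the z-score threshold of 1.5 and the 5 ms floor are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
)

// Profile holds, for each gap between successive keystrokes of the login name,
// the mean and standard deviation seen during the training session.
type Profile struct {
	Mean, Std []float64
}

// Train builds a profile from repeated timings of the same name (milliseconds between
// keystrokes; every sample must have the same length). consistent is false when any gap varies
// by more than maxRelStd of its mean, which is when the trainer asks you to type the name again.
func Train(samples [][]float64, maxRelStd float64) (p Profile, consistent bool) {
	if len(samples) == 0 {
		return Profile{}, false
	}
	n := len(samples[0])
	p = Profile{Mean: make([]float64, n), Std: make([]float64, n)}
	consistent = true
	for i := 0; i < n; i++ {
		for _, s := range samples {
			p.Mean[i] += s[i]
		}
		p.Mean[i] /= float64(len(samples))
		for _, s := range samples {
			d := s[i] - p.Mean[i]
			p.Std[i] += d * d
		}
		p.Std[i] = math.Sqrt(p.Std[i] / float64(len(samples)))
		if p.Std[i] > maxRelStd*p.Mean[i] {
			consistent = false
		}
	}
	return p, consistent
}

// Score is the mean absolute z-score of an attempt; the 5 ms floor keeps a perfectly consistent gap from becoming brittle.
func Score(p Profile, attempt []float64) float64 {
	var total float64
	for i := range p.Mean {
		total += math.Abs(attempt[i]-p.Mean[i]) / math.Max(p.Std[i], 5)
	}
	return total / float64(len(p.Mean))
}

// Authenticate accepts an attempt within threshold of the profile; a length mismatch (typo, other name) is a rejection.
func Authenticate(p Profile, attempt []float64, threshold float64) bool {
	return len(attempt) == len(p.Mean) && Score(p, attempt) < threshold
}

// Constructed training data: five runs of a six-letter login name (five
// inter-key gaps each) from one typist with a settled rhythm.
var OwnerSamples = [][]float64{
	{120, 95, 210, 80, 150},
	{125, 90, 205, 85, 145},
	{118, 98, 215, 78, 155},
	{122, 93, 208, 82, 148},
	{115, 94, 212, 80, 152},
}

var (
	OwnerAttempt    = []float64{123, 92, 207, 83, 149}   // same rhythm, small jitter
	ImpostorAttempt = []float64{180, 170, 160, 175, 165} // knows the name, not the rhythm
)

func main() {
	p, ok := Train(OwnerSamples, 0.15)
	fmt.Printf("profile consistent=%v means=%v\n", ok, p.Mean)
	fmt.Printf("owner    score=%.2f accepted=%v\n", Score(p, OwnerAttempt), Authenticate(p, OwnerAttempt, 1.5))
	fmt.Printf("impostor score=%.2f accepted=%v\n", Score(p, ImpostorAttempt), Authenticate(p, ImpostorAttempt, 1.5))
}
```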
  29. A bit of a myth, yes. by GQuon · · Score: 3, Informative

    One of the things such sensors check for is blood flow. So naturally they'll just have to kill you afterwards, but you won't be needlessly mutilated.

    Yes. Some biometric sensors can be tricked with dead tissue or a photocopied fingerprint, but the good ones detect life signs. (This is the case for both good fingerprint sensors, reading electric impulses instead of light, and retinal scans that measure blood flow.)
    Some sensors are even active, checking how the body reacts to stimuli, for example how the iris reacts to light, comparing it with a recorded sample.

    --
    Irene KHAAAAAAN!
  30. An open-source alternative... by tillerman35 · · Score: 4, Funny
    There should be a biometric unit that uses the pattern of veins on the underside of your tongue to uniquely identify individuals.

    The underside of everyone's tongue is different. I verified this using basic research techniques over a series of weekends while I was in college. After obtaining a more permanent research assistant, I was unable to proceed with further "comparison-" however, I do encourage others to carry on my work in the spirit of cooperative science.

    The beauty of this approach is that you could integrate the tongue reader with the computer's mouse. The user would insert his/her tongue into an opening in the underside of the mouse, a laser light would illuminate the pattern of veins, and the resulting image would be captured and compared against the security database. The process is as simple as licking the filling out of a custard donut. In fact, in some companies I have worked for the users are so simple that care would be needed to ensure that they could tell the difference between a custard donut and a tongue reader or problems might occur. Utter panic ensues as user authentication fails at Dunkin' Donuts Wi-Fi access points... Well, you get the idea.

    For those users on a low-carb diet, the process can be described as similar to that used for another research project I conducted while in college. One advantage of the tongue-reader biometric system is that computer mice, like research assistants, are much more responsive when properly lubricated. Some other method might be necessary when dealing with portable computers. Perhaps it would be possible to integrate a tongue reader with the touch-pad pointing device. Obviously, this would favor users with the ability to lick their own laptops. But isn't that already the case for much of life?

    And in case anyone is wondering, yes this IS a tongue-in-cheek post.