Bill Gates Proclaims End of Passwords
KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"
So, years ago, Bill Gates proclaimed the software was better, now he gets back to some hardware key...
But what about biometrics?
Trolling using another account since 2005.
This has been in Mac OS for a while... as Keychains... mine is on my USB thumb drive...
Nothing for you to see here, Please move along.
Nice!
This doesn't sound like anything really new to me, I remember logging on to my W2K workstation with a smart card in 2001 if I remember correctly, what's new here (the techworld article didn't want to respond to me so I can't RTFA)?
So how do you 'unlock' the smart card to prove it's you (and still you) at the keyboard...???
a PIN number...
a fingerprint...
Authentication is based around something you have (userid/smartcard/finger...) and something you know (password/PIN/....)
No change since the Secure Single Sign On days of the mid 1990's. All they are doing is bringing it up to date using .NET to quickly build applications.
Reading the Axalto press release they talk about their cards as an additional form of security, not a password replacement. I've used smart cards for a few things and each of them has been protected by a password too. You enter the smart card and are then asked for a PIN to ensure you have the right to be using that smart card. As another poster said, if there's no password all they have to do is get to your wallet if they want to Get Root. Hopefully if we do see an open source implementation it won't be passwordless!
Dyslexia finally made sense to me...
www.weberseite.at
I actually like my password encrusted life. If I lose it all I have to do is request another be emailed. If I forget my email password I just call my provider and answer a slew of questions to prove my identity. Things are quick. Now, if my wife gets hold of a password "key" of any kind she will just lose it like she loses her ATM card 2-3 times per year. No thanks.
"Capital punishment makes the state into a murderer. Imprisonment makes the state into a gay dungeon-master"
You can always get a new smartcard, you can't get new fingerprints (or retinas, or whatever).
HAND.
A classic case of Billy boy announcing something everyone else has. I saw a demo by Sony about 2.5 years ago now which demonstrated smart card + biometrics as an authentication mechanism.
Something like 98% of the world's new smart cards run Java as their programming language, and there are defined standards for security around it. This stuff is already being used in the wild, for instance by the DoD. Oh and if you have one of those "Blue" or clear Amex credit cards... it's running Java too.
Or of course you could wait for Longhorn.
In terms of open source, you can do this in Java (which is published and the source is accessible), today.
I love Microsoft, "yesterday's technology, tomorrow".
An Eye for an Eye will make the whole world blind - Gandhi
So it is an arms race. Just not with the criminal, but with your neighbour.
Be wary of any facts that confirm your opinion.
Nope, this won't end passwords. For security, you have the following 3 options: something you have (smart card, signature), something you know (password, passphrase, PIN) and something you are (fingerprint, retina scan). For non-vital information (your hotmail account), choose one. For important information (medical, financial) choose two. For vital information (mission-critical applications, firing mechanisms, creating a will) use all 3.
Full-Featured GPL Web Hosting Control Panel
A group of students are working on a neural net project. It comes time to decide what weight to put on the initial connections. One student says, "Set them all to 0 to start." Another student says, "No, that will introduce bias. We should set them all randomly." The smart professor replies, "You'll still have bias, only you won't know what it is."
:-)
So to Mr. Gates I'd like to reply: You'll still have a password, only you won't know what it is. Makes sense from a "security through obscurity" standpoint, though!
When I was in college, a guy I knew was working on a software authentication scheme for this senior project. Here is how it works. As a new account, you select your user name. You go through a login trainer session, where you have to type that login name about 10 times, while it reads and stores the time intervals between the characters you enter. If you haven't established a certain degree of consistency, it will ask you to enter it a few more times. So that parameter of the natural rhythm with which you type your login name is stored in the system as your "password".
So that sounds like it wouldn't work, right? People know your username so they can duplicate your login, right? Actually, it was really tight. He already had a working version that we all (in the senior design project class) got to try. We never could fool the thing. You could tell someone what your login name was and they would try and try and never could successfully log in as you. The main reason this works is that you are typing your own name. If it were a generic word that most people don't have to type very often, there would probably be a lot more similarity in the way different people type it and the system wouldn't work well, but being your own name that you are used to typing, there is some muscle-memory developed that makes it flow out effortlessly and consistently, which no one else can match.
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
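The enrollment-and-verify scheme described in the comment above can be sketched as follows. This is an added example, not the student's project code or anything from the original thread; the thresholds, the scoring rule and the sample timings are all assumptions constructed for illustration.

```python
import statistics
from itertools import accumulate

MIN_SAMPLES = 10   # the post: type the login name "about 10 times"
MAX_SPREAD = 0.25  # assumed limit on relative timing spread during enrollment
MAX_SCORE = 2.0    # assumed acceptance threshold, in standard deviations

def intervals(stamps):
    """Key-press timestamps in seconds -> gaps between consecutive keys."""
    return [b - a for a, b in zip(stamps, stamps[1:])]

def enroll(samples):
    """Return a timing profile, or None when more typing samples are needed."""
    if len(samples) < MIN_SAMPLES:
        return None
    columns = list(zip(*(intervals(s) for s in samples)))
    means = [statistics.mean(c) for c in columns]
    devs = [statistics.stdev(c) for c in columns]
    spread = statistics.mean(d / m for d, m in zip(devs, means))
    if spread > MAX_SPREAD:  # rhythm not yet consistent: keep training
        return None
    return {"means": means, "devs": devs}

def score(profile, stamps):
    """Mean deviation from the profile, scaled by each gap's own spread."""
    gaps = intervals(stamps)
    if len(gaps) != len(profile["means"]):
        return float("inf")
    return statistics.mean(
        abs(g - m) / max(d, 0.005)  # floor keeps a very steady gap from dominating
        for g, m, d in zip(gaps, profile["means"], profile["devs"]))

def verify(profile, stamps):
    return score(profile, stamps) <= MAX_SCORE

# Constructed sample data: gaps (seconds) for a six-character login name.
def stamps_from(gaps):
    return [0.0] + list(accumulate(gaps))

def constructed_samples(base, n, jitter):
    return [stamps_from([g + jitter * ((3 * i + 2 * j) % 5 - 2)
                         for j, g in enumerate(base)]) for i in range(n)]

OWNER = [0.12, 0.18, 0.09, 0.22, 0.15]
PROFILE = enroll(constructed_samples(OWNER, 10, 0.01))
GENUINE = stamps_from([0.13, 0.17, 0.10, 0.21, 0.15])
IMPOSTOR = stamps_from([0.20, 0.11, 0.16, 0.14, 0.25])

if __name__ == "__main__":
    print(verify(PROFILE, GENUINE), verify(PROFILE, IMPOSTOR))
```

The acceptance threshold trades false rejections of the owner against false acceptances of someone imitating the rhythm, so a real deployment would have to tune it on measured typing data.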
The underside of everyone's tongue is different. I verified this using basic research techniques over a series of weekends while I was in college. After obtaining a more permanent research assistant, I was unable to proceed with further "comparison-" however, I do encourage others to carry on my work in the spirit of cooperative science.
The beauty of this approach is that you could integrate the tongue reader with the computer's mouse. The user would insert his/her into an opening in the underside of the mouse, a laser light would illuminate the pattern of veins, and the resulting image would be captured and compared against the security database. The process is as simple as licking the filling out of a custard donut. In fact, in some companies I have worked for the users are so simple that care would be needed to ensure that they could tell the difference between a custard donut and a tongue reader or problems might occur. Utter panic ensues as user authentication fails at Dunkin' Donuts Wi-Fi access points... Well, you get the idea.
For those users on a low-carb diet, the process can be described as similar to that used for another research project I conducted while in college. One advantage of the tongue-reader biometric system is that computer mice, like research assistants, are much more responsive when properly lubricated. Some other method might be necessary when dealing with portable computers. Perhaps it would be possible to integrate a tongue reader with the touch-pad pointing device. Obviously, this would favor users with the ability to lick their own laptops. But isn't that already the case for much of life?
And in case anyone is wondering, yes this IS a tongue-in-cheek post.