Password Security Panned
museumpeace writes "Considering we just discussed passwords yesterday, it is an uncanny coincidence that Technology Review runs an article today in which Michael Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess]. But Schrage's suggestion that passwords are a weak bandage where system security admins and developers need to institute deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against a profile of "normal" usage strikes me as both an invasion of privacy and a surefire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."
So what you're saying is passwords are a crappy form of security, but other forms of security suck just as much or worse?
Passwords are good security because, if chosen well, they're fairly hard to crack, and fairly simple for legitimate users to use. Other forms of security tend to either be too easy to crack, or so cumbersome that legitimate users find ways around them rather than deal with the hassle.
Passwords are also superior to things such as biometric scanning on things like Internet sites, because they place a limit on how much trust you have on that site. Unlike biometrics, passwords can be easily changed if, say, you use the same password on multiple sites but find out that one of them has been using people's passwords to crack into their accounts on other sites.
These days, if you have a well chosen password, you're far more likely to get cracked because of some other undetected vulnerability in your system rather than someone guessing your password.
When Mr. Joe Sixpack opens the house door, he doesn't have to remember, "tumbler one is 13, tumbler 2 is 25, tumbler three is 10, etc.". He just puts a key in and moves on. Same with car, bank safe deposit box, etc. That's the way it will have to be with IT, a key card, something physical they carry around for access. Sure there are people who lose keys, lock them in their car, etc, but it's a 'metaphor' any adult can relate to. You go to work, they hand you a key-card to access your account, you don't have it you can't get in and it'll cost extra for someone to help you if you lose it, just like for the real thing. Fingerprints are for criminals and can spread illness, voice prints and retina scans are weird sci-fi stuff. Just give 'em a key.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
To paraphrase Bruce Schneier, a system can authenticate you with one of three things: something you know, something you have, something you are, or some combination of those somethings. The author of that article says we should wean ourselves from passwords, but doesn't offer any realistic alternatives other than "suspicion engines", which don't meet any of Schneier's criteria, although they sound like a weak attempt to add a new one: "Something you do". Would anyone here feel comfortable trusting their bank account or PayPal account to a suspicion engine? Thanks, but no thanks.