Slashdot Mirror


Password Security Panned

museumpeace writes "Considering we just discussed passwords yesterday, it is an uncanny coincidence that Technology Review runs an article today in which Michael Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess]. But Schrage's suggestion that passwords are a weak bandage where system security admins and developers need to institute deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against a profile of "normal" usage strikes me as both an invasion of privacy and a surefire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."

11 of 387 comments

  1. Might not be useful to you by Realistic_Dragon · · Score: 4, Interesting

    ...but when my mother comes over I thank god that my machine sets up passwords and partitions off users pretty well.

    --
    Beep beep.
  2. Sounds like a great idea. by teiresias · · Score: 4, Interesting

    Sounds like a great idea. I'll also throw away the keys to my house and just install video cameras that track the movements of people approaching my home. If those movements are consistent with my routine behavior (come home from work, slam car door, pick up mail, etc etc) the door unlocks. Otherwise, my house becomes tighter than Fort Knox.

    Those keys were starting to be a bother in my pocket.

    Of course passwords and keys can be bypassed, just as a locked door can be. But it's the fact that there's a locked door there that keeps a good percentage of casual villains out of your life.

    --
    -Teiresias
    1. Re:Sounds like a great idea. by generic-man · · Score: 4, Interesting

      An IDS that tracks your usage patterns is not intended to replace passwords; it is intended to supplement them. Once you're in your house, to continue your analogy, there are certain things you do and certain ways in which you do them. For example, let's say you have cable television but you never watch Fox News. If someone who used your key comes into your living room and watches the Fox News channel for hours on end, that's a red flag.

      Red flags do not trigger an immediate lockdown. They just suggest to an administrator that someone may be behaving in a way that you wouldn't, and that further investigation may be warranted.

      IDSes are a great way to supplement the absolute uselessness of passwords, as long as administrators know how to use them effectively.

      --
      For more information, click here.
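Editor's added example, not part of the thread and not code from any product mentioned in it: a small usage-profile scorer of the kind generic-man describes. It builds a per-user baseline from past events, assigns each new event a surprise score against that baseline, and only flags for review, never locks out. The user names, resources, history and the 8-bit threshold are all constructed assumptions.

```python
"""Added example: flag, do not lock, on departures from a user's baseline.

Not code from the thread. The history, users and resource names are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed history of (user, hour_of_day, resource), as if pulled from an access log.
HISTORY = [
    ("alice", 9, "mail"), ("alice", 10, "mail"), ("alice", 11, "wiki"),
    ("alice", 14, "mail"), ("alice", 15, "wiki"), ("alice", 16, "mail"),
    ("alice", 9, "wiki"), ("alice", 13, "mail"), ("alice", 10, "wiki"),
    ("alice", 17, "mail"),
]

HOURS_IN_DAY = 24


def build_profiles(events):
    """Per-user counts of hours and resources seen in the baseline period."""
    profiles = defaultdict(lambda: {"hours": Counter(), "resources": Counter(), "n": 0})
    for user, hour, resource in events:
        p = profiles[user]
        p["hours"][hour] += 1
        p["resources"][resource] += 1
        p["n"] += 1
    return dict(profiles)


def surprise_bits(profile, hour, resource, alpha=1.0):
    """-log2 of P(hour) * P(resource) under the user's baseline, with Laplace
    smoothing so a never-seen hour or resource scores high but stays finite.
    Hour and resource are treated as independent to keep the model small."""
    n = profile["n"]
    n_res = len(profile["resources"]) + 1  # one extra bucket for "unseen resource"
    p_hour = (profile["hours"][hour] + alpha) / (n + HOURS_IN_DAY * alpha)
    p_res = (profile["resources"][resource] + alpha) / (n + n_res * alpha)
    return -math.log2(p_hour * p_res)


def score_event(profiles, user, hour, resource, threshold=8.0):
    """Return (bits, verdict). A user with no baseline is never flagged: there is
    nothing to compare against, so the scorer says so instead of guessing."""
    if user not in profiles:
        return 0.0, "no-baseline"
    bits = surprise_bits(profiles[user], hour, resource)
    return bits, ("flag" if bits >= threshold else "normal")


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for event in [("alice", 10, "mail"), ("alice", 3, "mail"),
                  ("alice", 3, "payroll"), ("bob", 3, "payroll")]:
        bits, verdict = score_event(profiles, *event)
        print(f"{event}: {bits:.2f} bits -> {verdict}")
```

The verdict is meant to land in an analyst queue, matching the point above that a red flag is a prompt for investigation rather than a lockdown; an off-hours visit to a usual resource scores below the threshold, while an off-hours visit to a resource the user has never touched scores above it.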
  3. Password alternative by dilvie · · Score: 4, Interesting

    There are lots of alternatives to passwords that have really been around a long time. Lots of companies, for instance, offer products like USB security keys. IMO, what the world needs is a really good key standard to get behind, and a killer app to champion it. If MSN, Yahoo! and Google all supported a new key standard for authentication, it would go a long way towards universal adoption.

  4. Password Lockout by djtripp · · Score: 3, Interesting

    There are several systems we have, each with different passwords, and with different protection schemes. Users have a hard enough time remembering easy passwords, and don't remember how many times an incorrect login will lock them out, either indefinitely until they call the help desk, or temporarily. Most of our systems are behind a firewall, and we haven't had too many intrusion problems, but it still could be out there.
    In other words, people get locked out by stupidity. Something that looks for abnormal behavior would be great, esp when people have idiotic passwords, and suddenly a methodical password attempt to login occurs.

    --
    "This is your left and that's your left. This is your right and that's your right. You're gonna die!"
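Editor's added example, not from the thread: a detector run over constructed sshd-style auth log lines that separates the single mistyped password djtripp mentions from a methodical run of attempts. The log format, host name, user names, addresses and the thresholds are made up for illustration.

```python
"""Added example: telling a typo from a methodical login run in auth logs.

Not code from the thread. The log lines, host, users and addresses below are
constructed in an sshd-like format purely for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar 10 09:01:02 host sshd[100]: Failed password for alice from 10.0.0.5 port 4001 ssh2
Mar 10 09:01:10 host sshd[100]: Accepted password for alice from 10.0.0.5 port 4001 ssh2
Mar 10 09:02:00 host sshd[101]: Failed password for alice from 198.51.100.9 port 5000 ssh2
Mar 10 09:02:01 host sshd[102]: Failed password for bob from 198.51.100.9 port 5001 ssh2
Mar 10 09:02:02 host sshd[103]: Failed password for carol from 198.51.100.9 port 5002 ssh2
Mar 10 09:02:03 host sshd[104]: Failed password for dave from 198.51.100.9 port 5003 ssh2
Mar 10 09:02:04 host sshd[105]: Failed password for erin from 198.51.100.9 port 5004 ssh2
Mar 10 09:02:05 host sshd[106]: Failed password for invalid user admin from 198.51.100.9 port 5005 ssh2
Mar 10 09:02:06 host sshd[107]: Failed password for invalid user root from 198.51.100.9 port 5006 ssh2
Mar 10 09:02:07 host sshd[108]: Failed password for invalid user test from 198.51.100.9 port 5007 ssh2
Mar 10 09:02:08 host sshd[109]: Failed password for invalid user oracle from 198.51.100.9 port 5008 ssh2
Mar 10 09:02:09 host sshd[110]: Failed password for invalid user guest from 198.51.100.9 port 5009 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Return (timestamp, result, user, source) for the lines this example models."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def analyze(log_text, window=60, fail_threshold=10, user_threshold=5):
    """Return {source: alert} for sources whose failures inside any `window`-second
    span are either numerous (brute force) or spread over many accounts (spray).
    A handful of failures from one source, like a user mistyping, stays silent."""
    failures = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        if result == "Failed":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits in `window` seconds
            while (fails[end][0] - fails[start][0]).total_seconds() > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            reason = None
            if len(span) >= fail_threshold:
                reason = "brute force"
            elif len(users) >= user_threshold:
                reason = "password spray"
            if reason:
                alerts[src] = {"reason": reason, "failures": len(span),
                               "distinct_users": len(users),
                               "first": fails[start][0].strftime("%H:%M:%S")}
                break
    return alerts


if __name__ == "__main__":
    for src, alert in analyze(SAMPLE_LOG).items():
        print(src, alert)
```

The per-source, per-window view is what lets this stay quiet for the user who fat-fingers a password once and then logs in, while the same count of failures spread across ten accounts in ten seconds is reported; which threshold fires first depends on how the two are set, so the test below exercises both.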
  5. He's right. by Sheetrock · · Score: 4, Interesting
    No password length can match a biometric, especially mine. The level of detail a good scanner can pick up well exceeds a memorizable password, with of course the understanding that too perfect a read will make it impossible to scan twice the same way, and the technology is only getting better.

    In the future, we'll have smart cards that will act like our Social Security numbers/national IDs work today. Cash, credit, verification and signing will all be possible using one card or perhaps even an embedded chip, and we can once and for all eliminate this nonsense about having to remember a different password for each service or the concern about identity theft.

    --
    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

    1. Re:He's right. by johnnyb · · Score: 3, Interesting

      The problem w/ biometrics is that it will wind up being way too easy to bypass (by just recording someone else's bits and replaying them to the hardware), or it will require too much money to secure the biometrics device.

      I had heard of a password mechanism once that was based on facial recognition which seemed interesting. You chose a sequence of faces, and the computer asks you to choose a face from a selection. It sounded interesting. If anyone knows where the article is, I'd like to re-read on that topic.

  6. Re:can you elaborate? by rackhamh · · Score: 5, Interesting

    In order to compare current usage against "normal" usage, the system has to record what "normal" usage is.

    So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.

    But do you really want the system to record the fact that you browse armadillo porn?

  7. But I wrote down all of my passwords... by Eclipse5302 · · Score: 4, Interesting

    I went to help a user this morning with their voicemail. I push the "Voice Mail" button on their phone and it asks for their password. He pulls out a notepad from his top, always unlocked, desk drawer. This notepad has ALL of his passwords written on it. He has access to some pretty important stuff, too.

    I couldn't believe my eyes...

    Then some of my other users have started using "asdfg" and "qwerty" because I make them change it too often (every 90 days). I guess that's a little better than using their last name.

    I agree that passwords ARE useless.

  8. Re:Surely... by tdemark · · Score: 5, Interesting

    My biggest beef with passwords is the myriad of different "rules" as to what makes a valid password at different sites.

    I have a few great passwords ... no one is going to get them short of brute forcing (or, God forbid, key logging). However, every site seems to have different (read: RIDICULOUS) parameters for passwords:

    - must not start with a number
    - must have both letters and numbers (symbols don't count)
    - can only be [a-z][A-Z][0-9]

    I would love to meet the asshats that come up with these randomly applied "rules" just so I could kick them squarely in the nuts.

    I used to only need two passwords for EVERYTHING (one "weak" password for discussion sites (eg - Slashdot) and one "strong" password for the important stuff). Alas, that was too easy. Now I have to maintain around 10 passwords that, IMNSHO, are far weaker than the ones they replaced (not by my choice).

    For example, one large credit card company recently changed its password policy. Since my old password didn't "fit" in their new policy, they simply set it to something else without telling me. Mind you, the new password I had to choose is orders of magnitude easier to crack than the old password because they removed a number of possible characters.

    Which brings up a point, what's the point in LIMITING the characters that can be used in passwords? How horrible are these designers that their apps choke on '&Dkf*l,@a', but 'b4dp4ass' is OK? What could they be doing that would disallow a number as the first character?

    In close, if you have anything to do with the authentication process of a website, before you start throwing on random rules for passwords, do us all a favor and DON'T.

    - Tony
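Editor's added example, not code from the thread or from any site mentioned in it: the three rules tdemark lists, implemented as a checker next to a length-only policy, with the search space each allowed alphabet gives a 9-character password and a PBKDF2 hash to show that storing a password imposes no character restriction at all. The function names, the 12-character minimum and the iteration count are the editor's assumptions.

```python
"""Added example: composition rules vs. keyspace, and why storage needs no charset limit.

Not code from the thread. Function names, the 12-character minimum and the
iteration count are the editor's choices.
"""
import hashlib
import hmac
import math
import os
import string

ALNUM = string.ascii_letters + string.digits               # 62 symbols
PRINTABLE = "".join(chr(c) for c in range(0x21, 0x7F))     # 94 symbols, no space


def restrictive_rules(pw):
    """The rule set quoted in the comment. Returns the rules a password violates."""
    violated = []
    if pw[:1].isdigit():
        violated.append("must not start with a number")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        violated.append("must have both letters and numbers")
    if any(c not in ALNUM for c in pw):
        violated.append("can only be [a-z][A-Z][0-9]")
    return violated


def permissive_rules(pw, min_len=12):
    """Length only; any character is accepted because nothing downstream parses it."""
    return [] if len(pw) >= min_len else [f"shorter than {min_len} characters"]


def keyspace_bits(length, charset_size):
    """Bits of search space for a uniformly chosen password of this length."""
    return length * math.log2(charset_size)


def hash_password(pw, salt=None, iterations=600_000):
    """PBKDF2-HMAC-SHA256 over the raw UTF-8 bytes: '&', ',' and '@' are just bytes."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)


def verify_password(pw, salt, digest, iterations=600_000):
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ("&Dkf*l,@a", "b4dp4ass"):
        print(pw, "restrictive:", restrictive_rules(pw) or "ok",
              "| permissive:", permissive_rules(pw) or "ok")
    print(f"9 chars from {len(ALNUM)} symbols: {keyspace_bits(9, len(ALNUM)):.1f} bits")
    print(f"9 chars from {len(PRINTABLE)} symbols: {keyspace_bits(9, len(PRINTABLE)):.1f} bits")
    salt, digest = hash_password("&Dkf*l,@a")
    print("stored and verified:", verify_password("&Dkf*l,@a", salt, digest))
```

Run as is, the restrictive checker rejects '&Dkf*l,@a' on two rules and passes 'b4dp4ass', the length-only policy does the reverse, and the two keyspace figures show what dropping the 32 punctuation symbols costs for the same length; the hashing functions never look at which characters were used.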

  9. USB - gpg key? by zoloto · · Score: 3, Interesting

    Has anyone set up a Linux/Windows or other system so that you don't have to use passwords (only as a last resort of the admin, however) but rather had a USB thumbdrive (keychain drive, whatever) so that when you plugged it in, it automatically mounted & authenticated you with a private "sub-key" that was signed by your private key with an "unlock" flag from your gpg keyring?

    Or something similar. I'm looking to get rid of passwords altogether on my systems with something that's tested to work.

    Any ideas if something like this works at all or anything like it that might be of some use?