Slashdot Mirror
Password Security Panned
museumpeace writes "Considering we just discussed passwords yesterday, is an uncanny coincidence that Technology Review runs an article today in which
Michael Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess] But Shrage's suggestion that passwords are a weak bandage where system security admins and developers need to institute deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy and a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."
is "god", because I heard from a good source that only the most "1337" admins use that!
If thou see a fair woman pay court to her, for thus thou wilt obtain love
...but when my mother comes over I thank god that my machine sets up passwords and partitions off users pretty well.
Beep beep.
... it's easier for the user to remember his/her own password than somebody who never knew the password in the first place?
Seems to me that's the main point of a password. They may not be the end-all of security, but they sure make a decent first line of defense.
Sounds like a great idea. I'll also throw away the keys to my house and just install video cameras that track the movements of people approaching my home. If those movements are consistent with my routine behavior (come home from work, slam car door, pick up mail, etc etc) the door unlocks. Otherwise, my house becomes tighter than Fort Knox.
Those keys were starting to be a bother in my pocket.
Of course passwords and keys can be bypassed, just as a locked door can be. But it's the fact that there's a locked door there that keeps a good percentage of casual villians out of your life.
-Teiresias
There are lots of alternatives to passwords that have really been around a long time. Lots of companies, for instance, offer products like USB security keys. IMO, what the world needs is a really good key standard to get behind, and a killer ap to champion it. If MSN, Yahoo! and Google all supported a new key standard for authentication, it would go a long way towards universal adoption.
MakePassword.com Mp3 Blog
Maybe I'm missing something. If you are going to compare usage of the system to see if the user is doing something unusual, don't you have to let them use the computer for a little while before you can make that call? If a malicious user was logged into someone elses account, they would still have plenty of time to do harm before an algorithm could definitively say they weren't who they said they were. Am I wrong?
-dave
http://millionnumbers.com/ - own the number of your dreams
There are several systems we have, each with different passwords, and with different protection schemes. Users have a hard enough time remembering easy passwords, and don't remember how many times an incorrect leg in will lock them out, either indefinitely until they call the help desk, or temporarily. Most of our systems are behind a firewall, and we haven't had too many intrusion problems, but It still could be out there.
In other words, people get locked out by stupidity. Something that looks for abnormal behavior would be great, esp when people have idiotic passwords, and suddenly a methodical password attempt to login occurs.
"This is you left and that's your left. This is your right and that's your right. You're gonna die!
In the future, we'll have smart cards that will act like our Social Security numbers/national IDs work today. Cash, credit, verification and signing will all be possible using one card or perhaps even an embedded chip, and we can once and for all eliminate this nonsense about having to remember a different password for each service or the concern about identity theft.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
In order to compare current usage against "normal" usage, the system has to record what "normal" usage is.
So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.
But do you really want the system to record the fact that you browse armadillo porn?
So what you're saying is passwords are a crappy form of security, but other forms of security suck just as much or worse?
Passwords are good security because, if chosen well, they're fairly hard to crack, and fairly simple for legitimate users to use. Other forms of security tend to either be too easy to crack, or so cumbersome that legitimate users find ways around them rather than deal with the hassle.
Passwords are also superior to things such as biometric scanning on things like Internet sites, because they place a limit on how much trust you have on that site. Unlike biometrics, passwords can be easily changed if, say, you use the same password on multiple sites but find out that one of them has been using peoples' passwords to crack into their accounts on other sites.
These days, if you have a well chosen password, you're far more likely to get cracked because of some other undetected vulnerability in your system rather than someone guessing your password.
It's inherently immoral to deny access to your data to anyone who wants to see it. All that information wants to be free! How dare you lock it behind passwords, and try to find even more oppressive methods of keeping it in chains?
Don't blame me; I'm never given mod points.
I went to help a user this morning with their voicemail. I push the "Voice Mail" button on their phone and it asks their password. He pulls out a notepad from his top, always unlocked, desk drawer. This notepad has ALL of his passwords written on it. He has access to some pretty important stuff, too.
I couldn't believe my eyes...
Then some of my other users have started using "asdfg" and "qwerty" because I make them change it too often (every 90 days). I guess that's a little better than using their last name.
I agree that passwords ARE useless.
When Mr. Joe Sixpack opens the house door, he doesn't have to remember, "tumbler one is 13, tumbler 2 is 25, tumbler three is 10, etc.". He just puts a key in an moves on. Same with car, bank safe deposit box, etc. That's the way it will have to be with IT, a key card, something physical they carry around for access. Sure there are people who lose keys, lock them in their car, etc, but it's a 'metaphor' any adult can relate to. You go to work, they hand you a key-card to access your account, you don't have it you can't get in and it'll cost extra for someone to help you if you lose it, just like for the real thing. Fingerprints are for criminals and can spread illness, voice prints and retina scans are weird sci-fi stuff. Just give 'em a key.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
No password length can match a biometric, especially mine.
Help me out, are you dissing the security of your own password, or are you bragging about the size of your biometric?
Accountability on the heads of the powerful.
Power in the hands of the accountable.
It would certainly be easy for any on-line system to recognize a dictionary attack and distinguish it from user error or just a user who had forgotten his password. For example, a large number such as 25-30 hits against a small dictionary of vastly different but common words or passwords, without ever coming close to the actual password, should certainly trigger recognization of an attempt to break into an account and take appropriate steps (perhaps imposing a delay on the account, perhaps locking out the offending IP address, perhaps locking the account until there was human action, or some other action appropriate to the particular circumstances).
Users should always be advised of any failed attempts to gain access to the account after a sucessful login, a feature that is lacking from most current systems.
I'm an American. I love this country and the freedoms that we used to have.
From TFA:
Somehow, the world's ATM banking systems have managed to get by with a bare minimum of fraud for more than 20 years by relying upon only four-digit codes. So what do the banking geeks grasp about password management?
While the article continues to say that simple passwords are good, it overlooks the other half of the equation: the ATM card. Without both, no access is granted which seems to be the strength of the ATM.
The prevelence of password only authentication seems to be a hardware problem. Everyone has a keyboard, but almost no one has ( for instance ) a securid token.
A USB dongle might be the easiest solution, although standardization is obviously a problem. Gawd knows I wouldn't want to have one USB dongle for yahoo, one for NYTimes, one for my bank, et. al.
A Human Right
So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.
But do you really want the system to record the fact that you browse armadillo porn?
More importantly do you want to feel compelled to compulsively look at armadillo porn daily out of fear that if you don't it'll raise a red flag and you'll be "caught with your pants down"
That's a funny phrase to use here considering that you're getting caught for NOT looking at porn...
I am disrespectful to dirt! Can you see that I am serious?!
The author of the article compares complicated and difficult passwords to 4 digit pins for ATM machines and points to the lack of fraud in the ATM situation. There is a significant difference between the two scenarios - with ATM access you need a card in addition to your pin - this is referred to as two-factor authentication.
Sidebar
Factors are things you need to prove your identity and there are three types -
"what you know" - typically a password
"what you have" - typically a card, token, key fob, or digital certificate
"what you are" - typically biometrics
End Sidebar
The ATM example is 2-factor, which is inherently more secure than a password which is single factor
A far more secure approach would be to implement a two-factor authentication mechanism, however this increases cost and overhead (AOL is now offering this as an option - for a fee or course). Some other options are one-time password schemes where the password changes after each use, or graphical based passwords.
While in theory and practice passwords are not very secure, it must be pointed out that the other options are more expensive and more difficult to manage. Imagine having to carry 20-30 key fobs or a disk with a digital certificate everywhere you go.
Where oh where has my Underdog gone?
Use Bruce Schneier's Password Safe if you cannot remember passwords, but saying that passwords are useless when they are hard to guess because they are hard to remember, so we should use no passwords at all so there won't be anything to guess in the first place is the most stupid thing I have ever heard. If not using secrets that people can remember than what? Biometrics? Oh please... From the article: "79 percent of people questioned on the streets of London revealed such desirable security-sensitive data as mother's maiden name and birth date." Really? People revealed such secrets as their birth date? Let us all stop using passwords then! This is just laughable.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
And if your system's security is ever compromised, then the *attacker* will know about it, too. This would result in two things:
Has anyone set up a Linux/Windows or other system so that you don't have to use passwords (only as a last resort of the admin howerver) but rather had a usb thumbdrive (keychain drive, whatever) so that when you plugged it in, it automatically mounted & authenticated you with a private "sub-key" that was signed by your private key with an "unlock" flag from your gpg keyring?
Or something similar. I'm looking to get rid of passwords altogether on my systems with something that's tested to work.
Any ideas if something like this works at all or anything like it that might be of some use?
This statement sounds very tinfoil hattish to me. There are many people who believe that a computer creating any sort of trace log is a violation of privacy. Personally, I find it good practice to record information about computer usage. For example, I usually record the incoming IP address of everyone who logs into a system. When dealing with critical information such as financial records or personnel files, I will keep a robust history of everyone who accessed a given record.
In one case, I designed a program for a call center. The call center would allow customer service agents access to a customer's credit card number. I recorded every time a customer service rep accessed a card number along with information on the call they were handling. The computer would report any abnormal behavior in the credit card number access to a supervisor.
Often the best way to improve your security is simply to provide your auditing information to your end users. For example, let's say I see a change in a behavior of a user...such as logging in from a different IP. I might make a program that informs the end user of this event. For example, if a person who usually logs in from Albany logs in from Kuala Lumpur, then I inform them of the event. IF they cannot remember traveling abroad recently, the change in behaviour just might be a security breach, requiring further investigation.
Imagine if your work computer reported the time from your last log in each time you accessed the system. So, you come in Monday morning and the system warns that you logged in during the weekend. Most workers would take something like this seriously as it implies someone was stealing their identity. Tin foil hatters would be livid that the system recorded the activities of the person who stole their identity.
A couple of years ago a friend of mine was backpacking in the middle east. Like a lot of backpackers, she had travellers cheques for emergencies but relied on her credit card for everything else.
Then all of a sudden, it stopped working. On the weekend.
When Monday finally rolled around she rang up the credit card company to find out what was wrong and was informed that her card had been used in a number of suspicious places - several different countries in a short space of time in a dodgy part of the world, and had automatically been stopped.
Yes she said - I'm doing a whirlwind backpacking tour of said dodgy part of the world. All that usage is legitimate. The card was re-enabled - but the process would take a couple of days during which she had to borrow money from her travelling companions.
A week later, now in some other middle eastern country (I forget where), the same thing happened.
My point? People don't always behave consistently. Life is not always stable. The real kicker is that usually when people are behaving differently than they normally do it's because they are outside of their comfort zone and really need as many things as possible to go smoothly.
A suspicion engine can prevent legitimate use of a system in these situations.