Slashdot Mirror

← Back to Stories (view on slashdot.org)

Moving Beyond Passwords For Security

Posted by Soulskill on from the asdf1234 dept.

Naturalist writes with an excerpt from a New York Times story about the need for a more secure method for identification than the password-based system almost everyone currently uses. The article also discusses the weaknesses of the OpenID initiative to simplify the process. "The solution urged by the experts is to abandon passwords -- and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see. ...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory."

16 of 235 comments (clear)

  1. Yes, we know. by Anonymous Coward · · Score: 5, Insightful

    The solution is public key cryptography. The problem with that solution is that it only works as "something you have", not "something you know", which is the authentication mode of passwords. You can't leave "what you know" at home, but will you always have your smart card with you? Another problem is that secure public key cryptography requires a complete terminal under the control of the user, not just a card. The private key can never leave the user's control and the user must always know what it is used for. That requires a display and keyboard. Not something people want to have on them whenever they need to authenticate.

    1. Re:Yes, we know. by Kjella · · Score: 4, Insightful

      Yes, if you're always where there's phone coverage and you got battery. However, it doesn't solve the problem of a compromised terminal. That was what a bank virus did not that long ago, waited for the user to authenticate then sent money elsewhere "behind the scenes". Sure it might not get your email password but if it silently downloads your inbox compromising every password mail you ever got, well gee that's nice.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Yes, we know. by Anonymous Coward · · Score: 1, Insightful

      That is a not so novel yet still good idea, but a cellphone which is capable of running such software is not quite trustworthy, because it is too complex to be secure: Bluetooth vulnerabilities, trojaned games, etc. Even if the actual secret is isolated in a smart card (such as the SIM), a compromised terminal can enable an attacker to use "what you have" remotely. At the very least the phone hardware would have to be designed such that the smart card could request exclusive access to the keypad, and the user would have to be able to recognize that mode (differently colored background light, for example), all without the possibility of software interfering.

      I'm looking forward to smart cards with integrated display, keypad and RF or IR interface.

  2. "Beyond Passwords" by apoc.famine · · Score: 3, Insightful
    I do not know that this is an accurate title.

    Users on shared systems can easily set up a simple PIN code to protect any card from use by other users...

    That almost sounds like a....password...

    Really, this is an article about using things instead of passwords....which function like passwords....and using passwords when those wouldn't be secure enough. What a stupid fucking article.

    --
    Velociraptor = Distiraptor / Timeraptor
    1. Re:"Beyond Passwords" by Anonymous Coward · · Score: 1, Insightful

      Perhaps, but it's still at a higher level than most companies are thinking. Lately the trend I've been seeing is for financial institutions to not just ask for, but require you to select from a list of security questions that can be used for access to your account with them. One of my brokerages is even threatening to suspend my account if I don't choose a set of security questions.

      It's offensive to me that the companies require you to provide not only an additional and unnecessary route for access to your account, but that it's based on plain text answers relying on information that few to none of its customers consider to be private information. The questions also are often not easily changed, so I can't just used an additional (though plain text) password for them unless I want it to be permanent; with that the case I'd want to use different passwords for every such account I have - which means I'd probably end up writing down parts of each to remember them.

  3. Convenience vs security vs stupidity ... by blahplusplus · · Score: 4, Insightful

    Passwords can still play a role, the problem has always been user stupidity and convenience vs security. We always love to save time and anything that requires less effort = good for us, but at the expense of being less secure. Moving security to invisible layers is just asking for abuse by authorities, as if they didn't have enough power already via MAC address + ip binding in being able to track down and identify users by merely tooling around with the equipment right at the ISP end.

    My bank uses multiple authentication using personal questions which I would only know the answer to and if you get the question wrong just once, it flags the account. The big problem is the amount of retries, you can't guess or brute force passwords on accounts that will lock after the first few failed attempts.

    In my opinion it's probably best if we moved to gesturing, I find an interesting site here -
    http://www.dontclick.it/

    It could serve as an interesting basis for security, i.e. gesturing and opening the correct doors in a maze.

  4. PEBKAC by at10u8 · · Score: 4, Insightful

    Problem exists between keyboard and chair, and the article does not address that aspect nor give any good workaround.

    1. Re:PEBKAC by houghi · · Score: 4, Insightful

      Indeed PEBCAK, because it is my fault that I have all these logins that I need to remember.
      Let me see? I have about 12 different logins that I was not allowed to select myself. Of those there are 6 that I can not change the password. These are just the ones I use at work and do not include the once that are not personal, but are group login and passwords.
      The other 6 I must change every month and to nt get mixed up, I use something easy to remember. And I have worked in worse places. One where I needed to change my password each week for certain access. So I started to write them down.

      If that is PEBCAK, then so be it. It might just be my naive idea that if many people have an issue with e.g. a procedure, then it is not the people who need to change, but the procedure.

      If you see that nobody can reach the peddles on his bycicle, don't ask for taller people, start making smaller bycicles.

      --
      Don't fight for your country, if your country does not fight for you.
  5. OpenID by Cyberax · · Score: 4, Insightful

    OpenID is _PERFECTLY_ compatible with passwordless authentication. For example, my OpenID provider uses Kerberos authentication.

    I too feel that passwords are too weak. Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

    1. Re:OpenID by Colin+Smith · · Score: 2, Insightful

      Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

      They're also not cheap.
       

      --
      Deleted
    2. Re:OpenID by Cyberax · · Score: 2, Insightful

      For most applications "something held" (maybe with a simple PIN-protection) is perfectly fine. Like your keys, for example.

      Good key revocation system is essential in this scenario, however.

      Passwords are much overrated, anyway. Most users inevitably either choose weak passwords or just write them down somewhere.

    3. Re:OpenID by hackstraw · · Score: 2, Insightful

      Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

      USB thumbdrive, passphrase protected private key.

      Once sshd can tell if a private key has a passphrase and its authorized keys can be centrally managed, then there is never a reason a user should ever type a password. Just unlock the private key locally, and you can go wherever you are already authorized to go.

      I just think its so stupid that we have to type usernames and passwords all the time. The burden is backwards. Its up to the server to say yes/no, it already knows who is allowed on the system, and their capabilities (roles, authorization, whatever), all the user needs to do is say here is my ID, is it OK for me to come in?

      I mean this is the way credit cards work. No password whatsoever, and I can present my card, and a purchase is made, no password ever.

      Now, with password security, since they are insecure by design, then you have to change them, to ensure they are secure again, thus placing a burden on the user and sysadmins and help desk people.

      I mean, I don't use a username/password to enter my $500,000 house, or to drive my $100,000 car, or to enter my workplace where there is many millions of dollars of equipment and data. Why do I have to enter a username/password just to go onto a computer that already knows I'm ok to be on the system?

  6. This could just be my ignorance- by FlyingSquidStudios · · Score: 3, Insightful

    But doesn't this restrict people to using secure sites only from their own machines? I have encountered situations where I was at friends' houses, relatives' houses or even a work computer where I want to do something somewhat security-sensitive like checking e-mail. Wouldn't this sort of security measure make that far more difficult?

    --
    http://twitter.com/OLDTELEGRAM
  7. My reply, directly to the author: by SanityInAnarchy · · Score: 4, Insightful

    I felt I had to respond to your article about passwords. It's been Slashdotted here:

    http://it.slashdot.org/article.pl?sid=08/08/10/186203

    But I felt it was important enough to write directly, and concisely, because you seem to have missed a fundamental point of OpenID.

    OpenID promotes "Single Sign-On": with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

    OpenID supports single-sign-on. There is nothing about it which requires you to use the same identity everywhere -- or even the same provider.

    But more importantly:

    OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site.

    Nothing about OpenID requires a password.

    I'll say that again: NOTHING about OpenID requires a password.

    What OpenID does is, in proper implementations, it allows us to sign in with any provider we choose. I could choose my own server as a provider -- thus, it's not necessarily "someone else's web site". And I don't have to use passwords -- I can use a password and a "security question", I can use public-key cryptography, or I can hire a secretary to sit at the server in question and only authorize requests when she receives a phone call from me.

    Even if we assume everyone continues to use the same password, with the same account, everywhere, it's still better than a conventional login. With the conventional login, every site I log into could steal my password and use it to login as me elsewhere. With OpenID, only my OpenID provider can do that.

    One single-point-of-failure is better than N single-point-of-failure.

    You can't use Microsoft-issued OpenID at Yahoo, nor Yahoo's at Microsoft.

    If true, that seems about on par for a technology in its infancy. Remember email? Used to be, you could only send mail to other people with the same ISP. Now, I can send mail to anyone, on any ISP, so long as I have their address.

    So that says more about Yahoo and Microsoft's understanding of the technology than it says about the technology itself.

    --
    Don't thank God, thank a doctor!
  8. something you have? by Anonymous Coward · · Score: 1, Insightful

    You can't prove you have the "something you have" as in reality anything can be copied and thus you might just have a copy. Most of the token "things" are really a case of "something (something you have) knows" which isn't much better than "something you know".

    Right?

  9. OpenID Isn't Tied to Passwords by Daveman692 · · Score: 2, Insightful

    There seems to be a slight misconception in the NY Times article around OpenID being tied to passwords. OpenID does not specify the authentication mechanism for the user to their OpenID Provider which means that we've seen many companies (including Microsoft) experiment with alternative authentication mechanisms atop OpenID. The big benefit OpenID then provides them is that they're instantly able to start letting users use their new authentication mechanism at any site which accepts OpenID logins. More about this over at http://openid.net/2008/08/10/challenges-facing-openid/.