Slashdot Mirror

← Back to Stories (view on slashdot.org)

Moving Beyond Passwords For Security

Posted by Soulskill on from the asdf1234 dept.

Naturalist writes with an excerpt from a New York Times story about the need for a more secure method for identification than the password-based system almost everyone currently uses. The article also discusses the weaknesses of the OpenID initiative to simplify the process. "The solution urged by the experts is to abandon passwords -- and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see. ...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory."

7 of 235 comments (clear)

  1. Yes, we know. by Anonymous Coward · · Score: 5, Insightful

    The solution is public key cryptography. The problem with that solution is that it only works as "something you have", not "something you know", which is the authentication mode of passwords. You can't leave "what you know" at home, but will you always have your smart card with you? Another problem is that secure public key cryptography requires a complete terminal under the control of the user, not just a card. The private key can never leave the user's control and the user must always know what it is used for. That requires a display and keyboard. Not something people want to have on them whenever they need to authenticate.

    1. Re:Yes, we know. by Kjella · · Score: 4, Insightful

      Yes, if you're always where there's phone coverage and you got battery. However, it doesn't solve the problem of a compromised terminal. That was what a bank virus did not that long ago, waited for the user to authenticate then sent money elsewhere "behind the scenes". Sure it might not get your email password but if it silently downloads your inbox compromising every password mail you ever got, well gee that's nice.

      --
      Live today, because you never know what tomorrow brings
  2. Convenience vs security vs stupidity ... by blahplusplus · · Score: 4, Insightful

    Passwords can still play a role, the problem has always been user stupidity and convenience vs security. We always love to save time and anything that requires less effort = good for us, but at the expense of being less secure. Moving security to invisible layers is just asking for abuse by authorities, as if they didn't have enough power already via MAC address + ip binding in being able to track down and identify users by merely tooling around with the equipment right at the ISP end.

    My bank uses multiple authentication using personal questions which I would only know the answer to and if you get the question wrong just once, it flags the account. The big problem is the amount of retries, you can't guess or brute force passwords on accounts that will lock after the first few failed attempts.

    In my opinion it's probably best if we moved to gesturing, I find an interesting site here -
    http://www.dontclick.it/

    It could serve as an interesting basis for security, i.e. gesturing and opening the correct doors in a maze.

  3. PEBKAC by at10u8 · · Score: 4, Insightful

    Problem exists between keyboard and chair, and the article does not address that aspect nor give any good workaround.

    1. Re:PEBKAC by houghi · · Score: 4, Insightful

      Indeed PEBCAK, because it is my fault that I have all these logins that I need to remember.
      Let me see? I have about 12 different logins that I was not allowed to select myself. Of those there are 6 that I can not change the password. These are just the ones I use at work and do not include the once that are not personal, but are group login and passwords.
      The other 6 I must change every month and to nt get mixed up, I use something easy to remember. And I have worked in worse places. One where I needed to change my password each week for certain access. So I started to write them down.

      If that is PEBCAK, then so be it. It might just be my naive idea that if many people have an issue with e.g. a procedure, then it is not the people who need to change, but the procedure.

      If you see that nobody can reach the peddles on his bycicle, don't ask for taller people, start making smaller bycicles.

      --
      Don't fight for your country, if your country does not fight for you.
  4. OpenID by Cyberax · · Score: 4, Insightful

    OpenID is _PERFECTLY_ compatible with passwordless authentication. For example, my OpenID provider uses Kerberos authentication.

    I too feel that passwords are too weak. Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

  5. My reply, directly to the author: by SanityInAnarchy · · Score: 4, Insightful

    I felt I had to respond to your article about passwords. It's been Slashdotted here:

    http://it.slashdot.org/article.pl?sid=08/08/10/186203

    But I felt it was important enough to write directly, and concisely, because you seem to have missed a fundamental point of OpenID.

    OpenID promotes "Single Sign-On": with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

    OpenID supports single-sign-on. There is nothing about it which requires you to use the same identity everywhere -- or even the same provider.

    But more importantly:

    OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site.

    Nothing about OpenID requires a password.

    I'll say that again: NOTHING about OpenID requires a password.

    What OpenID does is, in proper implementations, it allows us to sign in with any provider we choose. I could choose my own server as a provider -- thus, it's not necessarily "someone else's web site". And I don't have to use passwords -- I can use a password and a "security question", I can use public-key cryptography, or I can hire a secretary to sit at the server in question and only authorize requests when she receives a phone call from me.

    Even if we assume everyone continues to use the same password, with the same account, everywhere, it's still better than a conventional login. With the conventional login, every site I log into could steal my password and use it to login as me elsewhere. With OpenID, only my OpenID provider can do that.

    One single-point-of-failure is better than N single-point-of-failure.

    You can't use Microsoft-issued OpenID at Yahoo, nor Yahoo's at Microsoft.

    If true, that seems about on par for a technology in its infancy. Remember email? Used to be, you could only send mail to other people with the same ISP. Now, I can send mail to anyone, on any ISP, so long as I have their address.

    So that says more about Yahoo and Microsoft's understanding of the technology than it says about the technology itself.

    --
    Don't thank God, thank a doctor!