Moving Beyond Passwords For Security

Naturalist writes with an excerpt from a New York Times story about the need for a more secure method for identification than the password-based system almost everyone currently uses. The article also discusses the weaknesses of the OpenID initiative to simplify the process. "The solution urged by the experts is to abandon passwords -- and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see. ...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory."

  1. Yes, we know. by Anonymous Coward · · Score: 5, Insightful

    The solution is public key cryptography. The problem with that solution is that it only works as "something you have", not "something you know", which is the authentication mode of passwords. You can't leave "what you know" at home, but will you always have your smart card with you? Another problem is that secure public key cryptography requires a complete terminal under the control of the user, not just a card. The private key can never leave the user's control and the user must always know what it is used for. That requires a display and keyboard. Not something people want to have on them whenever they need to authenticate.

    1. Re:Yes, we know. by ratnerstar · · Score: 5, Funny

      It can work as "something you know," all you have to do is memorize your private key. Kids these days; they want everything to be easy.

      --
      Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster
    2. Re:Yes, we know. by Kjella · · Score: 4, Insightful

      Yes, if you're always where there's phone coverage and you got battery. However, it doesn't solve the problem of a compromised terminal. That was what a bank virus did not that long ago, waited for the user to authenticate then sent money elsewhere "behind the scenes". Sure it might not get your email password but if it silently downloads your inbox compromising every password mail you ever got, well gee that's nice.

      --
      Live today, because you never know what tomorrow brings
    3. Re:Yes, we know. by jd · · Score: 5, Interesting

      The US Government uses this method, except via smart cards. This started with the NMCI initiative. I was not keen on NMCI, as it used Citrix and centralized application serving. This creates a single point of failure (which quite often failed at the beginning) and a single, all-powerful account on a system (there's no other way of having a central system responsible for all privileges otherwise) on an operating system that probably isn't going to be in the Trusted class (i.e. it ran Windows - and I am using the Trusted class in the Orange Book sense, not in any "popular" sense of whether people actually trust it).

      PKI is a very sensible approach, but should not be used in isolation. This was discussed only a short time ago on Slashdot regarding "secure locks" - there should always be multiple layers of security, a reliance on a single layer is always going to be a disaster waiting to happen.

      Passwords as a "bootstrapping" mechanism to enable the rest of the security sounds fine. It's something we already do with regards GnuPG/PGP keys, Kerberos, etc. They're weak, but bootstraps don't need to be that strong if you're using them in a multi-layer system. They're supposed to make it hard for anyone to tell if they've broken the other layers. That is sufficient.

      There is, however, almost nothing else you can use. Biometrics are not safe (Slashdot has covered the breaking of many such systems) and not guaranteed to work (Slashdot has covered chimeras and other biological weirdness in the past). Two physical electronic keys won't give you significantly more security than one with twice the quality of encryption and just give you more you can lose. Call-back mechanisms are vulnerable to social engineering (if involving people) or replay attacks (if automated) since such methods have to use extremely primitive security as they are prior to authentication.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. Convenience vs security vs stupidity ... by blahplusplus · · Score: 4, Insightful

    Passwords can still play a role, the problem has always been user stupidity and convenience vs security. We always love to save time and anything that requires less effort = good for us, but at the expense of being less secure. Moving security to invisible layers is just asking for abuse by authorities, as if they didn't have enough power already via MAC address + ip binding in being able to track down and identify users by merely tooling around with the equipment right at the ISP end.

    My bank uses multiple authentication using personal questions which I would only know the answer to, and if you get the question wrong just once, it flags the account. The big problem is the number of retries: you can't guess or brute force passwords on accounts that will lock after the first few failed attempts.

    In my opinion it's probably best if we moved to gesturing, I find an interesting site here -
    http://www.dontclick.it/

    It could serve as an interesting basis for security, i.e. gesturing and opening the correct doors in a maze.

    1. Re:Convenience vs security vs stupidity ... by Saishu_Heiki · · Score: 5, Interesting

      Security versus convenience has been a large issue here at the hospital where I work in the IS department. Because all of the pharmacy orders are done in our clinical application, the state pharmacology board mandated that another layer of security be added beyond the physician's username/password. The result is a list of 60 personal questions (hometown, number of brothers, country of birth, etc.) that is drawn from randomly to ensure the person ordering the drugs is the one who is logged in and authorized. The problem was, doctors were answering "1" to all 60 questions so they would not have to remember the answers or be bothered actually reading the questions. If they had to use their ID badges instead, it would be an even bigger nightmare. They want speed and ease of use, but are reckless because data security is "my concern". Sometimes it is hard to stop the person with the gun to their head from killing themselves, regardless of whose responsibility it is.

  3. PEBKAC by at10u8 · · Score: 4, Insightful

    Problem exists between keyboard and chair, and the article does not address that aspect nor give any good workaround.

    1. Re:PEBKAC by houghi · · Score: 4, Insightful

      Indeed PEBCAK, because it is my fault that I have all these logins that I need to remember.
      Let me see? I have about 12 different logins that I was not allowed to select myself. Of those there are 6 that I can not change the password. These are just the ones I use at work and do not include the ones that are not personal, but are group logins and passwords.
      The other 6 I must change every month and to not get mixed up, I use something easy to remember. And I have worked in worse places. One where I needed to change my password each week for certain access. So I started to write them down.

      If that is PEBCAK, then so be it. It might just be my naive idea that if many people have an issue with e.g. a procedure, then it is not the people who need to change, but the procedure.

      If you see that nobody can reach the pedals on his bicycle, don't ask for taller people, start making smaller bicycles.

      --
      Don't fight for your country, if your country does not fight for you.
  4. OpenID by Cyberax · · Score: 4, Insightful

    OpenID is _PERFECTLY_ compatible with passwordless authentication. For example, my OpenID provider uses Kerberos authentication.

    I too feel that passwords are too weak. Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

  5. Re:Speaking of passwords by YttriumOxide · · Score: 5, Funny

    Surely that can't work... if it hides your ******** whenever you type it, then it would make it really obvious what your ******** is if it's a standard dictionary word when you use it in a sentence. I don't think it masks ********s at all.

    --
    My book about LSD and Self-Discovery
    Also on facebook as: DroppingAcidDaleBewan
  6. totally safe authentication method! by ocularDeathRay · · Score: 5, Funny

    Jean-Luc Picard: Begin auto-destruct sequence, authorization Picard-four-seven-alpha-tango.

    Beverly Crusher: Computer, Commander Beverly Crusher. Confirm auto-destruct sequence, authorization Crusher-two-two-beta-Charlie.

    Worf: Computer, Lieutenant Commander Worf. Confirm auto-destruct sequence. Authorization Worf-three-seven-gamma-echo.

    Computer: Command authorization accepted. Awaiting final code to begin auto-destruct sequence.

    --
    Obama is a twitter sock puppet
  7. its not that hard by circletimessquare · · Score: 4, Funny

    i have trouble keeping track of all my usernames and passwords like everyone else

    so i put it in passwords.txt in my shared emule folder, so i can access it anywhere in the world ;-)

    smart, huh?

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  8. Kerberos did that years ago. by khasim · · Score: 5, Interesting

    With Kerberos, your password never leaves your machine.

    The machine you're trying to log on to sends you a random string that is encrypted with your password.

    Your machine uses the password you typed in to decrypt that string. Which also contains instructions on how to continue the connection.

    Your password never goes across the wire.
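
The exchange khasim describes, as an added example that is not part of the original comment or of any Kerberos implementation: a server holding only a password-derived key sends a sealed random session key plus "how to continue" instructions, the client derives the same key from the typed password and opens the reply locally, and it then answers with a proof under the session key, so the password itself never crosses the wire. The realm, user and password are constructed, and the cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC) is a toy stand-in for Kerberos' real encryption types.

```python
import hashlib, hmac, json, os

REALM = "EXAMPLE.ORG"  # constructed realm for this example

def password_key(user: str, password: str) -> bytes:
    # "String-to-key": client and KDC derive the same key from the password alone.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{REALM}/{user}".encode(), 50_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC-in-counter-mode keystream; a constructed stand-in for a real Kerberos enctype.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; wire format is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password, or the reply was tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:  # server side: holds password-derived keys only, never the passwords
    def __init__(self, users: dict):
        self.keys = {u: password_key(u, p) for u, p in users.items()}
        self.pending = {}
    def challenge(self, user: str) -> bytes:
        # Random session key plus "how to continue" instructions, sealed under the user's key.
        session_key, nonce = os.urandom(32), os.urandom(16)
        self.pending[user] = (session_key, nonce)
        body = json.dumps({"session_key": session_key.hex(), "nonce": nonce.hex(),
                           "next": "reply with HMAC(session_key, nonce)"}).encode()
        return seal(self.keys[user], body)
    def verify(self, user: str, proof: bytes) -> bool:
        session_key, nonce = self.pending.pop(user)
        return hmac.compare_digest(proof, hmac.new(session_key, nonce, hashlib.sha256).digest())

def client_login(kdc: KDC, user: str, typed_password: str) -> bool:
    # Client side: the typed password is used only here, on the user's own machine.
    blob = kdc.challenge(user)                          # on the wire: sealed blob only
    try:
        instr = json.loads(unseal(password_key(user, typed_password), blob))
    except ValueError:
        return False                                    # a wrong password fails locally
    proof = hmac.new(bytes.fromhex(instr["session_key"]), bytes.fromhex(instr["nonce"]), hashlib.sha256).digest()
    return kdc.verify(user, proof)                      # on the wire: proof only
```

Whoever records the sealed reply can still test password guesses against its tag offline, which is the weakness that Kerberos 5 pre-authentication was added to close. The block demonstrates the password staying off the wire, not resistance to offline guessing.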

  9. My reply, directly to the author: by SanityInAnarchy · · Score: 4, Insightful

    I felt I had to respond to your article about passwords. It's been Slashdotted here:

    http://it.slashdot.org/article.pl?sid=08/08/10/186203

    But I felt it was important enough to write directly, and concisely, because you seem to have missed a fundamental point of OpenID.

    OpenID promotes "Single Sign-On": with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

    OpenID supports single-sign-on. There is nothing about it which requires you to use the same identity everywhere -- or even the same provider.

    But more importantly:

    OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site.

    Nothing about OpenID requires a password.

    I'll say that again: NOTHING about OpenID requires a password.

    What OpenID does is, in proper implementations, it allows us to sign in with any provider we choose. I could choose my own server as a provider -- thus, it's not necessarily "someone else's web site". And I don't have to use passwords -- I can use a password and a "security question", I can use public-key cryptography, or I can hire a secretary to sit at the server in question and only authorize requests when she receives a phone call from me.

    Even if we assume everyone continues to use the same password, with the same account, everywhere, it's still better than a conventional login. With the conventional login, every site I log into could steal my password and use it to login as me elsewhere. With OpenID, only my OpenID provider can do that.

    One single-point-of-failure is better than N single-point-of-failure.

    You can't use Microsoft-issued OpenID at Yahoo, nor Yahoo's at Microsoft.

    If true, that seems about on par for a technology in its infancy. Remember email? Used to be, you could only send mail to other people with the same ISP. Now, I can send mail to anyone, on any ISP, so long as I have their address.

    So that says more about Yahoo and Microsoft's understanding of the technology than it says about the technology itself.

    --
    Don't thank God, thank a doctor!
  10. OpenID and Multi-Factor Authentication by master_runner · · Score: 4, Informative

    Although the password is still there, many OpenID providers are moving towards advanced multi-factor authentication. For example, when I (or anyone else) attempt to log in to my OpenID account, the account provider calls my cellular phone. I must answer the call and confirm (by pressing the # key) in order to log in. This means that in order for an intruder to gain access to my account, they must have my password and my mobile phone, and if anyone else tries to log in to my account the unexpected call will alert me to this fact. I also know that other OpenID providers support the hardware key popularized by PayPal that generates a one-time password for each login. Other OpenID providers (including mine) support authentication via SSL certificates. There's a whole range of alternative and multi-factor authentication schemes offered by today's OpenID providers, and over time more and more methods are being introduced. OpenID allows users to choose an authorization service based on the security that they offer rather than based on what website they want to log in to.

    --
    I might be stupid, but that's a risk we're going to have to take.
  11. Re:the real solution! by Anonymous Coward · · Score: 4, Funny

    We already tried that. It's called 4chan.
    It did not work that well though...

  12. Re:something you have? by ratnerstar · · Score: 5, Funny

    You can't prove you have the "something you have" as in reality anything can be copied and thus you might just have a copy. Most of the token "things" are really a case of "something (something you have) knows" which isn't much better than "something you know".

    Right?

    Right. Moreover, given a good hacksaw, biometrics can easily move from "something you are" to "something I have."

    --
    Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster