Slashdot Mirror

← Back to Stories (view on slashdot.org)

Moving Beyond Passwords For Security

Posted by Soulskill on from the asdf1234 dept.

Naturalist writes with an excerpt from a New York Times story about the need for a more secure method for identification than the password-based system almost everyone currently uses. The article also discusses the weaknesses of the OpenID initiative to simplify the process. "The solution urged by the experts is to abandon passwords -- and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see. ...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory."

8 of 235 comments (clear)

  1. Yes, we know. by Anonymous Coward · · Score: 5, Insightful

    The solution is public key cryptography. The problem with that solution is that it only works as "something you have", not "something you know", which is the authentication mode of passwords. You can't leave "what you know" at home, but will you always have your smart card with you? Another problem is that secure public key cryptography requires a complete terminal under the control of the user, not just a card. The private key can never leave the user's control and the user must always know what it is used for. That requires a display and keyboard. Not something people want to have on them whenever they need to authenticate.

    1. Re:Yes, we know. by ratnerstar · · Score: 5, Funny

      It can work as "something you know," all you have to do is memorize your private key. Kids these days; they want everything to be easy.

      --
      Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster
    2. Re:Yes, we know. by jd · · Score: 5, Interesting

      The US Government uses this method, except via smart cards. This started with the NMCI initiative. I was not keen on NMCI, as it used Citrix and centralized application serving. This creates a single point of failure (which quite often failed at the beginning) and a single, all-powerful account on a system (there's no other way of having a central system responsible for all privileges otherwise) on an operating system that probably isn't going to be in the Trusted class (ie: it ran Windows - and I am using the Trusted class in the Orange Book sense, not in any "popular" sense of whether people actually trust it).

      PKI is a very sensible approach, but should not be used in isolation. This was discussed only a short time ago on Slashdot regarding "secure locks" - there should always be multiple layers of security, a reliance on a single layer is always going to be a disaster waiting to happen.

      Passwords as a "bootstrapping" mechanism to enable the rest of the security sounds fine. It's something we already do with regards GnuPG/PGP keys, Kerberos, etc. They're weak, but bootstraps don't need to be that strong if you're using them in a multi-layer system. They're supposed to make it hard for anyone to tell if they've broken the other layers. That is sufficient.

      There is, however, almost nothing else you can use. Biometrics are not safe (Slashdot has covered the breaking of many such systems) and not guaranteed to work (Slashdot has covered chimeras and other biological weirdness in the past). Two physical electronic keys won't give you significantly more security than one with twice the quality of encryption and just give you more you can lose. Call-back mechanisms are vulnerable to social engineering (if involving people) or replay attacks (if automated) since such methods have to use extremely primitive security as they are prior to authentication.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. Re:Speaking of passwords by YttriumOxide · · Score: 5, Funny

    Surely that can't work... if it hides your ******** whenever you type it, then it would make it really obvious what your ******** is if it's a standard dictionary word when you use it in a sentence. I don't think it masks ********s at all.

    --
    My book about LSD and Self-Discovery
    Also on facebook as: DroppingAcidDaleBewan
  3. totally safe authentication method! by ocularDeathRay · · Score: 5, Funny

    Jean-Luc Picard: Begin auto-destruct sequence, authorization Picard-four-seven-alpha-tango.

    Beverly Crusher: Computer, Commander Beverly Crusher. Confirm auto-destruct sequence, authorization Crusher-two-two-beta-Charlie.

    Worf: Computer, Lieutenant Commander Worf. Confirm auto-destruct sequence. Authorization Worf-three-seven-gamma-echo.

    Computer: Command authorization accepted. Awaiting final code to begin auto-destruct sequence.

    --
    Obama is a twitter sock puppet
  4. Re:Convenience vs security vs stupidity ... by Saishu_Heiki · · Score: 5, Interesting

    Security versus convienience has been a large issue here at the hospital where I work in the IS department. Because all of the pharmacy orders are done in our clinical application, the state pharmacology board mandated that another layer of security be added beyond the physician's username/password. The result is a list of 60 person questions (hometown, number of brothers, country of birth, etc) that is drawn from randomly to ensure the person ordering the drugs is the one who is logged in and authorized. The problem was, doctors were answering "1" to all 60 questions so they would not have to remember the answers or be bothered actually reading the questions. If they had to use their ID badges instead, it would be an even bigger nightmare. They want speed and ease of use, but are reckless because data security is "my concern". Sometimes it is hard to stop the person with the gun to their head from killing themselves, regardless of whose responsibility it is.

  5. Kerberos did that years ago. by khasim · · Score: 5, Interesting

    With Kerberos, your password never leaves your machine.

    The machine you're trying to log on to sends you a random string that is encrypted with your password.

    Your machine uses the password you typed in to decrypt that string. Which also contains instructions on how to continue the connection.

    Your password never goes across the wire.

  6. Re:something you have? by ratnerstar · · Score: 5, Funny

    You can't prove you have the "something you have" as in reality anything can be copied and thus you might just have a copy. Most of the token "things" are really a case of "something (something you have) knows" which isn't much better than "something you know".

    Right?

    Right. Moreover, given a good hacksaw, biometrics can easily move from "something you are" to "something I have."

    --
    Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster