Slashdot Mirror


Let Your Theme Song be Your Password

An anonymous reader writes "The latest proposed solution to the fact humans suck at using passwords properly is to let people use digital objects, like mp3s, photos or videos instead. A file is hashed into a unique, secure string that acts as the real password. A paper on the idea was put forward in a recent Usenix conference on hot topics in security, and a Firefox extension that implements the idea is available too."

17 of 275 comments

  1. Stupid and Redundant by Anonymous Coward · · Score: 5, Insightful

    If you can use an MP3 as a "password" you may as well just go the whole nine yards and use a damn key file.
    This is stupid and redundant.

    1. Re:Stupid and Redundant by 0xygen · · Score: 2, Insightful

      Amen!

      It's just a keyfile without any of the cryptographic advantages.

      Once one site / attacker has the "password", i.e. the file hash, they all have it. Unlike public key crypto, where you get to keep your private key!

    2. Re:Stupid and Redundant by Cheesey · · Score: 2, Insightful

      But no one knows what song out of my thousands I'm using,

      Maybe they would look at the access times to see what files you'd opened recently?

      --
      >north
      You're an immobile computer, remember?

    3. Re:Stupid and Redundant by jabithew · · Score: 3, Insightful

      Also, last.fm would go from being an entertaining and useful resource to a massive security hole.

      (I know you wouldn't play the song every time necessarily, but it would severely limit the number of songs which it could be and give you a pretty good way to weight attempts.)

      --
      All intents and purposes. Not intensive purposes.

    4. Re:Stupid and Redundant by MrNaz · · Score: 4, Insightful

      Who needs last.fm? A dictionary attack involving every song released by the RIAA in the last decade would run into (at a wild guess) a few million. Hashing those into a dictionary would take a few days or perhaps weeks, and once done, would not have to be done again. My bet would be on about a month before the first distributions of song hash tables by a bunch of bored kids who know how to use md5sum and bash scripting.

      So dictionary attacks with a few million possibilities? This "security" development is worse than the use of real, un-obfuscated dictionary words.

      --
      I hate printers.

    5. Re:Stupid and Redundant by Tim+C · · Score: 4, Insightful

      Except that you'd have to do that for all realistic bitrates and encoders, values of the id3 tags, etc - basically anything that would alter the hash of the file. I wouldn't be too concerned about that.

      What I would be concerned about however would be targeted attacks, with malware being distributed that scans the PC for suitable media files, produces the hashes, and sends them home along with some identifier for the user...

  2. They should disencourage songs as much as possible by Keyper7 · · Score: 4, Insightful

    There's no cure for user stupidity, so if users are encouraged to use songs as passwords there'll be lots of users that'll use their favorite song as their password even though they downloaded it from iTunes or a specific pirate group (i.e. lots of people can have the exact same song with the exact same encoding) and announce to the world what their favorite song is in their social networking profile.

    Instead, users should be encouraged to record whatever rubbish with their microphones and use that instead. Stuff like ambient noise and voice tone would make such a signature unique even if the user puts very little effort into it. Heck, it could be a recording of a fart.

  3. Re:Stupid? by Anonymous Coward · · Score: 2, Insightful

    It increases security because it potentially increases the password complexity and renders it immune to dictionary attacks.
    But using an mp3 as a keyfile is, IMHO, dangerous: what if you re-tag your song? Windows Media Player has a "feature" to update the tags automagically...

  4. Howto create good password thats easy remembered by abecede · · Score: 5, Insightful

    Think about one of your favourite songs, poems (e.g. "Hey Jude" by The Beatles)
    Now take the first letters of the refrain or the first verse (e.g. "Hey Jude, don't make it bad") and you get "HJdmib"
    If you like, translate it a little bit into "l33t speak": HJdm1b
    And you have a great password that you can remember easily.

    EDUCATE your users!

  5. The same catch as always exist by silentcoder · · Score: 4, Insightful

    All security needs some way to identify a person to a computer, which should be as hard as possible to fake. Biometrics rely on unique (but not unfakeable) biological traits of a person, passwords rely on knowledge which hopefully nobody else has - they however rely on custom hardware to get this biological data (e.g. fingerprint scanners) - which makes them wholly unsuitable for the web.

    One possible replacement for passwords is security keys, which now relies on not letting anybody else get access to a certain file. The fact that those, by themselves, are not secure enough (as getting a file once now opens up the whole world it's used on) is why most key-based authentication systems allow you to protect the key itself with a passphrase. It can still be more secure as you can prevent the servers from accepting passwords so they cannot be so easily brute-forced but if somebody gets the keyfile, bruteforcing the passphrase is perhaps even EASIER as he can do it on his own machine where it cannot be logged by the target.

    Replacing the key with a picture or a sound file won't help much - unless you can protect access to the file... which leaves you right back where you started. Even if you just send a hash based on it (so it cannot be ripped from a server) anybody who gets the file (and knows what file to get) has all your access.
    And now... there isn't even a pass phrase to protect it.

    The fundamental problem of all security remains - the identifying information needs to be limited to a single person. Whether that is something in his head you try to stop others from guessing or brute-forcing, or something about his body or a file on his computer - there is still no real way to make sure it cannot be faked.

    You could come up with a billion variations on the theme. KDE has the option to lock the screen if a bluetooth device is out of range, and unlock it if it comes back into range (I'm sure other desktops/OS's have similar tools) - now you rely on an object (like a cellphone) being owned by a certain user and hard to get without that person noticing - but you're back to why we don't use fingerprint scans to log onto websites. Users need trusted hardware for it to work (trusted by the service provider I mean) - the only way to prevent any old scanner with a picture of somebody's thumb (and who has never taken one of those by accident ?) - that are not common and are expensive. Even if you could make it trusted, when you cannot see the user, you cannot be sure his hardware isn't compromised. Even if you lock the hardware with a secret key (DRM style) you still cannot prevent it being fooled with a picture of somebody's thumb (and who hasn't taken a few of those by accident over the years ?)

    Ultimately, we won't really have better security until we crack the problem of identifying a person who is somewhere else. Even the most draconian approaches won't work, if you require a webcam stream of the person - that won't be impossible to fake either, in fact since nobody could monitor all of them, all of the time, moving the cam or sending back a recording will be ridiculously easy.

    In short this is just another attempt to come up with a better kind of keyfile - and frankly, it's not even as good as the ones we have - and nobody has really grokked a better way to solve the identity of a distant person problem yet.

    --
    Unicode killed the ASCII-art *

  6. Re:Stupid? by EdIII · · Score: 4, Insightful

    It increases security because it potentially increases the password complexity and renders it immune to dictionary attacks.

    It actually does neither. Where you are mistaken is thinking the complexity lies with the created "secure string". It does not. If this unique hash were like an MD5 hash then the complexity of the hash is simply the range of characters raised to the power of 32, the length of an MD5 hash. MD5 is hexadecimal I think (off the top of my head here), so that would be 16 unique characters. So an MD5 hash has 16^32 permutations.

    The problem however, is that the complexity of this new password IS NOT 16^32, or whatever the permutations of the "secure string" really are. Its complexity is the number of unique files on your computer. Create a "secure string" from every file on the system and you now have the dictionary that you referred to. The difference between this dictionary and a traditional dictionary attack is that there is a GUARANTEE that at least ONE of the entries in the dictionary is the right one.

    Your observation about the tags though, is spot-on. Any changes to that file at all will render it useless as a password.
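    An added model of the scheme (not code from the thread or from the paper's extension) that puts numbers on EdIII's two points above and on the tag-fragility point raised by Tim+C and the "Re:Stupid?" poster: the nominal size of the hash string versus the real candidate set, and how a metadata edit alone changes the derived "password". The library bytes and the minimal ID3v1 writer are constructed for the example.

```python
import hashlib
import math

# Constructed sample "media library": bytes stand in for real mp3/wav files.
AUDIO = {
    "hey_jude.mp3": b"\xff\xfb\x90\x00" + b"frame-data-1" * 8,
    "yesterday.mp3": b"\xff\xfb\x90\x00" + b"frame-data-2" * 8,
    "let_it_be.mp3": b"\xff\xfb\x90\x00" + b"frame-data-3" * 8,
    "ambient_mic.wav": b"RIFF" + b"\x00\x01\x02\x03" * 16,
}


def derive_password(data: bytes) -> str:
    """Model of the scheme: the file's hash string is the password (MD5 to match EdIII's 16^32)."""
    return hashlib.md5(data).hexdigest()


def nominal_bits(hex_digest: str) -> int:
    """Bits if the hash string itself had to be guessed: 16 symbols per hex position."""
    return len(hex_digest) * 4


def candidate_space(library: dict) -> set:
    """EdIII's point: the real dictionary is the hash of every file on the box, and it is complete."""
    return {derive_password(data) for data in library.values()}


def effective_bits(library: dict) -> float:
    """Bits when the candidate set is the user's files: log2(number of files), not 128."""
    return math.log2(len(library))


def with_id3v1_tag(data: bytes, title: str, artist: str = "", year: str = "") -> bytes:
    """Append a 128-byte ID3v1 trailer (TAG, title, artist, album, year, comment, genre).
    An existing trailer is replaced first, so re-tagging changes metadata only, never audio."""
    if len(data) >= 128 and data[-128:-125] == b"TAG":
        data = data[:-128]

    def field(text: str, width: int) -> bytes:
        return text.encode("latin-1")[:width].ljust(width, b"\x00")

    tag = (b"TAG" + field(title, 30) + field(artist, 30) + field("", 30)
           + field(year, 4) + field("", 30) + b"\xff")  # genre 0xff = unset
    return data + tag


def password_survives_retag(data: bytes, old_title: str, new_title: str) -> bool:
    """False means a tag edit (a player 'updating' metadata) silently breaks the password."""
    before = derive_password(with_id3v1_tag(data, old_title))
    after = derive_password(with_id3v1_tag(data, new_title))
    return before == after
```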

  7. Re:What a stupid idea by pmontra · · Score: 2, Insightful

    I think you're right. An attacker would just keep downloading music and video files from torrents to update a database of common hash values and use it for dictionary based attacks.

    If one wants to create a really secure hash he should just use a file containing random data. But isn't it easier to create a random password instead?

    So this proposal looked good but it shouldn't have passed the brainstorming phase.

  8. Re:Howto create good password thats easy remembere by arth1 · · Score: 4, Insightful

    Though really, why not use "H3y Jud3, d0n't m4k3 11 b4d"? It has almost all of that, plus a good length.

    Because the user doesn't control the hashing algorithm used for passwords. If you do that on a typical Unix box with good old DES crypt, the hash is only on the first eight characters, and your password is no different from "H3y Jud3". And "H3y Jud3" is easily found using a dictionary attack -- in fact, john the ripper's out-of-the-box rules have "l/ese3[:c]" as one of the single crack rules, and "Hey Jude" is most definitely in cracker lists, which tend to include all popular movies and songs.

    Contrary to popular belief, substituting letters with numbers in 31337 speech doesn't do much to improve password security. It takes slightly longer to crack, but not enough so that you should feel much safer.
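    An added password-policy check (not arth1's code, and not an implementation of John the Ripper's rule syntax) that demonstrates both of arth1's points from the defender's side: it undoes common leet substitutions before comparing against a wordlist, and it applies the comparison to only the first eight characters when the target system still uses DES crypt. The wordlist and the substitution table are constructed for the example.

```python
from typing import Optional

# Constructed wordlist fragment; real cracker lists carry popular song and film titles.
WORDLIST = {"hey jude", "let it be", "yesterday", "password"}

# Common leet substitutions, reversed: a cracker rule applies these forwards, a checker undoes them.
UNLEET = str.maketrans({"3": "e", "4": "a", "0": "o", "1": "l", "5": "s", "7": "t", "@": "a", "$": "s"})

DES_CRYPT_LIMIT = 8  # traditional Unix DES crypt(3) hashes only the first 8 characters


def effective_secret(password: str, hash_limit: Optional[int]) -> str:
    """What the stored hash actually covers: the whole password, or just its first hash_limit chars."""
    return password if hash_limit is None else password[:hash_limit]


def normalize(password: str) -> str:
    """Undo leet substitutions and case, so '31337' is judged as 'eleet' and 'H3y Jud3' as 'hey jude'."""
    return password.translate(UNLEET).lower()


def weakness(password: str, hash_limit: Optional[int] = DES_CRYPT_LIMIT,
             wordlist=WORDLIST) -> Optional[str]:
    """Return the reason the password is weak, or None if it passes this (deliberately small) check."""
    secret = effective_secret(password, hash_limit)
    if secret != password and normalize(secret) in wordlist:
        return (f"only the first {hash_limit} characters are hashed; "
                f"{secret!r} is a leet-spelled wordlist entry")
    if normalize(password) in wordlist:
        return f"{password!r} is a leet-spelled wordlist entry"
    return None
```

    The long phrase passes only when `hash_limit=None`, i.e. on a system whose password hash covers the whole string; under DES crypt it collapses to "H3y Jud3".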

  9. Re:Stupid? by tgzuke · · Score: 3, Insightful

    Though, if Mallory has the ability to hash every file on your computer, you probably have bigger problems than password security.

  10. Really Bad Idea by Bandman · · Score: 2, Insightful

    There are so many reasons this is a horrible idea...

    Aside from all the normal vulnerabilities to phishing and such, first and foremost, a good authentication system requires 3 things, something you know (a password), something you have (an ident card), and with today's technology, something you are (biometric scan). Since everyone doesn't have an iris scanner on their laptops yet, we typically settle for the first two (though fingerprint scanners on laptops are becoming ubiquitous).

    This proposal takes away the something that you know, leaving only the something that you have. It makes it essentially the same as key based authentication for ssh. It's secure, but I don't distribute my laptop's keys for a reason. If it gets stolen, your private key is compromised and you scramble to pick up the pieces. If it was used more frequently, and from multiple physical locations, that increases the likelihood of it being compromised since it's always got to be with you.

    I'm really fond of some of the two way authentication systems that some banks are using now. My bank is pretty lame, it just shows me a picture with some text that I've selected beforehand. I've read online where other banks will actually send an sms to your cell phone, and you have to enter that SMS to log in. The poor man's RSA token, if you will.

  11. Re:Hmmm.. by Bozzio · · Score: 2, Insightful

    I had a similar but reverse experience. Until the age of 15 I never really listened to music. I was a musician, and really enjoyed _playing_ music, but I owned very few CDs or cassettes and the ones I did own I only bought because people told me they were "cool." I wasn't interested in popular music at the time and I didn't know anything else.

    Eventually, I rediscovered Jazz and my hunger for music just exploded. I even learned to appreciate some of the popular music that I had dismissed before. Though, I have to admit, finding radio music with merit (music that isn't produced with the sole purpose of making money) is a rare occurrence.

    Trying to discover and enjoy music by listening to the radio is like trying to discover and enjoy gourmet cooking by going to McDonald's. Once in a while you'll stumble onto the McRib, but usually you're stuck with a Happy Meal(TM).

    My point is, find what you like, and don't be bothered if nothing you hear appeals to you. It took me years to find music that appealed to me, and now I know where to look for it. The music industry is the last place to look for quality, well crafted, music. It's not impossible to find good music from a major label, but it's rare.

    Dork out.

    --
    I just pooped your party.

  12. Re:Hmmm.. by Yetihehe · · Score: 2, Insightful

    So... you are sending a hash of password... Probably like it can be done with just clear text?

    --
    Extreme Programming - Redundant Array of Inexpensive Developers