Let Your Theme Song be Your Password
An anonymous reader writes "The latest proposed solution to the fact humans suck at using passwords properly is to let people use digital objects, like mp3s, photos or videos instead. A file is hashed into a unique, secure string that acts as the real password. A paper on the idea was put forward in a recent Usenix conference on hot topics in security, and a Firefox extension that implements the idea is available too."
"Your honor, the defendant has a musical password which was not authorized by us! By using it on more than one computer, he has distributed it illegally. We demand $700,000 in damages."
If you can use an MP3 as a "password" you may as well just go the whole nine yards and use a damn key file.
This is stupid and redundant.
TrueCrypt had an option like this. The best thing, in my opinion is to use a password and files. (Yes, multiple files).
My favourite system was to set up a TrueCrypt volume with a hidden volume. You have two passwords, and a set of files on a CD. The normal volume is opened with a password and all the files on the CD. The hidden one is opened with the password and a selection of the files (I called them 0-9 so it ended up as a 'pin' of sorts).
This means two things to know, and one to have, plus plausible deniability, which isn't bad.
-- Lattyware (www.lattyware.co.uk)
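The "file hashed into a string" idea from the submission and the password-plus-keyfiles arrangement from the comment above are the same mechanism, so here is one added example covering both. It is not code from the paper, the Firefox extension, TrueCrypt or the commenter: it derives a key from a password and the SHA-256 digests of a chosen subset of named keyfiles, then shows the outer/hidden two-volume trick where the same file set opens different volumes depending on which files you present. The keyfile contents, volume names, passphrases and the fingerprint table are constructed for the demo; TrueCrypt itself does not keep such a table, it simply tries to decrypt each volume header with the derived key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Constructed stand-ins for the files on the CD (the comment named its files
// 0-9). Real keyfiles would be read from disk; only their bytes matter.
var sampleFiles = map[string][]byte{
	"0": []byte("constructed keyfile 0: a few bytes of random-looking data"),
	"1": []byte("constructed keyfile 1: an mp3 would do just as well here"),
	"2": []byte("constructed keyfile 2: the bytes matter, not the name"),
	"3": []byte("constructed keyfile 3: a photo, a video, anything stable"),
}

// DeriveKey turns a password plus the digests of the chosen keyfiles into a
// 32-byte key. Each file contributes only its SHA-256 digest (the submission's
// "file hashed into a unique string"); files are combined in sorted name
// order, so which files you pick, not the order you pick them, fixes the key.
func DeriveKey(password string, files map[string][]byte, chosen []string, rounds int) ([]byte, error) {
	if len(chosen) == 0 {
		return nil, errors.New("at least one keyfile is required")
	}
	names := append([]string(nil), chosen...)
	sort.Strings(names)
	mac := hmac.New(sha256.New, []byte(password))
	for i, name := range names {
		if i > 0 && names[i-1] == name {
			return nil, fmt.Errorf("keyfile %q listed twice", name)
		}
		content, ok := files[name]
		if !ok {
			return nil, fmt.Errorf("keyfile %q is missing", name)
		}
		digest := sha256.Sum256(content)
		mac.Write([]byte(name))
		mac.Write([]byte{0}) // separator so "1"+"23" and "12"+"3" cannot collide
		mac.Write(digest[:])
	}
	key := mac.Sum(nil)
	// Cheap stretching: re-MAC the running key with the password for a fixed
	// number of rounds. A real volume format should use a memory-hard KDF.
	for i := 0; i < rounds; i++ {
		m := hmac.New(sha256.New, key)
		m.Write([]byte(password))
		key = m.Sum(nil)
	}
	return key, nil
}

// Volumes is a simplified stand-in for the volume headers: it stores only a
// fingerprint of each volume key, so the table itself never says which
// password or which files open the hidden volume.
type Volumes struct{ fingerprints map[string][]byte }

func fingerprint(key []byte) []byte {
	h := sha256.Sum256(key)
	return h[:]
}

func (v *Volumes) Register(name string, key []byte) {
	v.fingerprints[name] = fingerprint(key)
}

// Unlock derives a key from what the user presents and reports which volume,
// if any, it opens ("" when nothing matches). hmac.Equal keeps the comparison
// constant-time so timing does not hint at a near miss.
func Unlock(v *Volumes, password string, files map[string][]byte, chosen []string) string {
	key, err := DeriveKey(password, files, chosen, 1000)
	if err != nil {
		return ""
	}
	fp := fingerprint(key)
	for name, want := range v.fingerprints {
		if hmac.Equal(fp, want) {
			return name
		}
	}
	return ""
}

// SetupDemo builds the comment's arrangement: the outer volume opens with one
// password and every file, the hidden one with a second password and files
// 1 and 3 only. Passphrases and the choice of subset are constructed.
func SetupDemo() *Volumes {
	v := &Volumes{fingerprints: map[string][]byte{}}
	outer, _ := DeriveKey("outer passphrase", sampleFiles, []string{"0", "1", "2", "3"}, 1000)
	hidden, _ := DeriveKey("hidden passphrase", sampleFiles, []string{"1", "3"}, 1000)
	v.Register("outer", outer)
	v.Register("hidden", hidden)
	return v
}

func main() {
	v := SetupDemo()
	key, _ := DeriveKey("hidden passphrase", sampleFiles, []string{"3", "1"}, 1000)
	fmt.Println("hidden key:", hex.EncodeToString(key))
	fmt.Println("all files + outer password opens:", Unlock(v, "outer passphrase", sampleFiles, []string{"0", "1", "2", "3"}))
	fmt.Println("files 3,1 + hidden password opens:", Unlock(v, "hidden passphrase", sampleFiles, []string{"3", "1"}))
	fmt.Println("hidden password + all files opens:", Unlock(v, "hidden passphrase", sampleFiles, []string{"0", "1", "2", "3"}))
}
```

The caveat the commenter is relying on is the "one to have" factor: lose the CD, or let one file on it change by a single byte, and both volumes are gone, so the keyfiles need the same backup discipline as any other key.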
Think about one of your favourite songs, poems (e.g. "Hey Jude" by The Beatles)
Now take the first letters of the refrain or the first verse (e.g. "Hey Jude, don't make it bad") and you get "HJdmib"
If you like, translate it a little bit into "l33t speak": HJdm1b
And you have a great password that you can remember easily.
EDUCATE your users!
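The first-letters-of-a-lyric trick above, as an added example in code rather than the commenter's own: it takes the initial letter of each word (skipping leading punctuation, keeping the original case) and optionally applies a substitution table. The substitution table is an assumption, not anything the comment specified; the point of showing it as a fixed table is that any cracking tool can apply the same table in reverse, so the "l33t" step adds far less than the length of the underlying phrase does.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Initials returns the first letter or digit of each whitespace-separated
// word, so "Hey Jude, don't make it bad" becomes "HJdmib". Words made only
// of punctuation contribute nothing.
func Initials(phrase string) string {
	var b strings.Builder
	for _, word := range strings.Fields(phrase) {
		for _, r := range word {
			if unicode.IsLetter(r) || unicode.IsDigit(r) {
				b.WriteRune(r)
				break
			}
		}
	}
	return b.String()
}

// leetTable is an assumed, deliberately small substitution set; the exact
// mapping is a matter of taste and, being public, adds little entropy.
var leetTable = map[rune]rune{'a': '4', 'e': '3', 'i': '1', 'o': '0', 's': '5', 't': '7'}

// Leet applies the table to each rune, leaving everything else unchanged.
func Leet(s string) string {
	return strings.Map(func(r rune) rune {
		if t, ok := leetTable[r]; ok {
			return t
		}
		return r
	}, s)
}

// Mnemonic is the whole recipe from the comment: initials, then optional
// substitution.
func Mnemonic(phrase string, useLeet bool) string {
	out := Initials(phrase)
	if useLeet {
		out = Leet(out)
	}
	return out
}

func main() {
	fmt.Println(Mnemonic("Hey Jude, don't make it bad", false))
	fmt.Println(Mnemonic("Hey Jude, don't make it bad", true))
}
```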
Really? I used to use the tip of my penis, but MAN you should have heard the other people in the building COMPLAIN. Bitch, Bitch, Bitch.
The solution to authentication is something like the IronKey (a hardened USB drive for storing passwords) but with asymmetric crypto.
So you would go to Gmail, gmail would send a challenge that goes to the browser. A library on your browser would send the challenge to the USB device. The USB device would respond by signing the challenge asymmetrically, and that signature would route back through the browser to Gmail. Then you have 1 authenticated session until you destroy it. For sake of convenience imagine the implementation as using PGP -- public key, private key. Gmail has the public key, your USB device has the private key.
This is great since you could read your webmail on a friend's computer, or post Slashdot comments without leaving behind a persistent authentication token (barring a fake logout screen). Or there could be a keylogger on your home computer but it wouldn't be able to scrape persistent passwords and pass those on.
The only reason that humans don't use asymmetric security is that we're too stupid. Otherwise if we wanted high security we would be looking at screens of ciphertext and reversing the one-way function (a^b=c) in our heads. Given that we're too dumb, why not put our authenticator on a device that goes on a keychain with our other keys? (And you could make a backup just like with your other keys.)
I can't wait until /. posts the next stupid idea for replacing passwords (my favorite ice cream is LBtHrbjCi) so that I can copy-paste this comment again until I get early enough for +5.
If you need text styles to communicate then you don't have a message.
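The challenge-signing flow the comment above sketches (site issues a challenge, the keychain device signs it, the site checks the signature against the enrolled public key and opens a session), as an added example with both sides in one file. It is not code from IronKey, any browser library or the commenter; Ed25519 stands in for the "PGP-style" key pair, the domain name, user name and session handling are constructed, and binding the site's domain into the signed message is an added practice the comment did not mention (it stops a signature collected by one site from being replayed to another).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Challenge is what the site hands to the browser, and the browser to the device.
type Challenge struct {
	ID    string
	Nonce []byte
}

// Server is the site ("Gmail" in the comment): it knows one public key per
// user, which challenges are still outstanding, and which sessions are open.
type Server struct {
	domain   string
	pubkeys  map[string]ed25519.PublicKey
	pending  map[string][]byte // challenge ID -> nonce, removed on first use
	sessions map[string]string // session token -> user
}

func NewServer(domain string) *Server {
	return &Server{domain: domain, pubkeys: map[string]ed25519.PublicKey{},
		pending: map[string][]byte{}, sessions: map[string]string{}}
}

// Enroll records a user's public key; the private key never leaves the device.
func (s *Server) Enroll(user string, pk ed25519.PublicKey) { s.pubkeys[user] = pk }

// Issue creates a fresh random challenge and remembers it until it is answered.
func (s *Server) Issue() (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	id := hex.EncodeToString(nonce[:8])
	s.pending[id] = nonce
	return Challenge{ID: id, Nonce: nonce}, nil
}

// signedMessage binds the nonce to the site, so the device's signature is
// only good for the domain the device believes it is talking to.
func signedMessage(domain string, nonce []byte) []byte {
	return append([]byte(domain+"\x00"), nonce...)
}

// Login consumes the challenge (single use, success or not), verifies the
// signature with the enrolled key, and opens a session on success.
func (s *Server) Login(user, challengeID string, sig []byte) (string, error) {
	nonce, ok := s.pending[challengeID]
	if !ok {
		return "", errors.New("unknown or already used challenge")
	}
	delete(s.pending, challengeID)
	pk, ok := s.pubkeys[user]
	if !ok {
		return "", errors.New("unknown user")
	}
	if !ed25519.Verify(pk, signedMessage(s.domain, nonce), sig) {
		return "", errors.New("signature does not verify")
	}
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	token := hex.EncodeToString(tok)
	s.sessions[token] = user
	return token, nil
}

func (s *Server) UserFor(token string) (string, bool) { u, ok := s.sessions[token]; return u, ok }
func (s *Server) Logout(token string)                 { delete(s.sessions, token) }

// Device is the keychain token: it holds the private key and does nothing
// but sign challenges for the domain the browser says it is visiting.
type Device struct{ priv ed25519.PrivateKey }

func (d Device) Answer(domain string, c Challenge) []byte {
	return ed25519.Sign(d.priv, signedMessage(domain, c.Nonce))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	site := NewServer("mail.example")
	site.Enroll("alice", pub)
	dev := Device{priv: priv}
	c, _ := site.Issue()
	token, err := site.Login("alice", c.ID, dev.Answer("mail.example", c))
	fmt.Println("login:", token != "", err)
	_, err = site.Login("alice", c.ID, dev.Answer("mail.example", c))
	fmt.Println("replay of the same challenge:", err)
	site.Logout(token)
}
```

Logging out is just the site forgetting the token; nothing persistent was ever given to the borrowed computer, which is the property the comment is after. A keylogger on that machine still sees the session while it is open, and the "fake logout screen" the comment mentions is the same risk: the user has to know the session is actually gone.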