NYT Password Security Discussion Overlooks Universal Logins

A recent NYT piece explores the never-ending quest for password-based security, to which reader climenole responds with a snippet from ReadWriteWeb that argues it's time to think more seriously about life beyond passwords, at least beyond keeping a long list of individual login/password pairs: "These protective measures don't go very far, according to the New York Times, because hackers can get ahold of passwords with software that remotely tracks keystrokes, or by tricking users into typing them in. The story touches on a range of issues around the problem, but neglects to mention the obvious: the march toward a centralized login for multiple sites."

In matters of security

[Pojut]

In matters of security, the most important tool anyone can have is common sense. Phishing scams, "dangerous" websites, revealing important information willy nilly...all things that cause major problems in the digital world, and all things that could be almost completely avoided if common sense was more prevalent.

Granted, some people "don't know any better"...but that's why you educate those types of people if you know any.

Re:In matters of security

[Nursie]

Well, it doesn't help that companies are ill informed a lot of the time. I got a call today claiming to be from my ISP, asking for feedback on the service. At the end of the call they said they just wanted to verify my identity and asked for my DOB and the answer to my secret question that gets used as a password backup/reset mechanism, so they could confirm they were talking to the right person.

I told them absolutely not, they phoned me, I only prove my identity with private information when I've phoned a number/service I recognise, not a random caller.

I'm pretty sure it was them as I got a 'thanks for your feedback' email afterwards, but WTF?
I'm tempted to think it was some sort of test/survey thing to find out how dumb people are, but that's probably being too generous.

Re:In matters of security

[Pieroxy]

I live in France and when you're late for your electric bill they have a robot call you that propose you to enter your credit card information to pay your bill 'on the phone'.

Again, I am pretty sure it's them calling, and I am pretty sure also that this is something new as I never got it before. But this is scary. And I can't help but be scared at how many people will provide their credit card information on such an incoming call...

Re:In matters of security

[PPH]

My credit card company (Visa) calls me occasionally about suspicious activity on my card. When they leave a message, the number they leave is NOT the same as the customer service number on the back of my card.

It's been explained to me that this number gets me to the same place as the customer service number with a few less steps. But I've told them that I'll never call anything other than the number on the card. And that its a really bad idea to train customers to return calls to just any number and expect them to identify themselves with SSNs, relatives names, and provide their card number.

If anyone is supposed to be smart enough to figure social engineering attacks out, it should be Visa and their ilk.

Re:In matters of security

[mcgrew]

In matters of security, the most important tool anyone can have is common sense.

And paying attention. However, not everyone has common sense, and some people have an attention defecit.

Re:In matters of security

I agree this is a very, very bad practice. However, you are mistaken in your facts. It is not Visa that is doing this it is your bank. The number you call is your banks number and not Visa. Visa has very little contact with the cardholder and the policies that brought this about were due to your bank. Easy enough to change banks!

Re:In matters of security

[WNight]

It has a Visa logo on it, it's Visa doing it. They only license their trademark to partners in good standing.

You want us to think they're astute enough to manage to push every little contract change, etc, to their partner banks, but NOT enough to be able to check for proper security practices?

Re:In matters of security

[John+Hasler]

If anyone is supposed to be smart enough to figure social engineering attacks out, it should be Visa and their ilk.

They've figured out the ultimate social engineering attack: the credit card.

Re:In matters of security

[Nursie]

No, it's not. It's really not. VISA allow the logo to be used on hundreds of thousands of card products across the world. Thye provide card/transaction standards, a worldwide authorisation network and various other things. Their relationship is with @aquiring banks and issuing banks.

You cannot get a credit card from visa. They do not deal with individual accouns or providing credit like @bank does. tThey are not like Amex. It's the company that you got your Visa card from that are your problem.

Re:In matters of security

[minstrelmike]

Mastercard sends me a paper bill with a warning that a paper trail is an identity thief's best friend.That may be a true statement but I suspect most identity theft is done electronically, hence my request for the paper bill..

Re:In matters of security

[WNight]

Yeah, I get that that's their story. What the banks do isn't their problem because they're only partners...

But they partnered with the bank. They allowed them to use their logo, and they have a compliance program to make sure the bank is doing a proper job.

Crazy legal fictions don't change the reality of the situation which is that you have a Visa card with a Visa logo on it, much of the profit goes back to them, and they run the show. You might not be able to call them for anything, even reporting criminal actions at your bank, but they're still in charge.

Re:In matters of security

[Nursie]

In charge... Well you *could* see it like that....

The profit is mostly your banks. VISA make transaction fees but have nothing to do with the debt itself. It's not a crazy legal fiction in any sense, your bank offers you an instrument of debt. Your bank sets the interest rates and credit limits. Your bank ensures the security of the whole thing. VISA is just the comms network and the set of standards that go with it.

They're really not in charge of or responsible for anything much to do with your credit card any more than your google mail account is the responsibility of the backbone providers.

Re:In matters of security

[WNight]

In charge... Well you *could* see it like that....

Yeah, imagine one of the partner banks not paying Visa their fees, or trying to put a Visa and Mastercard logo on the same piece of plastic. Visa would put a stop to that instantly.

In charge. Their trademark, their rules.

VISA make transaction fees but have nothing to do with the debt itself. It's not a crazy legal fiction in any sense, your bank offers you an instrument of debt.

Yeah, money is flowing around between you and the bank and Visa because of the debt, but Visa is only involved in the transaction fees, as if that makes any difference and isn't just an excuse to abandon their responsibility.

That's what I mean, legal fiction. Plain as day, they're involved. They make money from it, but they've got excuses why that money is different than this money and thus doesn't count. It's as if the guy who held you while the loanshark beat you claimed innocence because he only got paid hourly, and never money from your pocket.

If they offered a generic service like a telephone line, or a packet-switched-network, they could claim ignorance of its use. When a bank starts to work with Visa do you think Visa comes, hooks up some machines and just leaves?

VISA is just the comms network and the set of standards that go with it.

And the monopoly holder of access to many stores.

And the loansharking franchise that uses that network.

Yes, I do understand what you're trying to say but I think artificial barriers like that are just used to avoid responsibility.

Idiots

[The_mad_linguist]

Why don't you hunter2s shut the hunter2 up!

Re:Idiots

[Abstrackt]

Why don't you *******s shut the ******* up!

Jeez, you really are a mad linguist.

Re:Idiots

[sconeu]

No, he's a Marklar.

Re:Idiots

[c++0xFF]

Why don't you *******s shut the ******* up!

You must have used some really foul language. Slashdot never censors posts like that!

Re:Idiots

[c++0xFF]

My first Whoosh on Slashdot. That should be one of the achievements.

Re:Idiots

[rduke15]

Where are my mod points when I need them? This is FUNNY, not flamebait!! Please someone read the linked thing and correct the mod. on the parent.

Re:Idiots

[Golddess]

Let me get this straight...

OP posts in plaintext the phrase "hunter2".
Next post quotes OP, but replaces hunter2 with *******, demonstrating that they are aware of the famous (infamous?) bash quote.
You then reply with a link to the bash quote with a comment that basically states "here, let me clue you in".

*baffled*

Single point of failure

[$RANDOMLUSER]

Always a great idea. Windows registry anyone?

Re:Single point of failure

Speaking of Microsoft,

Link from TFA regarding password strength. It's where they got that table in the article. At the Microsoft site, they have a link...

They have a Password Checker: is your password strong test?

That's just a mock phishing example waiting to happen.

Re:Single point of failure

[kenrblan]

Remember when building a critical system ask WNGD? (What would Northrop Grumman Do?)

Re:Single point of failure

[tverbeek]

Maybe the NYT article doesn't mention centralized login because such an obviously bad idea?

Re:Single point of failure

[Ephemeriis]

Always a great idea. Windows registry anyone?

It doesn't actually have to be a single point of failure though... What ever happened to OpenID?

Re:Single point of failure

[sarathmenon]

Not exactly. I use clipperz.com to store my passwords, and one of the features it provides is a direct login. The way this works is that it submits the password form directly, without you having to visit the website and copy paste the password from clipperz. It's impermeable to keyloggers and clipboard sniffers because you don't copy or type the password anywhere. Now, if your system is already hosed, your could theoretically be hacked. But, at that point you're SOL anyway.

Yeah, I know the drawbacks of using a password manager, and an online one at that. But it's the best tradeoff I've seen. I have to remember only one strong password, and I can just randomly type in unique passwords for the sites I visit. Plus, their architecture is solid.

Re:Single point of failure

[bluefoxlucid]

Yeah my initial response was going to be "LOL"

Re:Single point of failure

[vux984]

Pretty cool. Is there an open source equivalent? One that can be hosted on one's own servers?

Re:Single point of failure

[vux984]

Replying to my own post because clipperz actually appears to be Affero GPL... !

Re:Single point of failure

[jimicus]

Maybe the NYT article doesn't mention centralized login because such an obviously bad idea?

It's not quite as simple as that.

On the face of it, yes, it introduces a single point which, if compromised, has pretty bad consequences. But at the same time, if there's only one password to remember the likelihood of it being written down, exactly the same as the username or otherwise trivially guessable probably drops dramatically.

Now, if something like OpenID were to support certificate-based authentication...

Re:Single point of failure

[Sancho]

Hey, that's pretty neat. Thanks for pointing that out.

Re:Single point of failure

[Harodotus]

Some "best" password tested results from the Microsoft site:
  - aaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  - 123456789012345678901234567890123456789012345
  - qwertyuiop[]\asdfghjkl;'z
  - `1234567890-=qwertyuiop[

I'm thinking they don't do dictionary attacks here...

Re:Single point of failure

[tverbeek]

While it might reduce by a marginal amount the likelihood of the account being compromised, the potential consequences would be profoundly greater. That's a poor trade-off.

Several years ago, the pretty-damn-good and carefully-guarded common password that I used for buying things from sites such as Amazon, eBay, iTunes, etc. - reasonably well-run, reputable companies - was compromised somehow. (I have other different passwords that I use for message boards, others for banking, others for work-related accounts, etc.) Just dealing with that small breach was a serious hassle; if my financial institutions, e-mail, or privileged accounts had been involved, it could've been disastrous. Thank-you, but Do Not Want.

Re:Single point of failure

[godel_56]

Maybe the NYT article doesn't mention centralized login because such an obviously bad idea?

. . . if there's only one password to remember the likelihood of it being written down, exactly the same as the username or otherwise trivially guessable probably drops dramatically.

Schneier recommends that passwords should be written down but kept in a safe place, such as a wallet.

Now, if something like OpenID were to support certificate-based authentication...

Yes, good idea, but password managers and password generators provide the same sort of functionality as a centralized log-in system, without having to trust a third party. On Windows I use the PasswordMaker add-on for Firefox plus Keepass as my password manager. PasswordMaker also has a stand alone desktop version.

Re:Single point of failure

[Bigjeff5]

A dictionary attack would fail completely in all of those cases, and a brute force attack would be required. Since the length of the password is unknown, more than likely even the "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa" password is no easier to crack than any other possible password. If the length is known, then of course passwords like those you listed are the first ones you try, but with an unknown length there is nothing wrong with that password or any other in your list.

So, what is your point?

Re:Single point of failure

[Harodotus]

Well, it was mainly meant as a tongue-in-cheek dig at the folks in Redmund.

However, while it's not like I've gone to trouble of checking it, it's my understanding that modern password guessing dictionaries are incredibly extensive and have lengthy sections of common key combinations such as single letter repetitions of all acceptable lengths, numeric sequences, and keyboard patterns like qwerty, extended qwerty (qwertyuiop[]\asdfghjkl;'z), as well as many more folks have been dreaming up for decades now.

Of course the webpage is just a local javascript for simple complexity checking, but it's important to remember that it's not really a good simulation of a password's unguessability.

Re:Single point of failure

[tareko]

You were actually employing a tiered "single sign-on" strategy without any of the convenience of SSO. For the vast majority of sites, the site being compromised is inconsequential. e.g., So What if my local newspaper site login was breached?

It makes an awful lot of sense to have, say, 3 OpenIDs. One where you just could care less; used in the majority of sites (say, 70%). One where you'd rather not lose them (say 20% like your Amazon, eBay, iTunes), and one used for the last 10% that you guard zealously like your bank, email or whatever.

Torn

[esocid]

I'll admit, I feel torn when I see that OpenID login. Increase my chance of giving someone access to everything? Or make it simple?
In the end I compromise and simply use a variation of one password for those.

There is the problem with centralized logins: the masses don't consider the first part, and only think of the convenience.

Re:Torn

[Pieroxy]

OTOH, for stupid online forums and unimportant stuff such as random blogs, it makes sense. Unfortunately, those are the ones NOT proposing openId...

Re:Torn

[tronbradia]

What's easier: getting your openID taken down? Or changing all the passwords to sites that you gave the same or similar password to, everywhere on the internet?

I don't even have a list of all the sites I've given my crap password to. But if they were all authenticated with openID, I would only have one problem to fix.

Re:Torn

[houghi]

There used to be a time that you could easily host your own OpenID with e.g. http://siege.org/phpmyid.php
You point to http://yoursite.example.com/ instead of the one from Google or any other OID provider.
That way you limit the chance of giving somebody else access as you manage your own login and password.

Some others might be found here : http://openid.net/developers/libraries

Re:Torn

[Eil]

This is why you choose a reliable OpenID provider for your account. A reliable provider should have a good security record and (ideally) explain the details of their authentication system including how the passwords are stored.

Since OpenID is open, you can also be your own provider.

Re:Torn

[boxwood]

KeePass is a pretty good solution. it saves all your passwords into an encrypted file. All you have to remember is the password to get into KeePass and you have access to all your passwords. Most of the tim you can just click on the username field on the webpage, click on the sitename in KeePass, hit ctrl-v and it'll enter your username and password and submit it.

So you can have all your passwords for every site be a unique password of random characters, but have to only remember one password. Works for Windows, MacOS, Linux, and has a standalone version you can put on a thumbdrive if you need to use a computer at an internet cafe or whatever.

A simple keylogger won't get your passwords, they'd have to keep track of copy and paste operations to get your passwords.

Re:Torn

[Sancho]

The best thing to do is to look at how you currently operate and see if OpenID would improve security or not. If you're already using passwords in a particular way, you probably aren't going to change much.

A lot of people reuse their passwords, despite the fact that best practices suggest a unique password for each site. In this case, it just makes sense to go with OpenID.

If you already use lots of unique passwords, and you have no problem remembering them, then keep on doing that. OpenID gives you little benefit.

As someone else mentioned, it's probably easier to recover from a lost OpenID password than remembering all of the sites that shared a common password and changing them there. Moreover, it's easier to deal with phishing if the only site you sign into is your OpenID provider. Heck, if you run your own OpenID provider, all the better. You're probably immune to phishing for all intents and purposes.

Re:Torn

[Chelloveck]

I like SuperGenPass. It never actually saves a copy of your passwords, it algorithmically generates them from the site's domain name and your master password. (Actually, from any two strings. By convention it's the domain and master password, but you could use any identifier/keyword pair.)

It's made to run as a bookmarklet which auto-populates password fields on web forms. There's also a mobile version for when you're using someone else's computer. Either way the password is dynamically generated by JavaScript running locally. The mobile version is also good for pages which have funky login prompts that don't play nice with the bookmarklet. (I'm looking at you slashdot!)

How does centralized login solve keylogging?

[KarlIsNotMyName]

So they just need one password to access all your profiles?

Unless it was not actually your password for all those sites, but the password to a database (only available locally) that contained the password to those sites, I don't see how that's a solution. Actually, I thought the main problem with passwords was that people already used the same password for all their sites.

Re:How does centralized login solve keylogging?

[silas_moeckel]

It's not one password shared among all the sites for the web it general work as thus, You go to the site you want to log in as it, it talks to the third party log in site and redirects the user there to log in they do whatever they need to log in and get redirected back to the original site with a cookie that site validates the cookie. If the user is already logged in they never even see the third party site, the primary site never sees the credentials and that third party site can use more than just passwords to authenticate the user. It's not perfect but it's much better than current. Effectively it's a single sign on system for the web, things like openid allow this to be fairly decentralized (allowing an arbitrary number of third party sites to process the log ins). You don't even have to break anonymity as the origin sites needs only a uuid to keep track of that user on there system.

Re:How does centralized login solve keylogging?

[Bigjeff5]

Exactly my thoughts.

Keyloggers still work, phishing scams still work, and social engineering still works. If centralized logins become the norm, the bad folks will simply target the centralized logins.

Your risk with centralized logins, however, skyrockets. Now, instead of losing control of one login to one website, you lose everything. Moreover, they don't even have to guess what sites you have access to, they can simply dig through the centralized login site and find it once they have your account info.

The NYT article is interesting, but the SlashDot summary is near useless. There is no need to specifically include universal logins in the discussion, because universal logins suffer from exactly the same issues that individual logins do. The only possible reason for including them is the fact that the potential loss is much much higher with a universal login.

Re:How does centralized login solve keylogging?

[dstar]

And this solves the keylogger problem how?

It doesn't. You still have to authenticate at some point; at most, it reduces the opportunities for a keylogger to catch the password (if you only have to type it in every couple of weeks).

In exchange, it provides phishers with a dream environment. The only way to be certain you're actually connected to your authentication provider is to use SSL and make sure that you see the lock -- and if your security depends on Joe Random User doing that, you've already lost.

Shalon Wood

Re:How does centralized login solve keylogging?

[ceoyoyo]

Showing that the submitter doesn't even understand the very basics of security.

Re:How does centralized login solve keylogging?

[Ephemeriis]

So they just need one password to access all your profiles?

No.

The idea is to implement some kind of centralized authentication - not necessarily a password. You could do one of those RSA keychain fobs... Or some kind of smartcard or biometric or something... Since it's centralized, you only need one doohickey/password/scan/whatever. And once you're authenticated against that one central site, you don't need to continually re-authenticate everywhere you go.

In theory, you can do something more secure. The end user only needs one doohickey. The individual websites don't need to spend a ton of time or money developing fancy authentication schemes. So you've actually got less burden on both the end user and the individual websites.

Re:How does centralized login solve keylogging?

[bluefoxlucid]

The only way to be certain you're actually connected to your authentication provider is to use SSL and make sure that you see the lock -- and if your security depends on Joe Random User doing that, you've already lost.

Shalon Wood

You have no idea what you're talking about; this is a huge nonsequitar from the discussion on keylogging, although technically mostly accurate (there are ways to break this, but they rely on specialized conditions).

Re:How does centralized login solve keylogging?

[IndustrialComplex]

Keyloggers still work, phishing scams still work, and social engineering still works.

Except that this DOES address those issues, it doesn't make them impossible, but you are missing some advantages here.

Let's say you maintain passwords with 10 different services (not unlikely anymore). Does the typical person know the practices of each of those services? Do they keep track of when those practices change? No, of course they don't.

But let's say you reduce that to one service. All of a sudden you CAN expect people, if demonstrated to them and repeated, that KEYLOGINSERVICE will only contact them by this method (FedEx?, etc) will NEVER ask for ANY information if they are calling you (or may NOT call you). Our website will look like THIS exactly, and here are several ways to verify that.

You know, all the 'standard' verification methods that are used by all the sites we use now (or some, none?) but this time you only have to remember it for ONE site, instead of a variety of methods employed by a variety of sites. When people get in the habit of realizing that the keyservice will NEVER call them, will only do things a certain way, it WILL help combat phishing, social engineering, etc.

Re:How does centralized login solve keylogging?

[silas_moeckel]

With 2 factor authentication keyloging is practically useless, you using a one time password that only works once. The two most common types of this are the keyfobs that use a large random number, the time and some math to generate a new string of numbers every minute, and a list of numbers you use once. Banks like the list as it's pretty easy to print a list of passwords on a piece of paper and mail it to you. Key fobs quality varies but for the ones that do not plug into the computer you would need a lot of samples or some hardware hacking to break into it (or steal the seed from the hopefully well protected servers running auth).

Re:How does centralized login solve keylogging?

[Frigga's+Ring]

Biometrics are still considered too intrusive by many people, but not a bad idea. Two-factor authentication using a token is fine until someone loses or breaks their token. If getting a replacement is too difficult or takes too long, you won't get people to adopt the technology. If getting a replacement is too easy, then you're back to the original issue: if they could get your token, someone would just need your PIN to access everything.

Re:How does centralized login solve keylogging?

[Bengie]

If OpenID takes off like a rocket, I'll pay for User/Pass/FOB to secure my account. Would be awesome

Google+OpenID+FOB=Awesome

Re:How does centralized login solve keylogging?

[maxume]

All the stupid users everyone is worrying about already use their email account as a single point of failure, so switching to another system that concentrates risk really isn't the disaster you are painting.

Re:How does centralized login solve keylogging?

[Sancho]

Correct. What this does is improve the safety for people who can manage the presence of mind to avoid phishing for a particular site, while increasing the overall damage done for everyone who gets compromised.

However I'm not going to log in to my OpenID provider on an untrusted computer. I might be willing to log in to, e.g. Facebook on an untrusted computer. So now my options are a little more limited.

Re:How does centralized login solve keylogging?

[gdshaw]

It doesn't. You still have to authenticate at some point; at most, it reduces the opportunities for a keylogger to catch the password (if you only have to type it in every couple of weeks).

You're assuming (incorrectly) that authentication to your OpenID provider is necessarily by means of a password. This is not a requirement: you could use SSL certificates, Kerberos, smartcards, or any other security technology that takes your fancy. You could also (for example) require that the login be authorised from a machine on your LAN.

I'm not saying that this is common practice (it isn't), but if you want this level of security then there is nothing in the OpenID protocol to prevent you from achieving it.

Re:How does centralized login solve keylogging?

[Bigjeff5]

Except that this DOES address those issues, it doesn't make them impossible, but you are missing some advantages here.

It only addresses the issues for people who are paying attention to them. Those are the same people who are already unlikely to be taken in by the various forms of social engineering.

Let's say you maintain passwords with 10 different services (not unlikely anymore). Does the typical person know the practices of each of those services? Do they keep track of when those practices change? No, of course they don't.

But let's say you reduce that to one service. All of a sudden you CAN expect people, if demonstrated to them and repeated, that KEYLOGINSERVICE will only contact them by this method (FedEx?, etc) will NEVER ask for ANY information if they are calling you (or may NOT call you). Our website will look like THIS exactly, and here are several ways to verify that.

Most people do not pay attention to the privacy policies of any website, regardless of how many websites they actually need to log in to. That's why phishing scams and the like work so well. Furthermore, the rules to avoid social engineering are not website specific, they are universal, and they apply whether you use a centralized password system or not. Basically everything you outlined there is how you avoid scams on the net - if you know the rules you already know they apply to everything, not just one website or another. Most people simply don't grasp the rules for safe browsing. As such, the problem is not with any particular website, or the number of passwords, etc. It's with the uninformed nature of the user. A centralized ID does not, in any way, address that problem. Companies already try to get their customers to follow safe browsing practices with very limited success.

A centralized login will help with users who have many passwords and must write them down. However, for most people who would use a centralized login (end users, generally) this is not a high-risk issue because their passwords are stored in a private place, even if they are stickied to their monitor.

Writing passwords down is a very big deal in public environment (the workplace, etc), but most of these environments already have a centralized login for all of their sensitive information - their local domain login. In these environments I might recommend something like OpenID for online content, simply because the user is more likely to put their passwords at risk by writing them down in public view. Most companies, however, have a proscription against using the web for personal use, so it likely would never come up. Then again, slightly smarter habits would eliminate the problem - keeping your notebook with your passwords on your person at all times and not associating the password directly with a specific user name or website would be reasonably secure under those conditions.

For most users though, it's a tradeoff of more convenience vs putting all of your online content at risk with a single breach of security. Nothing about the centralized login improves your security at all.

Re:How does centralized login solve keylogging?

[Monkier]

Combine centralized and "multi-factor"? Build more PCs with smart card readers?

I'd like to see google offer some form of multifactor on their openid provider. A keyring token generator, or maybe a smartphone app?

resistance....

[M.+Kristopeit]

this story neglects to mention the obvious: the resistance from developers unwilling to hand the security of their systems and the trust of their users over to a 3rd party.

OpenID isn't the solution

[yourcelf]

The trouble with OpenID is it's still one identity that you're carting around, allowing yourself to be tracked across multiple sites.

A better solution is just to use a password manager (KeepassX, Last Pass, etc.) which lets you manage your own multiple identities in a secure way. This gives you the convenience of a single sign-on with the security of a distinct identity for every site where you want it.

Re:OpenID isn't the solution

[atisss]

wrong. password managers would be susceptible to the same problems - sniffers, etc, and they are less comfortable if you're using multiple computers.

You can customize your own OpenID server for keeping sessions on trusted IP addresses, but requiring some rotating logic only known to you when visiting from guest computers.

Re:OpenID isn't the solution

[bsDaemon]

All the Mac, Linux and BSD-based workstations I use regularly have KeePassX installed, and I keep a mirror copy of the database on my IronKey, as well as synching up the critical personal information with the built-in Windows programm on the IronKey for if I need to use a Windows machine without KeePassX on it. I don't honestly know what the root passwords to my personal VPS servers, my account passwords, or any of my banking passwords are. I know the pass phrase for the ironkey, and the passphrase for the keepassx database. Everything else is randomly generated on my behalf.

Re:OpenID isn't the solution

[ADRA]

Correct my if I'm wrong, but couldn't the only one that could realistically track your actions through OpenID be your authentication provider themselves? Don't trust them? Make your own. If you mean that people can track you based on your credentials exposed through OpenID, then I'd say there's absolutely nothing new there. The one flaw I find with OpenID is its reliance on HTML in order to present the authentication. If they came up with some non-html login form standard to allow for application logins, I'd be sold. PS: Oauth+OpenID may be an eventual solution, but every time I look at really integrating into an app I feel like cutting myself instead.

Re:OpenID isn't the solution

[Hadlock]

OpenID be your authentication provider themselves? Don't trust them? Make your own.

OpenID is really expensive to run though; it requires a verisign security cert, which runs $250+/year.

Re:OpenID isn't the solution

[bhcompy]

I agree with this sentiment.

Realistically, just keep a few different classes of passwords depending on the website. For Slashdot, Fark, your general BBS, etc, a less secure password is not that big of an issue, and I'll use one or two different passwords depending on the security restrictions of the website.

Then, you have websites like Woot that will allow you to use your Facebook, Yahoo, OpenID, whatever passwords, but Woot stores your payment information. That's not the kind of place that you want to use a universal password, and instead use a more secure password. Same goes for utility, banking, etc, except those get the highest level passwords.

I have about 10 primary passwords(and variations of them if there is a rotating password policy). Not difficult to remember, but then again I remember all of my locker combinations since jr high.

Single sign-on password management is just as stupid security wise as storing all of your personal and/or business documents on Google Docs. Never give someone a one stop shop for all of your stuff. Granted if OpenID used 30 second randomly generated passwords tied to an RSA Token on your person, I'd be more willing to adopt that type of single sign-on system.

Re:OpenID isn't the solution

[shaiay]

you do know that KeePassX is a post of the windows KeePass and the database is compatible between versions? There is even a portable version you can put on you IronKey, so you don't have to export keepass data tou your IronKey

Re:OpenID isn't the solution

[bsDaemon]

No, I hadn't seen the portable version of KeePass, I guess since I just install it from ports or the package repository and don't actually get it from the website. This is much handier though.

Re:OpenID isn't the solution

[Sancho]

Could you give some more details on this? As far as I can tell, there's no registration requirement for OpenID, and you can be a provider with all open source software. Who requires a verisign security cert?

Re:OpenID isn't the solution

[WiPEOUT]

There's no reason why you couldn't have an OpenID for each and every single site and a single shared password for all of them, e.g. site.yourname.openidprovider.net, since either way you're trusting the identity management capability.

Wait....

[yoblin]

Great, so I'll be able to use Facebook Connect to login to my bank accounts soon????? Count me in!!!!!!

Re:Wait....

[Pieroxy]

Better yet! I can post my bank account balance on facebook in one click! And my actions portfolio! My credit rating! Yeeeeeaaah!!!!

TPTB'd like to keep our identities

[marcuz]

NY Times knows what they are doing while supporting this call for centralized password management and identity system. They serve the powers that be on their quest to even greater power. I agree with their point - increasing the so called safety - but on the other hand I am a bit worried about having a few people in charge of the identities of eventually entire population. Almighty government and rich corporations will certainly be willing to help us with our identities.

Re:TPTB'd like to keep our identities

[ADRA]

Passports, Driver's Licenses, Social Security numbers... yeah the governments just can't be trusted with your identity. Lets trust in Google/Yahoo/Facebook/Microsoft/IBM/etc for our identity needs. Even better, lets have hundreds of incompatible schemes and make user sign up and use them all. That surely has to be more secure than having a single point of failure. I mean look, There's only one ROOT signatory (Verisign) and you just KNOW they fuck up everything they touch, right?

Three factor authentication...

[HerculesMO]

I like OpenID, but if you couple it with a three factor authentication, whether it be a smartcard, or biometric, or whatever.. that's when it becomes useful.

Too bad the current implementation doesn't support it. Sadly, World of Warcraft and Starcraft II do.

Go figure.

Re:Three factor authentication...

[VGPowerlord]

I like OpenID, but if you couple it with a three factor authentication, whether it be a smartcard, or biometric, or whatever.. that's when it becomes useful.

Too bad the current implementation doesn't support it. Sadly, World of Warcraft and Starcraft II do.

Go figure.

Three factor authentication? So, something you know (password), something you have (smartcard), and something you are (biometrics)?

Or did you mean two factor?

Re:Three factor authentication...

[HerculesMO]

Sorry, it's early in the week :)

Re:Three factor authentication...

[VGPowerlord]

Sorry, it's early in the week :)

Yes, virtual Mondays suck almost as much as real Mondays (my office was closed yesterday for Labor Day, so today is Virtual Monday for me, too).

KeePassX

[bradley13]

I am very happy with KeePassX. It stores your passwords and related information in an encrypted file. You can copy a password out of it to paste into a web-form. This means

• You don't have to remember your passwords - they can be randomly generated according to a wide set of rules.
• You don't have to type your passwords - they transfer via the clipboard (which is automatically emptied after a few seconds)
• Your passwords are (reasonably) secure, being stored in an encrypted file.

The obvious problem is that you need a password to open the KeePassX file. However, this at least does not go via browser, and I can manage to remember one complex, very secure password.

KeePassX is open-source, available for Windows/Mac/Linux, and compatible across all of these. Nice solution - give it a try!

p.s. I have no relation to the project - just a happy user!

Re:KeePassX

[Nerdfest]

The obvious problem is that you need a password to open the KeePassX file.

Actually, you can use a file based key in addition to a password, for some 2 factored goodness.

Id go for this if it was a ssl certificate

[pgmrdlm]

Just asking if that type of security exists for open id?

Re:Id go for this if it was a ssl certificate

[pgmrdlm]

Individual certificate, sorry. Should have been part of the original post.

The password metaphor

[tick-tock-atona]

What has always amazed me about authenication for access-control via a computer is the widespread use of "passwords". We treat computer access-control like it's a brand new problem, however it's really just the same old access-control problem that we solved at least 4000 years ago.

Why don't we have passwords to get into our houses? Why don't we have passwords to get into our cars or P.O. boxes or even safe-deposit boxes? Because passwords are a pain in the ass that are inherently insecure because we, as humans, are terrible at remembering arbitrary strings of numbers/letters/symbols. What we are good at remembering - objects/ideas and the words associated with them - make for terrible passwords because they are so darn easy to guess.

The idea of a lock and key is one which we have been using for millenia for security, so why haven't we applied this simple metaphor for electronic access-control. We even have the technology readily available: Public Key Authentication. But for some reason the only place I've ever seen it used is in OpenSSH. In fact, it's considered superior to password authentication in OpenSSH and recommended over a password.

So why not have RSA keys to our email, online banking etc. just like we have keys to our houses, cars etc?

Re:The password metaphor

[rickb928]

Ok, so explain how an PKI key system would work.

I have visions of either having your key out there somewhere, and some way to securely access it, or having your key on something like a token.

If the key is out there, do I access it by providing a passcode to authenticate myself? Sounds like a password to me.

If it's on a token, well, where do I insert that, or do I use the token to get a passcode. Again, a password, though we use tokens here so it is at least something 'I HAVE', one of the three factors we like.

In the end, remember, I need a solution that works on multiple computers, does not leave behind any of itself, and can be remembered or discovered by ME easier than a password.

BTW, for my token-based access, we use both a fixed password and the token variable. Still a password. Something I have, the token as a variable password. Something I know, user name and fixed password. Something I am we do not yet support, but I'm willing. I use fingerprints on my little notebook at home. I don't at work or on any other machine.

Re:The password metaphor

[ledow]

The UK Government Gateway used to issue keys to every individual user. You can use the GG to do everything from file tax forms to start a business. I've never had to do anything as secure and never been as worried about someone finding out those login details on any other website, including my own personal bank account. It was an absolute pain in the arse. 50% of their phone calls were for lost / reissued keys. It didn't stop automated tools scraping keys from compromised computers and causing all sorts of pain (even with separate password required). Issuing them took forever. And in the end you had to prove who you were to get one which was inevitably less secure than the key itself, prove who you were to get one revoked/reissued, prove who you were to do anything with them. Especially around the tax filing time, they were so busy re-issuing keys to people who'd lost them and just wanted to file their return before they got charged, you couldn't get through on the phone lines.

They scrapped it after only two years, I believe, and replaced it with a password system like the banks - two unique items of information posted to you in separate envelopes and requiring both to login. Although there's still a crush around filing time, it's not anywhere near the shambles of before. And to be honest, it wasn't the government fault. People are just inept at holding items secretly, especially when they are downloaded from a secure website that they have to authenticate against in some way anyway, and when the reissue process has to be secure anyway. It could work, if you could make everyone get used to saving such things in a good place but they are no better or worse - the gains in security are lost in practicality almost immediately. Even *generating* that amount of keys must take months.

Re:The password metaphor

[jimicus]

I suspect it's more inertia than anything else - the technology didn't exist when it first became necessary to authenticate users, so people did the best they could think of - passwords.

Over the years, the concept has been tweaked to to make it more secure - eg. only storing hashes of passwords, demanding passwords of a particular complexity - but ATEOTD we're still polishing the same turd.

Technically speaking, it's entirely true that keypair authentication is much more secure, but there are still a lot of user interaction issues to resolve, eg:

- How come I can't insert a USB keyfob with a certificate signed by my employer's CA to log onto my PC? How come the same keyfob can't then be used with a mac? Linux?
- How come I need to install certificates separately in Firefox to IE on the PC or Safari on the Mac? It's not like Microsoft (or for that matter Apple) make it impossible for third-party applications to use the keystore.

In many ways, it's probably just as well these things haven't been solved. A PC that's got a malicious keylogger on there could have all sorts of other things, and if you think the worlds' malware authors would give up overnight just because the world moved over to key/certificate based authentication, you're in a dreamworld. You think changing a few passwords is awkward, how do you think your bank will react if your account is drained by someone who presented the correct certificate?

Re:The password metaphor

[maxume]

Passwords are pretty much analogous to (most) house keys, they are simple secrets that work well enough most of the time (that you can put your secret in your pocket with the house key is largely an implementation detail).

Cryptography is some brand new thing compared to locks and keys.

Re:The password metaphor

[tiksi]

For those 4000 years, those keys have been easily stolen or copied, allowing me access to your house, car, PO box, etc.

Every day i see people leave their keys laying around. How is this system any better?

Re:The password metaphor

[Sancho]

Keyfobs make malware work much harder. You don't insert them--you press the button and a number pops up. Enter that number and your password into the website, and you're in. The number changes in X seconds (where X is usually 60 or less.)

It makes it hard for malware to do its job. Now the malware must do its work right then, while you're in your authenticated session. It has to work automatically to e.g. perform a balance transfer. Other mitigation such as CAPTCHAs make it even harder for the malware to use the authenticated session, unless there's a human somewhere using your session. Once you require that a person be involved in the malware transaction, your safety improves significantly.

I think the ideal solution would include the following:
Keyfob plus certificate on USB stick.
Randomly generated form elements.
Honeypot form elements.
Captchas on all pages authorizing movement of money.
5 minute session timeouts.
Tie session to IP address (ideal) or to geolocation data (since NAT, AOL, etc. may show you as coming from several addresses.)
Remote logout.
SMS/email notification of logins.

Re:The password metaphor

[Bigjeff5]

Website/program/service = lock

USB/Memory stick/certificate = key

Lock and key are matched up the first time you set up the service, just like we do with frickin doors and shit.

Seriously, why is this hard to understand?

It's a lock, and it's a key that fits the lock. There is one lock and one key (or multiple keys, if the need is there).

Re:The password metaphor

[rickb928]

Ok:
Web service or whatever runs on my computer (I know it's out there ).

USB/memory/cert are something have.

User ID I know.

And I was explaining how I use a token at work. I get it.

But a cert on a stick isnt enough.

Re:What about using your phone?

[Tukz]

Take a look at Blizzard's Battle.net Authenticator.
It generates a new key every 2 minutes I believe, and you have to enter that along your account name and a password.

If someone steals your password, it's useless without the authenticator.

I have it on my Android phone.
No one can log into my Battle.net account, without my phone.

Which is also password protected, heh.

I'd welcome a single sign on solution, that adapted this.

My country (Denmark) is currently forcing a single signon system down throat of official web sites, such as banks, IRS and the like.
And it's horrid, because it relies on a key card, with a certain number of keys.

When asked why the fuck they didn't include an optional key generator instead of having to replace the key card when it runs out, they had no real answer.

This single sign on solution, I do NOT welcome.

I'm listening...

[GoChickenFat]

So educate me... How do I use common sense to determine if the site I just logged into actually secures the login information on the backend? Is it stored in clear text, transmitted in clear text, available to everyone in the company? I have no idea what happens to the credentials I just entered. How do I use common sense to determine if Facebook, MySpace, Slashdot, NYT, etc are taking the securing of my personal and login information seriously? Do you read every EULA completely? Would you even know if the company did not follow their EULA? Do you have the resources to sue if they don't?

Common sense tells me that no site is to be trusted implicitly; they are all dangerous.

Re:I'm listening...

[Pojut]

I was referring to things like phishing emails, nigerian bank scams, etc.

One example would be if you get an email from Paypal/your bank/etc saying something about your account, don't click on the link...type the URL in yourself.

That sort of thing.

Re:I'm listening...

[Myopic]

So, you were proposing a partial solution of half measures and best guesses? Wow, you sure laid the smackdown on all those unknowledgeable l00zers.

Re:I'm listening...

[Pojut]

I fail to see how educating people on the basics of avoiding scams is a bad thing..nor do I see how it's an attempt at a "smackdown".

Re:I'm listening...

[Myopic]

Good try at moving the goalpost, or redefining the question, but I'm compelled to call you on it.

In matters of security, the most important tool anyone can have is common sense.

This is what you said, it is the statement in question, and it is wrong. Common sense is, obviously, a great thing to have and to exhibit in pretty much all situations; but it is not at all the most important tool in matters of internet security, as user GoChickenFat pointed out. Common sense can only get you so far, and after that, more important tools take over to help protect people who are both informed or uninformed.

Even if that weren't true, I always roll my eyes when I hear people say that education is the answer to whatever the problem is. That's a cute way of saying we should not solve the problem, because education will always fail, because education will inevitably only reach part of the population, leaving the problem amongst the rest of the population. For sufficiently important problems, if we decide we actually want to solve the problem (some problems are less bad than the solution, and we should just live with them), then a package of solutions which includes approaches other than education (and more important than education) will be appropriate. And that is the case with internet security.

I don't want to argue about it and I'm sure you're a smart guy who doesn't want to argue. Education is awesome and I support it, as do you. I'm sure that you merely used a term of phrase which did not perfectly capture your meaning, which could be that education is important, or that silly users get what they deserve, or something like that. Unless you are a security ideologue, then I have nothing against you and wish you well.

Re:I'm listening...

[Pojut]

Fair enough!

Re:What about using your phone?

[tiksi]

So all someone has to do to access ALL of your accounts is steal your phone? But that would never happen, who's ever heard of a phone get stolen?

Re:What about using your phone?

[Sancho]

Phone could be password protected, with remote-wipe.

My front door has a key code.

[AnAdventurer]

I have a password to get into my house, well, a key code. My deadbolt lock has a number pad. I punch in my code and the deadbolt unlocks. I hate carrying keys around, if I could get my truck to start up that way i would (I already have a hidden wireless keypad on my truck that will unlock and/or open the windows.

Makes more sense to just use one password

[gurps_npc]

OK, so I could use one website with 1 password, trusting them with all my information (and look how great Facebook does), or I could use multiple websites with one password. In either case, I am trusting people not to screw with my information. So I am trusting more people with multiple sites, but they don't KNOW that I am trusting them. Sure it's security by obscurity, but it still makes more sense than trusting the same company with all my info. And it still lets me use one password for finances and another for my email and another for my medical information, and a third for all my social websites and games. No need to give the people I play games with ANY access to my finances. But honestly there are many better solutions that moronically giving away your privacy just reduce the number of people that know your password. It's a really stupid idea.

Re:Makes more sense to just use one password

[Myopic]

yes you could do that first thing, or that second thing, or any of a large number of other things which are all better than the first two options. good luck.

Re:What about using your phone?

[gmor]

Google actually offers two-factor authentication with your cell phone whenever you're at a new browser. It's not perfect yet: you can't revoke access for a browser once it's been verified, and there are unprotected APIs such as GData and IMAP. But at least it's a step in the right direction.

Central login and privacy

[Technomancer]

Central login by definition links your multiple accounts to a single identity. In most cases it is not a problem. But do you really want somebody to know you login with the same ID to you bank, health insurance and pr0n site? I don' think so. I'd prefer to have several identities on-line. One for secure stuff (bank, financial, medical info etc), one for shopping, one for unimportant stuff like forums, diggs, facespaces etc and one or many for things that I may not be so proud off like pr0n sites. The quality of the passwords I use on these tiers of logins should be appropriate for the importance of the account.

An email password can allow access to most others

[r3xx3r]

Many many websites and programs that require passwords allow u to reset passwords by having them send u an email and a link in the email to reset the password. so, if ur email password is compromised many other passwords are comprimised as well.

Re:What about using your phone?

[vakuona]

Your phone just gives you a code to use in conjunction with your login and your password. If your phone is stolen, then you assume your keys are compromised, and you get in touch with your authentication provider and get them to revoke all unused keys. For someone to be able to access all your accounts, they will need to steal your phone, get your other login credentials (which are hopefully in your head), and do it before you get the keys revoked. Additionally, this is meant to protect against keyloggers and the like to ensure that any keys they intercept are, almost by definition, useless, because they have already been used.

Work in Progress

[darkpixel2k]

It's already a work-in-progress: gpgAuth

One password everywhere, no passwords stored on remote servers, validation of the server too--like SSH.

Anyone think we'll dump passwords in 5 years? 10?

[isoloisti]

This topic of passwords keeps coming up. Different people keep piping in with "the REAL problem with passwords is........" and the solution is PKI/OpenID/keepass/1password/phone auth/securID etc etc etc. My impression is that we are making no progress whatever. We can't even agree on what the main problems are (keylogging, user forgetting, phishing, brute-forcing etc). With a 100 slashdotters posting you get 100 different offered solutions. So my guess is that 5 years from now, and probably 10 we're stuck exactly where we are today. Anyone disagree?