Slashdot Mirror


NYT Password Security Discussion Overlooks Universal Logins

A recent NYT piece explores the never-ending quest for password-based security, to which reader climenole responds with a snippet from ReadWriteWeb that argues it's time to think more seriously about life beyond passwords, at least beyond keeping a long list of individual login/password pairs: "These protective measures don't go very far, according to the New York Times, because hackers can get ahold of passwords with software that remotely tracks keystrokes, or by tricking users into typing them in. The story touches on a range of issues around the problem, but neglects to mention the obvious: the march toward a centralized login for multiple sites."

29 of 127 comments

  1. In matters of security by Pojut · · Score: 4, Insightful

    In matters of security, the most important tool anyone can have is common sense. Phishing scams, "dangerous" websites, revealing important information willy-nilly...all things that cause major problems in the digital world, and all things that could be almost completely avoided if common sense was more prevalent.

    Granted, some people "don't know any better"...but that's why you educate those types of people if you know any.

    1. Re:In matters of security by Nursie · · Score: 2, Insightful

      Well, it doesn't help that companies are ill informed a lot of the time. I got a call today claiming to be from my ISP, asking for feedback on the service. At the end of the call they said they just wanted to verify my identity and asked for my DOB and the answer to my secret question that gets used as a password backup/reset mechanism, so they could confirm they were talking to the right person.

      I told them absolutely not: they phoned me, and I only prove my identity with private information when I've phoned a number/service I recognise, not to a random caller.

      I'm pretty sure it was them as I got a 'thanks for your feedback' email afterwards, but WTF?
      I'm tempted to think it was some sort of test/survey thing to find out how dumb people are, but that's probably being too generous.

    2. Re:In matters of security by Pieroxy · · Score: 2, Interesting

      I live in France, and when you're late with your electric bill they have a robot call you that proposes that you enter your credit card information to pay your bill 'on the phone'.

      Again, I am pretty sure it's them calling, and I am pretty sure also that this is something new as I never got it before. But this is scary. And I can't help but be scared at how many people will provide their credit card information on such an incoming call...

    3. Re:In matters of security by PPH · · Score: 4, Insightful

      My credit card company (Visa) calls me occasionally about suspicious activity on my card. When they leave a message, the number they leave is NOT the same as the customer service number on the back of my card.

      It's been explained to me that this number gets me to the same place as the customer service number with a few fewer steps. But I've told them that I'll never call anything other than the number on the card. And that it's a really bad idea to train customers to return calls to just any number and expect them to identify themselves with SSNs and relatives' names, and provide their card number.

      If anyone is supposed to be smart enough to figure social engineering attacks out, it should be Visa and their ilk.

      --
      Have gnu, will travel.
  2. Idiots by The_mad_linguist · · Score: 5, Funny

    Why don't you hunter2s shut the hunter2 up!

    1. Re:Idiots by Abstrackt · · Score: 3, Funny

      Why don't you *******s shut the ******* up!

      Jeez, you really are a mad linguist.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    2. Re:Idiots by c++0xFF · · Score: 3, Funny

      Why don't you *******s shut the ******* up!

      You must have used some really foul language. Slashdot never censors posts like that!

  3. Single point of failure by $RANDOMLUSER · · Score: 2, Insightful

    Always a great idea. Windows registry anyone?

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Single point of failure by tverbeek · · Score: 3, Insightful

      Maybe the NYT article doesn't mention centralized login because it's such an obviously bad idea?

      --
      http://alternatives.rzero.com/
    2. Re:Single point of failure by tverbeek · · Score: 2, Interesting

      While it might reduce by a marginal amount the likelihood of the account being compromised, the potential consequences would be profoundly greater. That's a poor trade-off.

      Several years ago, the pretty-damn-good and carefully-guarded common password that I used for buying things from sites such as Amazon, eBay, iTunes, etc. - reasonably well-run, reputable companies - was compromised somehow. (I have other different passwords that I use for message boards, others for banking, others for work-related accounts, etc.) Just dealing with that small breach was a serious hassle; if my financial institutions, e-mail, or privileged accounts had been involved, it could've been disastrous. Thank you, but Do Not Want.

      --
      http://alternatives.rzero.com/
  4. Torn by esocid · · Score: 4, Insightful

    I'll admit, I feel torn when I see that OpenID login. Increase my chance of giving someone access to everything? Or make it simple?
    In the end I compromise and simply use a variation of one password for those.

    There is the problem with centralized logins: the masses don't consider the first part, and only think of the convenience.

    --
    Absolute power corrupts absolutely. indymedia
    1. Re:Torn by houghi · · Score: 4, Informative

      There used to be a time that you could easily host your own OpenID with e.g. http://siege.org/phpmyid.php
      You point to http://yoursite.example.com/ instead of the one from Google or any other OID provider.
      That way you limit the chance of giving somebody else access as you manage your own login and password.

      Some others might be found here: http://openid.net/developers/libraries

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Torn by Chelloveck · · Score: 2, Informative

      I like SuperGenPass. It never actually saves a copy of your passwords, it algorithmically generates them from the site's domain name and your master password. (Actually, from any two strings. By convention it's the domain and master password, but you could use any identifier/keyword pair.)

      It's made to run as a bookmarklet which auto-populates password fields on web forms. There's also a mobile version for when you're using someone else's computer. Either way the password is dynamically generated by JavaScript running locally. The mobile version is also good for pages which have funky login prompts that don't play nice with the bookmarklet. (I'm looking at you slashdot!)

      --
      Chelloveck
      I give up on debugging. From now on, SIGSEGV is a feature.
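
As an added illustration of the stateless, derived-password scheme Chelloveck describes above (example code written for this page, not SuperGenPass's own algorithm, which uses a different construction): the site's hostname is normalised and used as the PBKDF2 salt over the master password, so nothing is ever stored and every site gets a distinct password. The hostname-normalisation rule, the output alphabet and the sample master password are this example's own assumptions.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Output alphabet for derived passwords (an assumption of this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def site_key(url: str) -> str:
    """Reduce a URL or bare hostname to the part that identifies the site.

    https://www.example.com/login, http://example.com and login.example.com all
    map to "example.com", so the same password is derived on every page of a site.
    Keeping the last two labels is a simplification: a real tool would consult the
    Public Suffix List so that foo.co.uk and bar.co.uk do not collapse to "co.uk".
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_password(master: str, url: str, length: int = 16, rounds: int = 200_000) -> str:
    """Derive a per-site password from (master password, site key).

    Nothing is stored: the same inputs always give the same output. The site key
    is the PBKDF2 salt, so two sites never share a password, and the iteration
    count slows offline guessing of the master from one leaked site password
    (it cannot rescue a weak master, though).
    """
    salt = site_key(url).encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, rounds, dklen=length)
    # Map each derived byte onto the alphabet. 256 is not a multiple of the alphabet
    # size, so this is slightly biased; acceptable for a demo, but a real tool should
    # use rejection sampling or base-N encoding of the whole digest.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for u in ("https://www.example.com/login", "example.com", "https://example.org/"):
        print(f"{u:32} -> {site_key(u):12} {derive_password(master, u)}")
```

The upside is that there is no vault to steal. The flip side, which the thread's "single point of failure" objections apply to here as well, is that any one leaked site password is an offline guessing target for the master, and a compromised master cannot be rotated for one site without changing every derived password.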
  5. How does centralized login solve keylogging? by KarlIsNotMyName · · Score: 2, Interesting

    So they just need one password to access all your profiles?

    Unless it was not actually your password for all those sites, but the password to a database (only available locally) that contained the password to those sites, I don't see how that's a solution. Actually, I thought the main problem with passwords was that people already used the same password for all their sites.

    --
    We are all God's parents.
    1. Re:How does centralized login solve keylogging? by Bigjeff5 · · Score: 3, Insightful

      Exactly my thoughts.

      Keyloggers still work, phishing scams still work, and social engineering still works. If centralized logins become the norm, the bad folks will simply target the centralized logins.

      Your risk with centralized logins, however, skyrockets. Now, instead of losing control of one login to one website, you lose everything. Moreover, they don't even have to guess what sites you have access to, they can simply dig through the centralized login site and find it once they have your account info.

      The NYT article is interesting, but the SlashDot summary is near useless. There is no need to specifically include universal logins in the discussion, because universal logins suffer from exactly the same issues that individual logins do. The only possible reason for including them is the fact that the potential loss is much much higher with a universal login.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    2. Re:How does centralized login solve keylogging? by dstar · · Score: 2, Insightful

      And this solves the keylogger problem how?

      It doesn't. You still have to authenticate at some point; at most, it reduces the opportunities for a keylogger to catch the password (if you only have to type it in every couple of weeks).

      In exchange, it provides phishers with a dream environment. The only way to be certain you're actually connected to your authentication provider is to use SSL and make sure that you see the lock -- and if your security depends on Joe Random User doing that, you've already lost.

      Shalon Wood

    3. Re:How does centralized login solve keylogging? by Sancho · · Score: 2, Informative

      Correct. What this does is improve the safety for people who can manage the presence of mind to avoid phishing for a particular site, while increasing the overall damage done for everyone who gets compromised.

      However I'm not going to log in to my OpenID provider on an untrusted computer. I might be willing to log in to, e.g. Facebook on an untrusted computer. So now my options are a little more limited.

  6. OpenID isn't the solution by yourcelf · · Score: 3, Informative

    The trouble with OpenID is it's still one identity that you're carting around, allowing yourself to be tracked across multiple sites.

    A better solution is just to use a password manager (KeepassX, Last Pass, etc.) which lets you manage your own multiple identities in a secure way. This gives you the convenience of a single sign-on with the security of a distinct identity for every site where you want it.

    1. Re:OpenID isn't the solution by shaiay · · Score: 2, Interesting

      You do know that KeePassX is a port of the Windows KeePass and the database is compatible between versions? There is even a portable version you can put on your IronKey, so you don't have to export KeePass data to your IronKey.

  7. Wait.... by yoblin · · Score: 3, Funny

    Great, so I'll be able to use Facebook Connect to login to my bank accounts soon????? Count me in!!!!!!

    1. Re:Wait.... by Pieroxy · · Score: 4, Funny

      Better yet! I can post my bank account balance on facebook in one click! And my actions portfolio! My credit rating! Yeeeeeaaah!!!!

  8. TPTB'd like to keep our identities by marcuz · · Score: 2, Insightful

    NY Times knows what they are doing while supporting this call for centralized password management and identity system. They serve the powers that be on their quest to even greater power. I agree with their point - increasing the so-called safety - but on the other hand I am a bit worried about having a few people in charge of the identities of eventually the entire population. Almighty government and rich corporations will certainly be willing to help us with our identities.

    1. Re:TPTB'd like to keep our identities by ADRA · · Score: 2, Insightful

      Passports, Driver's Licenses, Social Security numbers... yeah, the governments just can't be trusted with your identity. Let's trust in Google/Yahoo/Facebook/Microsoft/IBM/etc for our identity needs. Even better, let's have hundreds of incompatible schemes and make users sign up and use them all. That surely has to be more secure than having a single point of failure. I mean look, there's only one ROOT signatory (Verisign) and you just KNOW they fuck up everything they touch, right?

      --
      Bye!
  9. Three factor authentication... by HerculesMO · · Score: 2, Insightful

    I like OpenID, but if you couple it with a three factor authentication, whether it be a smartcard, or biometric, or whatever... that's when it becomes useful.

    Too bad the current implementation doesn't support it. Sadly, World of Warcraft and Starcraft II do.

    Go figure.

    --
    The price is always right if someone else is paying.
  10. KeePassX by bradley13 · · Score: 2, Informative

    I am very happy with KeePassX. It stores your passwords and related information in an encrypted file. You can copy a password out of it to paste into a web-form. This means

    • You don't have to remember your passwords - they can be randomly generated according to a wide set of rules.
    • You don't have to type your passwords - they transfer via the clipboard (which is automatically emptied after a few seconds)
    • Your passwords are (reasonably) secure, being stored in an encrypted file.

    The obvious problem is that you need a password to open the KeePassX file. However, this at least does not go via browser, and I can manage to remember one complex, very secure password.

    KeePassX is open-source, available for Windows/Mac/Linux, and compatible across all of these. Nice solution - give it a try!

    p.s. I have no relation to the project - just a happy user!

    --
    Enjoy life! This is not a dress rehearsal.
  11. The password metaphor by tick-tock-atona · · Score: 3, Insightful

    What has always amazed me about authentication for access-control via a computer is the widespread use of "passwords". We treat computer access-control like it's a brand new problem, however it's really just the same old access-control problem that we solved at least 4000 years ago.

    Why don't we have passwords to get into our houses? Why don't we have passwords to get into our cars or P.O. boxes or even safe-deposit boxes? Because passwords are a pain in the ass that are inherently insecure because we, as humans, are terrible at remembering arbitrary strings of numbers/letters/symbols. What we are good at remembering - objects/ideas and the words associated with them - make for terrible passwords because they are so darn easy to guess.

    The idea of a lock and key is one which we have been using for millennia for security, so why haven't we applied this simple metaphor to electronic access-control? We even have the technology readily available: Public Key Authentication. But for some reason the only place I've ever seen it used is in OpenSSH. In fact, it's considered superior to password authentication in OpenSSH and recommended over a password.

    So why not have RSA keys to our email, online banking etc. just like we have keys to our houses, cars etc?

    1. Re:The password metaphor by ledow · · Score: 2, Informative

      The UK Government Gateway used to issue keys to every individual user. You can use the GG to do everything from file tax forms to start a business. I've never had to do anything as secure and never been as worried about someone finding out those login details on any other website, including my own personal bank account. It was an absolute pain in the arse. 50% of their phone calls were for lost / reissued keys. It didn't stop automated tools scraping keys from compromised computers and causing all sorts of pain (even with separate password required). Issuing them took forever. And in the end you had to prove who you were to get one which was inevitably less secure than the key itself, prove who you were to get one revoked/reissued, prove who you were to do anything with them. Especially around the tax filing time, they were so busy re-issuing keys to people who'd lost them and just wanted to file their return before they got charged, you couldn't get through on the phone lines.

      They scrapped it after only two years, I believe, and replaced it with a password system like the banks - two unique items of information posted to you in separate envelopes and requiring both to login. Although there's still a crush around filing time, it's not anywhere near the shambles of before. And to be honest, it wasn't the government's fault. People are just inept at holding items secretly, especially when they are downloaded from a secure website that they have to authenticate against in some way anyway, and when the reissue process has to be secure anyway. It could work, if you could make everyone get used to saving such things in a good place, but they are no better or worse - the gains in security are lost in practicality almost immediately. Even *generating* that amount of keys must take months.

    2. Re:The password metaphor by Sancho · · Score: 2, Interesting

      Keyfobs make malware work much harder. You don't insert them--you press the button and a number pops up. Enter that number and your password into the website, and you're in. The number changes in X seconds (where X is usually 60 or less.)

      It makes it hard for malware to do its job. Now the malware must do its work right then, while you're in your authenticated session. It has to work automatically to e.g. perform a balance transfer. Other mitigation such as CAPTCHAs make it even harder for the malware to use the authenticated session, unless there's a human somewhere using your session. Once you require that a person be involved in the malware transaction, your safety improves significantly.

      I think the ideal solution would include the following:
      • Keyfob plus certificate on USB stick.
      • Randomly generated form elements.
      • Honeypot form elements.
      • Captchas on all pages authorizing movement of money.
      • 5 minute session timeouts.
      • Tie session to IP address (ideal) or to geolocation data (since NAT, AOL, etc. may show you as coming from several addresses.)
      • Remote logout.
      • SMS/email notification of logins.
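
As an added example of the keyfob mechanism Sancho describes above (example code written for this page, not any token vendor's firmware): a time-based one-time code per RFC 6238, built on RFC 4226 HOTP, together with the server-side check a practitioner would want, namely accepting a small clock skew while refusing to accept the same code twice within its validity window. The shared secret is the RFC test-vector secret and the user names are constructed sample data.

```python
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 64-bit counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    `at` is Unix time in seconds; the code changes every `step` seconds."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side verifier.

    Accepts the code for the current step or `skew` steps either side (token and
    server clocks drift), and records the highest step accepted per user so that a
    code captured by malware and replayed inside its validity window is rejected:
    each code is usable exactly once.
    """

    def __init__(self, secrets: Dict[str, bytes], step: int = 30, digits: int = 6, skew: int = 1):
        self.secrets = secrets                     # user -> shared secret bytes
        self.step, self.digits, self.skew = step, digits, skew
        self._last_accepted: Dict[str, int] = {}   # user -> last time step accepted

    def verify(self, user: str, code: str, at: Optional[int] = None) -> bool:
        secret = self.secrets.get(user)
        if secret is None or len(code) != self.digits or not code.isdigit():
            return False
        now_step = (int(time.time()) if at is None else at) // self.step
        for candidate in range(now_step - self.skew, now_step + self.skew + 1):
            if candidate <= self._last_accepted.get(user, -1):
                continue  # this step (or an older one) was already used: replay
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self._last_accepted[user] = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 4226/6238 test-vector secret; a real deployment gives each user a random secret.
    demo_secret = b"12345678901234567890"
    verifier = TotpVerifier({"alice": demo_secret})
    now = int(time.time())
    code = totp(demo_secret, now)
    print("code:", code)
    print("first use accepted:", verifier.verify("alice", code, now))
    print("replay accepted:", verifier.verify("alice", code, now + 5))
```

The replay check is what turns "the number changes in 60 seconds" into a real limit on malware: without it, a code captured by a keylogger is good for the whole window. Note also what the code does not do, which matches Sancho's point: a code is still entered into whatever page the user is looking at, so a phishing page that relays it immediately is not stopped by the token itself.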

  12. I'm listening... by GoChickenFat · · Score: 2, Insightful

    So educate me... How do I use common sense to determine if the site I just logged into actually secures the login information on the backend? Is it stored in clear text, transmitted in clear text, available to everyone in the company? I have no idea what happens to the credentials I just entered. How do I use common sense to determine if Facebook, MySpace, Slashdot, NYT, etc are taking the securing of my personal and login information seriously? Do you read every EULA completely? Would you even know if the company did not follow their EULA? Do you have the resources to sue if they don't?

    Common sense tells me that no site is to be trusted implicitly; they are all dangerous.