Google Declares War On the Password
An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity." Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"
Because I totally want anyone who steals my phone to be able to access every other site I use.
But my employer doesn't allow me to have my phone at my desk ... and if I forget it in the car I can't log into anything ... and if I lose it, WTF?
Hey, Google, stay the fsck out of my life.
Every big company at some point has declared war on the password. We have smart cards, biometrics, RSA tokens, and finger paintings to prove it. None of those things work any better than a password when used alone. In conjunction with a password, we can achieve "better" security.
The logic of a password-less world is what's broken. Period, end of statement. If the logic is broken, no matter who implements the password-less solution we still end up with a broken solution.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
... Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. ...
That certainly makes it much, much easier for google to track you as you go around the web.
If repeated authentication through passwords, by their own words, "isn't sufficient to keep users safe", then why on earth do they figure that a SINGLE authentication would be sufficient?
File under 'M' for 'Manic ranting'
Isn't there already biometrics for this? You can't forget your finger in the car, and nobody can discreetly steal it. They could steal it with a pair of bolt cutters, but then you have much bigger issues.
How is that better?
Now I will have to give my full identity to any site that today requires just an e-mail account to register. An identity that will be the same I will use to make payments. What could go wrong with that?
...Trust this pc
Passwords are bad because they allow any individual to create as many distinct accounts as he or she wants. Require a hardware device per account and you now need an investment for every distinct account. Google wants every user to be identifiable across all sites/services using the same ID.
SexGodSecret1234
Please place your palm on the scanner look into the eyepiece and sing your social security number.
So I will not be able to access my account at all! Since I have no cellphone, nor do I want or need one. Interesting.
Because I totally want anyone who steals my phone to be able to access every other site I use.
Well given the popularity of the "remember by password" "feature" that is sort of where we are today on computers and mobile devices.
The more announcements that I read like this from Google, the more I am convinced that they simply have no clue about the real world. Trying to require that everyone carry with them a suitable device for authentication is simply not going to work for all the obvious reasons. Convinces me more and more that Google is on the way down.
A well established cryptosystem is already established and the crypto-token sits in the pocket of most Europeans. Chip&Pin credit cards have the crypto inside to securely authenticate people, and most people in the western world have a credit card. The tokens are signed by the banks, and a rigid structure already exists to authenticate the users. A 15 euro reader (retail price) is all most westerners would need to buy to do this, if the retarded Americans would go to a chip&pin card instead of paying billions for credit card fraud.
Most transactions that require good authentication end up being *gasp* financial, and by adding the reader, this prevents a lot of methods of using stolen credit card numbers. This doesn't require a cell phone or some other expensive device, just a fucking credit card. Hell, my stupid work blackberry even has a bluetooth smartcard reader.
This is a solved problem, in Europe. We just have to force the Americans to go along with banking security. You lose no more anonymity than you do with banking, which is to say "all". Public key cryptography already applies, and with Echelon, there's no hope of real anonymity if someone has a warrant anyway.
The device would have to alert the user to each authentication and give the option to *not* authenticate to a particular site. I'm not sure relying on the host computer would be sufficient. The device may need its own display and a few keys.
And of course, it would have to have open software with open standards so that anyone could verify that it is working.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
I really mean it: I don't want to have to login to the internet. You keep trying to get me to do it with Chrome, so I switched from that, but now you're going to badger me about this for my phone, too? Sometimes I want to surf anonymously. Sometimes I don't want Site X and Site Y knowing that I'm the same person logging into both. And I can say for certain that all the time, I don't want to be tracked by you so you can present me with more "targeted ads" to give me a better user experience. Let's not even get into what happens if my phone gets stolen, and suddenly all my consolidated information is at some stranger's fingertips. There are far, FAR too many problems with centralized authentication, and I'm really getting sick of Google trying to force it down my throat.
... by slashdotting the Yubico website (Error 503 Service Unavailable as of now).
Would you all PLEASE not RTFA this time? I cannot, for the love of God, read another whiny story about "I'm Matt Honan and I was fucked in the ass (metaphorically speaking) by a 15 year old". And if this post gets slashdotted, Wired will post another 100 stories about that. So please DNTRFA!
Grey's Law: Any sufficiently advanced incompetence is indistinguishable from malice.
...for the half or two thirds of us that don't carry, or want, a "smart" phone.
mark, not being tracked
Everything has a camera on it these days. Why not authenticate with your retina? Authenticate everything from an authentication device as Google proposes, but don't make the Android phone the centerpiece of authenticating everything.
Does Google want one authentication for everything, so that it's easier to identify everyone?
Or, is the idea just some out-of-control childish thinkers at Google?
From: Overlordian Technology Think Tank Staff Re: "embedded finger ring technology" Maybe now we have the right combination of convenience and social climate to get those sheep to consent to being chipped or at least bar-code-tattooed.
One global identity used to track a user across every site. Your (insert embarrassing site here) account is now tied to your FaceBook by the one device authentication. Anyone else see the problem with this?
Looks like someone saw what Firefox Sync did and said, "Yeah, let's do that..."
And with mobile devices, you can't even type them in. And why the ***** thing?? I can't even see what password I am typing, and most of the time there are no eyes watching me, especially on my phone. And changing passwords???? How is that more secure? I use a 4 digit number and a word for the site for all of my passwords and call it good enough. Like slashdot is 9999slashdot, but not 9999, and I use the same 4 digit number everywhere. For banks and so on I put the 4 digit number in the middle. Who cares?
Just give me a unicorn and I might be able to transport your letter a few metres.
Really, a 100% secure app running on an unsecured smartphone, connected to the Internet, communicates secretly with your 100% secure browser, running on your Internet-connected, unsecured PC; how could that not work?
Yet another federated single-signon scheme I have no intention of ever using.
Fail harder, GOOG. I don't trust my overall online identity to you any more than I'd trust Microsoft or Facebook. I like my online identity fragmented. I like my anonymity, and federation defeats that.
I'd no more trust a SSO than I'd trust a single key to unlock my house, my car, my truck, my safety deposit box, and my wife's chastity belt.... especially since I won't actually be holding the key; Google would be. Yaaay.
Thanks, but...um, hells no.
We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity."
The smartcard can be embedded in the finger itself, instead of a ring on the finger. In fact it could be embedded anywhere in the body and it could be used to identify you uniquely and track you. For your own safety and to provide for the completely unbreakable security, you would not be able to find the embedded smartcard yourself. (No, not even your ten year old son, who could build protocol droids from scrap parts, could build a scanner to find it.) This is what the future is going to bring to us; it is as clear as the two suns in the sky.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Didn't RTFA, but it seems like Kerberos has solved a big chunk of this problem. Authenticate to your device once, pass encrypted tickets around that a) don't contain any portion of your password, and b) are cryptographically verifiable in an offline manner. A big problem I see with it is, who wants to manage that KDC and who would trust them?
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Relevant xkcd
But seriously, how many times have you seen minimum (ok, can see a point here) or maximum (WTF) limits on a password length? Or requirements of what it can or cannot contain.
Is there any reasonable excuse for why a password must not contain certain characters, besides breaking poorly made scripts? I mean password security 101 says they'll hash it anyway, so why should it matter?
You never realize how much manually made unmanaged "linked" lists suck, till you have src.link.link.link.link...
Fuck all of this. No tokens, no cookies, no one time auth, no security questions no PINs, no N factor auth.
Just plain rocksolid passwords used and stored using brains inside encrypted containers with a master key.
Why would we need anything else ? More factors and complications always means more points of failure.
I learned a lot about pretending to be someone else a while ago when I worked at a university.
A female professor wanted a very generic email address so that she could participate on political forums without anyone knowing her race or gender. It was to protect not just her politically but physically as well.
Cell phones can be lost or stolen.
Cell phone data can be tapped by applications.
Cell phone manufacturers and cell phone OS developers do not use good security practices in their designs.
Suppose we use our phones instead of individual passwords.
From a technical side, what is to stop somebody from getting their own phone running numerous passwords through it while intercepting the key that comes out to determine the algorithm used. Once you have the algorithm, you can spoof other systems, can you not?
From a user side, how is having a single password for my phone any more secure than using the same password on all the sites I visit?
Finally, from a paranoid side, the US courts have already ruled that what is on your cell phone does not need a search warrant. What is to stop the authorities from using your phone to obtain access to everything?
I'm sure there are many more "sides," but you get my drift.
I hope he's careful who he shows it to. It's his brother's birthday.
By the way, Eric Schmidt's gmail password is... abracadabra. And he shares it with Page and Brin.
The general public is not going to adopt multifactor authentication. They are so deceived into believing that "What you know" is secure. The idea of adding "What you have" to the process is the digital equivalent to landing on the moon to some people. It is truly unfortunate.
On a side note, I couldn't really care less about people's personal security. It's a personal choice and a lesson that most will have to learn the hard way. Untrained people will ALWAYS take the path of least resistance.
Conversely, once a person's information is in the hands of a third party, it should be mandated to use multifactor authentication & encryption. That is our responsibility as IT/IS professionals. There is no excuse.
Good luck Google.
...which has been tried before. Microsoft also tried a software approach called Passport.
:)
Honestly, there isn't anything better than a password.
Unless you want to get into retinal scans
Ok, so let me get this straight. Rather than solving the cookie problem with mandatory SSL (and encryption in general) everywhere and use of existing tech like pub/priv (asymmetric+symmetric) crypto, Google is advocating using either a phone, which your government/police/phone company can break into and reprogram at any time with a few keystrokes (or be stolen and memory dumped), or they want you to wear a ring that, should you ever be arrested, the police can also just take from you and use to log into anything you own without so much as even a password to prevent non-owner access?
Yeaaaaah, suuure...we'll get right on that Google.
This amounts to a very standard issue these days. In the case of giant corporations worth spending millions of dollars and minutes to hack into, a password is insufficient. Good for you. For the rest of the world, you know, like when I'm accessing my registration to a telecom conference in June, a password is plenty fine. If anyone really wants to hack that conference's web-site, then they can change the name that appears on my badge, and could even cancel my registration -- something that the conference organizers would happily fix for me on-site.
Has anyone else noticed that this issue seems to have grown (in Google's mind) as they offer more and more cross-integrated services through a single password? Perhaps, and this is just speculation, if they separated services into multiple accounts hosted independently, while it would be a little less convenient for users, it would be the same less convenient for hackers?
In any event, the idea of replacing something that can't be stolen, with something that can be stolen, is a plainly stupid idea. It's even more stupid than using biometrics -- something I can't control intently, and I leave everywhere I go. So stupid.
Suppose you have a "smart" credit card in the form of one of those "credit card" calculators. Keypad + simple LCD display.
When you use the card, you type a pin/password on the card, which then generates a new single-use credit card number which attaches to your account, encrypts it with your personal key, and sends it off when the card is swiped.
If you lose your card, no one else has access since they don't have your PIN(*). No one can snoop the data since it's encrypted en-route. No one can copy your card since the information never leaves the card and anyway the number is single-use only.
Suppose this same card is in the form of a thumb drive. It identifies as a security token, and will encode and decode on request, but will not under any circumstance let the keys out. All calculations are done on the device, the code is fixed and cannot be changed, and requires a PIN once when the computer boots.
You don't have to worry about viruses or data leaks.
Since it is a thumb drive, you can add public keys with abandon. To do business with any company, you send them a token encoded with your private key and their public key, they send you information using their private key and your public key. The card will require the operator to enter the PIN to store a new corporate key (for convenience). All the public keys for your credit cards, store cards, bank access, &c are stored in one place.
Suppose the device is Bluetooth enabled. Now you don't need to hunt around for a USB port - you can enter your PIN and hit "accept" when you want to make a purchase at a store - after the LCD display shows you the purchase price.
If you lose your device you get a new one. Go to the bank, show identification, get a new card with the bank's keys on it. If the bank keeps a backup of your stored corporate keys, they can download the keys along with your new private key at their secure site.
The important bit for all of this is a) the calculations are done on the device not an external computer, and b) storage for multiple corporate keys (visa, MC, Pennys, Wal-Mart, &c) in one device.
This has been obvious for years, it's just one of those cases where the entrenched monopoly has no incentive to fix the problem.
(*) Even assuming a thief can hack the physical card, it takes credit card theft away from "millions of cards were exposed by computer hack" to "lots of work required to hack a single card". And your bank will invalidate your old private key when the new card is issued.
DEAD finger ring.
A strong system should have certain attributes such as:
1. Non-transferable physical tokens (signet rings, implants, retina, voice, pulse-sensitive fingerprint) that are needed to generate the
2. one-time keys used for each transaction
3. whether by analog phone, smartphone, internet-connected PC, or other mechanism.
4. There should be an automagic session end when the token is separated from the connection mechanism.
5. The system should guarantee respect for the user's privacy choices.
6. Where laws prohibit 5, the system should ensure the user has a way to knowingly submit to the law.
7. Where laws permit 5, the system should support any desired number of pseudonymous/anonymous personae for a single human.
What else does it need?
Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
The reason why Matt Honan got hacked was not because of passwords being broken. It was because the procedures for customer service to identify you when you need help, like when you lose your password (or Yubikey or whatever), are horribly broken, and we need better minimum corporate standards, PCI-SIG style, for things that can matter (or demand ways to outsource it to a trusted 3rd party, OpenID style), and better end-user education about security questions and other things like that and why that's just as important as how to choose and organize your passwords and not reuse them everywhere.
It prevents web sites from using this technology to track users... by which they mean that it prevents sites you go to in your browser from using it to track you. It doesn't prevent the people who make the browser, the smartphone OS, or essential programs that run on it from tracking you--which is to say, Google can still track you just fine.
So if my phone is stolen someone has access to all my stuff, and if my battery dies or the phone breaks then I'm locked out of everything until it's fixed. It'd just make my phone a more attractive item to criminals and the government, and if either of them take it then again I have access to nothing. I realise Google wants to create a real dependency on their phones but it's a stupid idea. I'd even go as far as saying the US government kindly asked for them to push this crap to make their life easier.
From a technical side, what is to stop somebody from getting their own phone running numerous passwords through it while intercepting the key that comes out to determine the algorithm used. Once you have the algorithm, you can spoof other systems, can you not?
This is basic cryptography. They could openly state exactly what algorithm they use and enable you to simply read the key. No interception or reverse-engineering necessary. It's still easy to make it secure. That's kind of why we spent so much time studying cryptographic algorithms. (Say, for example, PBKDF and zero-knowledge proof.)
From a user side, how is having a single password for my phone any more secure than using the same password on all the sites I visit?
Because the phone is acting as an active authenticator, rather than just supplying that single password. As a result, an attacker would need to possess the phone (or, realistically, the key contained in the phone) in order to authenticate to a site. So you're changing what they need to possess in order to carry out an attack. Also, when you're storing a secret in a phone, you're relieving it of the requirement of being memorable. A phone can store an arbitrarily-large secret with perfect recall, while you cannot. A phone can also do arbitrarily-complex cryptographic protocols using that secret, while you cannot.
Finally, from a paranoid side, the US courts have already ruled that what is on your cell phone does not need a search warrant. What is to stop the authorities from using your phone to obtain access to everything?
That's not quite set in stone, but let's assume it's true. It is slightly more convenient for them to just use your phone to log on to any web site as you than it is to serve those web sites with subpoenas for the same information. Unless the secret on the phone used for authentication is guarded behind a password or biometric input, which it probably should be.
Once you're automatically logged into ALL your accounts at the same time, Google (and other sites) have a much wider pool of available data upon which to link and troll information about you. For example, have you checked your Twitter account settings recently? Twitter automatically tries to connect to your Facebook account - even if you don't have one, which I don't (that I know of anyway). (Damn Twitter panel just sits there with its icon swirling.)
Personally, I prefer to only logon to sites as-needed.
It must have been something you assimilated. . . .
Because that one password is completely unbreakable.
http://tinyurl.com/42geekcode
I don't own a cell phone. Various online services such as Google keep badgering me to associate my account with a cell phone number. I can't, don't want to, and don't need to. Their desire to do this is a desire for their own convenience, not mine. If some other user writes his Google password on a post-it and then loses the post-it, Google wants a method by which it's easy for Google to retain the guy as a customer by giving the guy back his password. They want to do this with zero labor cost to them. They don't want to do it by email because if the guy's forgotten his gmail password he can't access his gmail. All of this has to do with what Google wants, not with what I want.
TFA says, "Passwords are a cheap and easy way to authenticate web surfers, but they're not secure enough for today's internet, and they never will be," with a link to this article by someone named Mat Honan. Honan says:
You have a secret that can ruin your life. It's not a well-kept secret, either. Just a simple string of characters--maybe six of them if you're careless, 16 if you're cautious--that can reveal everything about you. Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked.
Um, no. I don't use the same password for all these different things. Anyone who does is a fool. And no, I don't post naked pictures of myself online, with or without password protection.
No matter how complex, no matter how unique, your passwords can no longer protect you. Look around. Leaks and dumps--hackers breaking into computer systems and releasing lists of usernames and passwords on the open web--are now regular occurrences.
No. This guy obviously has no clue. Web sites typically store a hash of your password, not the password itself. And if you don't reuse the same password for multiple important accounts, there are no major ramifications from having your password for, say, facebook released into the wild, because it's not the same as your password for your bank account, etc. If someone uses a single password for every single account they have, then they're asking for trouble. That's their problem, not mine, and it's not a generic problem with passwords, it's a specific problem with the insecure way those people use passwords.
This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust--seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well--but the three accounts were linked, so once the hackers had conned their way into one, they had them all.
What the hell does he mean by "linked?" This makes no sense.
Imagine that I want to get into your email. Let's say you're on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that's easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.
If AOL does this, then AOL is a bunch of idiots. This has nothing to do with the security of passwords in general.
How do our online passwords fall? In every imaginable way: They're guessed, lifted from a password dump, cracked by brute force, stolen with a keylogger, or reset completely by conning a company's customer support department.
Your password can't be guessed or cracked by brute force if you pick a good password. It can't be "lifted from a password dump" if whoever you have the account with stores it in hashed form. If it's being stolen through a keylogger on your computer, then you have a bigger problem than the insecurity of your gmail account. Social engineering methods are the hardest to protect against, but the damage is mitigated if you don't reuse the same password for multiple high-stakes accounts.
Find free books.
Google's gonna do what has already been done. Seriously, I have a LastPass account. Master password encrypted, with two factor authentication, that contains my Google password, that also has two factor authentication. Lastpass also sells a yubikey that I can tie to my account, with two factor auth. Soooo, while I applaud the Goog for stepping up on security ideas, a lot of this road has been done before. Also, please please steal my phone. I can shut it down and wipe it from anywhere in the world, or simply lock it and track it. And before anyone says anything, yes it's custom rooted and root encrypted. Lastly, before anyone asks, yeah it's a bit of a pain when I have to reinstall an OS or if I change/flash my phone.
The article links to an example of a guy (Mat Honan) who had his accounts hacked into:
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
But as far as I can tell from reading that article, no password was ever compromised. Most of the passwords were reset using other information (credit card numbers, billing address, etc.), and tricking clueless phone support people. So why use this example as a reason to get rid of passwords, when the passwords weren't really the problem in the first place?
Referring to the lawsuit brought by patent troll Uniloc against Laminar research (the developers of X-Plane) for using Google-provided authentication code in their Android app: http://www.x-plane.com/x-world/lawsuit/ Looks like every Android-app developer of significance currently stands at risk of being sued!
They are a stopgap with backwards compatibility while everyone moves to something else, if a computer is storing your password and not a private key someone somewhere is doing something wrong.
Your computer is equally as good at "remembering" a key as a password and the key is considerably stronger security. You can still password your private keys (with a keyring).
A key is stronger and if the server is compromised they can't use your public key to login.
Seems Google wants to keep all the tracking to itself!
Something like http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language has been trying to solve this problem; also there's multi-step authentication that, say, requires your password and a randomly generated pass code from your phone. The Google tool is cool though, and a lot easier to set up and use than what I'm mentioning. The goal with password management is to reach the common user after all.
If we can find a way to escape the tyranny of passwords that can generally be cracked by anyone who's determined anyway it can only be progress.
I agree but devices are not the way to go. The advantage of using your brain is that everyone is guaranteed to have one (whether or not they use it). Not everyone has a mobile phone and the same applies to any device you care to name. Even requiring biometric data such as finger prints or retina scans can rule out access to disabled people. There is a reason we still have passwords despite all their inherent disadvantages.
I use Google authenticator, which (in addition to, not in replacement of password) is re-generated every hour on my cell phone. The 4-6 digit "authenticator" lets me enter a password into a device to make that device (cell phone, laptop, PC, etc.) ok to open afterwards with just a password.
I accept this is better than just a password because I'm able to use simpler passwords rather than be forced to choose difficult and secure passwords on multiple sites. I forget one on a site and wind up giving them all my other passwords trying to open it (in multiple attempts) and don't like that. I especially resent entering difficult passwords into sites I don't know and don't trust... "Welcome to OneUseSite, please enter in a password with 16 letters, capitals and numeral and symbol". I don't like giving those sites an important password or even a method or clue that could be used to figure out other site passwords, but when I make one up I later forget it and wind up entering a good one in while trying to guess it. (I keep a "throwaway password" for sites that make me authenticate myself for access to THEIR content... I don't care if someone reads NYTimes or WSJ with my password, that's their problem.) The hardware encoded authenticator would be valuable to sites like these, and Netflix, where I give lots of friends my password because I don't care if they use it.
Gently reply
The best feature of the password is that it's in your head.
Obligatory: http://xkcd.com/538/
I'm certainly no expert in the security of GPS/spoofing, but since so many of our devices have location services built in, couldn't we add *where* we are trying to gain access as a relevant factor? Perhaps the security system could ask for a mere simple password if it sees that you are currently at home, and require secondary authentication (RSA fob, Google Auth, etc.) someplace you haven't been before. Most people who have stolen your credentials aren't going to log in from your house (short of your own kids, but if that happens, you have bigger problems).
What if you work in a facility that won't allow devices like cellphones, bluetooth, etc?
Bark less. Wag more.
I don't have a cell phone and I have no desire to pay a few hundred a month to have people bug me at all hours of the day. I'll keep my passwords, thanks.
Fingerprint readers are one of the WORST methods of security. Imagine if you left your password on everything you touched. A little super-glue mist and someone has your password. Biometric fingerprint readers can easily be tricked with a good latex impression of the print and little bit of moisture and heat.
A password must be hard to crack.
A passphrase must be easy to remember and use.
These are conflicting requirements. What is needed is a method to map a passphrase to a password. I use something like this:
alias cryptpw='read -rs pass; echo "$pass" | sha512sum | base64 | cut -c -8'  # -s keeps the typed passphrase off the screen, -r keeps backslashes literal, and quoting "$pass" stops the shell from splitting or globbing it
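The alias above maps one passphrase to one fixed password. As an added example (not the commenter's code, and not part of the original thread), here is the same idea in Python, extended in the way a practitioner would want: the site name goes in as a salt so each site gets a different password, PBKDF2 slows down guessing of the passphrase if one derived password leaks, and the output length is made explicit because truncating to 8 characters caps the result at 48 bits no matter how good the passphrase is. The passphrase and site names are constructed for the example.

```python
import base64
import hashlib
import math

# Constructed master passphrase used only for this example.
EXAMPLE_PASSPHRASE = "correct horse battery staple"


def simple_map(passphrase: str, length: int = 8) -> str:
    """Passphrase -> password, the same idea as the alias: hash, base64, truncate.

    Note the weakness: the site is not an input, so every site gets the
    same password and one leak exposes all of them.
    """
    digest_hex = hashlib.sha512(passphrase.encode("utf-8")).hexdigest()
    return base64.b64encode(digest_hex.encode("ascii")).decode("ascii")[:length]


def site_password(passphrase: str, site: str, length: int = 16,
                  iterations: int = 200_000) -> str:
    """Derive a distinct password per site from one memorable passphrase.

    PBKDF2-HMAC-SHA512 with the (case-folded) site name as salt: a password
    leaked from one site does not reveal the passphrase or the other sites'
    passwords without a slow brute force of the passphrase itself.
    """
    if not site:
        raise ValueError("site must be non-empty")
    key = hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                              site.lower().encode("utf-8"), iterations)
    # URL-safe alphabet avoids '/' and '+', which some sites reject.
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]


def output_entropy_bits(length: int, alphabet_size: int = 64) -> float:
    """Upper bound on the entropy of a base64-style password of this length.

    8 characters of a 64-symbol alphabet is at most 48 bits, however long
    the passphrase behind it was.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("fixed mapping   :", simple_map(EXAMPLE_PASSPHRASE))
    print("example.com     :", site_password(EXAMPLE_PASSPHRASE, "example.com"))
    print("example.org     :", site_password(EXAMPLE_PASSPHRASE, "example.org"))
    print("8-char max bits :", output_entropy_bits(8))
```

The iteration count is a deliberate cost: it only has to be paid once per login, but an attacker who obtains one derived password and wants the passphrase pays it for every guess.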
The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you.
XKCD.com/538 - Security
I carry my passwords in my phone - I have upwards of 100 of them and can't remember each one. I prefer not to use the same user id, either. Plus, these days, everyone has these stupid, canned security questions that anyone with my name could probably do a google search and discover (you're probably okay if you're "John Smith"...) - so my responses to those questions are as random as the passwords.
I can easily remember pass phrases (more complex than "staple battery horse correct"), but Google is the only provider who'll let me use them (Microsoft is down to 16-characters maximum for their services). My banking website still uses numeric PINs, but only up to 10 digits (might as well be 4-character passwords...)
Face it - the system is broken, it's time to move on.
I love the idea of Near-Field-Communication (NFC) in something innocuous like a ring - I have it on me more than my phone, less likely to lose / break / have stolen (all of my friends who've been mugged have lost wallets, purses, phones / electronics, but never jewelry). This is a simple solution to a problem that the whole world seems hell-bent on solving in the most ridiculous fashion possible.
This is fine as long as passwords are not *required* for Internet access, so anonymity can be maintained, including old-school passwords for email and so on that don't encode a computer ID.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
I bought a yubikey. It's a great concept. The problem is, almost no one really uses it. I bought it to use on gmail - well, guess what? Gmail didn't officially support it - you had to install a software hack to get it to work. I can get this software to work on windows, but not on Ubuntu (I probably could if I hadn't given up after an hour). Yubikey has a special key that supports lastpass and paypal. So then I bought that one, but haven't had time to try it out. I did all of this several months ago, so my info may be outdated...
I don't have a smartphone, nor a smartcard-embedded finger ring, you insensitive clods!!
Frankly, I am just a regular email, surfing news sites type these days. Nothing sensitive or work related. I just want to be able to type my alphanumeric password, check the Word of The Day, and then see what nonsense my sister has to tell me today. What's wrong with that?
Dallas Semiconductor once had a product called the "Crypto iButton", a small Java CPU + a hardware RSA engine and tamper-resistant memory. With appropriate plugins you could set it up as a security device in your browser and then authenticate remotely using SSL client certificates (with the private key never leaving the iButton).
http://people.cs.uchicago.edu/~dinoj/smartcard/javaring.html
Are belong to us
Hey, I know how to solve this: Instead of sticking it in a cell phone, or a chip in a ring on your finger, let's make an embeddable chip that we can just stick under your skin and...
hmm. That's maybe getting a little mark of the beastish there. Who wants to be first in line to swear fealty to Sam Neill?
Google's proposal shows no engineering common sense when it suggests that a web browser be a precondition for authentication, or even involved in it. Web browsers are massively complex pieces of software and hence unavoidably bug-ridden and regularly compromised, so the last thing you would ever want involved in the authentication process is that horrendous pile of rubbish.
And for the Nth time, the Web is not the Internet, it's only a small part of it, and those other parts don't want to be at the mercy of the Web nor of browsers for decent authentication. Keep authentication separate. That's why we define networking as many separate layers and protocols.
Of course Google wants to make browsers a part of everything because that's how they make their billions. But it's totally wrong, for so many reasons that it should be obvious to anyone involved in authentication.
That's all it is folks...NSA and Google are the same thing.
I doubt we lack the intellectual capacity to come up with alternatives to passwords. The problem is it requires something that appeals to the self-interest of billions of different users and the multitude of large (and not so large) corporations that serve them.
It would not be that difficult to create a physical key, like a USB drive, that had to be present to authenticate a computer with web sites. It could even create temporary travel keys that only allowed temporary authentication, while the permanent key remained secure. Or it could allow a phone to create temporary authentication. In both cases, if the travel key or phone was lost the permanent key could be used to shut off their access. Depending on the site and user, authentication might be sufficient for use, or it could have additional security.
I am sure there are many other, better, technical solutions. But it's not clear that users or web sites consider the problem significant enough to address. It may frustrate the security folks, but it took a long time and a lot of publicity about burglaries to get people to lock their doors. And there are still many people who don't.
Well, if only we had some authentication scheme that only required you to authenticate once, and then grant you a token that expired after a certain time, and then you could use that token to authenticate to everything...
http://web.mit.edu/kerberos/www/dialogue.html
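The comment is pointing at the Kerberos idea: prove who you are once, receive a ticket that carries an expiry, and present the ticket afterwards. As an added example (not the commenter's code, and a simplified stand-in for Kerberos's actual ticket format), this Python block issues an HMAC-signed token with an expiry and checks three things a verifier must get right: authenticate the token before reading any field, use a constant-time comparison, and reject it once the clock passes `exp`. The key, user names and timestamps are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed server-side key for this example; a real deployment keeps it secret.
SERVER_KEY = b"example-server-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int, now: float = None,
                key: bytes = SERVER_KEY) -> str:
    """Authenticate once (assumed done by the caller), then hand out a ticket.

    Token layout (constructed for this example): base64(claims).base64(tag),
    where tag = HMAC-SHA256(key, claims).
    """
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token: str, now: float = None, key: bytes = SERVER_KEY):
    """Return the claims if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the MAC before trusting anything inside the body.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:   # expiry is inclusive: at exp it is already dead
        return None
    return claims


def with_modified_subject(token: str, new_user: str) -> str:
    """Rewrite the claims but keep the old tag; verify_token must reject this."""
    body_b64, tag_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["sub"] = new_user
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64(body) + "." + tag_b64


if __name__ == "__main__":
    t = issue_token("alice", ttl_seconds=300, now=1000)
    print("fresh   :", verify_token(t, now=1100))
    print("expired :", verify_token(t, now=1300))
    print("edited  :", verify_token(with_modified_subject(t, "bob"), now=1100))
```

The "authenticate to everything" part is what the thread is arguing about: every service that accepts this ticket has to share (or be able to reach) the verifier's key, which is exactly the trust relationship the later comments object to.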
"I assume your hand print will open this door, whether you are conscious or not."
Lt. Commander Data in A Matter of Time.
"It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant --- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.
Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all- purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense."
Ford promptly knocks Harl unconscious and steals his ident-i-eeze, which he then uses to gain access to the Hitchhiker's main corporate accounts computer system.
i could live a little longer in this prison
^ see title
i could live a little longer in this prison
once you cross the Mighty Google
Some other iButton products are still available, but the Java cryptographic ones I'm talking about (e.g. DS1957) were discontinued.
Duh.
Yes, any and all authentication methods have a vulnerability. This is unavoidable. The point is to balance security with ease of use. As it is now, the password system provides a low level of security (arbitrary password length limits coupled with human inability to make new passwords) and low ease of use (hard to remember and keep track of so many passwords across so many domains (e-mail, website, video game, applications, etc.)). The solution was password managers, which is essentially the same as what is being talked about here: have one point of authentication which is then properly secured (two-factor, etc.). Which is more secure, having passwords some 90% of which can be cracked with a 1000-long list, or having to steal each person's key individually?
Although personally, I'd prefer password managers since I don't have to rely on Google for Yet Another Thing.
I can't imagine that the proposed plan is more secure than password encryption. Any security that is device-specific is problematic at best. I refute their thesis, and instead suggest a dual-password system for everything. First a system password that changes for every device, then an account password which must be at least 26 characters long and made up of a semi-random string.
even the computer won't know what you meant to type!
Great. So when someone steals your device, or you lose it, or it gets broken, or Google decides that they don't like the name you're using online, you're completely fucked in every conceivable way and subjected to the online equivalent of "Universal Default". Even better if it happens when you're traveling and away from home. Frosting-on-the-cake IDEAL if your voicemail, security system, transit smart card, and ability to pay for lunch at McDonald's depends on it, too.
Never, ever, EVER allow one single party to have the authority to nuke you without remorse, recourse, or even any hard requirement to confirm that they've done it and give any specific reason *why*. There's probably even an Antipattern named after this, with a name like "Single Point of Failure"
It's Google trying to consolidate identities by weaning people off passwords.
I have multiple identities on the 'net. Deliberately. For instance, I don't need my workplace associated with sites that don't need to know. It's the same reason I hate Disqus and will not comment on sites that use it. It's one reason I moved my blog off blogger. Google have shown they do not understand why people want multiple identities - but they have to support it because when they try to not, they find the negative feedback is deafening.
TL;DR: I Am Not A Google Identity. And I wish to remain that way.
'we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe'
What evidence do you present to affirm this assertion?
Answer: None!
Therefore Google Think is Shit Think.
XD
If they succeed, they will have created every repressive regime's wet dream. Even the U.S. gov't is pining for a national identity card, ostensibly for "security." This would be more like a global ID card.... with built-in profiling and GPS tracking.
Howdy howdy howdy
Steam client has been doing this for a while, I even had to authorize Steam on my iPhone
"We'd like your finger-embedded smartcard to authorize a new computer via a tap on the computer."
Co-operation beats competition
There are encryption systems that are secure enough under current available technologies. For example, I was reading an article by a Masters student from Concordia University, who developed in the lab a TrueCrypt type file system on Android called Mobiflage. The goal was PDE (Plausible Deniability Encryption). And, given hardware on mobile phones today, this was seen to be a viable option.
So, I think this could be molded into a very secure system, where your sensitive data is stored in a TrueCrypt type FS, and the rest of the OS / data can be on the regular file system. Only a handful of software has permissions / ability to read / write to the TrueCrypt data.
Do not use personal information. You should never use personal information as a part of your password. It is very easy for someone to guess things like your last name, pet's name, child's birth date and other similar details.
Do not use real words. There are tools available to help attackers guess your password. With today's computing power, it doesn't take long to try every word in the dictionary and find your password.
Mix different character types. You can make a password much more secure by mixing different types of characters. Use some uppercase letters along with lowercase letters, numbers and even special characters such as '&' or '%'.
Use a passphrase. Rather than trying to remember a password created using various character types which is also not a word from the dictionary, you can use a passphrase. Think up a sentence or a line from a song or poem that you like and create a password using the first letter from each word.
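The four tips above are checkable rules, and the last one is a small algorithm. As an added example (not the commenter's code, and not from the original thread), this Python block implements them: a checker that reports which of the rules a candidate password breaks, and the first-letter-of-each-word construction from the passphrase tip. The word list, personal details and sample sentence are constructed for the example; a real deployment would use a full dictionary and the account holder's own details.

```python
import re

# Constructed mini dictionary and personal details; a real check uses a full word list
# and whatever the site knows about the account holder.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}
PERSONAL = {"smith", "rex", "19850412"}


def char_classes(pw: str) -> set:
    """Which of lower / upper / digit / symbol the password uses (tip 3)."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(pw: str, dictionary=DICTIONARY, personal=PERSONAL,
                   min_len: int = 12) -> list:
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < min_len:
        problems.append("too short")
    # Tip 1: substrings of known personal details.
    if any(p in lowered for p in personal):
        problems.append("contains personal info")
    # Tip 2: strip digits and symbols first so 'Dragon1!' still counts as a word.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in dictionary or lowered in dictionary:
        problems.append("dictionary word")
    # Tip 3: require at least three of the four character types.
    if len(char_classes(pw)) < 3:
        problems.append("fewer than 3 character types")
    return problems


def passphrase_to_password(sentence: str) -> str:
    """Tip 4: first character of each word; trailing punctuation is kept so the
    result has symbols as well as letters and digits."""
    parts = []
    for word in sentence.split():
        parts.append(word[0])
        if len(word) > 1 and not word[-1].isalnum():
            parts.append(word[-1])
    return "".join(parts)


if __name__ == "__main__":
    sentence = "My 2 cats, Rex & Tom, sleep 14 hours a day!"   # constructed sample
    derived = passphrase_to_password(sentence)
    print(derived, check_password(derived))          # passes all four rules
    print("Dragon1!", check_password("Dragon1!"))     # short and a dictionary word
```

The checker is only as good as its lists: "Dragon1!" is caught because the letters alone spell a listed word, which is the substitution pattern the second tip warns about.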
Maybe I don't want all of my other services to unlock with a single login? This is like openid? I don't use it
Where will the ads show up?
are we really living in the new world order of evil?
If they let you reset your password after you've established yourself by answering a few personal questions (mother's maiden name, high school mascot, etc.), then clearly the password is redundant and just a more error-prone proxy for asking you those questions. Seems to me a much improved system would be to have you register the answers to a large set of such questions, and login by answering a subset each time. (For those who are about to point out that a determined invader could find out the answers to these questions and impersonate you, let me point out that you don't have to register the actual true answers; your mother's maiden name may well be mudhead and your high school mascot the fighting turds, as far as some random website knows).
Star Trek transporters are just 3d printers.
The DS1990 is just a serial number chip without encryption. It can be easily copied or imitated.
The DS1961S "Protected EEPROM iButton with SHA-1 Engine" is a much more secure iButton because a secret can be hidden in the iButton that can't be read back, but is used to authenticate the data.
http://www.maximintegrated.com/datasheet/index.mvp/id/3557
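Both iButton comments (the Java Crypto iButton whose private key never leaves the device, and the DS1961S whose secret cannot be read back) describe the same shape of protocol: the verifier sends a fresh challenge, the device answers with a function of the challenge and its hidden secret, and the secret itself is never on the wire. As an added example (not from the thread, and not the iButton firmware or Maxim's protocol), this Python block models that exchange with HMAC-SHA256 in place of the DS1961S's SHA-1. The serial numbers and secrets are constructed for the example; the server side also consumes each challenge so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


class Token:
    """Models the tamper-resistant token: it holds a secret it never exports.

    The only operation it offers is respond(); there is no getter for the secret.
    """

    def __init__(self, serial: str, secret: bytes):
        self.serial = serial
        self.__secret = secret  # used only inside respond()

    def respond(self, challenge: bytes) -> bytes:
        # Binding the serial into the MAC stops a response from being reused
        # under another identity.
        return hmac.new(self.__secret, self.serial.encode("ascii") + challenge,
                        hashlib.sha256).digest()


class Verifier:
    """Server side: shares the secret from enrolment, issues single-use challenges."""

    def __init__(self, enrolled: dict):
        self._enrolled = dict(enrolled)   # serial -> shared secret
        self._pending = {}                # serial -> outstanding challenge

    def challenge(self, serial: str, rng=secrets.token_bytes) -> bytes:
        c = rng(32)                       # fresh, unpredictable, one per attempt
        self._pending[serial] = c
        return c

    def verify(self, serial: str, response: bytes) -> bool:
        secret = self._enrolled.get(serial)
        c = self._pending.pop(serial, None)   # consume it: a replay finds nothing pending
        if secret is None or c is None:
            return False
        expected = hmac.new(secret, serial.encode("ascii") + c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Run the four cases a verifier must distinguish; returns their outcomes."""
    secret = secrets.token_bytes(32)          # provisioned into the token at enrolment
    token = Token("EXAMPLE-SERIAL-0001", secret)
    server = Verifier({"EXAMPLE-SERIAL-0001": secret})

    response = token.respond(server.challenge(token.serial))
    accepted = server.verify(token.serial, response)       # fresh, genuine: True
    replayed = server.verify(token.serial, response)       # same bytes again: False

    wrong_secret = Token("EXAMPLE-SERIAL-0001", b"not-the-enrolled-secret")
    rejected = server.verify(token.serial,
                             wrong_secret.respond(server.challenge(token.serial)))
    unknown = server.verify("EXAMPLE-SERIAL-9999", response)  # never enrolled: False
    return accepted, replayed, rejected, unknown


if __name__ == "__main__":
    print(dict(zip(("accepted", "replayed", "wrong_secret", "unknown"), demo())))
```

The asymmetric version in the Crypto iButton comment has the same message flow; the difference is that the verifier holds only a public key and checks a signature instead of recomputing a MAC, so a compromised server does not leak anything that impersonates the token.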
Punch a hole in your card to cut the antenna coil and the RFID will stop working. The chip will probably still work though.
With humans being mostly visual as for memory, why not elaborate on that for authentication? MS Picture-password goes along that way, it is already compromised somewhat on touch-screens, but that is a temporary technical problem. Ask me to select any old family-pic out of 20 slightly altered ones. Ask me if the pic of my wife is real or shopped. Ask me to pick which sunrise I saw in 1980 from Ibiza. You can know a lot about me, but never exactly what I have seen. And I remember quite well what I have seen, especially if I have to set/designate a specific picture as a personal lock.
FTFA: 2012 may have been the year that the password broke. It seemed like everyone on the internet received spam e-mail or desperate pleas for cash — the so-called “Mugged in London” scam — from the e-mail accounts of people who had been hacked. And Wired’s own Mat Honan showed everyone just how damaging a hack can be.
> Firstly, I don't recall seeing *any* spam e-mails in 2012 - at least to my own domain. I get a number to my work e-mail address, but that's because they use firstname.lastname@bigcorp.com, and at any rate the address is likely harvested when software companies demand e-mail address for pricing. At any rate, this is unlikely to be related to the e-mail account being hacked as much as it is marketers gonna market.
> Secondly, I vaguely recall the Mat Honan hack, but I'm reasonably certain I've already got sufficient steps to mitigate the attack he suffered. For one, I don't subscribe to the apple camp. For two, I don't use similar credentials across the web. For three, I think the guy who was affected made a significant number of utter schoolboy errors and would have been subject to an attack sooner rather than later. Let's hope he sufficiently learned his lesson rather than be the subject of another embarrassing hack later on.
Anyway, I'll be happy to see the demise of the password - it does have significant problems with regard to entropy versus memorability; general weakness tied into the idea that humans aren't necessarily designed to cope with arbitrarily long strings; arbitrary and inconsistent requirements, and policy-related changes. On a couple of occasions I've been aghast that somewhere requiring authentication kicks out credentials because they're either too long or they start with a number. The fuck?
But, I don't think Google is the innocent party presenting this for the good of mankind. Any move that reduces the possibility of plausible deniability, anything that increases the confidence that an action can be tied to a person, will directly benefit their bottom line. Therefore, I'd suggest that while the sentiments behind the paper may be good, a different approach may be better (e.g. LiveCD on RW media, with a KeePass or similar database in ~/boringdatabaselogs).
After all though, perhaps my tinfoil hat is on too tight.
Yep. That's why the security game is very much like an MMO. There is no real way to win it, other than by not playing.
Disposable email accounts. Banking in person. Fake credentials/info when you do need to login to something for some reason. Few, very few, things get my real information. It used to be common practice to be like that, but now facebook, and realid, and google, have all convinced masses of people to give up all their real information willy-nilly, and I don't understand why people do it.
The simple truth is, for most of those masses of people, they don't have much if any real security; the real reason they don't get impacted by security breaches or identity theft is one of two things: they either aren't interesting enough, or they simply haven't been gotten around to yet (i.e., the "odds of being struck by lightning" effect).
(You could look at it as still playing, but now it's a different game, one you made the rules to instead of someone else's game/rules, giving you the advantage)
The guy who said the election was rigged won the presidency with the second-most votes.