Slashdot Mirror


Google Declares War On the Password

An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. 'We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity.' Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"

5 of 480 comments

  1. Yeah yeah, we have seen this before by s.petry · Score: 5, Interesting

    Every big company at some point has declared war on the password. We have smart cards, biometrics, RSA tokens, and finger paintings to prove it. None of those things work any better than a password when used alone. In conjunction with a password, we can achieve "better" security.

    The logic of a password-less world is what's broken. Period, end of statement. If the logic is broken, no matter who implements the password-less solution we still end up with a broken solution.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  2. Re:Biometrics by Nerdfest · Score: 4, Interesting

    You should always use 2 factor authentication, with biometrics and with what is being suggested here. You know, both something you can lose, and something you can forget.

  3. Re:Brilliant idea by dkleinsc · Score: 5, Interesting

    As you hint, passwords are both necessary and insufficient for real security. For anything important, you really ought to have 2/3 of the ID triangle: something you know (like a password), something you have (like an RSA token), or something you are (like fingerprints).

    --
    I am officially gone from /. Long live http://www.soylentnews.com/

  4. Re:Brilliant idea by SirGarlon · Score: 5, Interesting

    From the point of view of a digital stream of data, something you have is indistinguishable from something you are. (Fingerprint scanners are vulnerable to replay attacks.)

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.

  5. Re:how about REMOVING ARBITRARY PASSWORD LIMITS! by codemaster2b · Score: 5, Interesting

    Yes there is a reasonable excuse why it must contain certain minimum lengths and characters. It has to do with exponents. For fun I've written several types of password hash crackers in the past. The best way to defeat a brute-force password cracker is to expand the keyspace.

    A good password today is at a minimum 8 characters, and can consist of any one of 95 keypresses on the keyboard. 95^8 = 6.6e15 combinations.
    If you don't use special characters, that 8 character password is only 62^8 = 2.2e14 combinations.
    If you don't use numbers, that 8 character password is only 52^8 = 5.3e13 combinations.
    And if you don't even bother to change cases, that 8 character password is 26^8 = 2.1e11 combinations.

    Those numbers don't tell the real story. Old Windows XP passwords could be cracked on average 2011 hardware at about 10 million (1e7) combinations / second. The "good" password above would be cracked in 21 years (max). No special characters would be cracked in 8 months. No numbers in 2 months. And single-case only in 6 hours.

    But today we have GPU password cracking, and much better hardware. A Radeon 5770 could crack the "good password", 8 characters long in a mere 28 hours. That was hardware from 2 years ago.

    --
    And over there we have the labyrinth guards. One always lies, one always tells the truth, and one stabs people who ask t
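
Added example (not part of the original comment or of the mirrored page): the keyspace arithmetic from comment 5, extended to find the shortest password length per alphabet that survives a chosen exhaustive-search duration. The CPU rate is the comment's figure; the GPU rate is derived from its "28 hours" claim, and the 10-year target and all function names are assumptions made for the example.

```python
# Worst-case exhaustive search only: assumes uniformly random passwords
# and a fast hash, as in the comment's figures.
ALPHABETS = {"single-case": 26, "mixed-case": 52, "alphanumeric": 62, "printable": 95}

CPU_RATE = 1e7                     # guesses/second, the comment's 2011 figure
GPU_RATE = 95**8 / (28 * 3600)     # derived from "95^8 in 28 hours" (~6.6e10/s)
YEAR = 365 * 86400                 # seconds


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def max_crack_seconds(alphabet_size, length, rate):
    """Worst-case seconds to try every candidate at `rate` guesses/second."""
    return keyspace(alphabet_size, length) / rate


def min_length(alphabet_size, rate, target_seconds):
    """Shortest length whose full keyspace takes at least `target_seconds`."""
    needed = rate * target_seconds
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that keeps the value >= 1."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def report(target_seconds=10 * YEAR):
    """One row per alphabet: 8-char crack times and the length a policy needs."""
    rows = []
    for name, size in ALPHABETS.items():
        rows.append((name,
                     humanize(max_crack_seconds(size, 8, CPU_RATE)),
                     humanize(max_crack_seconds(size, 8, GPU_RATE)),
                     min_length(size, GPU_RATE, target_seconds)))
    return rows


if __name__ == "__main__":
    for name, cpu, gpu, need in report():
        print(f"{name:13} 8 chars: CPU {cpu:>11}, GPU {gpu:>11}; "
              f"length for 10 years at GPU rate: {need}")
```
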