Slashdot Mirror


Google Declares War On the Password

An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity." Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"

77 of 480 comments

  1. Brilliant idea by 0123456 · · Score: 5, Insightful

    Because I totally want anyone who steals my phone to be able to access every other site I use.

    1. Re:Brilliant idea by Andrio · · Score: 5, Insightful

      The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you.

      This proposed plan just makes cellphones that much more attractive to steal.

      --
      The Internet King? I wonder if he could provide faster nudity.
    2. Re:Brilliant idea by aahzmandius · · Score: 4, Informative

      So have the phone de-auth after a certain amount of time without you entering your credentials. You'd still only have to remember credentials to one device, and then *it* does all of the 'heavy lifting' of authenticating everywhere else.

      --
      --Aahzmandius
    3. Re:Brilliant idea by Farmer+Pete · · Score: 2

      Your phone would be protected with a password, silly! Oh wait, this seems like it would add complexity, and probably add passwords. It would also require all sites to majorly overhaul their authentication protocols. I'm guessing this is about as likely to happen as all websites accepting a fingerprint in raw form as a password.

    4. Re:Brilliant idea by Dexter+Herbivore · · Score: 5, Insightful

      The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you. This proposed plan just makes cellphones that much more attractive to steal.

      The WORST feature of the password is that it's in your head. I have 20+ login passwords between work and home, my security is lower because you have to simplify them to remember them. If we can find a way to escape the tyranny of passwords that can generally be cracked by anyone who's determined anyway it can only be progress. Not that I have any faith in any organisation to do it after many failed or barely passable attempts (biometrics, smart cards etc).

    5. Re:Brilliant idea by bgarcia · · Score: 2, Interesting
      The worst feature of a password is that it can be obtained from you by someone located anywhere in the world, and you wouldn't necessarily realize it. Phishing websites and social engineering make passwords by themselves too easy to get around.

      You would still have a screen lock on your phone to prevent someone from using it to authenticate into all of your other accounts.

      --
      I'm a leaf on the wind. Watch how I soar.
    6. Re:Brilliant idea by robmv · · Score: 2

      Oh yeah, everybody uses the same password on every website they use; we know it is the best practice for security!!!!!

    7. Re:Brilliant idea by Anonymous Coward · · Score: 4, Insightful

      Please explain how I can log into whatever service provides the remote kill if I can't log into my computer, my email account, or anything else. Keep in mind that I don't know my phone's MAC or SIM identification off the top of my head.

    8. Re:Brilliant idea by dkleinsc · · Score: 5, Interesting

      As you hint, passwords are both necessary and insufficient for real security. For anything important, you really ought to have 2/3 of the ID triangle: something you know (like a password), something you have (like an RSA token), or something you are (like fingerprints).

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    9. Re:Brilliant idea by terrab0t · · Score: 5, Informative

      I use a password manager to solve this problem. It stores all (or a large set of) my passwords in an encrypted database. I have one very strong password that lets me access the database. The passwords it stores are all strong (sometimes hard to remember) passwords that I do not have to store in my head.

      I still have all of my eggs in one basket, but that basket is sealed in a solid iron box.

    10. Re:Brilliant idea by caknuckle · · Score: 2

      I have 20+ login passwords between work and home, my security is lower because you have to simplify them to remember them

      Have you tried using LastPass? You only have to remember 1 secure password (as complex as you want it to be) and LastPass remembers the rest for you. It also significantly reduces time logging into sites by filling the logins for you. I use this every day and don't want to remember what life was like without it.

    11. Re:Brilliant idea by Dcnjoe60 · · Score: 2

      Oh yeah, everybody uses the same password on every website they use; we know it is the best practice for security!!!!!

      I think his point was that if your phone or other device gives you access to all of your sites, then the single password on your phone is the same as using the same password on all your sites. Basically, hack the phone algorithm and you now have access to everything the person does.

    12. Re:Brilliant idea by Anonymous Coward · · Score: 3, Insightful

      That doesn't work. If someone compromises your slashdot password (e.g., hacks slashdot or phishes you for it) and sees it's "12345slashdot", it's a fair guess that "12345email" is your email password.

    13. Re:Brilliant idea by kaiser423 · · Score: 5, Informative

      It really is. I love their current implementation. It's actually security done right. I use Google Authenticator on my phone. If I login from an unknown computer, it asks me for a pass code also, which I just bring up on my phone. I only need to remember the password to my phone/tablet. It's easily the most seamless and secure two-factor authentication I've ever used, and I've used a lot of them....

      I also use it as a token to access a couple of other sites. I believe that Apache has a module that can sync to Authenticator. It's great two-factor.

      It also comes with a list of one time codes that I can carry around for when I don't have access to my phone or tablet.

      It's like a permanent key/password manager for all of Google. It'd be great to turn it into my whole life. Much easier to just de-sync the Authenticator, then re-sync rather than blow away passwords for all sites, then re-create them for all sites if something gets compromised.

      TL;DR I trust Google to do this right because they're already miles ahead of everyone else.

    14. Re:Brilliant idea by h4rr4r · · Score: 3, Interesting

      You have to simplify them?

      Use sentences. Easy to remember and very strong due to length.

    15. Re:Brilliant idea by kaiser423 · · Score: 5, Insightful

      True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time to individually change each one.

      Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.

    16. Re:Brilliant idea by realityimpaired · · Score: 4, Informative

      There is a device called a "telephone" You pick up a "receiver", and "dial" a series of numbers associated with the person or company you are trying to communicate with.

      Your cell phone has a similar series of numbers associated to it, with which your service provider can locate your IMEI code (which is much more useful for remote killing your phone than the SIM card). Additionally, they can burn the IMEI so that it can't be activated on other providers (at least in most of the world). If you do not know your telephone number, then they can find it with your name, your account number, and many other pieces of information you can give them. Most cell providers have an option in their IVR to report a lost or stolen phone, too, with after-hours emergency support.

    17. Re:Brilliant idea by SirGarlon · · Score: 5, Interesting

      From the point of view of a digital stream of data, something you have is indistinguishable from something you are. (Fingerprint scanners are vulnerable to replay attacks.)

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    18. Re:Brilliant idea by ElectricTurtle · · Score: 2

      I just use a mental algorithm to generate passwords based on time and thing. That way I can have new passwords at will that are consistent with a standard that only I know (and no, it's not just simple +1 number stepping). The only time I have problems is when my system is too long, like with classic VNC...

      --
      I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is a steaming pile of dog shit
    19. Re:Brilliant idea by Baloroth · · Score: 5, Informative

      True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time to individually change each one.

      Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.

      LastPass offers Google Authenticator security over the vault, which means even if they get the master password they still wouldn't be able to access my vault. This does, however, mean the vault is technically not under my complete control (since I don't store it locally, although I do keep a semi-regular backup of it). But the advantage is worth it in my opinion.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    20. Re:Brilliant idea by Anonymous Coward · · Score: 5, Insightful

      There sure are a lot of people responding to you to explain the convoluted acrobatics they do to manage their passwords.

      If nerds have to do a bunch of tricks just to give themselves a little faith in their passwords, what hope does everyone else have?

    21. Re:Brilliant idea by Anonymous Coward · · Score: 3, Interesting

      True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time to individually change each one.

      Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.

      Actually, keepass can defeat most keyloggers as it uses a different function to put the password into a webform. Yes, you can copy the password to the clipboard, but allowing keepass to log you in is safer. Is it proof against all keyloggers? Hard to say, but it can defeat most at present.

      Now if you are speaking specifically about the KeePass database, the keylogger would have to have physical access to that file, and as with anything, physical access trumps all.

    22. Re:Brilliant idea by Westwood0720 · · Score: 2

      I use an algorithm based on the website's name to generate my password. Just the name of the site and a math formula gets me to every site I need.

    23. Re:Brilliant idea by blueg3 · · Score: 3, Insightful

      I think his point was that if your phone or other device gives you access to all of your sites, then the single password on your phone is the same as using the same password on all your sites.

      Right, except that it's not, because now a successful attack requires both the password and also the phone.

    24. Re:Brilliant idea by Cinder6 · · Score: 4, Insightful

      What's particularly disturbing to me is that my bank has the most draconian password requirements, which make my bank password one of the weakest that I use. Joy.

      --
      If you can't convince them, convict them.
    25. Re:Brilliant idea by Anonymous Coward · · Score: 2, Informative

      A time stream of data is distinguishable with something you are, since the data function f(t) is warped by your token. Look up stream ciphers and the like. These are not vulnerable to replay attacks.

      I like stream ciphers for cell phone security.

    26. Re:Brilliant idea by pixelpusher220 · · Score: 2

      Having a password reader on your laptop that unlocks your other passwords is a security risk. The Feds can require you to input your fingerprint; ala taking your fingerprints. So they can make you unlock your device and everything else associated with it, no 4th/5th amendment issues at all.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    27. Re:Brilliant idea by Nerdfest · · Score: 2

      Thanks for the tip, I didn't realize that they had this. That was always the weak point of that service, I thought. Two factor is pretty much required for a central repository

    28. Re:Brilliant idea by dkleinsc · · Score: 2

      Typically not, actually. Among other things, fingerprints are immutable, whereas the outputs from RSA tokens are constantly changing.

      In addition, generally speaking in order for biometrics to be relevant you need to be physically in the same location as the scanner. Which means you've already walked by human guards and a bunch of other people to get to whatever you're after. You're right that I can send any string of bits I want to your Ethernet port. Your USB port connected directly to whatever's controlling the lock, not so much.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    29. Re:Brilliant idea by Applekid · · Score: 3, Insightful

      If there is installed software with enough low-level permissions to read your keystrokes, they're going to have rights to monitor which files are being read at the moment you're attempting to log in / mount the drive / operation X, and then steal that file.

      --
      More Twoson than Cupertino
    30. Re:Brilliant idea by blueg3 · · Score: 4, Insightful

      No, it requires both the password and A phone, but not necessarily THE phone.

      Specifically, it requires the secret stored on the phone. The phone is not simply an algorithm for turning a password into a security token. It stores its own secret, independent of the password, that you would need to acquire.

      However, even if it does require THE phone, how often do people lose their phone?

      You mean how often do they lose their phone to someone who is interested and able to guess their password? A lot less often than how often people choose trivially-guessable passwords or have their passwords disclosed by a hacked website.

      Security should include a password, a device and a biometric check. Without all three, you are just as vulnerable as using only a password.

      Strictly untrue. A password plus one of those two things is more secure than a password alone.

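The point blueg3 makes above, that the phone holds its own secret independent of the unlock password, and the summary's claim that the protocol stops sites from tracking users, are both easier to see in code. What follows is an added illustration, not Google's protocol or any code from the paper: a hypothetical `Device` class keeps one master secret wrapped under a PIN-derived key and hands every site an unrelated per-origin key; a hypothetical `Site` class issues a random single-use challenge and verifies an HMAC over origin and challenge. With only symmetric primitives from the standard library it shows four properties: two sites cannot link the same device, a replayed response fails, a response produced for a look-alike origin is rejected by the real one, and a stolen device unlocked with the wrong PIN produces useless answers.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000


def _tag(key: bytes, origin: str, challenge: bytes) -> bytes:
    """Response = HMAC(per-origin key, origin || challenge); used by both sides."""
    return hmac.new(key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class Device:
    """Hypothetical phone/token. The 32-byte master secret never leaves the device.
    At rest it is XOR-wrapped under a PBKDF2 key derived from the unlock PIN (a one-time
    mask used once per secret; a real device would use an authenticated cipher or a secure element)."""

    def __init__(self, pin: str):
        master = secrets.token_bytes(32)
        self._salt = secrets.token_bytes(16)
        wrap_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ITERATIONS)
        self._wrapped = bytes(m ^ k for m, k in zip(master, wrap_key))
        self._master = None  # only populated while unlocked

    def unlock(self, pin: str) -> None:
        # A wrong PIN does not raise: it just yields a different, useless master secret, so the
        # stolen device offers no local oracle for PIN guessing; a guess can only be tested by
        # attempting a login, which the site can rate-limit.
        wrap_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ITERATIONS)
        self._master = bytes(w ^ k for w, k in zip(self._wrapped, wrap_key))

    def lock(self) -> None:
        self._master = None

    def _origin_key(self, origin: str) -> bytes:
        if self._master is None:
            raise PermissionError("device is locked")
        # One key per origin: sites receive unrelated keys and cannot correlate the user.
        return hmac.new(self._master, b"origin-key|" + origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        """One-time enrolment: the site stores its own per-origin key."""
        return self._origin_key(origin)

    def respond(self, origin: str, challenge: bytes) -> bytes:
        """Answer a challenge for the origin the browser is actually connected to."""
        return _tag(self._origin_key(origin), origin, challenge)


class Site:
    """Hypothetical relying party."""

    def __init__(self, origin: str):
        self.origin = origin
        self._keys = {}     # user -> per-origin key from enrolment
        self._pending = {}  # user -> outstanding challenge (single use)

    def enroll(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(32)
        self._pending[user] = c
        return c

    def login(self, user: str, response: bytes) -> bool:
        c = self._pending.pop(user, None)  # consumed on first use, so replays fail
        key = self._keys.get(user)
        if c is None or key is None:
            return False
        return hmac.compare_digest(_tag(key, self.origin, c), response)


if __name__ == "__main__":
    dev = Device("1234")
    dev.unlock("1234")
    bank = Site("bank.example")
    bank.enroll("alice", dev.register("bank.example"))
    c = bank.challenge("alice")
    print("login:", bank.login("alice", dev.respond("bank.example", c)))
    print("replay:", bank.login("alice", dev.respond("bank.example", c)))
```

Binding the origin into the response is what defeats the phishing case from comment 5: a look-alike site can relay the bank's challenge, but the device keys its answer under the look-alike's origin, and the bank's verification with its own key fails. The remaining weakness of this symmetric sketch is that each site holds a key that could be stolen from it; a public-key variant, where the site only stores a verification key, removes that.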
    31. Re:Brilliant idea by DMUTPeregrine · · Score: 4, Informative

      KeePass allows the use of key files on USB drives (or any drive.) This allows you to control the password safe, and the key file needed for authentication forms the second (something you have) factor.

      --
      Not a sentence!
    32. Re:Brilliant idea by fbumg · · Score: 2

      I agree, this is extremely frustrating. Why would a site supposedly into security limit my passwords so that I can't even use special characters that are readily visible on a keyboard? I can understand if they don't allow all unicode characters, but if I can type it in with nothing but my qwerty keyboard, using at minimum the shift key, then it should be allowed.

      --
      I know I don't know what I don't know.
    33. Re:Brilliant idea by Anonymous Coward · · Score: 5, Informative

      I stopped using LastPass and switched to hiding KeePass in SpiderOak last year, when someone downloaded LastPass' entire, albeit encrypted, password database. I was burned bad by that break-in, because I had to sit there and change dozens of passwords just in case. I migrated to KeePass and generated very strong, long, random passwords for each website with it. I can't log in to any sites now without it. I'd also recommend locking your KeePass with a key file that you keep hidden elsewhere, in addition to a password, just in case your main password is stolen.

      Oh, and if you use webmail like Gmail, make sure to use the two-factor authentication that they provide to give some added security. It is far too easy to reset an account with very little knowledge of the person who owns the account, e.g. Wired's editor. I have a personal example of this myself: a coworker didn't know the password to a Gmail account that we had set up for sending out continuous integration build emails (I.T. has lots of ports blocked and won't configure Exchange for us) and we needed to reconfigure it. I simply guessed the location he had logged in at (he's in another country), but that didn't work, and then I tried his various known email addresses and one of them was accepted. Google gave me full access to the account; it was ridiculously easy.

      But I digress. We still need at least a second part of the equation to protect a scheme like the one they're recommending. What they're offering is only one-factor and is just as poor, if not poorer, than using a password alone; it's only together that they're strongest.

    34. Re:Brilliant idea by swanzilla · · Score: 5, Funny

      They must be in cahoots with my luggage manufacturer.

    35. Re:Brilliant idea by grantspassalan · · Score: 2

      How is something like fingerprints, a voiceprint or an iris scan different than a token or key? Just because the former are built in to your body, does not make them fundamentally different. They do have the advantage of not easily getting lost or stolen, but there have been reports of fakery even in those things. Additionally, once those biometrics are compromised, how are you going to fix that? Get new fingers or eyes?

      --
      A sufficiently advanced simulation is indistinguishable from reality.
    36. Re:Brilliant idea by cusco · · Score: 2

      My current Keepass database is now over 180 groups, most with multiple levels of passwords for different systems at customer sites. Most of our competitors have one or two passwords that they use across all customers. Our smarter sales guys use that as a selling point, and it also makes the customer's IT staff more likely to grant us remote access when they see that we actually do pay attention to user account security.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    37. Re:Brilliant idea by jbmartin6 · · Score: 2

      Problem is handling special characters via web interface. Allowing them causes all sorts of problems with encoding and bypass vulnerabilities. It's not impossible, just a lot trickier to implement. I don't mind the sites that decline special characters so much, it is the arbitrary length limits. Why can't I use 24 characters if I want? I don't know what back end issue would cause say a 12-character limit, unless it is just a front end to some cruddy old legacy system.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    38. Re:Brilliant idea by osu-neko · · Score: 2

      I remember suggesting this at a customer's office years ago. As an example, I used a password made from the first letters of the words in the sentence, "The rain in Spain falls mainly on the plain." They seemed to like the idea in principle, but thought it would work better with a famous and easy to remember quote rather than a weird, random sentence. To my utter shock and horror, not a single person there had heard that sentence before.

      --
      "Convictions are more dangerous enemies of truth than lies."
    39. Re:Brilliant idea by osu-neko · · Score: 2

      If nerds have to do a bunch of tricks just to give themselves a little faith in their passwords, what hope does everyone else have?

      Why would we care? ;)

      --
      "Convictions are more dangerous enemies of truth than lies."
    40. Re:Brilliant idea by Algae_94 · · Score: 2

      I have a password manager in my head. I have one strong password that gets modified by my own algorithm. The modification is based on the site or service the password applies to. You only need to remember two things, the strong password and the algorithm to apply the modification to get the real password. For a simple example: If your strong password was "kittens" (obviously "kittens" is not strong, but it works for an example) and your algorithm was to simply concatenate the password and the name of the site, the password for /. might be "kittensslashdot" while the password for a Google account might be "kittensgoogle".

      Obviously you would want a stronger password to begin with, and you would want an algorithm a little more complicated than concatenation, but this does help prevent having to remember a potentially infinite set of passwords and just remember 1 + an algorithm. If your algorithm is good, you won't have a lot of dictionary words, the password length will be fairly long, and you won't suffer from password reuse.

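Algae_94's "password manager in your head" is a deterministic per-site derivation, and the objection raised earlier in the thread (a leaked `12345slashdot` gives away `12345email`) applies to any scheme whose output visibly contains the master. The following is an added example, not from the post: it contrasts the naive concatenation with a derivation through PBKDF2, keyed by the master and salted with the site name, whose output reveals nothing about the master or about other sites' passwords. The function names, the `sitepw-v1` salt label and the 64-symbol alphabet are this example's own choices.

```python
import hashlib
import string

# 64 symbols: each output character consumes exactly 6 bits, so there is no modulo bias.
ALPHABET = string.ascii_letters + string.digits + "!@"
assert len(ALPHABET) == 64
ITERATIONS = 200_000


def naive_password(master: str, site: str) -> str:
    """The concatenation scheme from the post: one leaked password shows the master in the clear."""
    return master + site


def derive_password(master: str, site: str, length: int = 20, counter: int = 0) -> str:
    """Per-site password = PBKDF2-HMAC-SHA256(master, salt = label|site|counter), mapped onto ALPHABET.
    `site` is normalised so 'Slashdot ' and 'slashdot' give the same password; `counter` lets one
    site's password be rotated after a breach without touching the master or any other site."""
    salt = f"sitepw-v1|{site.strip().lower()}|{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=length)
    # raw is uniform over [0, 2**(8*length)), a multiple of 64**length, so each base-64 digit
    # taken below is uniform as well.
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, 64)
        out.append(ALPHABET[idx])
    return "".join(out)


if __name__ == "__main__":
    master = "kittens"  # weak on purpose, as in the post
    for site in ("slashdot", "google"):
        print(f"{site:10} naive={naive_password(master, site):20} derived={derive_password(master, site)}")
```

The remaining caveat a practitioner should keep in mind: if the scheme is public and one derived password leaks, an attacker can still brute-force the master offline by re-running the derivation, which is why the iteration count is high and why `kittens` would fall in seconds regardless; the master has to be long. A real password manager avoids this entirely by storing random, unrelated passwords.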
    41. Re:Brilliant idea by kevmeister · · Score: 4, Informative

      +1 for LastPass.

      LastPass keeps an AES encrypted vault on my system, so I can use it when their vault is unreachable. AES is important as too many password "vaults" use undefined or obsolete and possibly vulnerable encryption. Works with Google Authenticator, too. Runs on Windows, MacOS, Linux and even my FreeBSD systems as well as iOS and Android. I'll admit that the mobile version is sub-optimal, but it does work. (A few apps don't allow a paste into the password field, so it won't work properly with them.)

      Oh. It is commercial and not free for mobile devices. It is subscription based, costs about USD 1 a month for all mobile devices sharing a single vault, and is paid annually. It is free for desktop devices. LastPass also owns XMarks, the multi-browser bookmark and history sync service that I also use.

      I have no association with LastPass other than as a generally happy user.

      --
      Kevin Oberman, Network Engineer, Retired
    42. Re:Brilliant idea by lgw · · Score: 2

      Problem is handling special characters via web interface. Allowing them causes all sorts of problems with encoding and bypass vulnerabilities.

      Are there really people out there who still find this at all difficult? Seems hard to believe. I would rather expect banks to exclude some special characters due to ASCII-EBCDIC translation problems, and other sites due to outsourcing coding tasks to the mentally challenged in some sort of outreach program.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    43. Re:Brilliant idea by Electricity+Likes+Me · · Score: 3, Interesting

      The idea is that KeePass uses a combination of mouse and keyboard input injection to type the password - most loggers only look at keyboard input, which defeats "trivial" cases - after all, if your system is keylogger compromised you have a much bigger problem anyway.

  2. Yeah yeah, we have seen this before by s.petry · · Score: 5, Interesting

    Every big company at some point has declared war on the password. We have smart cards, biometrics, RSA tokens, and finger paintings to prove it. None of those things work any better than a password when used alone. In conjunction with a password, we can achieve "better" security.

    The logic of a password-less world is what's broken. Period, end of statement. If the logic is broken, no matter who implements the password-less solution we still end up with a broken solution.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Yeah yeah, we have seen this before by ColdWetDog · · Score: 5, Funny

      One phone to rule them all, One phone to find them,
      One phone to bring them all and in the darkness bind them
      In the Land of Google where the Shadows lie.

      Don't be evil!

      --
      Faster! Faster! Faster would be better!
    2. Re:Yeah yeah, we have seen this before by s.petry · · Score: 2

      I accept the apology, but will point out that you should check user post history before accusing them of being shills. This is of course in addition to reading what was written, and not what you wish to read :)

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  3. Tracking by QuietLagoon · · Score: 5, Insightful

    ... Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. ...

    That certainly makes it much, much easier for google to track you as you go around the web.

    1. Re:Tracking by TheGratefulNet · · Score: 5, Funny

      security principles for authentication:

      1) what you have
      2) what you are
      3) what you know

      for google:

      1) what you have: you have a tracking device that we'd like you to always have on and always transmit your location and other info to us.

      2) what you are: you are a source of marketing info to us, as well as other info we can give/sell to others.

      3) what you know: you are told that we are 'not evil' and we've repeated that so many time, you just KNOW its true.

      --
      "It is now safe to switch off your computer."
  4. Biometrics by drummerboybac · · Score: 2

    Isn't there already biometrics for this? You can't forget your finger in the car, and nobody can discreetly steal it. They could steal it with a pair of bolt cutters, but then you have much bigger issues.

    1. Re:Biometrics by Nerdfest · · Score: 4, Interesting

      You should always use 2 factor authentication, with biometrics and with what is being suggested here. You know, both something you can lose, and something you can forget.

  5. Great idea! by fredprado · · Score: 2

    Now I will have to give my full identity to any site that today requires just an e-mail account to register. An identity that will be the same I will use to make payments. What could go wrong with that?

  6. Anonymity by Anonymous Coward · · Score: 4, Insightful

    Passwords are bad because they allow any individual to create as many distinct accounts as he or she wants. Require a hardware device per account and you now need an investment for every distinct account. Google wants every user to be identifiable across all sites/services using the same ID.

  7. Remember my password ... by perpenso · · Score: 2

    Because I totally want anyone who steals my phone to be able to access every other site I use.

    Well, given the popularity of the "remember my password" "feature", that is sort of where we are today on computers and mobile devices.

  8. For the last time Google! by Sydin · · Score: 4, Insightful

    I really mean it: I don't want to have to login to the internet. You keep trying to get me to do it with Chrome, so I switched from that, but now you're going to badger me about this for my phone, too? Sometimes I want to surf anonymously. Sometimes I don't want Site X and Site Y knowing that I'm the same person logging into both. And I can say for certain that all the time, I don't want to be tracked by you so you can present me with more "targeted ads" to give me a better user experience. Let's not even get into what happens if my phone gets stolen, and suddenly all my consolidated information is at some stranger's fingertips. There are far, FAR too many problems with centralized authentication, and I'm really getting sick of Google trying to force it down my throat.

    1. Re:For the last time Google! by nuggz · · Score: 3, Insightful

      Yeah those bastards should work on implementing some sort of incognito mode when you're on the internet.

    2. Re:For the last time Google! by Hunter+Shoptaw · · Score: 3, Insightful

      So stop using Google Products. Seriously, if you don't like it change or stop complaining. You don't have to use Google, Chrome, Android or any other Google Product. You choose it.

    3. Re:For the last time Google! by AmiMoJo · · Score: 2, Informative

      I really mean it: I don't want to have to login to the internet. You keep trying to get me to do it with Chrome, so I switched from that

      You know it is literally one click and it won't bug you again, right?

      Sometimes I want to surf anonymously.

      And sometimes you want to authenticate yourself. Just don't authorize sites you don't trust to use your authentication, or enable private browsing mode.

      Sometimes I don't want Site X and Site Y knowing that I'm the same person logging into both.

      TFS mentions that Google's system makes this impossible.

      Let's not even get into what happens if my phone gets stolen, and suddenly all my consolidated information is at some stranger's fingertips.

      Just password protect the phone. That is the point - you have a single password for the phone that you don't use anywhere else. The unlocked phone is used for authentication, which is anonymous. The site doesn't get to track you with it, doesn't get your phone number, doesn't get access to your private data. That includes Google, as TFA makes clear.

      Protips: read TFA before ranting and never go full retard.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:For the last time Google! by brkello · · Score: 2

      Ok, then Google stops being viable as a company. You get all this stuff for free because Google is an ad company and can make enough money doing that that they don't need to charge you for its applications or services.

      Don't like it, don't use it.

      --
      Support a great indie game: http://www.abaddon360.com
  9. Do not RTFA by Night64 · · Score: 5, Informative

    Would you all PLEASE not RTFA this time? I cannot, for the love of God, read another whiny story about "I'm Matt Honan and I was fucked in the ass (metaphorically speaking) by a 15 year old". And if this post gets slashdotted, Wired will post another 100 stories about that. So please DNTRFA!

    --
    Grey's Law: Any sufficiently advanced incompetence is indistinguishable from malice.
    1. Re:Do not RTFA by Hunter+Shoptaw · · Score: 2

      You can read it on ARS if it makes you feel better.

  10. retina? by genericmk · · Score: 2

    Everything has a camera on it these days. Why not authenticate with your retina? Authenticate everything from an authenticated device as Google proposes, but don't make the Android phone the centerpiece of authenticating everything.

    1. Re:retina? by jones_supa · · Score: 3, Insightful

      I'm not sure if the quality of many cameras is high enough for retina authentication*. Someone might also show a picture of your eye in front of the camera and thus gain access. I still find your idea interesting and would like to subscribe to your newsletter.

      *) Unless Apple comes up with Retina Camera ;)

  11. Has Google become EVIL? by Anonymous Coward · · Score: 2, Interesting

    Does Google want one authentication for everything so that it's easier to identify everyone?

    Or, is the idea just some out-of-control childish thinkers at Google?

    1. Re:Has Google become EVIL? by grantspassalan · · Score: 2

      So what is new here since medieval times? Security based on either something you have or something you know. Whatever you have can be taken from you or lost, and whatever you know can be forgotten or you can be tricked into revealing the secret. So far, these 2 security mechanisms are still the only ones available. There has always been and there will always be an inherent tension between good security and easy access. A bank vault combination is quite secure, but would you want to have to dial that every time you want to go into your house?

      --
      A sufficiently advanced simulation is indistinguishable from reality.
  12. how about REMOVING ARBITRARY PASSWORD LIMITS! by Umuri · · Score: 5, Insightful

    Relevant xkcd
    But seriously, how many times have you seen minimum (ok, can see a point here) or maximum (WTF) limits on a password length? Or requirements of what it can or cannot contain.

    Is there any reasonable excuse for why a password must not contain certain characters, besides breaking poorly made scripts? I mean password security 101 says they'll hash it anyway, so why should it matter?

    --
    You never realize how much manually made unmanaged "linked" lists suck, till you have src.link.link.link.link...
    1. Re:how about REMOVING ARBITRARY PASSWORD LIMITS! by codemaster2b · · Score: 5, Interesting

      Yes, there is a reasonable excuse why it must contain certain minimum lengths and characters. It has to do with exponents. For fun I've written several types of password hash crackers in the past. The best way to defeat a brute-force password cracker is to expand the keyspace.

      A good password today is at minimum 8 characters, and can consist of any one of 95 keypresses on the keyboard. 95^8 = 6.6e15 combinations.
      If you don't use special characters, that 8 character password is only 62^8 = 2.2e14 combinations.
      If you don't use numbers, that 8 character password is only 52^8 = 5.3e13 combinations.
      And if you don't even bother to change cases, that 8 character password is 26^8 = 2.1e11 combinations.

      Those numbers don't tell the real story. Old Windows XP passwords could be cracked on average 2011 hardware at about 10 million (1e7) combinations / second. The "good" password above would be cracked in 21 years (max). No special characters would be cracked in 8 months. No numbers in 2 months. And single-case only in 6 hours.

      But today we have GPU password cracking, and much better hardware. A Radeon 5770 could crack the "good password", 8 characters long in a mere 28 hours. That was hardware from 2 years ago.

      --
      And over there we have the labyrinth guards. One always lies, one always tells the truth, and one stabs people who ask t
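      Added example (not the commenter's own cracker code): a Python script that carries the keyspace and worst-case exhaustion arithmetic above through for any password, using the two guess rates the comment quotes. The per-class sizes (95 = 26 lower + 26 upper + 10 digits + 33 specials including space) and the sample passwords are assumptions.

```python
import string

# Keyboard character classes an exhaustive search would enumerate.
# Sizes are an assumption matching the comment's 95-key keyboard:
# 26 lower + 26 upper + 10 digits + 33 specials (punctuation plus space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation) | {" "},
}

# Guess rates from the comment: ~1e7/s for Windows XP hashes on 2011 CPU
# hardware, and the rate implied by a Radeon 5770 exhausting 95^8 in 28 hours.
RATE_XP_CPU = 1e7
RATE_GPU_5770 = 95 ** 8 / (28 * 3600)


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from.
    A policy that forbids a class shrinks the union an attacker must search."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Candidates an exhaustive search must try at worst: alphabet^length."""
    return alphabet ** length


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace for this password's length and classes (the comment's 'max')."""
    return keyspace(len(password), charset_size(password)) / guesses_per_second


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords, one per class combination from the comment.
    for pw in ("Tr0ub4d&", "Tr0ub4do", "Troubado", "troubado"):
        print(f"{pw!r:12} alphabet={charset_size(pw):3}  "
              f"XP-CPU: {describe(worst_case_seconds(pw, RATE_XP_CPU)):>12}  "
              f"GPU: {describe(worst_case_seconds(pw, RATE_GPU_5770)):>12}")
```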
  13. Common sense, FTW by Okian+Warrior · · Score: 4, Informative

    Suppose you have a "smart" credit card in the form of one of those "credit card" calculators. Keypad + simple LCD display.

    When you use the card, you type a PIN/password on the card, which then generates a new single-use credit card number which attaches to your account, encrypts it with your personal key, and sends it off when the card is swiped.

    If you lose your card, no one else has access since they don't have your PIN(*). No one can snoop the data since it's encrypted en-route. No one can copy your card since the information never leaves the card and anyway the number is single-use only.

    Suppose this same card is in the form of a thumb drive. It identifies as a security token, and will encode and decode on request, but will not under any circumstance let the keys out. All calculations are done on the device, the code is fixed and cannot be changed, and requires a PIN once when the computer boots.

    You don't have to worry about viruses or data leaks.

    Since it is a thumb drive, you can add public keys with abandon. To do business with any company, you send them a token encoded with your private key and their public key, they send you information using their private key and your public key. The card will require the operator to enter the PIN to store a new corporate key (for convenience). All the public keys for your credit cards, store cards, bank access, &c are stored in one place.

    Suppose the device is Bluetooth enabled. Now you don't need to hunt around for a USB port - you can enter your PIN and hit "accept" when you want to make a purchase at a store - after the LCD display shows you the purchase price.

    If you lose your device you get a new one. Go to the bank, show identification, get a new card with the bank's keys on it. If the bank keeps a backup of your stored corporate keys, they can download the keys along with your new private key at their secure site.

    The important bit for all of this is a) the calculations are done on the device not an external computer, and b) storage for multiple corporate keys (visa, MC, Pennys, Wal-Mart, &c) in one device.

    This has been obvious for years, it's just one of those cases where the entrenched monopoly has no incentive to fix the problem.

    (*) Even assuming a thief can hack the physical card, it takes credit card theft away from "millions of cards were exposed by computer hack" to "lots of work required to hack a single card". And your bank will invalidate your old private key when the new card is issued.

  14. So the *real* reason is... by fahrbot-bot · · Score: 2

    Once you're automatically logged into ALL your accounts at the same time, Google (and other sites) have a much wider pool of available data upon which to link and troll information about you. For example, have you checked your Twitter account settings recently? Twitter automatically tries to connect to your Facebook account - even if you don't have one, which I don't (that I know of anyway). (Damn Twitter panel just sits there with its icon swirling.)

    Personally, I prefer to only logon to sites as-needed.

    --
    It must have been something you assimilated. . . .
  15. I don't see how passwords were the problem... by superdave80 · · Score: 2

    The article links to an example of a guy (Mat Honan) who had his accounts hacked into:

    http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

    But as far as I can tell from reading that article, no password was ever compromised. Most of the passwords were reset using other information (credit card numbers, billing address, etc.), and by tricking clueless phone support people. So why use this example as a reason to get rid of passwords, when the passwords weren't really the problem in the first place?

  16. Why not include *where* we are? by webdog314 · · Score: 3, Interesting

    I'm certainly no expert in the security of GPS/spoofing, but since so many of our devices have location services built in, couldn't we add *where* we are trying to gain access as a relevant factor? Perhaps the security system could ask for a mere simple password if it sees that you are currently at home, and require secondary authentication (RSA fob, Google Auth, etc.) someplace you haven't been before. Most people who have stolen your credentials aren't going to log in from your house (short of your own kids, but if that happens, you have bigger problems).

  17. Fingerprints are awful by tokencode · · Score: 2

    Fingerprint readers are one of the WORST methods of security. Imagine if you left your password on everything you touched. A little super-glue mist and someone has your password. Biometric fingerprint readers can easily be tricked with a good latex impression of the print and a little bit of moisture and heat.

  18. Yubikey by Hrrrg · · Score: 2

    I bought a yubikey. It's a great concept. The problem is, almost no one really uses it. I bought it to use on gmail - well, guess what? Gmail didn't officially support it - you had to install a software hack to get it to work. I can get this software to work on windows, but not on Ubuntu (I probably could if I hadn't given up after an hour). Yubikey has a special key that supports lastpass and paypal. So then I bought that one, but haven't had time to try it out. I did all of this several months ago, so my info may be outdated...

  19. 1998 called... by mmontour · · Score: 3, Interesting

    Dallas Semiconductor once had a product called the "Crypto iButton", a small Java CPU + a hardware RSA engine and tamper-resistant memory. With appropriate plugins you could set it up as a security device in your browser and then authenticate remotely using SSL client certificates (with the private key never leaving the iButton).

    http://people.cs.uchicago.edu/~dinoj/smartcard/javaring.html

  20. Re:don't pick insecure passwords by jbmartin6 · · Score: 2

    What the hell does he mean by "linked?" This makes no sense.

    It means they got his gmail, then used the 'I forgot my password' links at the other sites to email reminder or reset links to his Gmail address.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  21. to quote douglas adams by pezpunk · · Score: 2

    "It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant --- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

    Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense."

    Ford promptly knocks Harl unconscious and steals his ident-i-eeze, which he then uses to gain access to the Hitchhiker's main corporate accounts computer system.

    --
    i could live a little longer in this prison
  22. Wrong part number by mmontour · · Score: 2

    Some other iButton products are still available, but the Java cryptographic ones I'm talking about (e.g. DS1957) were discontinued.