Slashdot Mirror


Google Declares War On the Password

An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. 'We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity.' Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"


  1. Brilliant idea by 0123456 · · Score: 5, Insightful

    Because I totally want anyone who steals my phone to be able to access every other site I use.

    1. Re:Brilliant idea by Andrio · · Score: 5, Insightful

      The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you.

      This proposed plan just makes cellphones that much more attractive to steal.

      --
      The Internet King? I wonder if he could provide faster nudity.
    2. Re:Brilliant idea by Dexter+Herbivore · · Score: 5, Insightful

      The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you. This proposed plan just makes cellphones that much more attractive to steal.

      The WORST feature of the password is that it's in your head. I have 20+ login passwords between work and home, my security is lower because you have to simplify them to remember them. If we can find a way to escape the tyranny of passwords that can generally be cracked by anyone who's determined anyway it can only be progress. Not that I have any faith in any organisation to do it after many failed or barely passable attempts (biometrics, smart cards etc).

    3. Re:Brilliant idea by dkleinsc · · Score: 5, Interesting

      As you hint, passwords are both necessary and insufficient for real security. For anything important, you really ought to have 2/3 of the ID triangle: something you know (like a password), something you have (like an RSA token), or something you are (like fingerprints).

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    4. Re:Brilliant idea by terrab0t · · Score: 5, Informative

      I use a password manager to solve this problem. It stores all (or a large set of) my passwords in an encrypted database. I have one very strong password that lets me access the database. The passwords it stores are all strong (sometimes hard to remember) passwords that I do not have to store in my head.

      I still have all of my eggs in one basket, but that basket is sealed in a solid iron box.

    5. Re:Brilliant idea by kaiser423 · · Score: 5, Informative

      It really is. I love their current implementation. It's actually security done right. I use Google Authenticator on my phone. If I login from an unknown computer, it asks me for a pass code also, which I just bring up on my phone. I only need to remember the password to my phone/tablet. It's easily the most seamless and secure two-factor authentication I've ever used, and I've used a lot of them....

      I also use it as a token to access a couple of other sites. I believe that Apache has a module that can sync to Authenticator. It's great two-factor.

      It also comes with a list of one time codes that I can carry around for when I don't have access to my phone or tablet.

      It's like a permanent key/password manager for all of Google. It'd be great to turn it into my whole life. Much easier to just de-sync the Authenticator, then re-sync rather than blow away passwords for all sites, then re-create them for all sites if something gets compromised.

      TL;DR I trust Google to do this right because they're already miles ahead of everyone else.

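The two-factor flow kaiser423 describes above (and the Authenticator-protected vault in Baloroth's reply below) runs on the TOTP algorithm of RFC 6238: a 6-digit code derived from a shared secret and the current 30-second time step. The following is an added example, not code from the original thread or from Google; the function names, the one-step drift window and the 20-byte secret size are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# HOTP (RFC 4226) and TOTP (RFC 6238), the scheme Google Authenticator implements.
# A code is only valid for its 30-second step, so a captured code is worthless
# once the step has passed, unlike a captured password.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter: dynamically truncated HMAC-SHA1 of the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the current time step."""
    return hotp(secret, at_time // step, digits)


def verify(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    (assumed drift allowance) using a constant-time comparison."""
    counter = at_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def enroll():
    """Provision a fresh random secret; the base32 form is what the QR code carries.
    Re-running this is the 're-sync' step from the comment: every code derived
    from the old secret stops verifying, without touching any site password."""
    secret = secrets.token_bytes(20)  # assumed size; matches the RFC SHA-1 examples
    return secret, base64.b32encode(secret).decode()


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret shown at enrolment back into raw bytes."""
    return base64.b32decode(encoded.upper())


if __name__ == "__main__":
    # RFC 6238 test secret (constructed by the RFC, not a real credential)
    rfc_secret = b"12345678901234567890"
    print("code at t=59:", totp(rfc_secret, 59))          # 287082 per the RFC vectors
    print("still valid one step later:", verify(rfc_secret, totp(rfc_secret, 59), 89))
    print("rejected a few steps later:", verify(rfc_secret, totp(rfc_secret, 59), 150))
```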
    6. Re:Brilliant idea by kaiser423 · · Score: 5, Insightful

      True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time to individually change each one.

      Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.

    7. Re:Brilliant idea by SirGarlon · · Score: 5, Interesting

      From the point of view of a digital stream of data, something you have is indistinguishable from something you are. (Fingerprint scanners are vulnerable to replay attacks.)

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    8. Re:Brilliant idea by Baloroth · · Score: 5, Informative

      True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time to individually change each one.

      Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.

      LastPass offers Google Authenticator security over the vault, which means even if they get the master password they still wouldn't be able to access my vault. This does, however, mean the vault is technically not under my complete control (since I don't store it locally, although I do keep a semi-regular backup of it). But, the advantage is worth it in my opinion.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    9. Re:Brilliant idea by Anonymous Coward · · Score: 5, Insightful

      There sure are a lot of people responding to you to explain the convoluted acrobatics they do to manage their passwords.

      If nerds have to do a bunch of tricks just to give themselves a little faith in their passwords, what hope does everyone else have?

    10. Re:Brilliant idea by Anonymous Coward · · Score: 5, Informative

      I stopped using LastPass and switched to hiding keepass in SpiderOak last year when someone downloaded LastPass' entire, albeit encrypted, password database. I was burned bad by that break in, because I had to sit there and change dozens of passwords just in case. I migrated to keepass and generated very strong long random passwords for each website with it. I can't login to any sites now without it. I'd also recommend locking your keepass with a key file that you keep hidden elsewhere in addition to a password just in case your main password is stolen. Oh, and if you use webmail like gmail, make sure to use the two-factor authentication that they provide to give some added security. It is far too easy to reset an account with very little knowledge of the person who owns the account, e.g. Wired's editor. I have a personal example of this myself: a coworker didn't know the password to a gmail account that we had set up for sending out continuous build integration emails (I.T. has lots of ports blocked and won't configure exchange for us) and we needed to reconfigure it. I simply guessed the location he had logged in at (he's in another country) but that didn't work, and then I tried his various known email addresses and one of them was accepted. Google gave me full access to the account; it was ridiculously easy. But, I digress. However, we still need at least a second part of the equation to protect a scheme like the one they're recommending. What they're offering is only one-factor and is just as poor if not more poor than using a password alone; it's only together that they're strongest.

    11. Re:Brilliant idea by swanzilla · · Score: 5, Funny

      They must be in cahoots with my luggage manufacturer.

  2. Yeah yeah, we have seen this before by s.petry · · Score: 5, Interesting

    Every big company at some point has declared war on the password. We have smart cards, biometrics, RSA tokens, and finger paintings to prove it. None of those things work any better than a password when used alone. In conjunction with a password, we can achieve "better" security.

    The logic of a password-less world is what's broken. Period, end of statement. If the logic is broken, no matter who implements the password-less solution we still end up with a broken solution.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Yeah yeah, we have seen this before by ColdWetDog · · Score: 5, Funny

      One phone to rule them all, One phone to find them,
      One phone to bring them all and in the darkness bind them
      In the Land of Google where the Shadows lie.

      Don't be evil!

      --
      Faster! Faster! Faster would be better!
  3. Tracking by QuietLagoon · · Score: 5, Insightful

    ... Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. ...

    That certainly makes it much, much easier for google to track you as you go around the web.

    1. Re:Tracking by TheGratefulNet · · Score: 5, Funny

      security principles for authentication:

      1) what you have
      2) what you are
      3) what you know

      for google:

      1) what you have: you have a tracking device that we'd like you to always have on and always transmit your location and other info to us.

      2) what you are: you are a source of marketing info to us, as well as other info we can give/sell to others.

      3) what you know: you are told that we are 'not evil' and we've repeated that so many times, you just KNOW it's true.

      --
      "It is now safe to switch off your computer."
  4. Do not RTFA by Night64 · · Score: 5, Informative

    Would you all PLEASE not RTFA this time? I cannot, for the love of God, read another whiny story about "I'm Matt Honan and I was fucked in the ass (metaphorically speaking) by a 15 year old". And if this post gets slashdotted, Wired will post another 100 stories about that. So please DNTRFA!

    --
    Grey's Law: Any sufficiently advanced incompetence is indistinguishable from malice.
  5. how about REMOVING ARBITRARY PASSWORD LIMITS! by Umuri · · Score: 5, Insightful

    Relevant xkcd
    But seriously, how many times have you seen minimum (ok, can see a point here) or maximum (WTF) limits on a password length? Or requirements of what it can or cannot contain.

    Is there any reasonable excuse for why a password must not contain certain characters, besides breaking poorly made scripts? I mean password security 101 says they'll hash it anyway, so why should it matter?

    --
    You never realize how much manually made unmanaged "linked" lists suck, till you have src.link.link.link.link...
    1. Re:how about REMOVING ARBITRARY PASSWORD LIMITS! by codemaster2b · · Score: 5, Interesting

      Yes, there is a reasonable excuse why it must contain certain minimum lengths and characters. It has to do with exponents. For fun I've written several types of password hash crackers in the past. The best way to defeat a brute-force password cracker is to expand the keyspace.

      A good password today is at minimum 8 characters, and can consist of any one of 95 keypresses on the keyboard. 95^8 = 6.6e15 combinations.
      If you don't use special characters, that 8 character password is only 62^8 = 2.2e14 combinations.
      If you don't use numbers, that 8 character password is only 52^8 = 5.3e13 combinations.
      And if you don't even bother to change cases, that 8 character password is 26^8 = 2.1e11 combinations.

      Those numbers don't tell the real story. Old Windows XP passwords could be cracked on average 2011 hardware at about 10 million (1e7) combinations / second. The "good" password above would be cracked in 21 years (max). No special characters would be cracked in 8 months. No numbers in 2 months. And single-case only in 6 hours.

      But today we have GPU password cracking, and much better hardware. A Radeon 5770 could crack the "good password", 8 characters long in a mere 28 hours. That was hardware from 2 years ago.

      --
      And over there we have the labyrinth guards. One always lies, one always tells the truth, and one stabs people who ask t
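The keyspace arithmetic in codemaster2b's comment, carried through as an added example (not code from the thread): it reproduces the CPU-rate timings for all four character classes, back-calculates a GPU rate from the "95^8 in 28 hours" figure, and goes one step further to show that length grows the keyspace faster than character classes do, which is the policy lesson for anyone setting maximum-length limits. The class names, the 100-year target and the rounding are assumptions.

```python
# Character-class sizes from the comment: lowercase, mixed case, alphanumeric,
# and all 95 printable ASCII keys.
CLASSES = {"lowercase": 26, "mixed case": 52, "alphanumeric": 62, "all printable": 95}

# Guess rates: 1e7/s is the 2011-CPU figure quoted in the comment; the GPU rate is
# a constructed approximation back-calculated from "95^8 in 28 hours"
# (6.6e15 / 100800 s), rounded to two digits.
CPU_RATE = 1e7
GPU_RATE = 6.6e10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, one decimal place."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def min_length(alphabet_size: int, rate: float, target_seconds: float) -> int:
    """Smallest length whose full keyspace takes at least `target_seconds` to exhaust
    (integer search rather than a float log, so there is no rounding error)."""
    needed = rate * target_seconds
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    for name, size in CLASSES.items():
        cpu = humanize(worst_case_seconds(size, 8, CPU_RATE))
        gpu = humanize(worst_case_seconds(size, 8, GPU_RATE))
        print(f"8 chars, {name:13}: {cpu:>12} (CPU) / {gpu:>10} (GPU)")
    # Length beats character classes: 12 lowercase letters out-grow 8 from all 95.
    print("26^12 > 95^8:", keyspace(26, 12) > keyspace(95, 8))
    century = 100 * 365.25 * 86400  # assumed policy target
    print("length for a 100-year search at GPU rate:",
          {n: min_length(s, GPU_RATE, century) for n, s in CLASSES.items()})
```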