Slashdot Mirror


DARPA Wants To Kill the Password

jfruh writes: Many security experts agree that our current authentication system, in which end users are forced to remember (or, more often, write down) a dizzying array of passwords, is broken. DARPA, the U.S. Defense Department research arm that developed the Internet, is trying to work past the problem by eliminating passwords altogether, replacing them with biometric and other cues, using off-the-shelf technology available today.


  1. There we go again by ArcadeMan · · Score: 4, Funny

    Kill and eliminate passwords? Violence is not the answer.

    1. Re: There we go again by Anonymous Coward · · Score: 4, Insightful

      We don't need to kill and eliminate passwords, we just need to modify them. The problem with passwords for the average user is the dizzying array of requirements from various websites (between 8 and 20 characters long, required to have upper/lower case and numbers, must have punctuation except "|~, etc.). I've never understood why passwords can't be sentences, like "I'm going to take my dog, Spot, to the park today." It's much easier to remember for the layperson and pretty quick to type once you've done it a few times. IANAC (I Am Not A Cryptologist), but I thought password strength was a function of length and potential character set. It seems like everyday sentences would be the way to go since guessing it exactly right would be exceedingly difficult.

    2. Re: There we go again by AC-x · · Score: 4, Informative

      You probably shouldn't try to write about things you don't know about or understand.

      1. The industry-accepted way to store passwords securely in a database is with a one-way, salted cryptographic hash (using as CPU-intensive an algorithm as possible).

      2. Many organisations have had database intrusions where these password hashes have been stolen (e.g. eBay, LinkedIn, LivingSocial, etc.)

      3. When this happens (i.e. "they have a copy of the password hash") passwords can be cracked offline. Strong passwords are safe (too hard to brute force), but weak passwords can be found using a dictionary attack.

      4. Once the password is found offline a hacker can log straight in to the victim's online account with a single password attempt.

    3. Re: There we go again by AC-x · · Score: 4, Informative

      Hey Desler, I really don't get you: you (appear to) know what a salt is, yet you don't understand that an attacker would be performing the attack on the hash offline, with their own hardware. Rate limiting their own hardware would be, as you put it, the height of idiocy.

  2. All good until someone simulates biometrics... by Anonymous Coward · · Score: 5, Insightful

    You can change a password, you can't change your retina print. What do you do when your account is compromised? Get new eyes?

    1. Re:All good until someone simulates biometrics... by Thanshin · · Score: 5, Funny

      Fingerprint scanners are fooled by gummy bears.

      Where I work, the scanners are quite high. Way beyond the reach of even the tallest gummy bears.

    2. Re:All good until someone simulates biometrics... by Anonymous Coward · · Score: 4, Funny

      They may be short, but don't be fooled - they can actually reach quite high if they have their juice with them.

    3. Re:All good until someone simulates biometrics... by mellon · · Score: 4, Insightful

      Exactly right. Biometric passwords are much easier to fake, because you can't change them. They also provide a nice means of identifying surveillance targets. It's almost as if these guys are getting direction from the NSA or something.

  3. Ultimately... by Anonymous Coward · · Score: 5, Insightful

    Ultimately, whatever password replacement you come up with gets turned into TCP/IP packets over the intertubes. Whether you are measuring my height, fingerprint, penis size or whatever metric you come up with, it gets turned into 0's and 1's that I can grab and duplicate. It is still information on a remote server that can be hacked and used by third parties.

    And worse... once hacked, I can't do much to change my biometrics... so I'm totally screwed once the host server is hacked and a million biometric accounts are compromised.

    1. Re:Ultimately... by digitig · · Score: 5, Funny

      Whether you are measuring my height, fingerprint, penis size or whatever metric you come up with

      Penis size is pretty useless as a biometric. It changes depending on the site being accessed.

      --
      Quidnam Latine loqui modo coepi?

  4. presumably so... by Anonymous Coward · · Score: 5, Insightful

    ...when the NSA wants to tap into various accounts, they can track exactly who they belong to and who accesses them, because it will be linked to your personally identifiable biometrics.

  5. I can't change my fingerprint by Ubi_NL · · Score: 5, Insightful

    I can change my password anytime if I think somebody copied it. I cannot change my fingerprint or retina. There is no way I'm giving random webshops or Google my biometric data.

    --

    If an experiment works, something has gone wrong.

  6. As long as certain rules are kept by Thanshin · · Score: 5, Interesting

    I'm ready to switch passwords for anything else as long as:
    1 - It can't be extracted from me by an easier method than torture or blackmail.
    2 - It stops working forever if I'm dead.

    Otherwise, some blood will have to wash away the naivete. Again.

  7. Passwords don't need to be killed by nine-times · · Score: 4, Insightful

    Passwords don't need to be killed. If you're thinking about replacing them with biometrics, I think that's thinking about the problem the wrong way too. The fact is, we already have all the technology we need to solve this problem much better than we do today. It's simple: instead of passwords, you should have a password-protected private key, with a single password, and then use public keys for authentication. That way, you only need to know one password, and you've also eliminated a lot of the danger of snooping on connections because the private key isn't being sent.

    Of course, it would require that everyone pretty much agree on one set of standards for how it's supposed to be implemented, and then developers have to build their products with those standards. Then you probably also want some trustworthy and inexpensive/free Certificate Authorities. Ideally you'd want to be able, though not required, to use the same private key for everything-- email encryption, ssh logins, maybe even credit card purchases-- so you'd need mechanisms for managing your keys, keeping them safe but also making them available when needed. Throw in some dual-factor authentication where you want a high level of security, and you've basically solved the issue.

  8. So...revoke the certificate by Overzeetop · · Score: 4, Informative

    Any biometric password should be based on a certificate, not a direct digital representation of the biometric.

    --
    Is it just my observation, or are there way too many stupid people in the world?

  9. They should watch "Archer"... by QilessQi · · Score: 5, Funny

    Pam: Oh, OK, then good luck with all the biometric scanners. Unless you wanna cut off my fingers and scoop out my retinas.

    Kidnappers look at each other.

    Pam: Oh, don't be dicks!

  10. A standardized interface for changing passwords by Marrow · · Score: 5, Insightful

    Every single site has a different way of giving you a way to change your password. This makes it impossible to write programs to change your password... like a password manager, for instance. Imagine if you could just type in your new password into your password manager program, and it changes all the passwords it manages with one click. They could all be randomly generated and different for every site. Hints, recovery, email addresses, could all be updated with one click. With a history as to the previous versions in case something went south.

    Instead of struggling with writing all the captchas, and strength meters, and interfaces, and all the CRAP that every site on the planet does differently. Just standardize the interface and maintenance of passwords. And then standardize the strength of the generator programs. And voila, permanent security that is controlled where it should be: in your hands.

  11. Re:The problem is false negative by geekoid · · Score: 5, Insightful

    "Yes, we've all seen dozens of those science fiction stories where they steal people's eyes, or cut off their fingers, or take swabs of their DNA."
    Cute, but not what the poster is talking about.

    Your info, whether it's a password or the biometric info, will get turned into a string and stored in a database.
    Once that database is compromised, your biometric info on EVERY system you log into needs to be changed to a different biometric. They don't actually need the physical eye.

    --
    The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect