Slashdot Mirror
Why Are We Still Using Passwords? (securityledger.com)
Here's some surprising news from the Akamia Edge conference. chicksdaddy writes:
[E]xecutives at some of the U.S.'s leading corporations agreed that the much maligned password won't be abandoned any time soon, even as data breaches and follow-on attacks make passwords more susceptible than ever to abuse, the Security Ledger reports. "We reached the end of needing passwords maybe seven years ago, but we still use them," said Steve Winterfeld, Director of Cybersecurity, at clothing retailer Nordstrom. "They're still the primary layer of defense."
"It's hard to kill them," noted Shalini Mayor, who is a Senior Director at Visa Inc. "The question is what to replace them with." This, even though the cost of using passwords is high and getting higher, as sophisticated attacks attempt to compromise legitimate accounts using so-called "credential stuffing" techniques, which use automated password guessing attacks against web-based applications... Stronger and more reliable alternatives to passwords already exist, but the obstacles to using them are often prohibitive. Shalani Mayor said Visa is "looking at" biometric technologies like Apple's TouchID as a tool for making payments securely. Such technologies -- from fingerprint scans to facial and retinal scans -- promise more secure and reliable factors than alphanumeric passwords, the executives agreed. But customers often resist the technologies or find them error prone or too difficult to use.
"It's hard to kill them," noted Shalini Mayor, who is a Senior Director at Visa Inc. "The question is what to replace them with." This, even though the cost of using passwords is high and getting higher, as sophisticated attacks attempt to compromise legitimate accounts using so-called "credential stuffing" techniques, which use automated password guessing attacks against web-based applications... Stronger and more reliable alternatives to passwords already exist, but the obstacles to using them are often prohibitive. Shalani Mayor said Visa is "looking at" biometric technologies like Apple's TouchID as a tool for making payments securely. Such technologies -- from fingerprint scans to facial and retinal scans -- promise more secure and reliable factors than alphanumeric passwords, the executives agreed. But customers often resist the technologies or find them error prone or too difficult to use.
Biometrics are not more secure than passwords - theyâ(TM)re less secure but sufficiently more convenient that you can convince people to use them.
We still use passwords because theyâ(TM)re still the most secure way of authenticating your identity when combined with a second factor.
If I ever get arrested or stopped at the airport, my phone could be unlocked by forcing my finger on the button or scanning my face(iPhone X). So without a password, biometrics can trivially compromise your security against state/pseudostate actors when they have physical access to you. At least with a passcode they have to observe some sort of due process to coerce you.
The best method of authentication, as far I I've experienced, is a physical token (keycard). Worst case scenario, I don't notice it's missing after two days (Friday evening till Monday morning). Chances are I've dropped in a city centre rather than haven it exploited by an unknown agency. Even still, they;ve only got the physical credentials of a low-tier employee. On-site physical access is still required.
"We reached the end of needing passwords maybe seven years ago" - "The question is what to replace them with."
qed
You are right of course to distrust your own mind; it has a bias for convenience. But someone gives you a thing like a crypto token and tells you to entrust your deepest secrets, perhaps even to imbue the artifact with your personal authority.
Should you trust that thing so much, keeping mind that in effect means trusting everyone involved in its programming and provisioning?
I foresee passwords remaining useful and indeed essential, despite their obvious limitations, as part of two factor authentication. Even if you are using biometrics, those can be stolen or counterfeited by various methods.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Clearly we need to replace passwords with a chip or mark or tattoo in the palms of the hands and on the foreheads / retinas, etc. Then we need to make sure that people can't buy or sell without taking these marks on themselves. Naturally cash will have to be eliminated. This way we can control and identify what the people spend their money on and we can use this information to further oppress and bind them down into abject bondage and suffering. Yep, that's the ticket. No more anonymity, all must bow down and accept the will of Evil. Every citizen a slave.
"A jackboot stamping on a human face forever"-Orwell or Huxley, i forget and am too lazy to search.
Faith: Belief in Truth. Superstition: Belief in Falsehood.
We use passwords because it's something you know AND SOMETHING YOU CAN CHANGE WHEN COMPROMISED.
You cannot change your fingerprints or other biometric data so when it's compromised or when technology advances in a way which allows the biometric sensors to be fooled then you are completely and totally stuffed. :-(
Do the people proposing this ever have _ANY_ real world experience at all ?
Oh, and yes, using biometric data allows intelligence agencies, who will likely be able to obtain that information in various ways, to pretend to be you when they want to compromise systems you control.
Instead of breaking in and stealing passwords, break in and steal all the biometric files. Your fingerprint may be unique, but to identify you I have to have a copy. If someone steals that copy, you are now compromised in a way you can't correct. You can't change your fingerprint every 60 days.
While other solutions may be more effective at preventing misuse by third parties, you are not required to give your password to law enforcement without reasonable cause.
Their simply demanding it is not " reasonable cause ".
Whereas your biometric ID is fair game. They can, and have, walked into an establishment and forced everyone who used biometric fingerprints to unlock their phones to do so. You have no recourse.
I'll keep my passwords until they fix the other problem thanks.
1. They aren't tied to biometrics, which once compromised, aren't easily changed. Plus, many people find it instinctively invasive, possibly because of that reason. In contrast, passwords/x509 are easily changed when when compromised or forgotten.
2. Biometrics work as authenticators but not as authorizers.. Nothing stops someone from duplicating your biometric properties (pic of your fingerprints or irises/face) without your authorization. Not so with a password.
Algorithms to validate, store and process passwords have been around a LONG time. Best practices are well known, and are relatively simple. You can build a password-based access control system using off the shelf libraries and known patterns that is very difficult, if not impossible, to bypass. The limiting factor to it's success is human fallibility.
Nearly everything else is complicated, involves a lot of math that not a lot of people understand, or third party hardware you might not trust, or third party services you might not trust, etc.. etc.. etc...
On top of all of that, maybe you can mitigate *some* human fallibility, but it can still come into play.
My Other Computer Is A Data General Nova III.
Just support devices like Yubikeys everywhere. Done.
This is what I use for Google/Gmail, Facebook, Github, and anything that requires SSH access. No more passwords. Just a physical device with a simple pin code.
The answers are pretty obvious.
Firstly, we still use them because there's no reasonable replacement. Duh.
Secondly, there's no reasonable replacement because of the way our computers work.
Passwords are essentially information held in a system outside the computer (your head), that can be used for verification. The problem is that humans aren't really good at remembering passwords, and we need so many of them, and they are infrequently needed.
All attempts at using computers to solve this issue have run afoul of the "general purpose computer" problem: because our computers do not address security properly, we cannot guarantee what software is running on the local hardware. We cannot guarantee the security of passwords held on the computer, or in an encrypted file, because it's so easy to download and run malware. No one keeps track of all the things run on the computer, and we can't even trust the people who supposedly *do* keep track.
One reasonable solution is to use hardware specific to the purpose that's *not* a general purpose computer.
If you had a piece of hardware - a thumb drive, for example - that was *not* general purpose and could not download and execute code, then that could be made pretty secure. It could hold a person's private key, have functions to encrypt, decrypt, and sign documents, and also pass out the public key. It could also download and install new keys, with the understanding that the base functions could not be changed.
There's some details involved: you need a way to securely backup the data, and you need a way to securely recover the data in various situations. Mostly, you need to save the data somewhere safe and write down a master password (one, a PIN of sorts) somewhere else.
The Mooltipass is pretty close. It generates strong passwords for each web site registration, and will fill in the fields for you when you go to log in.
That's not the complete solution, however. It should *encrypt* the password with the user's private key and the site's public key so that no one can view it(*), or even better use a zero-knowledge authentication process.
If we could somehow begin using a fixed-program computer - say, something the size of a credit-card calculator that requires a pin and that holds the information for *all* the cards in your wallet - we could get away from passwords.
We would also have a single point on which we could put *all* our effort to make secure.
Hypothetically, that one card would reduce credit card fraud to near zero. When you use the card you enter your PIN on the keypad, and the card generates a ShopSafe number tied to your credit account, valid for one purchase.
Take a look at the badges at high-tech conferences these days. It seems like the hardware shouldn't be that hard or expensive.
Could this be the next killer product from Apple? A hand-held thingy that's secure and ultra-convenient, that you use for payments (IRL and online) and password entry?
(*) Yes, ssh is not absolutely secure. Did you think all those cert authorities in your browser have been properly vetted?
think of them as a mutable biometric. it's biometric because its stored in your brain. It's mutable because you can change it. it can't actually be stolen from you if you don't give it up or write it down.
it's only when you go to transmit it that the problem occurs.
When you look at this this way, then you see that things like finger prints or retina have the same problems and worse. they are not mutable, they can be taken from you without you knowing it, and the transmission layer is still vulnerable
Nearly always, your first solution to a problem is the best one. Not always of course or there would be no need to research and study. But people have been using passwords for milennia because they are an effective tool that works from giving something to the sentry, to logging into google.
Some drink at the fountain of knowledge. Others just gargle.
people who post to slashdot from iphones and such get all of their apostrophes turned into å(TM)t â(TM)t
THis is 2017, it's possible to parse plain text and unicode correctly now I have read.
Some drink at the fountain of knowledge. Others just gargle.
Such technologies -- from fingerprint scans to facial and retinal scans -- promise more secure and reliable factors than alphanumeric passwords, the executives agreed.
No, no no, my god, no. Something that can be acquired just by looking at you is not secure. Using as authentication something that can only be changed by destructive surgery is not sane.
"First they came for the slanderers and i said nothing."
the obstacles to using them are often prohibitive
Which makes the article rather pointless.
However it misses out a vital aspect. No matter what technology replaces passwords, it will get hacked, faked, or discovered. One day. And that means that whatever security measure is in place, it must be changeable by the user, just like passwords are.
So that rules out all the biometric options, if they were only to be used on their own. Consequently, whatever replacement is to succeed must be something the user has (and could change) or knows (and can change).
But what?
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
There is nothing wrong with passwords as a first line of authorization, but if it's all you're using then you really deserve to be hacked. In 2017 it's no longer acceptable to have a single factor of authentication to a system, especially with the prevalence of TOTP and Hardware key, such as YubiKey.
When trying to secure servers, if you don't have 2FA+ enabled, then you should be fired and blacklisted!
Sure, it's easy to say that passwords are a bad security method. But, it's like saying we need a better lock, when the walls are so thin bad guys just walk right through. Set the system up right, maintain it, and change when needed. At that point, the damage from easily guessed passwords is minimal.
But have you figured out how to U2F key with Google or Twitter without first setting up mobile phone verification? Say I want to have U2F (such as YubiKey) as my primary second factor, with TOTP (such as Google Authenticator) as a backup. But services like Google and Twitter support these only as backup second factors, not primary second factors. If I try to set up one of those as a second factor on Google or Twitter, the site won't let me proceed past the mobile phone verification. I don't want to use a mobile phone as the second factor for two reasons:
Cost U.S. pay-as-you-go carriers charge 10 cents per received text message, and services like Twitter automatically send the code as a text message to the associated mobile phone even if I have a non-SMS second factor set up. SIM swap fraud SMS authentication is vulnerable to social engineering in which the attacker compromises an account by arranging delivery of a replacement SIM to him.Here is a thought. How about multipurpose disposable personal authentication devices.
Think of TouchID. They key thing about TouchID is that the biometric authentication is "on device". So if you decoupled the TouchID from the iPhone, and developed a token that could use generate a one time passphrase that you use to login to any website, that would mean an attacker needs physical proximity to you to steal your logins. Goodbye Russian hackers.
Single point of failure yes, but also single point of hardening.
Because all the big sites wanted to be OpenID providers but not to accept logins from elsewhere.
accident damage, surgery, degredation of the eye are some of the ways you can be locked out of a biometric identifier. as the population ages, this is an issue that you need to think about. I will not use bios for this reason, as for some reason, I am not getting younger and more invulnerable.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Why a 4 digit pin code is considerd secure?
Passwords for something you care enough about to protect are only the start. Businesses have been using TFA either Secure ID or via text for years.
Biometrics make horrible passwords. They are way too easy to steal and copy. Two factor makes more sense, but it is still a password. I suggest a many-factor system.
What we do in real life is use a combination of multiple different methods. It's not just the way your face looks, but the location, clothing, and voice.
A complex system that combines multiple methods, assigns a percent sure of identity might work. It could include a simple password (six characters), that must be typed on live video (increasing both the time it takes to enter a password and allowing verification of keyboard and typing pattern along with your hands and video file is hashed and saved to be sure it isn't reused), along with a check for an existing cookie on the PC, with a verification for usual browser, usual source IP address, etc.
Such a system would be set up to allow for changes, but not all at once. I.E. If you just change your keyboard, that doesn't trigger a violation, but if you replace your computer then you better have the same router source IP address or expect a phone call/email/letter.
excitingthingstodo.blogspot.com
It's Akamai, not Akamia.
Alas, as of this moment, the one place you can put something that NO ONE else can get it is in your mind. This is the ultimate safe.
This is why passwords remain the preferred authentication method. Because it feels secure, your mind is the only place the key exists. As soon as you move that key out of a person's mind and into a device, or biometric, it's no longer in the best safe in the world. Your mind. It's a very important semantic. People feel passwords are safe because they're stored in the best safe. Your mind.
Until we come up with another way to store the key in your mind, password will reign king of authentication. Period.
Personally I don't really like biometrics, or 'devices' to store your passwords for these exact reasons. Parts of my body can be taken from me by force. My 'device' can be lost, stolen, or damaged, locking me out of everything. The mind is insurmountable security. Yes, you can beat someone over the head to try to convince them to spill the beans, but even that can be resisted by a determined person.
The password is still the best security device we have. It can't be lost, stolen or damaged. No one can 'steal' it from you (though it can be guessed by persistent actors, but so could any other authentication method. Just takes time and effort.) It's no going anywhere until a suitable replacement is created.
And that suitable replacement doesn't seem to be coming anytime soon, because nothing feels like a password. It's yours, you made it, and you can change it. You can't change your fingerprint or retina scan.
[YubiKey] is what I use for Google/Gmail, Facebook, Github
How does that work?
As far as I can tell, U2F on GitHub is incompatible with Mozilla Firefox, incompatible with Edge, and incompatible with Safari. I'm not even sure it works with other Chromium forks, as the page mentions Chrome. In addition, you need to buy a supported smartphone or tablet first because U2F requires working TOTP, and you still need to generate a password for use when pushing.
Fingerprints are easily forged. The excellent paper http://web.mit.edu/6.857/OldSt... covered the issue 15 years ago and remains valid with even the best modern fingerprint scanners.
A person determined to use passwords in a sane way (every password unique, with 60+ bits of true entropy) enjoys at least a modicum of confidence that the password implementation itself is simple enough to actually work as implied.
I'm about fifty years away from believing than any biometric security solution can be trusted without inspection (we still need some astounding advances in proof-of-correctness technology).
And I don't really feel like reading all that code, anyway. Theo and his crowd probably won't do it for me, on principle.
Every problem in computer science can be solved by adding another layer of indirection, except for too many layers of indirection.
Every problem in computer security can be solved by adding another trust authority, except for the proliferation of trust authorities you already have no compelling reason to trust.
Bingo! Biometrics suck. How do you change your fingerprints, or your eye's iris?
There are three factors for authentication. Something you know, something you have and something you are.
Why would we give up one in favour of another when we could adopt the radical idea of using TWO AT ONCE.
They're unique, but stay the same between uses. So if someone manages to copy it when you use it, they can use the copy in the future to pose as you.
Fortunately, that means they have the same solution as credit cards. Chip and pin works by you remembering a PIN (like how you remember a password). You enter the PIN into an authorized device, and that allows the device to query the chip. The chip then establishes a secure link to the processing site. Intercepting that session's communications doesn't make it any easier to forge a future communication.
Likewise, passwords can be replaced by a authenticator. Your password unlocks the authenticator. The authenticator then takes the site you're trying to login to and the time of day to generate a unique code you need to login. That way your password never has to leave your control. In theory this could be used in lieu of a password, but so far it's mostly being used to augment your password. That is, you still use a password (which can be stolen) to login to the site, but you also need the authentication code as a second factor to let you in.
This is mainly because Google's implementation is half-assed and lets you use it if you have access to the device (which is always for phones without security enabled. Authy is better implemented, requiring a passcode or password to use every time, backs up your authentication keys on the cloud so you can share them between multiple devices (they're still useless without a passcode/password), and is compatible with Google Authenticator. It's still vulnerable to some sort of keylogger. So ideally, this authenticator would be a separate physical device which did only authentication so there's no opportunity for rogue software to be installed onto it.
It has been shown, time and again, that biometrics can be beat (and are beat) by relatively low-tech approaches - sometimes very low-tech approaches. And, to add insult to injury, once compromised, biometrics cannot easily be revoked, if at all. Use biometrics at your own peril.
You can change your password, but you canâ(TM)t change your fingerprint.
Aside from all the low tech ways to defeat biometrics (gummy bears anyone?), the simple issue is if your biometric information gets compromised, youâ(TM)re toast.
"Omnis tuus capsa sunt inesse nos"
https://en.wikipedia.org/wiki/...
This or something like it... fin.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
The gradual change of your biometrics over time is the least problematical of the issues with biometrics. While this is annoying it is easy to fix by rescanning the information after first proving who you are by some other, manual, means.
The problem with biometrics is that if my information gets hacked the only way I can change it is via surgery and I'm simply not willing to have eye surgery to change my iris if my iris pattern is hacked when I can change a password simply by thinking of a new one.
Start using Biometrics AND Public Keys. Multi Factor is always better than single factor. PKI can be convenient if the syustems are in place to use them. Imagine world where you use your fingerprint and a Public Key to get access. THen you can generate public keys for every transation you make. Finger print to prove you are present, the system sends a message signed with the key you gave it, you decrypt using your private key and send a reply back with the random data in the message (signed with their public key of course) to show that you are authorized. Even changing our credit system to the later hald would be 1000 times better than SSN.
Why can so many people, even people "in the industry" not understand the difference between Identification and Authorization.
Biometrics is a good form of Identification, it's hard to lose your fingerprint or your retina (it can happen but it's not common in everyday life). You can't forget them at home, your spouse can't take yours with them by mistake, etc. A biometric ID/Authorization system can be excellent, near perfect if fact, at identifying you as you but it has no ability to handle the situation when it identifies someone who isn't you as you -- it has no system to handle the false positive.
Biometrics are a lousy form of Authorization. Once your biometrics have been used to identify you, you need a separate system to authenticate that it's actually you -- to defeat the false positive. As you travel around you leave your fingerprints and DNA all over the place, your image is recorded hundreds if not thousands of times a day. Your biometric ID is not private, gathering the information required to impersonate you is easy even if the techniques to impersonate you are not readily available at this time.
There is also the issue of what to do if your biometric identification has been compromised. If someone is accessing your bank accounts because they've been able to successfully fake your fingerprints, the bank can't issue you new fingerprints.
Biometrics are great for identification, but are terrible for authorization.
"Grab them by the pussy" -- President of the United States of America
Text input is the one universal constant we have for communicating between user and computer.
And requires only the same basic hardware that is required for general purpose user input...
In the free world the media isn't government run; the government is media run.
>"Why Are We Still Using Passwords? "
Because they are cheap, generally convenient, proven, and understood. Passwords actually work quite well *IF* they are managed correctly. And despite the summary, dictionary attacks are generally useless when servers are configured correctly.
For high security, when necessary, combining a password with a token of some sort is extremely effective.
Now fuck off trying to fool people into making your job easier.
No, your children are not the special ones. Nor are your pets.
The problem with using biometrics is the US courts can compel biometrics. They are not protected the same way a password is. There is case law supporting this, so until that is fixed I'll stick with a complicated password, and encryption.
They only authenticate you to the machine reading you. I can't use biometrics on line unless the machine reading me is already trusted. So how does a bank trust the finger print scanner?
A secret is always going to be the best security. However, how knowledge of the secret is verified can can be improved in a lot of ways.
because passwords are best.
You disagree? Invent a new method of opening the door to your house or starting your car before suggesting your "amazing new idea".
And for most of us a fairly permanent one at that.
What an absolutely asinine statement by "the executives".
Caution: Contents under pressure
Who is Popels?
His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
The question posted is: Why Are We Still Using Passwords?
The answer is provided in the summary: Stronger and more reliable alternatives to passwords already exist, but the obstacles to using them are often prohibitive
Nothing more to say.
How do you propose to log into a website with your fingerprint? Put it on the reader and send it to the website? Unencrypted? Oh Oh now instead of just a password compromised, if it is intercepted, your fingerprint is out there for anyone to use
And what makes you think the websites will be any more diligent about safeguarding your fingerprint (or the encrypted version thereof) than they are about safeguarding your password (or an encrypted version thereof)?
Using biometrics as a 'login' device is an insanely crazy idea. The only reason people are sort of accepting it is because the flaws have not been exposed by the constant attacks of millions of cyber criminals.
Once your digitized fingerprint or face has been stolen you are in a world of trouble, worse than if your Equifax data were stolen.
This includes my bank, investment firms, and hospital (that's the one keyed to my specific phone).
When you set up your account, you generate your certificate signing requests for each device you plan to use and send them to service which will verify your identity and sign your certificates. Then you configure your browser to use the certificate when you connect to the website. That will be how you authenticate.
A password provides you legal protection from being (legally) forced to divulge it, not so with biometrics or hardware authentication dongles.
Multifactor is always better, but a key component of that has to be something hidden in your mind.
*insert pithy sig here*
To prevent fraud and to protect privacy, credentials must be separate from people's physical and legal identity. No biometric key can prevent coercion, guarantee anonymity or be revoked when it is compromised.
Right now, I can go to pretty much any computer in any country and be able to log into gmail (for example) without having to have:
a) elevated privileges to use/add additional hardware, OR
b) a mobile phone, OR
c) loose scraps of paper with one-time pads, OR
d) anything similar
Granted if I'm at some dodgy internet cafe there is a risk of key loggers, but passwords can be changed when you get to a trusted location.
https://ask.slashdot.org/story...
https://it.slashdot.org/story/...
Let's re-hash the same old crap and get advertising revenue, yay.
We'll make great pets
I never store passwords if I develop a UI. Either I use single-sign on so authentication is handled by someone else. If that's not feasible I just force users to verify their email address if they want to login, typically email address verification takes less than 15 seconds and the user will only need to do this once per device.
Passwords cannot be chopped off and used while you aren't there. Passwords can be invented and changed at any time by the user. Their very nature makes them ideal for security: an intangible, boundless bank of secrets known only to you that can be changed any time. Until they come up with some other identification method that doesn't rely on tangible objects or physical attributes that cannot be changed, the password is where it's at.
Until the biometric device is talking directly without any middlemen (like the vendor or the internet) to the payment people, it is inherently less secure. Because at all the points between, it's just a digital password, and one that is (a) reused between sites and (b) unable to be changed.
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
So you authenticate to your phone, and your phone authenticates to the "app", which is a website. An unauthorized person needs to break only one of these authentications. This approach doubles the variety of the possible attack vectors.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
Public key cryptography has been the solution for a long time, we've just shot ourselves in the feet by not implementing it on the client side.
Client-side certificates for instance, SSH keys, PGP/GPG keys -- they're all examples of public key cryptography that works to secure data and requires the user to only remember one good password instead of many.
- Michael T. Babcock (Yes, I blog)