Why Are We Still Using Passwords? (securityledger.com)
Here's some surprising news from the Akamai Edge conference. chicksdaddy writes:
[E]xecutives at some of the U.S.'s leading corporations agreed that the much-maligned password won't be abandoned any time soon, even as data breaches and follow-on attacks make passwords more susceptible than ever to abuse, the Security Ledger reports. "We reached the end of needing passwords maybe seven years ago, but we still use them," said Steve Winterfeld, Director of Cybersecurity at clothing retailer Nordstrom. "They're still the primary layer of defense."
"It's hard to kill them," noted Shalini Mayor, who is a Senior Director at Visa Inc. "The question is what to replace them with." This, even though the cost of using passwords is high and getting higher, as sophisticated attacks attempt to compromise legitimate accounts using so-called "credential stuffing" techniques, which use automated password guessing attacks against web-based applications... Stronger and more reliable alternatives to passwords already exist, but the obstacles to using them are often prohibitive. Shalini Mayor said Visa is "looking at" biometric technologies like Apple's TouchID as a tool for making payments securely. Such technologies -- from fingerprint scans to facial and retinal scans -- promise more secure and reliable factors than alphanumeric passwords, the executives agreed. But customers often resist the technologies or find them error-prone or too difficult to use.
If I ever get arrested or stopped at the airport, my phone could be unlocked by forcing my finger on the button or scanning my face (iPhone X). So without a password, biometrics can trivially compromise your security against state/pseudostate actors when they have physical access to you. At least with a passcode they have to observe some sort of due process to coerce you.
Clearly we need to replace passwords with a chip or mark or tattoo in the palms of the hands and on the foreheads / retinas, etc. Then we need to make sure that people can't buy or sell without taking these marks on themselves. Naturally cash will have to be eliminated. This way we can control and identify what the people spend their money on and we can use this information to further oppress and bind them down into abject bondage and suffering. Yep, that's the ticket. No more anonymity, all must bow down and accept the will of Evil. Every citizen a slave.
"A jackboot stamping on a human face forever" - Orwell or Huxley, I forget and am too lazy to search.
Faith: Belief in Truth. Superstition: Belief in Falsehood.
We use passwords because it's something you know AND SOMETHING YOU CAN CHANGE WHEN COMPROMISED.
You cannot change your fingerprints or other biometric data so when it's compromised or when technology advances in a way which allows the biometric sensors to be fooled then you are completely and totally stuffed. :-(
Do the people proposing this ever have _ANY_ real-world experience at all?
Oh, and yes, using biometric data allows intelligence agencies, who will likely be able to obtain that information in various ways, to pretend to be you when they want to compromise systems you control.
Think of them as a mutable biometric. It's biometric because it's stored in your brain. It's mutable because you can change it. It can't actually be stolen from you if you don't give it up or write it down.
It's only when you go to transmit it that the problem occurs.
When you look at this this way, then you see that things like fingerprints or retina have the same problems and worse. They are not mutable, they can be taken from you without you knowing it, and the transmission layer is still vulnerable.
Nearly always, your first solution to a problem is the best one. Not always of course or there would be no need to research and study. But people have been using passwords for millennia because they are an effective tool that works from giving something to the sentry, to logging into Google.
Some drink at the fountain of knowledge. Others just gargle.
Like passwords with unicode in them. Impossible to share via Slashdot.
I'm a good cook. I'm a fantastic eater. - Steven Brust
Biometrics are not more secure than passwords - they're less secure but sufficiently more convenient that you can convince people to use them.
A fingerprint is more convenient until the moment you get a blister (or some other damage) on your finger(s), then you're locked out. Seems unlikely? When I got a job at the NASA LaRC way, way back, I had to get fingerprinted, but couldn't because I had been working on my car that week and my hands and fingers were all beat up. I had to wait a week for them to clear up enough to get processed.
It must have been something you assimilated. . . .