Late last year IBM reckoned biometrics would finally replace the password within the next five years. The prediction was part of a series that also speculated that the digital divide would cease to exist and that mind-reading technology would become a possibility. But, at least on the subject of passwords, new research from …
Why 20 years?
Passwords have been used for centuries because they work.
That was when you only had to remember one, and it was 'simple', and invariably permanent.
Now we have literally dozens, most must meet a minimum strength criterion, and all expire after xx days.
You're correct - passwords do work. But it's the fleshy bit using them that's reaching its operational limit.
RE: Fleshy Bits and operational limits
I suppose we're reaching EOL (end of life). All the signs have been there to see; the manufacturer hasn't shown much interest in support for a while now and upgrades have been noticeably thin on the ground. Prepare for humanity V2.0.
I share your concerns but not your opinion. I mean, while it is true that we now have a dozen different passwords to consider, we now /also/ have a dozen different tools which can help us in that process.
For starters, using programs like pwgen (also available on Windows). And second, using a password vault. Even modern browsers like Firefox or SeaMonkey can store your passwords in a database so that you can still have dozens of different passwords while it's still easy to use.
So I don't think it's reaching its limits; we simply need to extend on it. Use the 'One' password to protect the rest.
If I were at an ATM under duress I'd rather be able to give some cash to the guy holding a knife to my throat.
There's so much wrong with that.
I can't see how it'd do anything but throw up false positives most of the time. If you're running late for something, but need cash you might be stressed for instance.
What if you're pissed?
Then you have the issue that oppressive regimes will routinely take biometrics of their citizens for ID purposes - passport anyone? Oh, we'll need your fingerprints and an iris scan. Wow, we can now access your bank details, computer etc and share these biometrics with the local council just like we allow them to use RIPA terrorism intended laws to investigate rogue dogshit. I'd rather forget a password than carry around a biometric anyone can access.
Can I tick the box for "no more cash when pissed"
Hmm, I'd also need the override "Cab fare required, not going back in for another swifty honest guv'"...
Or maybe they just haven't tried hard enough
Person chooses 3 famous people from a list of thousands.
Person is challenged by the system, which shows a grid with (say) 100 photos of people in it.
Person has to pick 2.
Almost, but not entirely secure - and much easier to remember.
Next, install webcam and deduce the right ones by process of elimination over a few weeks :)
And blind users or those with poor facial recognition skills use the system by...?
I guess they'd be relying on blind chance. Ba-dum-tish.
Anyone seen my hat?
> almost, but not entirely secure
Unless of course you have malware on the box. A password replacement proposal that doesn't stand up to malware-infected clients isn't all that interesting.
Only sales people and people who don't understand security have been pushing biometrics. A great big password that you can't change is one memorable description. Also, fucking expensive to test in comparison to passwords.
add to that...
add to that, the technology involved is likely to have many flaws that can and will be compromised.
The simplicity of a password is its strength. It's easy to use and, so long as a large enough word is used, using upper and lower case and including numbers and punctuation, it is quite secure. It's just a matter of how secure the platform it is being used on is.
ATMs should have two PIN numbers in use: your real one and a duress code. The duress code should still issue funds, but alert the local law enforcement and automatically focus the local CCTV system on the area.... The money it issues should have some sort of trace attached to it, like smart water, so that the perpetrator can be traced more easily. Or get rid of cash altogether.
The best way to beat criminals is to make it not worthwhile or worth the risk.
Now, where the hell did I put my wallet?
Why a separate duress password
I know ADT alarm systems will trigger a panic mode if you enter the PIN backwards.
I wonder what happens if your PIN is 3333, or 1221, or, ... Just sayin'.
Assuming the system can allow for that, you then have a built-in configuration-free way to opt out of having a duress code (not sure why you would want an opt-out, but the option is free so why not).
"Duress Passwords" aren't new...
If you shop with a CC (in the US at least - I haven't been able to verify if something similar exists in the UK) and hear your clerk say the words "I have a Code 10 Authorisation Request" whilst manually attempting your payment, prepare yourself for a visit from the Fraud Squad...
I used to work for a major UK DIY retailer
and Code 10 meant something of that nature, yes. (There was a panic alarm under the till too but I wasn't told about that until I asked what the red button was.)
If I were committing credit card fraud, I'd have been out of the store by the time the clerk looked funnily at the card reader and picked up the phone.
Knights of the Rainbow Table
You're much better off using a correctly punctuated pass phrase than some 8 character alphanumeric password
It is many orders of magnitude easier to bust:
'ytZo0&5x' (100ish hours)
than it is to bust
"My mum really likes a mango on a Monday" (10^50ish years)
One you will not remember 1s after reading it, the other you have already remembered.
Yes, but then your secure passphrase is rejected because it has no symbols or numbers in it, you become exasperated and use a less secure password :)
You can change your password
Fingerprint is fine for a closed system like a bank ATM; I already don't trust no-name ATMs and a fingerprint scanner would not help.
But if I use a fingerprint (or other biometric) reader to log onto internet banking then that fingerprint has to be converted into a number, and if that is intercepted by bad guys (the same way a password can be today) then I'm screwed. I can change my password but I can't change my fingerprint.
Sure they are going to transmit the fingerprint encrypted but I'm sure someone is going to crack it when there is lots of money involved. Or we will see fake fingerprint scanners like the fake card readers they have today.
My primary argument against biometrics is that they're BLOODY difficult to change if they're ever compromised.
most people have 10 password choices (20 if they take off their shoes).
I'm still not convinced biometrics are any use as a general password alternative, though.
Maybe you should do some reading around to help you understand the subject.
I would suggest you look at some cryptography basics.
No one sends sensitive security tokens in the clear.
Call me pessimistic but....
"Sure they are going to transmit the fingerprint encrypted but I'm sure someone is going to crack it when there is lots of money involved"
When they are designing such a system, they are going to make some assumptions.
The first assumption is going to be that the system is going to be secure enough that nobody is going to be able to intercept the digitized fingerprint.
The second assumption is going to be that if someone was to possibly intercept the digitized fingerprint, then injecting the numbers back in is going to be twice as hard.
The third assumption is going to be that it is going to be impossible to get past the first two assumptions, so encrypting the fingerprint info is going to be time consuming and a waste of man hours...
They will most likely buy in some cheap encryption (probably already compromised (like ON Digital / ITV Digital did)) or just reverse the data stream of the digitized fingerprint .... then go to the pub....
These are the people entrusted with keeping our money safe, don't forget... look at the track record...
Passwords rule until....
Many organizations have a clause in their Ts&Cs stating that passwords must not be written down. Many people who have, say, 40+ logins to remember write their passwords down in some way or other. I foresee a court case in the not too distant future where, after losing money due to someone stealing his/her list of passwords, a user claims that such a contract clause is unreasonable on the basis that an average person cannot be expected to remember dozens of different passwords - after which banks, shopping sites, etc. will find an alternative to passwords.
Actually the court case I'm waiting for is the biometric one.
That's where some bloke lacking pieces of his anatomy sues the fuck out of Hollywood for leading the bad guys to believe that they could get into his biometrically secured office, by taking along his fingers and eyeballs....
I use passphrases for accounts that need to be really secure
I paste them into a little C program that mangles them and it spits out a horrible password like "fjbit1eUuQspStjfphxt"
which I then paste into whatever.
Needless to say the password program is owned by root and is only executable.
For SSH access I also use a highly unusual username which is the only account on my server that is allowed SSH access
Already removing fingers
Can't imagine I'm going to be first with this
yeah, but now _everyone_ is going to be using correcthorsebatterystaple as their password and so there's no security there either!
I see your link...
...and raise you an XKCD password generator:
Computers vs Humans
Sorry to pee in your cornflakes - this is exactly the reason why serious crackers have rainbow tables and dictionary files.
@Computers vs Humans
Rainbow tables only 'work' if you have access to the hash on the target system. If you are having to attack it as a normal user then anything that puts the mean-time-to breach at a few attempts per second (or whatever limit is applied on multiple failures) to hundreds of years is fine.
The XKCD argument was based on that premise.
If they have full access to the target to get the hashes, they probably have that system owned. They also can reverse your password, but if you have easy phrases that differ, no advantage to other site.
What is needed is:
A) Easy but strong choices.
B) Several of them so little is shared to compromise via honeypot sites.
C) Means of dealing with infested PCs that allow a local attack using the just-gathered information for a given site.
I think (C) is the hardest to deal with following XKCD-like education.
Computers vs Humans
There are 225,000 words in Webster's dictionary.
Four random words produce a possible 2562890625000000000000 combinations.
A ten character password using entirely random characters, assuming 100 available characters, produces a possible 100000000000000000000 combinations, or rather 1/25 as many as the four words option.
A little inaccurate 2562890625000000000000?
# combinations of 4 words out of n=250000 (distinct ones) is
I mean n=225,000 not 250,000
@Computers vs Humans
Rainbow tables are exactly the reason that one should, at the very least, sprinkle a decent amount of salt over passwords - about 128 crypto-random bits on each password should get the ball rolling.
As for brute force or basic dictionary attacks, these are a different kettle-o-fish, but there are relatively trivial ways to /assist/ in reducing exposure.
The problem is there are a lot of commercial systems out there that still don't even take the most rudimentary of data security precautions. 'Reap what you sow' I suppose.
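To make the salting advice above concrete, here is an added example (mine, not the commenter's code or any product's) of storing and checking passwords with a per-user 128-bit random salt. It uses Python's standard-library scrypt as the slow hash; the work factors and the `scrypt$salt$digest` record layout are assumptions chosen for the example, not a standard the thread mentions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_BYTES = 16  # 128 crypto-random bits per password, as the comment suggests
# scrypt work factors: assumed values for this example, tune to your hardware budget
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied
    (verification passes the stored salt back in)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return salt, digest


def encode_record(salt: bytes, digest: bytes) -> str:
    """Storage format assumed for this example: algorithm tag, salt and digest in hex."""
    return f"scrypt${salt.hex()}${digest.hex()}"


def decode_record(record: str) -> Tuple[bytes, bytes]:
    algo, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError(f"unsupported record format: {algo}")
    return bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, stored = decode_record(record)
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def same_password_different_records(password: str) -> bool:
    """Why per-user salt defeats a shared precomputed (rainbow) table: two users
    with the same password end up with unrelated digests, yet both still verify."""
    rec1 = encode_record(*hash_password(password))
    rec2 = encode_record(*hash_password(password))
    return rec1 != rec2 and verify_password(password, rec1) and verify_password(password, rec2)


if __name__ == "__main__":
    # Constructed sample credential for the demo
    rec = encode_record(*hash_password("correcthorsebatterystaple"))
    print(rec)
    print("verify correct:", verify_password("correcthorsebatterystaple", rec))
    print("verify wrong:  ", verify_password("correcthorsebatterystapl", rec))
    print("salt makes identical passwords differ:",
          same_password_different_records("correcthorsebatterystaple"))
```

The salt is stored beside the digest in the clear; its job is not secrecy but making every user's hash a separate cracking job, so a table precomputed once cannot be reused across accounts or sites.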
That's a little silly...
To meet the requirement of being easy to remember, the password must be limited to words that the owner actually knows. To the average English speaker, that limits the range to something between 15,000 and 30,000 words.
If you put someone on the spot and tell them to 'think of four words', I'd bet a small fortune that at least 50% of the subjects would come up with four words chosen from a pool of no more than 2,000 in total, and 90% would have two or three words chosen from that pool.
So the *probable* range of passwords using this system is closer to 16,000,000,000,000.
Of course the *probable* range of passwords using 'random' characters is much smaller, too, since the huge majority of people base their 'random characters' on English words, and even serious security geeks tend heavily towards letters and numbers.
Bottom line: this is a silly calculation.
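Since the "Computers vs Humans" arithmetic, its "a little inaccurate" follow-up and the "silly" reply all argue over the same numbers, here is an added example (mine, not any commenter's) that computes them side by side: ordered words with repeats (the n^4 the first post quotes), ordered distinct words, unordered distinct words (the "combinations" reading), the 2,000-word pool from the reply, and the 10-characters-of-100 case, each with its entropy in bits and the worst-case time to exhaust it. The guessing rates (an offline cracker at 10^10 per second, an online service throttled to 5 per second, as the earlier "Knights of the Rainbow Table" exchange contrasts) are assumed figures for the example.

```python
import math

# Figures quoted in the thread, used here as constructed inputs
DICTIONARY_WORDS = 225_000   # "225,000 words in Webster's dictionary"
LIKELY_POOL = 2_000          # pool most people really draw from, per the reply
ALPHABET_SIZE = 100          # "assuming 100 available characters"
SECONDS_PER_YEAR = 365 * 24 * 3600


def ordered_with_replacement(n: int, k: int) -> int:
    """k picks in order, repeats allowed: n**k (the figure the first post quotes)."""
    return n ** k


def ordered_distinct(n: int, k: int) -> int:
    """k distinct words in order: n! / (n-k)!."""
    return math.perm(n, k)


def unordered_distinct(n: int, k: int) -> int:
    """k distinct words as a set, order ignored: C(n, k)."""
    return math.comb(n, k)


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy for a secret chosen uniformly from `keyspace` values."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def summarize(label: str, keyspace: int, guesses_per_second: float) -> dict:
    return {
        "label": label,
        "keyspace": keyspace,
        "bits": round(entropy_bits(keyspace), 1),
        "years_at_rate": years_to_exhaust(keyspace, guesses_per_second),
    }


if __name__ == "__main__":
    # Assumed attacker models: offline cracking of a leaked hash vs. online guessing
    # against a service that throttles failed logins.
    for rate, scenario in ((1e10, "offline, 10^10 guesses/s"), (5, "online, 5 guesses/s")):
        print(f"--- {scenario} ---")
        rows = (
            summarize("4 words, n^4", ordered_with_replacement(DICTIONARY_WORDS, 4), rate),
            summarize("4 distinct words, ordered", ordered_distinct(DICTIONARY_WORDS, 4), rate),
            summarize("4 distinct words, unordered", unordered_distinct(DICTIONARY_WORDS, 4), rate),
            summarize("4 words, 2,000-word pool", ordered_with_replacement(LIKELY_POOL, 4), rate),
            summarize("10 random chars of 100", ordered_with_replacement(ALPHABET_SIZE, 10), rate),
        )
        for row in rows:
            print(f"{row['label']:<30} {row['keyspace']:>25,d} "
                  f"{row['bits']:>6} bits  {row['years_at_rate']:.3g} years")
```

Running it reproduces the thread's 2562890625000000000000 (about 71 bits) and 16,000,000,000,000 (about 44 bits), and shows the "1/25" ratio; the distinct-word variants shave only a fraction off the n^4 figure, so the real disagreement is over the pool size, not the counting rule.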
"But that’s fiction. In reality, ATM cameras using facial and iris recognition may be able to detect stress, pupil dilation, and changes in heart rate and breathing patterns to establish a confidence level that the user is not in danger."
Great, so you have to be in a nice calm state in order to get into a system?? Buggered any time I'm running late, just been to the gym, stressed 'cos the boss needs something NOW, shivering 'cos it's cold, etc...
Article seems to overlook the growth of two+factor authentications
I.e. with tokens and now mobiles (either soft token apps or a text with a code). Passwords on their own are seen as outdated by many, but with a second factor that is how it becomes a worthy opponent to a biometric solution.
Oh, like RSA?
As in, the one that's already been compromised? Yeah, that'll work.
No, not like RSA.
We've got nice things like TOTP these days; that's the sort of stuff that Google uses to provide 2-factor authentication for Gmail using, e.g., an Android app. Hardware token systems could work just fine if they could be configured by the end user (or employer). I have some nice TOTP and HOTP tokens here... the security issue with those is that the vendor knows which serial numbers they sold to me, which presents an avenue of attack, assuming the attackers could also get my password.
Don't assume that one corporation's greed (they wanted centralised control of the system to protect their income stream) and ineptitude means the underlying system is broken.
I'd also suggest that public key cryptosystems can exist separately from a formal PKI. I've been quite happy with my SSH keys, for example, though they require a little more care than 'normal' users might be expected to exercise.
one time pass
I've given up trying to remember passwords. Where I can, I set a long password completely at random and make no attempt to remember it. Then, the next time I need to log in, I request a new password.
There are two flaws in this approach, but I feel the freedom from having to remember random alphanumeric words that need to be changed every 30 days is worth it.
Flaw 1: I have to wait around for the new password to be generated and emailed to me.
Flaw 2: I'd be completely unable to reveal my amazon.com password even if under torture and at risk of death.
Why not use a password manager?
I use 1password on my Macs & iPhone. When creating an account on any website, I let 1password generate a random 16 digit password [mixture of upper and lower case and digits]. Then when I revisit that site, I just hit CMD+\ and enter my password for 1password itself in a popup and 1password automatically fills in the login details for me.
I've no idea what my passwords are, for most of the sites I frequent. I just let 1password remember all that crap for me. And it syncs wirelessly across all my gadgets too, which is nice.
[Disclaimer: No relation. No personal interest in the company etc. Just a satisfied customer. Other password managers are available]
Some people have bad memories.
That's like saying just write it all down in a memo book...until you lose the memo book.
Or in this case, put them in a password vault under one super password...until you forget THAT password.
Nah, you just save the super password inside an unrelated Excel or txt document somewhere on your PC. That's what I do, and unless someone starts reading each and every file in my computer (and knows what they are looking for) I think it's secure enough.
Now, if you manage to forget not only the super password but also the place where you saved it... you have bigger things to worry about, such as that Alzheimer's...