Experts: We're stuck with passwords – and maybe they're best Late last year IBM reckoned biometrics would finally replace the password within the next five years. The prediction was part of a series that also speculated that the digital divide would cease to exist and that mind-reading technology would become a possibility. But, at least on the subject of passwords, new research from …
That was when you only had to remember one, and it was 'simple', and invariably permanent.
Now we have literally dozens, most must meet a minimum strength criteria, and all expire after xx days.
You're correct - passwords do work. but it's the fleshy bit using them that's reaching it's operational limit.
I share your concerns but not your opinion. I mean; while it is true that we now have a dozen different passwords to consider, we now /also/ have a dozen different tools which can help us in that process.
For starters; using programs like pwgen (also available on Windows). And second; using a password vault. Even modern browsers like firefox or seamonkey can store your passwords in a database so that you can still have dozens different passwords while its still easy to use.
So I don't think its reaching its limits; we simply need to extend on it. Use the 'One' password to protect the rest.
Then you have the issue that oppressive regimes will routinely take biometrics of their citizens for ID purposes - passport anyone? Oh, we'll need your fingerprints and an iris scan. Wow, we can now access your bank details, computer etc and share these biometrics with the local council just like we allow them to use RIPA terrorism intended laws to investigate rogue dogshit. I'd rather forget a password than carry around a biometric anyone can access.
add to that, the technology involved is likely to have many flaws that can and will be compromised.
the simplicity of a password is its strength. its easy to use and so long as a large enough word is used using upper and lower case, including numbers and punctuation is quite secure. its just a matter of how secure the platform that is is being used on is.
ATM's should have two pin numbers in use. your real oner and a duress code. the duress code should still issue funds, but alert the local law enforcement and automatically focus the local cctv system to the area....the money it issues should have some sort of trace attached to it, like smart water so that the perpetrator can be traced more easy. or get rid of cash all together
The best way to beat criminals it to make it not worth while or worth the risk.
now, where the hell did i put my wallet?
You're much better off using a correctly punctuated pass phrase than some 8 character alphanumeric password
It is many orders of magnitude easier to bust :
'ytZo0&5x' (100ish hours)
than it is to bust
"My mum really likes a mango on a Monday" (10^50ish years)
On you will not remember 1s after reading it, the other you have already remembered.
If you shop with a CC (In the US at least - I havent been able to verify if something similar exists in the UK) and hear your clerk say the words "I have a Code 10 Authorisation Request" whilst manually attemping your payment, prepare yourself for a visit from the Fraud Squad...
Fingerprint is fine for a closed system like a bank ATM, I already don't trust no-name ATMs and finger print scanner would not help.
But if I use a fingerprint (or other biometric) reader to log onto internet banking then that fingerprint has to be converted into a number, and if that is intercepted by bad guys (the same way a password can be today) then I'm screwed. I can change my password but I can't change my fingerprint.
Sure they are going to transmit the fingerprint encrypted but I'm sure someone is going to crack it when there is lots of money involved. Or we will see fake fingerprint scanners like the fake card readers they have today.
"Sure they are going to transmit the fingerprint encrypted but I'm sure someone is going to crack it when there is lots of money involved"
when they are designing such a system, they are going to make some assumptions.
The first assumption is going to be that the system is going to be secure enough that nobody is going to be able to intercept the digitized fingerprint.
the second assumption is going to be that if someone was to possibly intercept the digitized fingerprint, then injecting the numbers back in is going to be twice as hard.
The third assumption is going to be, that it is going to be impossible to get past the first two assumptions, so encrypting the fingerprint ingo is going to be time consuming and a waste of man hours...
they will most likely buy in some cheap encryption (probably already compromised ( like ON Digital / ITV digital did)) or just reverse the data stream of the digitized fingerprint .... then go the pub....
these are the people entrusted in keeping our money safe dont forget... look at the track record...
Many organizations have a clause in their Ts&Cs stating that passwords must not be written down. Many people who have, say, 40+ logins to remember write their passwords down in some way or other. I foresee a court case in the not too distant future where, after losing money due to someone stealing his/her list of passwords, a user claims that such a contract clause is unreasonable on the basis that an average person cannot be expected to remember dozens of different passwords- after which banks, shopping sites, etc will find an alternative to passwords.
I paste them into a little c program that mangles them and it spits out a horrible password like "fjbit1eUuQspStjfphxt"
which I then paste into whatever.
Needless to say the password program is owned by root and is only executable.
For SSH access I also use a highly unusual username which is the only account on my server that is allowed SSH access
Rainbow tables only 'work' if you have access to the hash on the target system. If you are having to attack it as a normal user then anything that puts the mean-time-to breach at a few attempts per second (or whatever limit is applied on multiple failures) to hundreds of years is fine.
The XKCD argument was based on that premise.
If they have full access to the target to get the hashes, they probably have that system owned. They also can reverse your password, but if you have easy phrases that differ, no advantage to other site.
What is needed is:
A) Easy but strong choices.
B) Several of them so little shared to compromise vis honeypot sites.
C) Means of dealing with infested PCs that allow a local attack using the just-gathered information for a given site.
I think (C) is the hardest to deal with following XKCD-like education.
There are 225,000 words in Websters dictionary.
Four random words produces a possible 2562890625000000000000 combinations.
A ten character password using entirely random characters, assuming 100 available characters, produces a possible 100000000000000000000 combinations, or rather 1/25 as many as the four words option.
That's a little silly...
To meet the requirement of being easy to remember, the password must be limited to words that the owner actually knows. To the average English speaker, that limits the range to something between 15,000 and 30,000 words.
If you put someone on the spot and tell them to 'think of four words', I'd bet a small fortune that at least 50% of the subjects would come up with four words chosen from a pool of no more than 2,000 in total, and 90% would have two or three words chosen from that pool.
So the *probable* range of passwords using this system is closer to 16,000,000,000,000.
Of course the *probable* range of passwords using 'random' characters is much smaller, too, since the huge majority of people base their 'random characters' on English words, and even serious security geeks tend heavily towards letters and numbers.
Bottom line: this is a silly calculation.
Rainbow tables are exactly the reason that one should, at the very least, sprinkle a decent amount of salt over passwords - about 128 crypto-random bits on each password should get the ball rolling.
As for brute force or basic dictionary attacks, these are a different kettle-o-fish, but there are relatively trivial ways to /assist/ in reducing exposure.
The problem is there are a lot of commercial systems out there that still dont even take the most rudimentary of data security precautions. 'Reap what you sow' I suppose.
"But that’s fiction. In reality, ATM cameras using facial and iris recognition may be able to detect stress, pupil dilation, and changes in heart rate and breathing patterns to establish a confidence level that the user is not in danger."
Great, so you have to be a nice calm state in order to get in to a system?? Buggered any time I'm running late, just been to the gym, stressed 'cos the boss needs something NOW, shivering 'cos it's cold, etc...
We've got nice things like TOTP these days; that's the sort of stuff that google uses to provide 2-factor authentication for gmail using, eg. an android app. Hardware token systems could work just fine if they could be configured by the end user (or employer). I have some nice TOTP and HOTP tokens here... the security issue with those is that the vendor knows which serial numbers they sold to me, which presents an avenue of attack, assuming the attackers could also get my password.
Don't assume that one corporation's greed (they wanted centralised control of the system to protect their income stream) and ineptitude means the underlying system is broken.
I'd also suggest that public key cryptosystems can exist separately from a formal PKI. I've been quite happy with my SSH keys, for example, though they require a little more care than 'normal' users might be expected to exercise.
I've given up trying to remember passwords. Where I can, I set a long password completely at random and make no attempt to remember it. Then, the next time I need to log in, I request a new password.
There are two flaws in this approach, but I feel the freedom from having to remember random alphanumeric words that need to be changed every 30 days is worth it.
Flaw 1: I have to wait around for the new password to be generated and emailed to me.
Flaw 2: I'd be completely unable to reveal my amazon.com password even if under torture and at risk of death.
Why not use a password manager?
I use 1password on my macs & iPhone. When creating an account on any website, I let 1password generate a random 16 digit password [mixture of upper and lower case and digits]. Then when I revisit that site, I just hit CMD+\ and enter my password for 1password itself in a popup and 1password automatically fills in the login details for me.
I've no idea what my passwords are, for most of the sites I frequent. I just let 1password remember all that crap for me. And it syncs wirelessly across all my gadgets too, which is nice.
[Disclaimer: No relation. No personal interest in the company etc. Just a satisfied customer. Other password managers are available]
Nah, you just save the super password inside an unrelated excel or txt document somewhere in your PC. That's what I do, and unless someone starts reading each and every file in my computer (and knowing what are they looking for) I think it's secure enough.
Now, if you manage to forget not only the super password but also the place where you saved it... you have bigger things to worry about, such as that Alzheimer...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
