Experts: We're stuck with passwords – and maybe they're best

Late last year IBM reckoned biometrics would finally replace the password within the next five years. The prediction was part of a series that also speculated that the digital divide would cease to exist and that mind-reading technology would become a possibility. But, at least on the subject of passwords, new research from …

COMMENTS

This topic is closed for new posts.

          1. Charles 9

            OR...

            ...the fact that your hard drive crashed and the backup failed. Or you're trying to access the passwords from your phone where the secret password isn't kept for security reasons.

            1Password sounds interesting, but I hear the Android interface isn't well polished. I would also like to have a cloud sync to say Dropbox in case I change machines or phones (had a phone break--thank goodness for a phone insurance plan). Perhaps if there was an alternative...

        1. AdamWill

          it's very unlikely

          when you have to enter it about a dozen times a day. the (current) super password for my password database will likely be the very last thing that sticks in my rapidly declining grey matter at the terminal moment. what a sad thought...

          (actually, I've started to memorize some of the *completely random* passwords my password generator generates. amazing that you can memorize 12 random characters, which don't form anything even vaguely pronounceable, if you have to enter them manually maybe twenty times...the one i always recall is my wireless password, which I'm always entering on different devices and so can't just copy/paste from the manager.)

  1. Robert Carnegie Silver badge

    Some sort of dual key system.

    Nowadays a password that lets you into the bank has to be inconveniently long to be safe. So some arrangement is needed whereby you input a short personal authentication into a device that you and the service that you're using both trust - like an ATM. That device is the other part of the dual key.

  2. Anonymous Coward

    Phone Proximity

    Someone has probably thought of this already, but if someone's phone is fitted with an NFC device, even something innocuous fitted in the battery compartment, then the physical presence of the phone can also be used as a partial authorisation.

    If the person leaves the workstation and takes their phone with them, then the system logs them off, or locks the workstation, etc.

    Good idea, or a load of crap?

    1. Simon_E

      re: Phone proximity

      Been done.

      I played around with a bluetooth PC-locking program three or four years ago.

      Couldn't get it to _un_lock it automatically, though...

  3. Anonymous Coward

    How a password should be

    "bruteforcemypasswordifyoucanyousillyhackeryou"

    1. Anonymous Coward

      and add a digit to the end, that increases each time you have to change your password !!

  4. Anonymous Coward 15

    Detecting duress like...

    The emergency chocolate and flowers when you forget your anniversary?

    Christmas shopping?

    Paying off a loan shark/money shop/pawnbroker?

    Needing money for a cab at 3am after the trains have stopped?

  5. Anonymous Coward

    "In reality, ATM cameras using facial and iris recognition may be able to detect stress, pupil dilation, and changes in heart rate and breathing patterns to establish a confidence level that the user is not in danger."

    "It says it won't let me take any money out as I am stressed by all this mugging business, so put the knife away OK Mr Mugger?"

    So how long before the knife is put to good use cutting out/off the required body part to get the scanner to work?

    1. Anonymous Coward 101

      Correct

      Mugger: "Give me your money or I'll shoot you!"

      Muggee: "I can't withdraw cash because the iris scanner says I am under too much stress!"

      Mugger: "Then calm down or I'll shoot you!"

  6. Anonymous Coward

    Passwords...

    http://xkcd.com/936/

    That says it all...

  7. MoreFun

    Tools like keepass ?

    I think that once you get used to tools like keepass (which I use), this becomes much less an issue, and the amount of passwords you can maintain increases dramatically.

    You do need to learn (and be confident) using them ...

  8. WinHatter

    even your DNA ...

    to protect my data ... well DNA tends to be leaked (pun intended).

    1. Anonymous Coward

      and.....

      my evil twin brother will have access to all my shit !!

  9. TeeCee Gold badge

    Predictions, passwords.......

    "The prediction was part of a series that also speculated..............."

    Did they say anything about the death of COBOL?

  10. Fenton

    God I hate passwords

    As a consultant working at multiple sites, they really have become a pain in the backside.

    Each site has different timeouts, different rules (and they sometimes change).

    The amount of time lost, due to having to reset passwords mounts up fairly quickly.

    Even a well maintained encrypted password solution has its limitations (i.e. I forgot the password that was reset just before I went on holiday). Hard disk crashed and the last good backup was two weeks old. (How many of us have nightly backups of our laptops?)

  11. PassiveSmoking

    Churchill is supposed to have once observed that Democracy was the worst system of government, except for all the others that have been tried. Perhaps the same applies to passwords.

    1. Anonymous Coward

      paper says exactly this

      "Indeed it might be said of passwords that they are the worst possible authentication system, except for all the other systems"

  12. Anonymous Coward

    What really winds me up is when sites ask you to set a password and then reject it for failing to meet various requirements that [and this is the really teeth-grindingly annoying bit] they didn't tell you about in the first place:

    • Sorry. Your password must be at least six letters

    • Sorry. Your password must contain at least one number

    • Sorry. Your password cannot contain all numbers

    • Sorry. Your password must contain both upper and lower case

    • Sorry. Your password cannot be a dictionary word

    I start out with an idea for a password, which is secure enough for the risk-level associated with the site in question, and which I can remember, but then, by the time I've jumped through all their ridiculous hoops to make it conform to their idea of what constitutes a secure password, it's so far removed from what I started off with that I have to write it down myself, so I'll remember it. Which kinda defeats the purpose!

    1. Tom 35

      Password tests

      Then you get something like P@ssw0rd that they say is secure.

      1. Keep Refrigerated

        And those bloody meaningless secure meters...

        Choose your password - must contain at least 8 characters:

        "Try h@cking this 5uckaz!!! &" Secure Meter: []

        ***Special chars not allowed!***

        "Try hacking this 5uckaz" Secure Meter: []

        ***Spaces not allowed!***

        "Tryhackingthis5uckaz" Secure Meter: [][][]

        ***Too long!***

        "passw0rd" Secure Meter: [][][][][] OGMZ SO SECURE!

        *** This is good - Proceed! ***
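An added example (not code from the thread or from any site it mentions) illustrating the two complaints above: a validator that reports every failed rule at once rather than one rejection per submit, and a tick-box strength meter set beside a rough guessing-cost estimate so that "P@ssw0rd" scoring full marks while a long passphrase scores low is visible in numbers. The sample passwords, the tiny stand-in dictionary and the bit estimates are constructed assumptions; a real checker would use a breached-password list with millions of entries.

```python
import math
import string

# Constructed samples lifted from the complaints in the thread; not real credentials.
SAMPLES = ["passw0rd", "P@ssw0rd", "Tryhackingthis5uckaz",
           "Try h@cking this 5uckaz!!! &", "fredgardengolfbag"]

# Tiny stand-in for a breached-password list (assumption: a real check uses millions of entries).
COMMON_BASES = {"password", "letmein", "qwerty", "welcome"}
LEET = str.maketrans("@$013!", "asolei")


def normalized_base(pw):
    """Undo the usual substitutions so that 'P@ssw0rd' is recognised as 'password'."""
    return pw.lower().translate(LEET).strip(string.digits + string.punctuation + " ")


def policy_violations(pw):
    """Return every failed rule at once, using the messages quoted in the thread."""
    rules = [
        ("must be at least six letters", len(pw) >= 6),
        ("must contain at least one number", any(c.isdigit() for c in pw)),
        ("cannot contain all numbers", not pw.isdigit()),
        ("must contain both upper and lower case",
         any(c.islower() for c in pw) and any(c.isupper() for c in pw)),
        ("cannot be a dictionary word", normalized_base(pw) not in COMMON_BASES),
    ]
    return [msg for msg, ok in rules if not ok]


def naive_meter(pw):
    """The tick-box meter: one point per character class present plus one for length >= 8."""
    return sum([len(pw) >= 8,
                any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)])


def estimate_bits(pw):
    """Rough guessing cost in bits. A de-leeted dictionary word costs the dictionary lookup
    plus one bit per decorated character; anything else gets the optimistic random-string
    estimate len * log2(alphabet), which real crackers beat for word-based passphrases."""
    base = normalized_base(pw)
    if base in COMMON_BASES:
        decorated = sum(1 for c in pw if c.isupper() or c in "@$013!")
        return math.log2(len(COMMON_BASES)) + decorated
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, 32), (str.isspace, 1))
    alphabet = sum(size for pred, size in classes if any(pred(c) for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:32} meter={naive_meter(pw)}/5 est={estimate_bits(pw):6.1f} bits "
              f"violations={policy_violations(pw)}")
```

Running it shows the inversion the comment mocks: "P@ssw0rd" gets 5/5 on the meter but only about 5 bits of estimated guessing cost, while "fredgardengolfbag" gets 2/5 and roughly 80 bits.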

    2. Hungry Sean

      groan

      or my most hated one:

      "your password contains an illegal character"

      Which is fucking useless considering it doesn't tell you which character exactly is forbidden (and they change with every site). Financial institutions pulling this garbage is particularly frustrating because this is one of the cases where I'm willing to go out of my way to use a particularly strong password.

    3. Headley_Grange Silver badge

      They're not protecting you....

      They're protecting themselves. They don't care if your password is weak - as long as there is a password. If it's compromised and you lose money then, as long as the site can show that the loss was caused by someone using correct account and password information, the problem must be that you told someone your password or wrote it down somewhere. This way they don't have to pay up.

  13. Anonymous Coward

    Trouble with a lot of biometrics is people leave them lying around. It would not be that difficult to get some fingerprints from a target without them being any the wiser.

  14. Anonymous Coward

    It's got so ridiculous I spent two hours finding software for storing passwords that works on my desktop, my tablet and my phone, then syncs amongst them as at the last count I need to hold 86 personal passwords with associated websites, 19 gadget passwords at home and 53 work related passwords!

    All I have to do is lose my main password to the password safe and my life is for all intents and purposes kaput!

    1. Headley_Grange Silver badge

      I use mSecure

      It syncs from PC to mobile devices.

  15. Anonymous Coward

    Duress password

    I was told that banks (and other organisations) use your PIN plus or minus one as the duress password. This was from an annoyed security guard after I had just "almost" got my little-used PIN to a secure area right.

    Took me a while to submit this as I couldn't remember what username and password I had used when I created this account years ago!!!

  16. Dadz

    "even your DNA"???

    New DNA-based system: There is a pinkie finger-sized hole. It says "insert finger here."

    When I insert a finger, a clamp locks the finger in place, then a solenoid pricks the finger - drains out some blood for a DNA test - then the clamp unlocks. Five minutes later, the DNA test is complete and I have access. (The system would also check for a pulse and oxygen in the blood to ensure I'm not putting someone else's finger in; it could also scan the fingerprint).

    1. Charles 9

      Dirty needles.

      Hate to be behind the guy with HIV or AIDS who uses the system. And there may be other diseases out there hardy enough to withstand various means of "cleaning" the needle afterward.

  17. Anonymous Coward

    Cards form a new security hazard

    It's partly personal interest and partly for work; but right now I'm checking how well Windows 7 operates using an RFID card reader. So basically assigning specific cards to a specific user account.

    Well, needless to say but Windows 7 is very extensive with this. Merely plugging in the card reader (USB) will already trigger a change in "Admin pop-ups". Instead of having to type in a password you can now also "insert" the assigned card.

    But the problem with this setup should be obvious... It's much easier to simply keep your card lying on the RFID reader and click "OK" as soon as the prompt shows up. As such, while it makes authentication easier, it also increases the risk factor tremendously when dealing with common end-users.

    End users care more about ease of use than security whereas admins and techies sometimes tend to swing a bit too much to the other side of the fence.

    So yes; I think passwords will indeed be around for quite some time to go.

  18. Marty McFly Silver badge

    Still only one factor

    Password = Something you know

    Token = Something you have

    Biometrics = Something you are

    Switching from passwords to biometrics does not enhance security. It only changes it from one factor to another. Now ADDING biometrics to passwords - that will improve security.

  19. OffBeatMammal

    frustration

    the problem is that while there are some quite viable alternatives - YubiKey or the RSA SecurID/VIP app - there's no interoperability and everyone wants to roll their own... and totally pointlessly sites require users to sign up for an account (true even in many cases where you can log in via OAuth... you still have to fill out a profile)

    the niggly little differences in detail (8 characters, 6 characters plus 2 digits, 10 characters with at least one upper case, one digit and one special character, no special characters) just lead to frustration and security-busting solutions like post-it notes. even though I know better I use a password manager solution (though it is one secured with a YubiKey token) but it doesn't help with some banking sites that additionally want me to use an on-screen keyboard and enter specific characters from the password.... aaaaaargh

  20. Peter 48

    more complex isn't the trick

    I would have thought one simple way of improving password security is limiting the number of false entries you can make when trying to enter a password, and in the simplest cases requiring a captcha or similar system to reset the count, or requiring separate verification over the phone or in person (with banks). Also stop requesting the entire password; instead only ask for extracts of it (my bank does that, for example). Using onscreen keyboards where you have to click with the cursor to enter the password / PIN would reduce the risk of keystroke captures. Where PIN numbers or passwords are entered on touch screens they should randomize the position of the entry keypad to reduce the risk of reading your fingerprint smudges. There are numerous methods you could easily use to make passwords & PINs more secure without increasing their complexity.

    1. Charles 9

      Then you end up with false negatives.

      Excerpts of passwords only work if you're able to arbitrarily memorize PARTS of a password, but many people memorize the password by some sort of mnemonic and so go from start to finish; otherwise, they mess up. That could be frustrating in a scenario where you can't type the whole thing and then backtrack (think ATMs). In any event, extracts simply make the malware get a little smarter and recognize that passwords being entered are incomplete. If the malware records the card number, the excerpt, and what the excerpt represents, they'll reconstruct the entire thing after enough fishing. On-screen keyboards with random layouts? Useless to the blind (they need to be able to FEEL the keys, usually by Braille) and powerless against screenreader malware and overlays that can point a camera at the screen. And since you can't physically rearrange a physical keyboard...

  21. J.G.Harston Silver badge

    My one insistence is that passwords should be case insensitive. I remember my password as "fredgardengolfbag" (or whatever). I do NOT remember my password as upper f lower e lower r upper d. It is "fredgardengolfbag".

  22. Anonymous Coward

    Trying to make things secure often makes them very insecure!

    Organisations should think long and hard about how people actually use passwords and how important the data being secured is.

    And remember that the more difficult it is, the more users will write it down (and often stick it on a post-it note on their desk!)

    The Olympic volunteer web site required, IIRC, alphanumeric, mixed case, >8 chars, and the information held is of low to medium importance. I hate to think of the password requirements for their financial and anti-terrorist security depts!

  23. Keep Refrigerated

    2-Part Authentication

    Biometric data should only really be used to complement the password authentication.

    So ideally something like this: You walk up to the ATM and the screen reads, "Hello and welcome back! Your last name begins with 'R' and your first name contains the letter 'E', is this correct?" Then there could be 3 names to choose from for you to select, then enter your password. This could then be used for panic mode... the delay in answering the questions about your identity serves to keep the mugger in the same spot whilst security arrive.

    Rather than using facial recognition though, a much more secure and simpler implementation would be combining methods to identify if more than one person was present at the ATM. So have the customer stand on a pressure pad that calculates the weight, along with a camera that identifies the number of bods present. You could also have a rotating screen slide around the ATM which only has room for one person.

    I've actually seen this kind of thing (weight + sliding screen door) implemented in a security door in Austria. It occasionally refused you access and you had to step out and in again - but this is something the hoi polloi is already conditioned to deal with in other areas.
