Boffins demo passwords even users don’t know

What if you could use a password with 38 bits of entropy without memorizing it? Stanford University researchers think they've found a way to deliver. Their argument is that attackers can steal passwords from ill-defended servers, install keyloggers in drive-by attacks, or force people to hand over their security tokens. The …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Eh?

    "The aim is to defeat the 'rubber hose' attack (i.e., beating the information out of some unfortunate insider) – since you can’t divulge what you don’t know."

    So the bad guys sit you in front of a computer and beat you with the hose until you successfully complete the game. If they are particularly cunning they can record your keystrokes (or mouse movements or whatever) and replay the game.

    How does this help?

  2. Paul Renault

    Heck, I don't know most/nearly-all of my passwords.

    And they have much more than 38 bits of entropy.

    Lastpass, FTW!

    1. Aqua Marina

      Re: Heck, I don't know most/nearly-all of my passwords.

      I'm guessing that comment was said tongue in cheek.

      Lastpass is great until say something like this happens http://tinyurl.com/clh26fo

      All your eggs in one basket much.

      1. Paul Renault

        Re: Heck, I don't know most/nearly-all of my passwords.

        I wasn't concerned when the 'breach' happened. (At the time, Lastpass wasn't sure whether some/all of the database had been stolen - but reported suspicious activity.)

        No big deal: Within a day or so of the announcement, I changed my master password and in the next few days, I changed (and muchly strengthened) all of the critical passwords, and some of the less-than-critical ones. This was relatively painless - as it was handled by the Lastpass software.

        And, no, I don't know what most of my passwords are. Heck, I've even displayed some of the 100-plus-character passwords to friends - warning them beforehand that this was their ten-second chance to steal a password of mine. (It always elicited a laugh, once they saw the completely-impossible-to-memorize passphrase...)

  3. Notas Badoff

    Vulnerable to cracks

    Arm in cast means password lost?

    "Sorry boss, no can do, my arthritis is acting up!" "What did you say!? That's ageist!!"

    "What do you mean I've been goofing off? I was learning some new passwords. But for extra extra security I decided these servers on the left were going to be left-handed servers, and I'm right-handed, and so it took me 3 hours to beat the game the first time, and I needed to be sure I'd trained it right and so that's what I've been doing since Monday. I _had_ to check the entropy you see! It's for security purposes!!"

    "Oh by the way, the bring your child to work day had a slight downside this year. Seems that Alex's little Ella got in and reset the master password to the accounting app. Had great fun I hear, playing that game. Anyway, now she's demanding a motorbike before she'll come in and play that game again. She's bored with it now..."

  4. chris lively

    Dumb ass idea. Period.

    First off, the password itself isn't the problem. Most of them are lost due to bad systems security, i.e. dumb programmers who have failed to read (or put into practice) OWASP guidelines.

    Second, even if it was only 5 minutes, that's too long. People would flat out refuse to use it.

    Third, there are a lot of passwords out there that people only use once a month (e.g. paying bills). If all you get is a couple of weeks before you need a relearn then this idea is DOA.

    Morons. I want my tax money back that funded this crap.

  5. Anonymous Coward

    I don't know any of my passwords...

    For years, I've been creating passwords based on patterns of the positions of keys rather than the characters on them. Not obvious patterns like each key along a row, but more complex ones that are still within my ability to remember. Even if threatened, I wouldn't be able to give away my passwords.

    I also use DVORAK keyboard layout, so the patterns end up becoming quite random when converted to a standard QWERTY keyboard.

    Anonymous because I'm revealing my password strategies. :)

  6. Anonymous Coward

    If They Weren't Retard Researchers

    ...they would spend their working time creating a hardware token device which is formally proven correct, from the hardware up to the software running on the device and the services which need to be authenticated. Publish the circuit schematics and the software as open source.

    One-Time PIN generators can be done securely and correctly; no need to use the brain-fucked approach of RSA "Security".

  7. Richard 81

    I can see it working.

    UP, DOWN, LEFT, RIGHT, A, START

    1. Anonymous Coward

      Re: I can see it working.

      Surely DOWN R UP L Y B X A? (Drop the X A if you're not turning Japanese..)

      :D

  8. Andrew Moore

    Already done...

    I've already done this with my ATM pin- I don't know what the number is, just the sequence of movements my fingers make.

  9. sazoo

    If necessary people can remember/reconstruct complex patterns...

    A la...

    123456214365124635216453261435624153621435264153624513265431256413524631256431524613542631456213546123451632456123541632514623156432516342153624156342

    AKA one lead of CS6 - which will mean a lot to some people, and nothing to others, but hundreds of people around the country could recreate that from the description of "1 lead of CS6"

  10. Mystic Megabyte

    Open the pod bay doors Hal

    "Only if you beat me at Pong!"

  11. daveeff

    If you can reproduce it doesn't that mean you know it???

    So do you play the game or just reproduce the key strokes?

    If you actually play the game any small kid who can REALLY play can access everything!

    Either way you can be rubber hosed into reproducing the keys. They could add a polygraph to check you aren't stressed - but having a system deny your password because you aren't relaxed enough would be a stress feedback loop!!!

    The only way to avert rubber hose attacks is to have a dummy login - same username but different password which gives access to a reduced / false a/c and locks / deletes the original. The "hosers" have less incentive to get the real password once they know it is locked - doesn't mean they won't "hose" the victim some more though!

    This would be handy for bank card PINs (I've known people frog-marched to the hole in the wall to withdraw as much as they can & hand it over). If they could enter a secondary PIN which said they only had a tenner left, at the same time alerting the police...

    1. Charles 9

      Re: If you can reproduce it doesn't that mean you know it???

      That's the "plausible deniability" premise behind hidden partitions. You use a normal partition that has only embarrassing information which you'd give under coercion while at the same time keeping hidden in the same place the real goods.

      Thing is, if the hose-users are aware of the possibility, they'll just keep rubber-hosing you to reveal ALL the secrets or hint that they know of the existence of a panic code---which can mean something very permanent to you if they suspect you're using that one instead of the real one.

      The big problem with security at this time is the problem of establishing necessary trust between Bob and Alice when neither have a history of trust (because they've never met before). It's a problem that goes both to physics and psychology and is therefore one of the "hard" problems of security.

    2. Anonymous Coward

      Re: If you can reproduce it doesn't that mean you know it???

      We had this at one facility I worked at: a panic PIN on any card-locked door would open the door in question and then send the entire facility into lockdown. The obvious problem is that the person who entered the panic PIN would then be trapped with the people forcing him to open doors, as the doors were always in pairs and the inner doors could only be opened from the inside or remotely from the security centre (in the event that we had to completely evacuate so no one was left on the inside).
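The duress credential daveeff proposes above (same username, a second password that yields a reduced or false account, locks the real one and raises an alert), written out as an added example. This is not code from any commenter or from the Stanford work; the user names, passwords and balances are constructed for the demo, and the PBKDF2 iteration count is an assumed value. The one design point worth noticing is that both password hashes are compared every time, so that response timing does not tell an observer which credential, if either, was the panic one:

```python
"""Duress ("panic") credential alongside a real one, as an added example."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune per deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (standard library) for both credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(real_pw: str, duress_pw: str, real_account: dict, decoy_account: dict) -> dict:
    """Store one salt and two hashes; at rest the duress hash looks like any other."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "real": hash_password(real_pw, salt),
        "duress": hash_password(duress_pw, salt),
        "real_account": real_account,
        "decoy_account": decoy_account,
        "locked": False,
        "alerts": [],  # stand-in for whatever reaches the security desk / police
    }


def authenticate(users: dict, username: str, password: str):
    """Return ("ok", account), ("duress", decoy) or ("fail", None).

    Both comparisons are always evaluated, with constant-time digest
    comparison, so response time does not reveal which credential matched.
    """
    user = users.get(username)
    if user is None:
        # Burn the same work for unknown users so enumeration by timing is harder.
        hash_password(password, b"\x00" * 16)
        return ("fail", None)
    candidate = hash_password(password, user["salt"])
    is_real = hmac.compare_digest(candidate, user["real"])
    is_duress = hmac.compare_digest(candidate, user["duress"])
    if is_duress:
        # Panic path: hand over the decoy, lock the real account, raise the alarm.
        user["locked"] = True
        user["alerts"].append(f"duress credential used for {username}")
        return ("duress", user["decoy_account"])
    if is_real and not user["locked"]:
        return ("ok", user["real_account"])
    return ("fail", None)


def build_demo_users() -> dict:
    """Constructed sample data: passwords and balances are made up for the demo."""
    return {
        "alice": make_user(
            real_pw="correct horse",
            duress_pw="battery staple",
            real_account={"balance": 12_000, "view": "full"},
            decoy_account={"balance": 10, "view": "decoy"},
        )
    }


if __name__ == "__main__":
    users = build_demo_users()
    print(authenticate(users, "alice", "correct horse"))   # ('ok', full account)
    print(authenticate(users, "alice", "battery staple"))  # ('duress', decoy account)
    print(authenticate(users, "alice", "correct horse"))   # ('fail', None): now locked
```

As Charles 9 notes, once the attacker knows such a scheme exists the lockout itself gives the game away: after the panic password is used, the real password stops working, which is exactly the signal a coercer would look for. The decoy only buys time if it is indistinguishable from a genuine low-value account and the alert reaches someone who can act on it.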

  12. Great Bu

    Access Denied

    I'm sorry - you cannot access your e-mail as you have failed to reach level 40 on WoW.

    Please try again, preferably not as a night elf paladin.

  13. Anonymous Coward

    Looks like the world's worst Guitar Hero clone.

  14. Anonymous Coward

    ugh

    Don't tell the morons who run our corporate Windows fail intranet, and who, contrary to proper security practice, expire passwords all the bloody time, so the users obviously pick something unsafe and tag it with numbers.

    I haven't yet thought of a way to get Bruce Schneieieieieier to come and Falcon Punch them into behaving, but they don't need a shiny idea like this either, no siree :D

  15. Anonymous Coward 15

    A strange game.

    The only winning move is not to play.

  16. Anonymous Coward

    What if you are spectacularly good at Guitar Hero?

    What if you are spectacularly good at Guitar Hero? Good enough that there is no measurable difference between the patterns you've learned and the patterns you haven't - one of those people who gets a Perfect on Free Bird?

  17. lambda_beta

    Brillant!!

    OK, here's the deal. You play the game and then forget you played the game, but remember that you forgot the password. So when you need the password you forget to play the game, in which case you remember the password. But on a quantum level, you can both forget and not forget the password, so play the game and have a beer and remember the password. ... it's really simple and foolproof (and nobody with rubber hoses knows you forgot)!
