* Posts by Jin

57 posts • joined 28 Aug 2012

Page:

Websites that ID you by how you type: Great when someone's swiped your password, but...

Jin

Bypass it if it is difficult to defeat

Criminals can attack the password as well.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

1
0

Biometric behavioural profiling: Fighting that password you simply can't change

Jin

Hopefully not for lower security

Moreover, behavioural biometrics bring down security.

Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

0
0

Mastercard facial recog-ware will unlock your money using SELFIES

Jin

Probably moving in a wrong direction

Whether iris, face, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

0
0

British banks consider emoji as password replacement

Jin

Re-invented?

It appears that what have been around commercially for 15 years is now getting re-invented.

Such a story-involving picture password has, for instance, long been a component of Expanded Password System shown at

http://www.slideshare.net/HitoshiKokumai/death-to-password-no-it-is-given-a-new-life

0
0

Death-to-passwords FIDO Alliance finds a friend at DOCOMO

Jin

FIDO on a wrong path

FIDO is sadly promoting biometrics in a wrong manner.

Biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. Below is a brief slide titled “Password-Dependent Password-Killer” posted with respect to this theme.

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

0
0

'Use 1 capital' password prompts make them too predictable – study

Jin

Wanted is hard-to-forget and yet hard-to-break passwords.

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another. ID federations (single-sign-on services and password managers) create a single point of failure.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

0
0

Got a Samsung Galaxy S5? Crooks can steal your fingerprint – claim

Jin

Another loophole - fallback passwords.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security. You may be interested to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

0
0

Samsung forgets fingerprints, focuses its eye on YOURS

Jin

Password-dependent Password-killer?

Whether fingerprits or iris patters, it would bring down security so long as it is operated together with a fallback password.

Threats that can be thwarted by biometric products operated together with backup passwords (rescue/fallback/ alternative passwords) can be thwarted more securely by a password-only authentication.

We could be certain that biometrics would help for security ONLY WHEN it is operated together with another factor by AND/Conjunction (we need to go through both of the two), NOT WHEN operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience while bringing down the security.

Incidentally, it is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it could be stolen and leaked.)

Such a terrible nonsense as the “password-dependent password-killer” should be killed dead lest the good reputation of biometrics as excellent identification tools for physical security should be damaged. Biometric solutions in cyber space could be recommended to the people who want better convenience, not to the people who need better security so long as they are dependent on the backup/fallback passwords.

0
0

Banks defend integrity of passcode-less TouchID login

Jin

The gate of a fallback password is open to criminals.

For biometrics to displace the password for security, it must stop relying on a password registered in case of false rejection. Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords only.

We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

Biometric solutions could be recommended to the people who want convenience rather than security but should not be recommended to those who want security rather than convenience.

0
0

iBank: RBS, NatWest first UK banks to allow Apple Touch ID logins

Jin

With caveats, not to be trapped in a quagmire

It is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)

We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market which require a backup/fallback password.

Biometric products like Apple's Touch ID are operated by OR/Disjunction so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password, although it is more convenient.

Those banks would need to let their clients know clearly that this new access method using Touch ID is recommended to those people who want the convenience rather than the security, not recommended to those people who want the security more than the convenience.

0
0

Windows 10 to give passwords the finger and dangle dongles

Jin

A couple of misperceptions

It appears there are a couple of misconceptions at FIDO.

It makes no sense to expect a PIN to displace a password because the PIN, a numbers-only short password, belongs to the password. A’ which belongs to A cannot be an alternative to A. It also makes no sense to expect a biometric product operated with a backup/fallback password to displace a password. A+B cannot be an alternative to A.

Biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market which require a backup/fallback password.

Incidentally, it is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)

0
0

Apple wants your fingerprints in the cloud

Jin

False Sense of Security

Why on earth do they endeavour to bring down security by putting biometric sensors on the phones, tablets and PCs which have been somehow protected by passwords?

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords only.

Whether static, behavioural or electromagnetic, biometric products are generally operated together with a password by OR/Disjunction (as against AND/Conjunction that is common for 2-factor authentication) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are even less secure than the devices protected only by a weak password.

These biometric products might look more secure in appearance, but it is just a false sense of security. Many of the consumers, who are trapped in the false sense of security, may well be piling up more of their information assets in the cyber space while some of the criminals, who are aware that those consumers are now less secure, may well be silently waiting for the pig to be fat.

False sense of security about a threat could be even worse than the threat itself. It is a conundrum how it is possible for so many security professionals to remain indifferent to such a nightmarish situation.

2
0

Citadel Trojan snooped on password managers to snatch victims' logins

Jin

No surprise at all

What have long been anticipated are now happening as have been anticipated. As repeatedly pointed out by many, password managers should be operated in a decentralized formation or should be considered mainly for low-security accounts.

0
0

HALF A BILLION TERRORISTS: WhatsApp encrypts ALL its worldwide jabber

Jin

Need only to break the user's password

Assume that the entropy of the decryption key be 256 bits and that of the user's password be 13 bits (= 4 digit PIN), and the chances are that the data are lost to criminals who broke the password. It would be no use talking about encryption without talking about the reliable password or identity authentication of the user.

0
3

EVERYTHING needs crypto says Internet Architecture Board

Jin

Not forget password when talking crypto

Assuming that a classified data be protected by an encryption key of 256-bit entropy and the program to manage the system be protected by a manager’s password such as P@$$WoRd1234, the chances may well be that the system will have been taken over by the criminals or spooks who broke the password rather than those who tried to attack the 256-bit encryption key. It could be emphasized that sufficiently strong passwords are the key for the safe deployment of cryptography..

0
1

Mastercard and Visa to ERADICATE password authentication

Jin

Re: Biometrics

There is another issue to look at.

Whether static, behavioral or electromagnetic, biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate to hear if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

What makes us nervous is the possibility of seeing such pictures that many of the consumers, who are trapped in the false sense of security, are piling up their assets and privacy in the cyber space while some of the criminal wolves, who are aware that those consumers are now less safe, are silently waiting for the pig to grow fat.

As such, it is really worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.

0
0
Jin

Ghosts cannot kill the password

Many people shout that the password is dead or should be killed dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc). Claiming that one of them can kill the password is like claiming to have found a substance that floats in the air and yet sinks in the water.

What can be killed is the text password, not the password. At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

0
0

Home Depot: Someone's WEAK-ASS password SECURITY led to breach

Jin

Need to cope with "Interference of Memory"

Using a strong password does help a lot even against the attack of cracking the leaked/stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.

At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

1
0

Shove over, 2FA: Authentication upstart pushes quirky login tech

Jin

False Acceptance & False Rejection

Excessively depending on "contexts" could well bring the same sort of dilemma as biometrics, i.e., false acceptance versus false rejection, which can be summarized below.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate to hear if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

0
0

LastPass releases Open Source command line client

Jin

Caveats for ID federations

ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account. Needless to say, the strength of the master-password is crucially important.

Incidentally, at the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

0
1

Apple releases MEGA security patch round for OS X, Server and iTunes

Jin

False Sense of Security

Apple is also expected do something about the vulnerability that their Touch ID brings: Biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate to hear if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.

0
0

Forget passwords, let's use SELFIES, says Obama's cyber tsar

Jin

The problem is not the password but the text password

Many people shout that the password is dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc).

At the root of the password problem is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

It is nice for the cyber czar to have noticed that mobile devices come with cameras. However, neither fingerprints nor selfies sound attractive. Biometrics like fingerprints and face recognition operated together with a password by OR/disjunction (as in the case of Apple’s Touch ID) would lower the security than when only a password is used. As for selfies, how would it be possible to use the selfies as an alternative to the password (shared secrets) when our faces are very often exposed with our identity on the network?

0
0

'Bill Gates swallowing bike on a beach' is ideal password say boffins

Jin

Interference of Memory

That some people can do it does not automatically mean that all or many people can do it. That some can finish the marathon for less than 2.5 hours does not mean that many of us can do the same.

At the root of the password problem is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Most of the humans are thousands times better at dealing with image memories than text memories. The former dates back to hundreds of millions of years ago while the latter's history is less than a fraction of it. I wonder what merits we have in confining ourselves in the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras built in mobile devices.

0
0
Jin

Generating high-entropy passwords from hard-to-forget passwords

Generally speaking, hard-to-break passwords are hard-to-remember. But it is not the fate. It would be easily possible to safely manage many of such high-entropy passwords with the Expanded Password System that handles images as well as characters. Each image/character is identified by the image identifier data which can be any long. Assume that your password is “ABC123” and that those characters are identified as X4s&, eI0w, and so on. When you input ABC123, the authentication data that the server receives is not the easy-to-break “ABC123”, but something like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if required.

When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to “ABC123” and the different servers will receive all different high-entropy authentication data. Brute-force attacking of “ABC123” and other similarly silly passwords would perhaps take less than a few seconds with dictionary and automatic attack programs but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

This function of managing strong passwords by weak text passwords is one of the secondary merits of the Expanded Password System.

At the root of the password problem is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Most of the humans are thousands times better at dealing with image memories than text memories. The former dates back to hundreds of millions of years ago while the latter's history is less than a fraction of it. I wonder what merits we have in confining ourselves in the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras built in mobile devices.

0
0

Apple slaps a passcode lock on iOS 8 devices, but cops can still inhale your iCloud

Jin

False sense of security that Touch ID brings

I am of the opinion that Apple is expected do something about the vulnerability that their Touch ID brings: Biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate to hear if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x%) and that of a password (y%). The sum (x% + y% - xy%) is necessarily larger than the vulnerability of a password (y%), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

Am I wrong in thinking that this fact should be known to the public?

0
0

Apple is too shallow, must go deeper to beat TouchID fingerprint hack, say securo-bods

Jin

Touch ID and Password/code

Biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used.

Users can unlock the devices by passwords when falsely rejected by the biometric sensors, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password, say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

As for an additional vulnerability unique to biometrics, we could refer to

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

Apple should do something about these vulnerabilities if it claims to be security-sensitive.

1
0

Bracelet could protect user herds from lurking PREDATORS

Jin

Nice convenience obtained by abandoning security

Auto-authentication is what we cannot achieve with the passwords but we can so easily achieve with the likes of this kinds of bracelet and swallowed chips.

We know that the function of having someone else login to our phone/tablet/PC on our behalf while we are unconscious is already realized by biometrics as shown in

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

But with the likes of electronic tattoos and hypodermic or swallowed microchips, we can expect the third persons to login to our accounts on our behalf a bit more gently and silently. The third persons would not have to behave very carefully not to wake us up. All that they have to do is just placing our PC/tablet/phone in the vicinity of our unconscious bodies. Then they would have a freehand over our accounts on our behalf.

Some people, for whom convenience is the top priority, might regard this as a proof that the passwords have the fatal drawbacks. I am, however, of the view that this tells us how critical it is to involve the confirmation of the users’ volition to make the login for identity authentication.

0
0

Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack

Jin

False sense of security

It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate to hear if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected with the devices finally locked, they would have to see the device reset.

Touch ID and other biometric products are operated by (2) so that users can unlock the devices by passwords when falsely rejected, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password, say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

As for an additional vulnerability unique to biometrics, we could refer to

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

Needless to say, so-called 2-factor systems with a password remembered as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.

I do not quite understand why the clever Apple is doing such a silly thing as spreading the false sense of security under the name of security.

0
0

Got your NUDE SELFIES in the cloud? Two-factor auth's your best bet for securing them

Jin

2-factors: Operated by AND/Conjunction or by OR/Disjunction?

2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

I wonder how many people are aware that biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used. Media should let this fact be known to the public lest consumers should be misguided.

I am really worried to see so many people being indifferent to the difference between AND/conjunction and OR/disjunction.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunctiion or (2) by OR/disjunction.

I would appreciate to hear if someone knows of a biometric product operated by (1). The users must have been notified that, when falsely rejected with the device finally locked, they would have to see the device get reset.

Like other biometric products, Apple's iPhones are operated by (2) so that users can unlock the phones by passcodes when falsely rejected, which means that the overall vulnerability is the sum of the vulnerability of biometrics and the vulnerability of a password. It is necessarily larger than the vulnerability of a password.

As for an additional vulnerability unique to biometrics, you may refer to

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

Needless to say, so-called 2-factor systems with a password as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.

0
0

Apple promises iCloud security alerts, better 2FA after, er, NAKED Internet of Thingies flap

Jin

Two caveats

(1) The two-factor authentication could be reliable only when it comes with a reliable password.

2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

(2) Biometrics, whether static or behavioral or electromagnetic, cannot be claimed to be an alternative to passwords UNTIL it stops relying on a password for self-rescue against the false rejection altogether while retaining the near-zero false acceptance in the real outdoor environment. A dog which depends on a man cannot be an alternative to the man.

I wonder how many people are aware that biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used. Biometrics industries should let this fact be known to the public lest consumers should be misguided,

0
0

Google recommends pronounceable passwords

Jin

Managing very strong password by pronouceable passwords

Generally speaking, hard-to-break passwords are hard-to-remember. But it is not the fate. It would be easily possible to safely manage many of high-entropy passwords with the Expanded Password System that handles images as well as characters.

Each image/character is identified by the image identifier data which can be any long. Assume that your password is “bowbow” and that those characters (treated as images) are identified as X4s&, eI0w, and so on. When you input bowbow, the authentication data that the server receives is not the easy-to-break “bowbow”, but something like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if required.

When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to “bowbow” and the different servers will receive all different high-entropy authentication data. Brute-force attacking of “bowbow” and other similarly silly passwords would perhaps take less than a few seconds with dictionary and automatic attack programs but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

2
4

Scared of brute force password attacks? Just 'GIVE UP' says Microsoft

Jin

A way to safely manage hard-to-break passwords

Sufficiently strong passwords are the key. Generally speaking, hard-to-break passwords are hard-to-remember. But it is not the fate. It would be easily possible to safely manage many of such high-entropy passwords with the Expanded Password System that handles images as well as characters.

Each image/character is identified by the image identifier data which can be any long. Assume that your password is “ABC123” and that those characters are identified as X4s&, eI0w, and so on. When you input ABC123, the authentication data that the server receives is not the easy-to-break “ABC123”, but something like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if required.

When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to “ABC123” and the different servers will receive all different high-entropy authentication data. Brute-force attacking of “ABC123” and other similarly silly passwords would perhaps take less than a few seconds with dictionary and automatic attack programs but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

Incidentally, ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master-password is crucially important.

0
0
Jin

Nice logic!

"They found that requiring strong passwords is a waste of time when other security mechanisms, such as encryption and hashing, are absent or badly implemented." Then requiring safer automobile mechanism and better traffic regulations would be a waste of time when there are people who drive cars drunken. What a nice logic!!

0
0

Hot Celebrity? Stash of SELFIES where you're wearing sweet FA? Get 2FA. Now

Jin

2 may be weaker than 1 in the real world

2 is larger than 1 on paper, but in the real world two weak boys may well be far weaker than one toughened guy. Physical tokens and phones are easily lost or stolen. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

A sufficiently strong password alone could well be more effective than the combination of a weak password and a vulnerable second factor.

1
0

Password manager LastPass goes titsup: Users LOCKED OUT

Jin

Do not put all your eggs in a basket

ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. And it is now demonstrated that we could be locked out. It could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master-password is crucially important, if required in fewer numbers.

0
2

Microsoft: You NEED bad passwords and should re-use them a lot

Jin

Humans are still poor at dealing with texts

What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the whole memory of ours. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

0
0

Popular password protection programs p0wnable

Jin

Only for low security jobs

The maxim is reconfirmed that it is not wise to put many eggs in a basket. Password managers should be recommended only for low-security jobs.

0
0

L337 crackrz use dumb passwords too

Jin

Interference of Memory

It is probably because shrewd hackers also suffer the strong "interference of memory" when using text passwords. This report probably proves how common this cognitive phenomenon is among human beings.

0
0

EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

Jin

Nails given but no hammer given

To say only "changing passwords is a best practice and will help enhance security" is like giving us nails without giving us a hammer. What can we do when we cannot remember any more text passwords, we cannot reuse the same passwords over many accounts and we cannot carry around a memo with passwords on it? And, where 2 factor solutions involves a password, where biometrics involve a password for self-rescue in case of false rejection and where ID federations (single-sign-on services and password management tools) require the password called a master-password?

1
0

Samsung mobes to get an eyeful of your EYE in biometric security bid

Jin

Lower security than passcode-only models

I wonder how many people are aware of the fact that the mobile devices with biometric sensors offers lower security than the passcode-only models.

What the users is expected to do when he is falsely rejected when he is in the outdoor environment? Use the passcode. This means that the criminals can impersonate the legitimate user by breaking either the biometric sensor or the passcode, meaning that the criminals are given more chances to break, say, lower security.

It is really ridiculous to be offered a lower-security solution where higher security is required.

0
0

Adobe hackers strike again: PR Newswire grovels to clients after latest hack'n'grab

Jin

sticky fingerprints left onserver

Where can we read more about "Sticky fingerprints left on server used for Adobe code slurp"?

0
0

Microsoft's swipe'n'swirl pic passwords LESS secure than PINs, warn researchers

Jin

This should be called a picture-assisted gesture password, not a picture password.

Some picture passwords are designed far more wisely. A good example is shown at

http://mneme.blog.eonet.jp/default/files/expanded_password_system.pdf

0
0

Pulse-taking ticker tech cuff to sniff out cash-snafflers

Jin

false rejection versus false acceptance

This could be taken seriously provided the false rejection rates are zero or very close to zero so that the user will not have to depend on a password for self-rescue in the outdoor environment where there is no such manager who takes care of the falsely rejected user. If not, it must be an expensive joke.

0
0

New Android plan: Gurn at your phone to unlock it

Jin

Entertaining indeed

It sounds absolutely entertaining, though it will not help solve the issue of vulnerable passwords. Any personal verification solution which requires a self-rescue password (a password for self-rescue in case of false rejection) can by no means be an alternative to passwords.

0
0

My bleak tech reality: You can't trust anyone or anything, anymore

Jin

Why not try to expand the password memory capcity?

At the bottom of all these headaches is a simple fact that humans cannot firmly remember any more than 5 passwords on average so long as we stick to numbers and texts. But it is not impossible to expand the password memory capacity. One such proposition can be found at

http://mneme.blog.eonet.jp/default/files/expanded_password_system.pdf

0
0

Twitter locks down logins by adding two-factor authentication

Jin

Do not forget the value of passwords.

Should the 2-factor authentication be thought to justify the re-use of passwords, our left hand could be losing what we grasped by the right hand.

0
0

Syrian hacktivists hijack Telegraph's Facebook, Twitter accounts

Jin

For safe operation of 2-factor authentication

2-factor solutions would be useful only if the user is well aware that

1. the presence of the 2nd factor does not mean that a weaker password will suffice.

and

2. the 2-factor authentication is far less effective in the outdoor environment than in the indoor environment. In the outdoor environment what critically matters is the remembered password, not the 2nd factor .

0
0

Yahoo! Japan says 22 MEELLION User IDs may have been nabbed

Jin

For those who forgot the password and got locked out, the simplest solution is to forget the locked-out ID and create a new ID. Many of us repeat this many times and it would be easy for a country with 124 million population to have 200 million IDs. The root of this problem is our inherent inability to remember any more than 5 textual passwords, with the difficulty of remembering the relations between the ID and the corresponding password included.

0
0

Ofcom to UK: Really - you're using the same password for everything?

Jin

What is needed is expanding our memory capacity for passwords

This sort of headache can be quickly solved by expanding our memory capacity for passwords. It is not only possible but easily simple, say, just by expanding our memory capacity for passwords by way of making use of pictures, those of autobiographic memory in particular, as well as texts.

0
0

Mozilla's Persona beta adds password-free Yahoo! logins

Jin

Convenient indeed for criminals

Wise people will not put many eggs in a basket.

1
0

Page:

Forums