* Posts by Jin

45 posts • joined 28 Aug 2012

Citadel Trojan snooped on password managers to snatch victims' logins

Jin

No surprise at all

What has long been anticipated is now happening, just as anticipated. As repeatedly pointed out by many, password managers should be operated in a decentralized formation or should be considered mainly for low-security accounts.

0
0

HALF A BILLION TERRORISTS: WhatsApp encrypts ALL its worldwide jabber

Jin

Need only to break the user's password

Assume that the entropy of the decryption key is 256 bits and that of the user's password is 13 bits (= a 4-digit PIN), and the chances are that the data are lost to criminals who broke the password. It would be no use talking about encryption without talking about a reliable password or identity authentication of the user.

0
3

EVERYTHING needs crypto says Internet Architecture Board

Jin

Not forget password when talking crypto

Assuming that classified data are protected by an encryption key of 256-bit entropy and the program to manage the system is protected by a manager's password such as P@$$WoRd1234, the chances may well be that the system will have been taken over by the criminals or spooks who broke the password rather than by those who tried to attack the 256-bit encryption key. It could be emphasized that sufficiently strong passwords are the key to the safe deployment of cryptography.

0
1

Mastercard and Visa to ERADICATE password authentication

Jin

Re: Biometrics

There is another issue to look at.

Whether static, behavioral or electromagnetic, biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the device finally locked, they would have to see the device reset. It is the same with biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y); that is, devices with Touch ID and other biometric sensors are less secure than devices protected only by a password.

What makes us nervous is the possibility of seeing a picture in which many consumers, trapped in a false sense of security, pile up their assets and privacy in cyberspace while criminal wolves, aware that those consumers are now less safe, silently wait for the pig to grow fat.

As such, it is really worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about "using two factors together".

0
0
Jin

Ghosts cannot kill the password

Many people shout that the password is dead or should be killed dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password. Nor can something that has to be used together with the password (biometrics, auto-login, etc.). Claiming that one of them can kill the password is like claiming to have found a substance that floats in the air and yet sinks in the water.

What can be killed is the text password, not the password. At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

0
0

Home Depot: Someone's WEAK-ASS password SECURITY led to breach

Jin

Need to cope with "Interference of Memory"

Using a strong password does help a lot, even against attacks that crack leaked/stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses, however strongly urged we may be. We are not built like horses.

At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

0
0

Shove over, 2FA: Authentication upstart pushes quirky login tech

Jin

False Acceptance & False Rejection

Excessively depending on "contexts" could well bring the same sort of dilemma as biometrics, i.e., false acceptance versus false rejection, which can be summarized as follows.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the device finally locked, they would have to see the device reset. It is the same with biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y); that is, devices with Touch ID and other biometric sensors are less secure than devices protected only by a password.

0
0

LastPass releases Open Source command line client

Jin

Caveats for ID federations

ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in one basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business, which should desirably be protected by different strong passwords unique to each account. Needless to say, the strength of the master password is crucially important.

Incidentally, at the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

0
0

Apple releases MEGA security patch round for OS X, Server and iTunes

Jin

False Sense of Security

Apple is also expected to do something about the vulnerability that their Touch ID brings: biometrics operated with a password in the OR/disjunction way (as in the case of the iPhone) offer lower security than when only the password is used.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the device finally locked, they would have to see the device reset. It is the same with biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y); that is, devices with Touch ID and other biometric sensors are less secure than devices protected only by a password.

It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about "using two factors together".

0
0

Forget passwords, let's use SELFIES, says Obama's cyber tsar

Jin

The problem is not the password but the text password

Many people shout that the password is dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password. Nor can something that has to be used together with the password (biometrics, auto-login, etc.).

At the root of the password problem is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

It is nice for the cyber czar to have noticed that mobile devices come with cameras. However, neither fingerprints nor selfies sound attractive. Biometrics like fingerprints and face recognition operated together with a password by OR/disjunction (as in the case of Apple's Touch ID) would offer lower security than when only a password is used. As for selfies, how would it be possible to use selfies as an alternative to the password (a shared secret) when our faces are very often exposed together with our identity on the network?

0
0

'Bill Gates swallowing bike on a beach' is ideal password say boffins

Jin

Interference of Memory

That some people can do it does not automatically mean that all or many people can do it. That some can finish a marathon in less than 2.5 hours does not mean that many of us can do the same.

At the root of the password problem is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Most humans are thousands of times better at dealing with image memories than text memories. The former dates back hundreds of millions of years while the latter's history is a small fraction of that. I wonder what merit there is in confining ourselves to the narrow corridor of text memories when CPUs are fast enough, bandwidth is broad enough, memory storage is cheap enough, and cameras are built into mobile devices.

0
0
Jin

Generating high-entropy passwords from hard-to-forget passwords

Generally speaking, hard-to-break passwords are hard to remember. But that is not fate. It would be easily possible to safely manage many such high-entropy passwords with the Expanded Password System that handles images as well as characters. Each image/character is identified by image identifier data, which can be of any length. Assume that your password is "ABC123" and that those characters are identified as X4s&, eI0w, and so on. When you input ABC123, the authentication data that the server receives is not the easy-to-break "ABC123" but something like "X4s&eIwdoex7RVb%9Ub3mJvk", which might be automatically altered periodically or at each access if required.

When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to "ABC123" and the different servers will each receive different high-entropy authentication data. A brute-force attack on "ABC123" and other similarly silly passwords would perhaps take less than a few seconds with dictionaries and automated attack programs, but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

This function of managing strong passwords by weak text passwords is one of the secondary merits of the Expanded Password System.

At the root of the password problem is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Most humans are thousands of times better at dealing with image memories than text memories. The former dates back hundreds of millions of years while the latter's history is a small fraction of that. I wonder what merit there is in confining ourselves to the narrow corridor of text memories when CPUs are fast enough, bandwidth is broad enough, memory storage is cheap enough, and cameras are built into mobile devices.

0
0

Apple slaps a passcode lock on iOS 8 devices, but cops can still inhale your iCloud

Jin

False sense of security that Touch ID brings

I am of the opinion that Apple is expected to do something about the vulnerability that their Touch ID brings: biometrics operated with a password in the OR/disjunction way (as in the case of the iPhone) offer lower security than when only the password is used.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the device finally locked, they would have to see the device reset.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x%) and that of a password (y%). The sum (x% + y% - xy%) is necessarily larger than the vulnerability of a password (y%); that is, devices with Touch ID and other biometric sensors are less secure than devices protected only by a password.

Am I wrong in thinking that this fact should be known to the public?

0
0

Apple is too shallow, must go deeper to beat TouchID fingerprint hack, say securo-bods

Jin

Touch ID and Password/code

Biometrics operated with a password in the OR/disjunction way (as in the case of the iPhone) offer lower security than when only the password is used.

Users can unlock the devices by passwords when falsely rejected by the biometric sensors, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password; that is, devices with Touch ID and other biometric sensors are less secure than devices protected only by a password.

As for an additional vulnerability unique to biometrics, we could refer to

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

Apple should do something about these vulnerabilities if it claims to be security-sensitive.

1
0

Bracelet could protect user herds from lurking PREDATORS

Jin

Nice convenience obtained by abandoning security

Auto-authentication is what we cannot achieve with passwords but can so easily achieve with the likes of these kinds of bracelets and swallowed chips.

We know that the function of having someone else log in to our phone/tablet/PC on our behalf while we are unconscious is already realized by biometrics, as shown in

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

But with the likes of electronic tattoos and hypodermic or swallowed microchips, we can expect third persons to log in to our accounts on our behalf a bit more gently and silently. The third persons would not have to behave very carefully so as not to wake us up. All that they have to do is place our PC/tablet/phone in the vicinity of our unconscious bodies. Then they would have a free hand over our accounts on our behalf.

Some people, for whom convenience is the top priority, might regard this as proof that passwords have fatal drawbacks. I am, however, of the view that this tells us how critical it is to involve confirmation of the user's volition to make the login in identity authentication.

0
0

Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack

Jin

False sense of security

It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about "using two factors together".

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected with the device finally locked, they would have to see the device reset.

Touch ID and other biometric products are operated by (2) so that users can unlock the devices by passwords when falsely rejected, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password; that is, devices with Touch ID and other biometric sensors are less secure than devices protected only by a password.

As for an additional vulnerability unique to biometrics, we could refer to

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

Needless to say, so-called 2-factor systems with a password remembered as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.

I do not quite understand why clever Apple is doing such a silly thing as spreading a false sense of security under the name of security.

0
0

Got your NUDE SELFIES in the cloud? Two-factor auth's your best bet for securing them

Jin

2-factors: Operated by AND/Conjunction or by OR/Disjunction?

2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

I wonder how many people are aware that biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used. Media should let this fact be known to the public lest consumers should be misguided.

I am really worried to see so many people being indifferent to the difference between AND/conjunction and OR/disjunction.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction.

I would appreciate hearing if someone knows of a biometric product operated by (1). The users must have been notified that, when falsely rejected with the device finally locked, they would have to see the device get reset.

Like other biometric products, Apple's iPhones are operated by (2) so that users can unlock the phones by passcodes when falsely rejected, which means that the overall vulnerability is the sum of the vulnerability of biometrics and the vulnerability of a password. It is necessarily larger than the vulnerability of a password.

As for an additional vulnerability unique to biometrics, you may refer to

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

Needless to say, so-called 2-factor systems with a password as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.

0
0
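As an added worked example (my own code, not from the commenter, Apple or any vendor), the following Python turns the x + y - xy arithmetic from this comment and the earlier Touch ID comments into numbers, and contrasts it with the AND composition the comment attributes to password-plus-token 2FA. The passcode space, the lockout budgets and the biometric false-acceptance rate are assumed, illustrative values, not measured figures.

```python
"""Attacker success probability for AND- vs OR-composed authenticators.

Added example: puts numbers on the x + y - xy argument from the comments.
Assumptions (not from the post): a uniformly random numeric passcode with
a lockout after a fixed number of wrong guesses, and a biometric whose
per-presentation false-acceptance rate (FAR) is an illustrative constant,
with the two factors independent of each other.
"""


def or_compose(x: float, y: float) -> float:
    """Either factor alone unlocks (biometric with passcode fallback).

    P(bypass) = 1 - (1 - x)(1 - y) = x + y - xy, never below max(x, y).
    """
    return 1.0 - (1.0 - x) * (1.0 - y)


def and_compose(x: float, y: float) -> float:
    """Both factors required (e.g. remembered password plus possessed token).

    P(bypass) = x * y for independent factors, never above min(x, y).
    """
    return x * y


def passcode_break_prob(space: int, attempts: int) -> float:
    """Chance of guessing a uniformly random code out of `space` candidates
    with `attempts` distinct guesses before the device locks."""
    return min(attempts, space) / space


def biometric_break_prob(far: float, attempts: int) -> float:
    """Chance that at least one of `attempts` presentations (lifted prints,
    other people's fingers, ...) is falsely accepted at per-try FAR."""
    return 1.0 - (1.0 - far) ** attempts


def compare(pin_digits: int = 4, pin_attempts: int = 10,
            far: float = 1 / 50_000, bio_attempts: int = 5) -> dict:
    """Bypass probability of one device under each configuration.

    Defaults are assumed for illustration: a 4-digit PIN with 10 tries
    before wipe, and a fingerprint sensor allowing 5 tries at FAR 1/50,000.
    """
    y = passcode_break_prob(10 ** pin_digits, pin_attempts)
    x = biometric_break_prob(far, bio_attempts)
    return {
        "passcode_only": y,
        "biometric_only": x,
        "or_fallback": or_compose(x, y),   # the comment's case (2)
        "and_both": and_compose(x, y),     # the comment's case (1)
    }


if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name:>14}: {p:.3e}")
```

With the default assumptions the OR-composed device comes out at roughly 1.1e-3 against 1.0e-3 for the passcode alone and 1.0e-7 for the AND composition; the ordering is what matters, and it holds for any x, y in (0, 1), since 1 - (1 - x)(1 - y) is never smaller than either term and x * y is never larger.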

Apple promises iCloud security alerts, better 2FA after, er, NAKED Internet of Thingies flap

Jin

Two caveats

(1) The two-factor authentication could be reliable only when it comes with a reliable password.

2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

(2) Biometrics, whether static, behavioral or electromagnetic, cannot be claimed to be an alternative to passwords UNTIL they stop relying on a password for self-rescue against false rejection altogether while retaining near-zero false acceptance in the real outdoor environment. A dog which depends on a man cannot be an alternative to the man.

I wonder how many people are aware that biometrics operated with a password in the OR/disjunction way (as in the case of the iPhone) offer lower security than when only the password is used. The biometrics industry should let this fact be known to the public lest consumers be misguided.

0
0

Google recommends pronounceable passwords

Jin

Managing very strong passwords by pronounceable passwords

Generally speaking, hard-to-break passwords are hard to remember. But that is not fate. It would be easily possible to safely manage many high-entropy passwords with the Expanded Password System that handles images as well as characters.

Each image/character is identified by image identifier data, which can be of any length. Assume that your password is "bowbow" and that those characters (treated as images) are identified as X4s&, eI0w, and so on. When you input bowbow, the authentication data that the server receives is not the easy-to-break "bowbow" but something like "X4s&eIwdoex7RVb%9Ub3mJvk", which might be automatically altered periodically or at each access if required.

When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to "bowbow" and the different servers will each receive different high-entropy authentication data. A brute-force attack on "bowbow" and other similarly silly passwords would perhaps take less than a few seconds with dictionaries and automated attack programs, but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

2
4

Scared of brute force password attacks? Just 'GIVE UP' says Microsoft

Jin

A way to safely manage hard-to-break passwords

Sufficiently strong passwords are the key. Generally speaking, hard-to-break passwords are hard to remember. But that is not fate. It would be easily possible to safely manage many such high-entropy passwords with the Expanded Password System that handles images as well as characters.

Each image/character is identified by image identifier data, which can be of any length. Assume that your password is "ABC123" and that those characters are identified as X4s&, eI0w, and so on. When you input ABC123, the authentication data that the server receives is not the easy-to-break "ABC123" but something like "X4s&eIwdoex7RVb%9Ub3mJvk", which might be automatically altered periodically or at each access if required.

When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to "ABC123" and the different servers will each receive different high-entropy authentication data. A brute-force attack on "ABC123" and other similarly silly passwords would perhaps take less than a few seconds with dictionaries and automated attack programs, but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

Incidentally, ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in one basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master password is crucially important.

0
0
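As an added example (my own sketch, not the Expanded Password System's code; it serves the identical description in this comment and in the two earlier "ABC123"/"bowbow" comments), the Python below implements the mapping as the comments describe it: each symbol the user can enter is mapped, per server, to a random identifier string kept on the user's device, the client sends the concatenated identifiers, and the server stores only a salted hash of that string. The identifier length and alphabet, the seeded RNG used for reproducibility, and PBKDF2 as the server-side hash are assumptions of this sketch.

```python
"""Sketch of the 'identifier data' mapping described in these comments.

Added example, not the author's implementation.  Each symbol a user can
enter (a character here; an image would simply be another key) maps, per
server, to a random identifier held on the user's device.  The client
sends the concatenated identifiers; the server stores only a salted,
slow hash of that string.  Identifier length/alphabet and PBKDF2 are
assumptions for the sketch.
"""
import hashlib
import hmac
import math
import random
import secrets
import string

SYMBOLS = string.ascii_letters + string.digits     # what the user may type
IDENT_ALPHABET = SYMBOLS + "!@#$%^&*"              # characters used inside identifiers


def make_identifier_table(ident_len: int = 4, rng=None) -> dict:
    """One table per (user, server).  rng is injectable for reproducible tests;
    real deployments would keep the default SystemRandom."""
    rng = secrets.SystemRandom() if rng is None else rng
    return {s: "".join(rng.choice(IDENT_ALPHABET) for _ in range(ident_len))
            for s in SYMBOLS}


def expand(password: str, table: dict) -> str:
    """Replace each typed symbol by its identifier; this is what leaves the client."""
    return "".join(table[ch] for ch in password)


def identifier_entropy_bits(password_len: int, table: dict) -> float:
    """Entropy of the expanded string for an attacker who lacks the table."""
    ident_len = len(next(iter(table.values())))
    return password_len * ident_len * math.log2(len(IDENT_ALPHABET))


def enroll(expanded: str, iterations: int = 20_000) -> tuple:
    """Server side: store (salt, PBKDF2-HMAC-SHA256 digest) of the expanded data."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", expanded.encode(), salt, iterations)


def verify(expanded: str, salt: bytes, digest: bytes, iterations: int = 20_000) -> bool:
    """Server side: constant-time comparison against the stored digest."""
    cand = hashlib.pbkdf2_hmac("sha256", expanded.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


def demo(password: str = "ABC123", seed_a: int = 1, seed_b: int = 2) -> dict:
    """Same weak password enrolled at two servers with different tables.
    Seeded RNGs make the run reproducible; they are not for production."""
    table_a = make_identifier_table(rng=random.Random(seed_a))
    table_b = make_identifier_table(rng=random.Random(seed_b))
    sent_a, sent_b = expand(password, table_a), expand(password, table_b)
    salt, digest = enroll(sent_a, iterations=2_000)
    return {
        "sent_to_a": sent_a,
        "sent_to_b": sent_b,
        "differs_per_server": sent_a != sent_b,
        "verify_correct": verify(sent_a, salt, digest, iterations=2_000),
        "verify_wrong": verify(expand("ABC124", table_a), salt, digest, iterations=2_000),
        "table_secret_bits": identifier_entropy_bits(len(password), table_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points follow from the code rather than from the comment. The roughly 147 bits reported for a six-symbol password are entropy of the table, not of the password: an attacker who obtains the device-side table (or the device itself) is back to guessing "ABC123", so the table has to be protected like a key, and the server should still use a slow hash for the case where the table leaks. Also, because the table lives on the device, the scheme behaves as a device-bound factor; enrolling the same password from a second device requires copying the table.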
Jin

Nice logic!

"They found that requiring strong passwords is a waste of time when other security mechanisms, such as encryption and hashing, are absent or badly implemented." Then requiring safer automobile mechanisms and better traffic regulations would be a waste of time when there are people who drive cars drunk. What nice logic!!

0
0

Hot Celebrity? Stash of SELFIES where you're wearing sweet FA? Get 2FA. Now

Jin

2 may be weaker than 1 in the real world

2 is larger than 1 on paper, but in the real world two weak boys may well be far weaker than one toughened guy. Physical tokens and phones are easily lost or stolen. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

A sufficiently strong password alone could well be more effective than the combination of a weak password and a vulnerable second factor.

1
0

Password manager LastPass goes titsup: Users LOCKED OUT

Jin

Do not put all your eggs in one basket

ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in one basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. And it is now demonstrated that we could be locked out. It could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master password is crucially important, if required in fewer numbers.

0
2

Microsoft: You NEED bad passwords and should re-use them a lot

Jin

Humans are still poor at dealing with texts

What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the whole of our memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

0
0

Popular password protection programs p0wnable

Jin

Only for low security jobs

The maxim is reconfirmed that it is not wise to put many eggs in one basket. Password managers should be recommended only for low-security jobs.

0
0

L337 crackrz use dumb passwords too

Jin

Interference of Memory

It is probably because shrewd hackers also suffer from strong "interference of memory" when using text passwords. This report probably proves how common this cognitive phenomenon is among human beings.

0
0

EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

Jin

Nails given but no hammer given

To say only "changing passwords is a best practice and will help enhance security" is like giving us nails without giving us a hammer. What can we do when we cannot remember any more text passwords, we cannot reuse the same passwords over many accounts and we cannot carry around a memo with passwords on it? And what when 2-factor solutions involve a password, when biometrics involve a password for self-rescue in case of false rejection, and when ID federations (single-sign-on services and password management tools) require the password called a master password?

1
0

Samsung mobes to get an eyeful of your EYE in biometric security bid

Jin

Lower security than passcode-only models

I wonder how many people are aware of the fact that mobile devices with biometric sensors offer lower security than the passcode-only models.

What is the user expected to do when he is falsely rejected in the outdoor environment? Use the passcode. This means that criminals can impersonate the legitimate user by breaking either the biometric sensor or the passcode, meaning that the criminals are given more chances to break in; that is, lower security.

It is really ridiculous to be offered a lower-security solution where higher security is required.

0
0

Adobe hackers strike again: PR Newswire grovels to clients after latest hack'n'grab

Jin

Sticky fingerprints left on server

Where can we read more about "Sticky fingerprints left on server used for Adobe code slurp"?

0
0

Microsoft's swipe'n'swirl pic passwords LESS secure than PINs, warn researchers

Jin

This should be called a picture-assisted gesture password, not a picture password.

Some picture passwords are designed far more wisely. A good example is shown at

http://mneme.blog.eonet.jp/default/files/expanded_password_system.pdf

0
0

Pulse-taking ticker tech cuff to sniff out cash-snafflers

Jin

false rejection versus false acceptance

This could be taken seriously provided the false rejection rate is zero or very close to zero, so that the user will not have to depend on a password for self-rescue in the outdoor environment, where there is no manager to take care of a falsely rejected user. If not, it must be an expensive joke.

0
0

New Android plan: Gurn at your phone to unlock it

Jin

Entertaining indeed

It sounds absolutely entertaining, though it will not help solve the issue of vulnerable passwords. Any personal verification solution which requires a self-rescue password (a password for self-rescue in case of false rejection) can by no means be an alternative to passwords.

0
0

My bleak tech reality: You can't trust anyone or anything, anymore

Jin

Why not try to expand the password memory capacity?

At the bottom of all these headaches is the simple fact that humans cannot firmly remember any more than 5 passwords on average so long as we stick to numbers and text. But it is not impossible to expand the password memory capacity. One such proposition can be found at

http://mneme.blog.eonet.jp/default/files/expanded_password_system.pdf

0
0

Twitter locks down logins by adding two-factor authentication

Jin

Do not forget the value of passwords.

Should the 2-factor authentication be thought to justify the re-use of passwords, our left hand could be losing what we grasped by the right hand.

0
0

Syrian hacktivists hijack Telegraph's Facebook, Twitter accounts

Jin

For safe operation of 2-factor authentication

2-factor solutions would be useful only if the user is well aware that

1. the presence of the 2nd factor does not mean that a weaker password will suffice.

and

2. the 2-factor authentication is far less effective in the outdoor environment than in the indoor environment. In the outdoor environment what critically matters is the remembered password, not the 2nd factor.

0
0

Yahoo! Japan says 22 MEELLION User IDs may have been nabbed

Jin

For those who forgot the password and got locked out, the simplest solution is to forget the locked-out ID and create a new ID. Many of us repeat this many times and it would be easy for a country with 124 million population to have 200 million IDs. The root of this problem is our inherent inability to remember any more than 5 textual passwords, with the difficulty of remembering the relations between the ID and the corresponding password included.

0
0

Ofcom to UK: Really - you're using the same password for everything?

Jin

What is needed is expanding our memory capacity for passwords

This sort of headache can be quickly solved by expanding our memory capacity for passwords. It is not only possible but easily simple, say, just by expanding our memory capacity for passwords by way of making use of pictures, those of autobiographic memory in particular, as well as texts.

0
0

Mozilla's Persona beta adds password-free Yahoo! logins

Jin

Convenient indeed for criminals

Wise people will not put many eggs in a basket.

1
0

Bank whips out palm-recognition kit - and a severed hand won't work

Jin

Are all the would-be criminals so educated as to know this?

The claim that severed hands will not work does not mean that we are safe. How can the bank and Fujitsu be sure that all the would-be criminals are so educated as to be fully aware that severed hands will not work for these or those scientific reasons? The users of this bank should be prepared to be attacked by poorly-educated criminals.

0
0

Evernote joins the notably hackable club

Jin

PASSWORD RESET: Dumping the burden on users' shoulders

Those institutions from whose systems users’ passwords have been leaked might be able to claim that they have done what they should have done by declaring the password reset. But it is not the end of the event. As more and more leaks continue, such password resetting will only shift the burden from their shoulders to those of users who can remember and recall no more than 5 passwords and will now have to

- reuse the limited number of remembered passwords across more of the different accounts, or

- carry around a memo with more of the passwords written on it, or

- put more of the eggs in a basket in case SSO/ID federation is involved

It reads “The usual suggestion, that users choose strong passwords that they don't re-use, will no doubt be ignored by a small-but-significant number of Evernote's customers”. It will certainly be ignored by many, who will perhaps keep grumbling indefinitely without seriously thinking about the practicable alternative to alphanumeric passwords.

1
0

Google squishes login-bypass bug that opened door to hijackers

Jin

2 is larger than 1. Is it "advanced"?

Solutions based on the 2-factor authentication generally provide more or less higher security than 1-factor solutions unless deployed stupidly, not the least because 2 is larger than 1. But it does not mean that it is advanced. The honour of being "advanced" should be given to our ancestors who found that 2 is larger than 1.

0
0

We've slashed account hijackings by 99.7% - Google

Jin

2 is indeed larger than 1

Because 2 is larger than 1, the two-step verification should help increase security. For the same reason the two-step verification is more inconvenient, possibly discouraging the users from signing out.

0
0

Lenovo, PayPal, launch post-password plan

Jin

It sounds like another hype.

2 being larger than 1, it looks obvious that the 2-factor solutions should provide more or less higher security than 1-factor solutions, but with caveats.

1. What works in the unguarded outdoor environment necessarily works as well in the guarded indoor environment, but what works indoor does not necessarily work as well outdoor.

However sophisticated the physical tokens may be, the security obtained by the possession of the token would be lost altogether when the PC/tablet/phone gets stolen together with the physical token. We should not assume that attackers who have the chance to steal the PC/tablet/phone will always refrain from stealing the physical token.

If a password is supposed to stay as another factor against such threats, it is not appropriate to call the scheme a post-password plan.

2. Biometric solutions could be one of the 2 factors only if their false rejection rates are zero when the false acceptance rates are close to zero in the outdoor environment. For they would otherwise require something else (possibly a password) for self-rescue in the outdoor environment where there is no such manager who takes care of the falsely rejected user. The overall security cannot be higher than when only that “something” was used.

Convenience should not be a replacement for security.

0
0

Microsoft beefs up cloud login security in PhoneFactor gobble

Jin

How secure outdoor?

I wonder how safe the scheme is outdoors. It is 100% certain that the user has both the PC/tablet and the phone in/around their body or bags. Can we expect a knowledgeable thief to forget the phone when he can steal the PC/tablet?

This scheme is indeed a 2-factor authentication when the user stays indoors but it is 1.5-factor authentication at best when they move around outdoors. People should be advised to remember the secure enough password/PIN without depending too much on the possession of a phone.

0
1

Dropbox joins the security two-step party

Jin

2-factor authentication: indoor use or outdoor use?

It appears that the benefit of 2-factor authentication is broadly recognized, not the least because OTP can now be sent to smart phones by SMS at very low costs. The benefit is indeed remarkable when the users are in the indoor environment. Is the benefit the same when the users are in the outdoor environment?

What can be relied upon in a dangerous environment can be relied upon in a safe environment, but we cannot say that the reverse is also true. I mean that the indoor environment is relatively much safer than the outdoor.

Some banks tell us that it is a “mistake” to carry a bank card together with a paper with the PIN on it. Then it should also be a mistake to carry a mobile computer, tablet or phone together with a paper with the password on it. Replace such a paper with a token generating OTP or a phone receiving OTP, and what conclusion do you think you would reach?

The PIN/password on a paper proves the identity of the paper, not the identity of the person who holds the paper. OTP generated on a token proves the identity of the token, not the identity of the person who holds the token. OTP received on a phone proves the identity of the phone, not the identity of the person who holds the phone. The structure is the same in all of them.

Those banks abovementioned may be wrong in using the word “mistake”, but we could at least learn that the 2-factor authentication in the outdoor environment is not as beneficial as in the indoor environment, and that, in the outdoor environment, what matters most is the security of the remembered PIN/password rather than the reliability of a paper with the PIN/password on it or a token generating OTP or a phone receiving OTP.

Whether or not we use OTP-generating/receiving tokens/phones, it should still be imperative to enhance the remembered password itself if we want the safe cyber-life in the outdoor environment.

0
0
