23 posts • joined 28 Aug 2012
Do not put all your eggs in a basket
ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in one basket. They remember all my passwords when un-hacked and lose all my passwords to criminals when hacked. And it has now been demonstrated that we could be locked out. They could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master-password is crucially important, even if fewer of them are required.
Humans are still poor at dealing with texts
What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the whole memory of ours. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Only for low security jobs
The maxim is reconfirmed that it is not wise to put many eggs in a basket. Password managers should be recommended only for low-security jobs.
Interference of Memory
It is probably because shrewd hackers also suffer the strong "interference of memory" when using text passwords. This report probably proves how common this cognitive phenomenon is among human beings.
Nails given but no hammer given
To say only "changing passwords is a best practice and will help enhance security" is like giving us nails without giving us a hammer. What can we do when we cannot remember any more text passwords, we cannot reuse the same passwords over many accounts and we cannot carry around a memo with passwords on it? And what about where 2-factor solutions involve a password, where biometrics involve a password for self-rescue in case of false rejection and where ID federations (single-sign-on services and password management tools) require the password called a master-password?
Lower security than passcode-only models
I wonder how many people are aware of the fact that the mobile devices with biometric sensors offer lower security than the passcode-only models.
What is the user expected to do when he is falsely rejected in the outdoor environment? Use the passcode. This means that the criminals can impersonate the legitimate user by breaking either the biometric sensor or the passcode, meaning that the criminals are given more chances to break, say, lower security.
It is really ridiculous to be offered a lower-security solution where higher security is required.
sticky fingerprints left on server
Where can we read more about "Sticky fingerprints left on server used for Adobe code slurp"?
This should be called a picture-assisted gesture password, not a picture password.
Some picture passwords are designed far more wisely. A good example is shown at
false rejection versus false acceptance
This could be taken seriously provided the false rejection rates are zero or very close to zero so that the user will not have to depend on a password for self-rescue in the outdoor environment where there is no such manager who takes care of the falsely rejected user. If not, it must be an expensive joke.
It sounds absolutely entertaining, though it will not help solve the issue of vulnerable passwords. Any personal verification solution which requires a self-rescue password (a password for self-rescue in case of false rejection) can by no means be an alternative to passwords.
Why not try to expand the password memory capacity?
At the bottom of all these headaches is a simple fact that humans cannot firmly remember any more than 5 passwords on average so long as we stick to numbers and texts. But it is not impossible to expand the password memory capacity. One such proposition can be found at
Do not forget the value of passwords.
Should the 2-factor authentication be thought to justify the re-use of passwords, our left hand could be losing what we grasped by the right hand.
For safe operation of 2-factor authentication
2-factor solutions would be useful only if the user is well aware that
1. the presence of the 2nd factor does not mean that a weaker password will suffice.
2. the 2-factor authentication is far less effective in the outdoor environment than in the indoor environment. In the outdoor environment what critically matters is the remembered password, not the 2nd factor.
For those who forgot the password and got locked out, the simplest solution is to forget the locked-out ID and create a new ID. Many of us repeat this many times and it would be easy for a country with 124 million population to have 200 million IDs. The root of this problem is our inherent inability to remember any more than 5 textual passwords, with the difficulty of remembering the relations between the ID and the corresponding password included.
What is needed is expanding our memory capacity for passwords
This sort of headache can be quickly solved by expanding our memory capacity for passwords. It is not only possible but also quite simple, say, just by expanding our memory capacity for passwords by way of making use of pictures, those of autobiographical memory in particular, as well as texts.
Convenient indeed for criminals
Wise people will not put many eggs in a basket.
Are all the would-be criminals so educated as to know this?
The claim that severed hands will not work does not mean that we are safe. How can the bank and Fujitsu be sure that all the would-be criminals are so educated as to be fully aware that severed hands will not work for these or those scientific reasons? The users of this bank should be prepared to be attacked by poorly-educated criminals.
PASSWORD RESET: Dumping the burden on users' shoulders
Those institutions from whose systems users’ passwords have been leaked might be able to claim that they have done what they should have done by declaring the password reset. But it is not the end of the event. As more and more leaks continue, such password resetting will only shift the burden from their shoulders to those of users who can remember and recall no more than 5 passwords and will now have to
- reuse the limited number of remembered passwords across more of the different accounts, or
- carry around a memo with more of the passwords written on it, or
- put more of the eggs in a basket in case SSO/ID federation is involved
It reads “The usual suggestion, that users choose strong passwords that they don't re-use, will no doubt be ignored by a small-but-significant number of Evernote's customers”. It will certainly be ignored by many, who will perhaps keep grumbling indefinitely without seriously thinking about the practicable alternative to alphanumeric passwords.
2 is larger than 1. Is it "advanced"?
Solutions based on the 2-factor authentication generally provide more or less higher security than 1-factor solutions unless deployed stupidly, not the least because 2 is larger than 1. But it does not mean that it is advanced. The honour of being "advanced" should be given to our ancestors who found that 2 is larger than 1.
2 is indeed larger than 1
Because 2 is larger than 1, the two-step verification should help increase security. For the same reason the two-step verification is more inconvenient, possibly discouraging the users from signing out.
It sounds another hype.
2 being larger than 1, it looks obvious that the 2-factor solutions should provide more or less higher security than 1-factor solutions, but with caveats.
1. What works in the unguarded outdoor environment necessarily works as well in the guarded indoor environment, but what works indoor does not necessarily work as well outdoor.
However sophisticated the physical tokens may be, the security obtained by the possession of the token would be lost altogether when the PC/tablet/phone gets stolen together with the physical token. We should not assume that attackers who have the chance to steal the PC/tablet/phone will always refrain from stealing the physical token.
If a password is supposed to stay as another factor against such threats, it is not appropriate to call the scheme a post-password plan.
2. Biometric solutions could be one of the 2 factors only if their false rejection rates are zero when the false acceptance rates are close to zero in the outdoor environment. For they would otherwise require something else (possibly a password) for self-rescue in the outdoor environment where there is no such manager who takes care of the falsely rejected user. The overall security cannot be higher than when only that “something” was used.
Convenience should not be a replacement for security.
How secure outdoor?
I wonder how safe the scheme is outdoor. It is 100% certain that the user has both the PC/tablet and the phone in/around their body or bags. Can we expect a knowledgeable thief to forget the phone when he can steal the PC/tablet?
This scheme is indeed a 2-factor authentication when the user stays indoor but it is 1.5-factor authentication at best when they move around outdoor. People should be advised to remember the secure enough password/PIN without depending too much on the possession of a phone.
2-factor authentication: indoor use or outdoor use?
It appears that the benefit of 2-factor authentication is broadly recognized, not the least because OTP can now be sent to smart phones by SMS at very low costs. The benefit is indeed remarkable when the users are in the indoor environment. Is the benefit the same when the users are in the outdoor environment?
What can be relied upon in a dangerous environment can be relied upon in a safe environment, but we cannot say that the reverse is also true. I mean that the indoor environment is relatively much safer than the outdoor.
Some banks tell us that it is a “mistake” to carry a bank card together with a paper with the PIN on it. Then it should also be a mistake to carry a mobile computer, tablet or phone together with a paper with the password on it. Replace such a paper with a token generating OTP or a phone receiving OTP, and what conclusion do you think you would reach?
The PIN/password on a paper proves the identity of the paper, not the identity of the person who holds the paper. OTP generated on a token proves the identity of the token, not the identity of the person who holds the token. OTP received on a phone proves the identity of the phone, not the identity of the person who holds the phone. The structure is the same in all of them.
Those banks abovementioned may be wrong in using the word “mistake”, but we could at least learn that the 2-factor authentication in the outdoor environment is not as beneficial as in the indoor environment, and that, in the outdoor environment, what matters most is the security of the remembered PIN/password rather than the reliability of a paper with the PIN/password on it or a token generating OTP or a phone receiving OTP.
Whether or not we use OTP-generating/receiving tokens/phones, it should still be imperative to enhance the remembered password itself if we want the safe cyber-life in the outdoor environment.