Why 20 years?
Passwords have been used for centuries because they work.
Late last year IBM reckoned biometrics would finally replace the password within the next five years. The prediction was part of a series that also speculated that the digital divide would cease to exist and that mind-reading technology would become a possibility. But, at least on the subject of passwords, new research from …
That was when you only had to remember one, and it was 'simple', and invariably permanent.
Now we have literally dozens, most must meet a minimum strength criteria, and all expire after xx days.
You're correct - passwords do work, but it's the fleshy bit using them that's reaching its operational limit.
I share your concerns but not your opinion. I mean; while it is true that we now have a dozen different passwords to consider, we now /also/ have a dozen different tools which can help us in that process.
For starters; using programs like pwgen (also available on Windows). And second; using a password vault. Even modern browsers like Firefox or SeaMonkey can store your passwords in a database so that you can still have dozens of different passwords while it's still easy to use.
So I don't think it's reaching its limits; we simply need to extend on it. Use the 'One' password to protect the rest.
Then you have the issue that oppressive regimes will routinely take biometrics of their citizens for ID purposes - passport anyone? Oh, we'll need your fingerprints and an iris scan. Wow, we can now access your bank details, computer etc and share these biometrics with the local council just like we allow them to use RIPA terrorism intended laws to investigate rogue dogshit. I'd rather forget a password than carry around a biometric anyone can access.
Add to that, the technology involved is likely to have many flaws that can and will be compromised.
The simplicity of a password is its strength. It's easy to use and, so long as a large enough word is used, using upper and lower case and including numbers and punctuation, it is quite secure. It's just a matter of how secure the platform it is being used on is.
ATMs should have two PIN numbers in use: your real one and a duress code. The duress code should still issue funds, but alert the local law enforcement and automatically focus the local CCTV system on the area. The money it issues should have some sort of trace attached to it, like SmartWater, so that the perpetrator can be traced more easily. Or get rid of cash altogether.
The best way to beat criminals is to make it not worthwhile or worth the risk.
Now, where the hell did I put my wallet?
You're much better off using a correctly punctuated pass phrase than some 8-character alphanumeric password.
It is many orders of magnitude easier to bust:
'ytZo0&5x' (100ish hours)
than it is to bust
"My mum really likes a mango on a Monday" (10^50ish years)
One you will not remember 1s after reading it; the other you have already remembered.
If you shop with a CC (in the US at least - I haven't been able to verify if something similar exists in the UK) and hear your clerk say the words "I have a Code 10 Authorisation Request" whilst manually attempting your payment, prepare yourself for a visit from the Fraud Squad...
Fingerprint is fine for a closed system like a bank ATM. I already don't trust no-name ATMs, and a fingerprint scanner would not help.
But if I use a fingerprint (or other biometric) reader to log onto internet banking then that fingerprint has to be converted into a number, and if that is intercepted by bad guys (the same way a password can be today) then I'm screwed. I can change my password but I can't change my fingerprint.
Sure they are going to transmit the fingerprint encrypted but I'm sure someone is going to crack it when there is lots of money involved. Or we will see fake fingerprint scanners like the fake card readers they have today.
"Sure they are going to transmit the fingerprint encrypted but I'm sure someone is going to crack it when there is lots of money involved"
When they are designing such a system, they are going to make some assumptions.
The first assumption is going to be that the system is going to be secure enough that nobody is going to be able to intercept the digitized fingerprint.
The second assumption is going to be that if someone was to possibly intercept the digitized fingerprint, then injecting the numbers back in is going to be twice as hard.
The third assumption is going to be that it is going to be impossible to get past the first two assumptions, so encrypting the fingerprint info is going to be time consuming and a waste of man hours...
They will most likely buy in some cheap encryption (probably already compromised, like ON Digital / ITV Digital did) or just reverse the data stream of the digitized fingerprint... then go to the pub...
These are the people entrusted with keeping our money safe, don't forget... look at the track record...
Many organizations have a clause in their Ts&Cs stating that passwords must not be written down. Many people who have, say, 40+ logins to remember write their passwords down in some way or other. I foresee a court case in the not too distant future where, after losing money due to someone stealing his/her list of passwords, a user claims that such a contract clause is unreasonable on the basis that an average person cannot be expected to remember dozens of different passwords, after which banks, shopping sites, etc. will find an alternative to passwords.
I paste them into a little C program that mangles them and it spits out a horrible password like "fjbit1eUuQspStjfphxt"
which I then paste into whatever.
Needless to say the password program is owned by root and is only executable.
For SSH access I also use a highly unusual username which is the only account on my server that is allowed SSH access
Rainbow tables only 'work' if you have access to the hash on the target system. If you are having to attack it as a normal user then anything that puts the mean-time-to-breach at a few attempts per second (or whatever limit is applied on multiple failures) to hundreds of years is fine.
The XKCD argument was based on that premise.
If they have full access to the target to get the hashes, they probably have that system owned. They can also reverse your password, but if you have easy phrases that differ, there's no advantage for other sites.
What is needed is:
A) Easy but strong choices.
B) Several of them, so little is shared to compromise via honeypot sites.
C) Means of dealing with infested PCs that allow a local attack using the just-gathered information for a given site.
I think (C) is the hardest to deal with following XKCD-like education.
There are 225,000 words in Webster's dictionary.
Four random words produce a possible 2562890625000000000000 combinations.
A ten character password using entirely random characters, assuming 100 available characters, produces a possible 100000000000000000000 combinations, or rather 1/25 as many as the four words option.
That's a little silly...
To meet the requirement of being easy to remember, the password must be limited to words that the owner actually knows. To the average English speaker, that limits the range to something between 15,000 and 30,000 words.
If you put someone on the spot and tell them to 'think of four words', I'd bet a small fortune that at least 50% of the subjects would come up with four words chosen from a pool of no more than 2,000 in total, and 90% would have two or three words chosen from that pool.
So the *probable* range of passwords using this system is closer to 16,000,000,000,000.
Of course the *probable* range of passwords using 'random' characters is much smaller, too, since the huge majority of people base their 'random characters' on English words, and even serious security geeks tend heavily towards letters and numbers.
Bottom line: this is a silly calculation.
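To make the two comments above reproducible, here is a small added calculation (not from either commenter) that turns a vocabulary size and a length into search-space size, guessing entropy and worst-case exhaustion time; the 1e10 guesses/second offline rate is an assumed figure, not one the thread states.

```python
import math

# Search-space parameters quoted in the two comments above.
WEBSTER_WORDS = 225_000      # "225,000 words in Webster's dictionary"
COMMON_POOL = 2_000          # the ~2,000-word pool most people actually draw from
RANDOM_ALPHABET = 100        # "assuming 100 available characters"


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates when each of `length` positions is drawn uniformly from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Guessing entropy in bits for a secret chosen uniformly from `space` candidates."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time in years to try every candidate at a fixed offline guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Side-by-side view of the three schemes discussed; the rate is an assumed GPU-class figure."""
    schemes = {
        "4 words, full dictionary": search_space(WEBSTER_WORDS, 4),
        "4 words, common pool": search_space(COMMON_POOL, 4),
        "10 random chars": search_space(RANDOM_ALPHABET, 10),
    }
    return {
        name: (space, round(entropy_bits(space), 1), years_to_exhaust(space, guesses_per_second))
        for name, space in schemes.items()
    }
```

The point the second commenter makes falls out directly: drawing from the 2,000-word pool people actually use costs about 27 bits relative to the full dictionary, which is what turns a centuries-long search into a feasible one.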
Rainbow tables are exactly the reason that one should, at the very least, sprinkle a decent amount of salt over passwords - about 128 crypto-random bits on each password should get the ball rolling.
As for brute force or basic dictionary attacks, these are a different kettle-o-fish, but there are relatively trivial ways to /assist/ in reducing exposure.
The problem is there are a lot of commercial systems out there that still don't even take the most rudimentary of data security precautions. 'Reap what you sow' I suppose.
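An added illustration (not the commenter's code) of the salting advice above: each password gets its own 128 random bits of salt, a slow key-derivation function in place of a bare hash, and a constant-time comparison on verification. PBKDF2-HMAC-SHA256 from the standard library is used here; the iteration count is an assumed budget to tune per deployment.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BYTES = 16          # 128 crypto-random bits of salt per password, as suggested above
ITERATIONS = 600_000     # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    Storing the salt and work factor alongside the digest lets verification
    recompute exactly what was stored, and lets the work factor be raised later.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:          # malformed record, bad hex, non-integer iterations
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_different_records(password: str) -> bool:
    """Why per-user salt defeats precomputed (rainbow) tables: two users choosing the
    same password end up with unrelated records, so one table cannot cover both."""
    a, b = hash_password(password), hash_password(password)
    return a != b and verify_password(password, a) and verify_password(password, b)
```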
"But that’s fiction. In reality, ATM cameras using facial and iris recognition may be able to detect stress, pupil dilation, and changes in heart rate and breathing patterns to establish a confidence level that the user is not in danger."
Great, so you have to be in a nice calm state in order to get into a system?? Buggered any time I'm running late, just been to the gym, stressed 'cos the boss needs something NOW, shivering 'cos it's cold, etc...
We've got nice things like TOTP these days; that's the sort of stuff that Google uses to provide 2-factor authentication for Gmail using, e.g., an Android app. Hardware token systems could work just fine if they could be configured by the end user (or employer). I have some nice TOTP and HOTP tokens here... the security issue with those is that the vendor knows which serial numbers they sold to me, which presents an avenue of attack, assuming the attackers could also get my password.
Don't assume that one corporation's greed (they wanted centralised control of the system to protect their income stream) and ineptitude means the underlying system is broken.
I'd also suggest that public key cryptosystems can exist separately from a formal PKI. I've been quite happy with my SSH keys, for example, though they require a little more care than 'normal' users might be expected to exercise.
I've given up trying to remember passwords. Where I can, I set a long password completely at random and make no attempt to remember it. Then, the next time I need to log in, I request a new password.
There are two flaws in this approach, but I feel the freedom from having to remember random alphanumeric words that need to be changed every 30 days is worth it.
Flaw 1: I have to wait around for the new password to be generated and emailed to me.
Flaw 2: I'd be completely unable to reveal my amazon.com password even if under torture and at risk of death.
Why not use a password manager?
I use 1Password on my Macs & iPhone. When creating an account on any website, I let 1Password generate a random 16-digit password [mixture of upper and lower case and digits]. Then when I revisit that site, I just hit CMD+\ and enter my password for 1Password itself in a popup and 1Password automatically fills in the login details for me.
I've no idea what my passwords are, for most of the sites I frequent. I just let 1Password remember all that crap for me. And it syncs wirelessly across all my gadgets too, which is nice.
[Disclaimer: No relation. No personal interest in the company etc. Just a satisfied customer. Other password managers are available]
Nah, you just save the super password inside an unrelated Excel or txt document somewhere on your PC. That's what I do, and unless someone starts reading each and every file on my computer (and knows what they are looking for) I think it's secure enough.
Now, if you manage to forget not only the super password but also the place where you saved it... you have bigger things to worry about, such as that Alzheimer's...
...the fact that your hard drive crashed and the backup failed. Or you're trying to access the passwords from your phone where the secret password isn't kept for security reasons.
1Password sounds interesting, but I hear the Android interface isn't well polished. I would also like to have a cloud sync to say Dropbox in case I change machines or phones (had a phone break--thank goodness for a phone insurance plan). Perhaps if there was an alternative...
When you have to enter it about a dozen times a day, the (current) super password for my password database will likely be the very last thing that sticks in my rapidly declining grey matter at the terminal moment. What a sad thought...
(Actually, I've started to memorize some of the *completely random* passwords my password generator generates. Amazing that you can memorize 12 random characters, which don't form anything even vaguely pronounceable, if you have to enter them manually maybe twenty times... the one I always recall is my wireless password, which I'm always entering on different devices and so can't just copy/paste from the manager.)
Nowadays a password that lets you into the bank has to be inconveniently long to be safe. So some arrangement is needed whereby you input a short personal authentication into a device that you and the service that you're using both trust - like an ATM. That device is the other part of the dual key.
Someone has probably thought of this already, but if someone's phone is fitted with an NFC device, even something innocuous fitted in the battery compartment, then the physical presence of the phone can also be used as a partial authorisation.
If the person leaves the workstation and takes their phone with them, then the system logs them off, or locks the workstation, etc.
Good idea, or a load of crap?
"In reality, ATM cameras using facial and iris recognition may be able to detect stress, pupil dilation, and changes in heart rate and breathing patterns to establish a confidence level that the user is not in danger."
"It says it won't let me take any money out as I am stressed by all this mugging business, so put the knife away OK Mr Mugger?"
So how long before the knife is put to good use cutting out/off the required body part to get the scanner to work?
As a consultant working at multiple sites, they really have become a pain in the backside.
Each site has different timeouts, different rules (and they sometimes change).
The amount of time lost, due to having to reset passwords mounts up fairly quickly.
Even a well maintained encrypted password solution has its limitations (i.e. I forgot the password that was reset just before I went on holiday). Hard disk crashed and the last good backup was two weeks old. (How many of us have nightly backups of our laptops?)
What really winds me up is when sites ask you to set a password and then reject it for failing to meet various requirements that [and this is the really teethgrindingly annoying bit] they didn't tell you about in the first place:
• Sorry. Your password must be at least six letters
• Sorry. Your password must contain at least one number
• Sorry. Your password cannot contain all numbers
• Sorry. Your password must contain both upper and lower case
• Sorry. Your password cannot be a dictionary word
I start out with an idea for a password, which is secure enough for the risk level associated with the site in question, and which I can remember, but then, by the time I've jumped through all their ridiculous hoops to make it conform to their idea of what constitutes a secure password, it's so far removed from what I started off with that I have to write it down myself, so I'll remember it. Which kinda defeats the purpose!
Choose your password - must contain at least 8 characters:
"Try h@cking this 5uckaz!!! &" Secure Meter: 
***Special chars not allowed!***
"Try hacking this 5uckaz" Secure Meter: 
***Spaces not allowed!***
"Tryhackingthis5uckaz" Secure Meter: 
"passw0rd" Secure Meter:  OGMZ SO SECURE!
*** This is good - Proceed! ***
or my most hated one:
"your password contains an illegal character"
Which is fucking useless considering it doesn't tell you which character exactly is forbidden (and they change with every site). Financial institutions pulling this garbage is particularly frustrating because this is one of the cases where I'm willing to go out of my way to use a particularly strong password.
They're protecting themselves. They don't care if your password is weak - as long as there is a password. If it's compromised and you lose money then, as long as the site can show that the loss was caused by someone using correct account and password information, the problem must be that you told someone your password or wrote it down somewhere. This way they don't have to pay up.
It's got so ridiculous I spent two hours finding software for storing passwords that works on my desktop, my tablet and my phone, then syncs amongst them as at the last count I need to hold 86 personal passwords with associated websites, 19 gadget passwords at home and 53 work related passwords!
All I have to do is lose my main password to the password safe and my life is for all intents and purposes kaput!
I was told that banks (and other organisations) use your PIN plus or minus one as the duress password. This was from an annoyed security guard after I had just "almost" got my little-used PIN to a secure area right.
Took me a while to submit this as I couldn't remember what username and password I had used when I created this account years ago!!!
New DNA-based system: There is a pinkie finger-sized hole. It says "insert finger here."
When I insert a finger, a clamp locks the finger in place, then a solenoid pricks the finger - drains out some blood for a DNA test - then the clamp unlocks. Five minutes later, the DNA test is complete and I have access. (The system would also check for a pulse and oxygen in the blood to ensure I'm not putting someone else's finger in; it could also scan the fingerprint).
It's partly personal interest and partly for work, but right now I'm checking how well Windows 7 operates using an RFID card reader. So basically assigning specific cards to a specific user account.
Well, needless to say, Windows 7 is very extensive with this. Merely plugging in the card reader (USB) will already trigger a change in "Admin pop-ups". Instead of having to type in a password you can now also "insert" the assigned card.
But the problem with this setup should be obvious... It's much easier to simply keep your card lying on the RFID reader and click "OK" as soon as the prompt shows up. As such, while it makes authentication easier, it also increases the risk factor tremendously when dealing with common end-users.
End users care more about ease of use than security whereas admins and techies sometimes tend to swing a bit too much to the other side of the fence.
So yes; I think passwords will indeed be around for quite some time to go.
The problem is that while there are some quite viable alternatives - YubiKey or the RSA SecurID/VIP app - there's no interoperability and everyone wants to roll their own... and totally pointlessly sites require users to sign up for an account (true even in many cases where you can log in via OAuth... you still have to fill out a profile).
The niggly little differences in detail (8 characters, 6 characters plus 2 digits, 10 characters with at least one upper case, one digit and one special character, no special characters) just lead to frustration and security-busting solutions like post-it notes. Even though I know better I use a password manager solution (though it is one secured with a YubiKey token) but it doesn't help with some banking sites that additionally want me to use an on-screen keyboard and enter specific characters from the password.... aaaaaargh
I would have thought one simple way of improving password security is limiting the number of false entries you can make when trying to enter a password and in the simplest cases require a captcha or similar system to reset the count or require separate verification over the phone or in person (with banks). Also stop requesting the entire password, instead only ask for extracts of it (my bank does that for example). Use onscreen keyboards where you have to click with the cursor to enter the password / pin would reduce the risk of keystroke captures. Where pin numbers or passwords are entered on touch screens they should randomize the position of the entry keypad to reduce the risk of reading your fingerprint smudges. There are numerous methods you could easily use to make passwords & pins more secure without increasing their complexity.
Excerpts of passwords only work if you're able to arbitrarily memorize PARTS of a password, but many people memorize the password by some sort of mnemonic and so go from start to finish: otherwise, they mess up. That could be frustrating in a scenario where you can't type the whole thing and then backtrack (think ATMs). In any event, extracts simply make the malware get a little smarter and recognize that passwords being entered are incomplete. If the malware records the card number, the excerpt, and what the excerpt represents, they'll reconstruct the entire thing after enough fishing. On-screen keyboards with random layouts? Useless to the blind (they need to be able to FEEL the keys—usually by Braille) and powerless against screenreader malware and overlays that can point a camera at the screen. And since you can't physically rearrange a physical keyboard...
Organisations should think long and hard about how people actually use passwords and how important the data being secured is.
And remember that the more difficult it is, the more users will write it down (and often stick it on a post-it note on their desk!)
The Olympic volunteer web site required IIRC alphanumeric, mixed case, >8 chars, and the information held is of low to medium importance. I hate to think of the password requirements for their financial and anti-terrorist security depts!
Biometric data should only really be used to complement the password authentication.
So ideally something like this: You walk up to the ATM and the screen reads, "Hello and welcome back! Your last name begins with "R" and your first name contains the letter "E", is this correct? Then there could be 3 names to choose from for you to select, then enter your password. This could then be used for panic mode... the delay in answering the questions about your identity serve to keep the mugger in the same spot whilst security arrive.
Rather than using facial recognition though, a much more secure and simpler implementation, would be combining methods to identify if more than one person was present at the ATM. So have the customer stand on a pressure pad that calculates the weight, along with a camera that identifies number of bods present. You could also have a rotating screen slide around the ATM which only has room for one person.
I've actually seen this kind of thing (weight + sliding screen door) implemented in a security door in Austria. It occasionally refused you access and you had to step out and in again - but this is something the hoi polloi is already conditioned to deal with in other areas.
Biting the hand that feeds IT © 1998–2019