Old 11-26-2012, 04:21 PM   #1
Chiefcrowe
Diamond Member
 
 
Join Date: Sep 2008
Posts: 3,739
Kill the Password: Why a String of Characters Can't Protect Us Anymore

http://www.wired.com/gadgetlab/2012/...ord-hacker/all
Old 11-27-2012, 01:49 PM   #2
TuxDave
Lifer
 
 
Join Date: Oct 2002
Posts: 10,493

I would love to live in a world where we don't have to worry about passwords.
__________________
post count = post count + 0.999.....
(\__/)
(='.'=)This is Bunny. Copy and paste bunny into your
(")_(")signature to help him gain world domination.
Old 12-05-2012, 04:25 AM   #3
Visaoni
Senior Member
 
Join Date: May 2008
Posts: 213

I can't say I agree with his conclusion at all.

He isn't wrong about many of the problems with passwords (and more importantly password reset mechanisms), nor is he wrong about the extreme privacy that must be forfeit to move beyond it. I'm not willing to give up that privacy.

He lays out a lot of the solutions to common issues with passwords in that article. Don't reuse passwords, keep multiple email accounts for particular purposes, and don't enter actual information into security questions. A lot of the issues with the above can be solved using a proper password manager.

The bigger issues he brings up, I think, relate to over-the-phone verification using credit card or social security numbers. It is pretty clear those mechanisms are nowhere near as secure as they should be, especially considering these are often used for utilities, banking, etc. Not only are these accounts that hold a lot of important information about you (or your actual money), they are accounts you can't just abandon and remake. You need to be able to maintain access to these accounts regardless, yet they are also the most critical ones to maintain sole control over. I'm still not a fan of giving up additional privacy for these accounts - perhaps some sort of in-person verification could be set up for such instances.
Old 12-05-2012, 01:20 PM   #4
Chiefcrowe
Diamond Member
 
 
Join Date: Sep 2008
Posts: 3,739

I agree with you about the password manager and the insecurity of phone verification.
I think the banking/CC systems need a complete redesign but they don't want to do that because it would cost too much.

Multiple email accounts could be handy though for those who don't want to or can't use a PW manager.
Old 12-05-2012, 02:12 PM   #5
smakme7757
Golden Member
 
 
Join Date: Nov 2010
Location: Norway
Posts: 1,316

At the end of the day you always need something to prove who you are. The only something that can't be stolen or easily faked is biometric data and that's a long way away for a complete roll out to everyday consumers.

A username and a password as a combination is a good thing, but it's being weakened now due to everywhere using your email address as your username. The weakest link will always be the human; I can't foresee any major change in the security paradigm in the next 20 years that will solve that problem.

It's worthwhile noting that it's usually a failing of the system (i.e. unencrypted password database leaked, social engineering, virus sown into a PDF etc.) rather than the user's password which lets an uninvited guest into an account or system. So I'd say passwords still serve their purpose quite well as long as they are implemented correctly and not reused everywhere on the net.
__________________
Currently running Debian 7.1 and Windows 8.1
Blog: http://jack-brennan.com
Old 12-15-2012, 11:42 PM   #6
John Connor
Diamond Member
 
Join Date: Nov 2012
Location: Somewhere with an encrypted radio mocking the NSA
Posts: 8,426

I don't know about the article. He says that he can get into my E-mail by my name; well, I don't use my real name. He says you can get into a web site by checking forgot password; well, the security question I always use is not a simple answer, it's more like a sentence. I use a great add-on for Firefox called PwdHash. Check it out. It was developed by a guy at Stanford.
Old 01-19-2013, 09:53 AM   #7
dyna
Senior Member
 
Join Date: Oct 2006
Posts: 385

Quote:
Originally Posted by smakme7757
At the end of the day you always need something to prove who you are. The only something that can't be stolen or easily faked is biometric data and that's a long way away for a complete roll out to everyday consumers.

A username and a password as a combination is a good thing, but it's being weakened now due to everywhere using your email address as your username. The weakest link will always be the human; I can't foresee any major change in the security paradigm in the next 20 years that will solve that problem.

It's worthwhile noting that it's usually a failing of the system (i.e. unencrypted password database leaked, social engineering, virus sown into a PDF etc.) rather than the user's password which lets an uninvited guest into an account or system. So I'd say passwords still serve their purpose quite well as long as they are implemented correctly and not reused everywhere on the net.

There is already an available technology in RSA token authentication that solves all password problems. When you log in you provide your generic password plus a random set of digits. Blizzard and Bank of America already have had this implemented for years. We need more companies to adopt this to enhance password security.
Old 01-19-2013, 08:02 PM   #8
Oakenfold
Super Moderator
 
 
Join Date: Feb 2001
Posts: 5,741

Quote:
Originally Posted by dyna
There is already an available technology in RSA token authentication that solves all password problems. When you log in you provide your generic password plus a random set of digits. Blizzard and Bank of America already have had this implemented for years. We need more companies to adopt this to enhance password security.

This works great as long as the keys to that algorithm stay secure, as witnessed in the RSA hack. Nothing is 100%, humans are the weakest link. We can use MFA to strengthen the process but it's not absolute.

User education, MFA, and password generating tools to ensure complex, unique passwords that are periodically changed are strong controls.
__________________
Heatware

The ten most dangerous words in the English language are "Hi, I'm from the government, and I'm here to help." Ronald Reagan.

Last edited by Oakenfold; 01-19-2013 at 08:04 PM.
Old 01-19-2013, 08:19 PM   #9
Nintendesert
Diamond Member
 
 
Join Date: Mar 2010
Location: LOLorado.
Posts: 7,761

Quote:
Originally Posted by smakme7757
At the end of the day you always need something to prove who you are. The only something that can't be stolen or easily faked is biometric data and that's a long way away for a complete roll out to everyday consumers.

A username and a password as a combination is a good thing, but it's being weakened now due to everywhere using your email address as your username. The weakest link will always be the human; I can't foresee any major change in the security paradigm in the next 20 years that will solve that problem.

It's worthwhile noting that it's usually a failing of the system (i.e. unencrypted password database leaked, social engineering, virus sown into a PDF etc.) rather than the user's password which lets an uninvited guest into an account or system. So I'd say passwords still serve their purpose quite well as long as they are implemented correctly and not reused everywhere on the net.


The problem I find with biometric data is that once compromised, the person compromised can't ever use that biometric data again. It's not like you can go get a new iris or fingerprints.

I find the one time passwords via token devices as mentioned offered by Blizzard etc. to be far superior. If the system is compromised you can reissue the authenticators and move on.

The biggest issue with passwords is reuse as mentioned in the article and simplicity; this, however, is a byproduct of too many sites each having their own login requirements and each site using your email address as your username.

Once one of these sites fails to secure their passwords via encryption or properly salting their hashes, all your sites are compromised. Anyways, I figure we all know the problems with all this, and I think some of the stories of Google looking to push a token-like login system are nice. I have my issues with Google though and don't have the greatest trust in them doing this. I'm not sure who else would do this but really wish a larger consortium of companies would get together and come to an agreement on a standard for widespread use and deployment of a one time password token system that all sites would use.
__________________
TFP4Life!
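
Added example (not part of any poster's message, and not code from RSA, Blizzard or any vendor named in the thread): a sketch of how a one-time-password token works and why the seed store matters, using the open HOTP/TOTP standards (RFC 4226 / RFC 6238) in place of the proprietary algorithm in RSA tokens. The `Server` class and its method names are hypothetical; it shows the shared seed the verifier must keep secret (post #8) and how reissuing a seed invalidates codes from a compromised one (post #9).

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(seed, int(now) // STEP, digits)


class Server:
    """Hypothetical verifier. It stores the same seed as the token, so a leak
    of this store lets an attacker compute every user's codes."""

    def __init__(self):
        self.seeds = {}      # user -> shared seed
        self.last_used = {}  # user -> last accepted counter (replay guard)

    def issue(self, user: str) -> bytes:
        """Enroll or re-enroll: the fresh seed replaces and invalidates the old one."""
        self.seeds[user] = secrets.token_bytes(20)
        self.last_used.pop(user, None)
        return self.seeds[user]

    def verify(self, user: str, code: str, now: float, window: int = 1) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = int(now) // STEP
        # Accept the neighbouring time steps to tolerate clock drift.
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_used.get(user, -1):
                continue  # already used (or older): reject replayed codes
            if hmac.compare_digest(hotp(seed, counter), code):
                self.last_used[user] = counter
                return True
        return False
```

The code is checked as the second factor alongside the password, never instead of it; the seed store needs the same protection as the password database.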