Kill the Password: Why a String of Characters Can’t Protect Us Anymore

Discussion in 'Security' started by Chiefcrowe, Nov 26, 2012.


  2. TuxDave

    TuxDave Lifer

    I would love to live in a world where we don't have to worry about passwords.
     
  3. Visaoni

    Visaoni Senior member

    I can't say I agree with his conclusion at all.

    He isn't wrong about many of the problems with passwords (and more importantly password reset mechanisms), nor is he wrong about the extreme privacy that must be forfeited to move beyond it. I'm not willing to give up that privacy.

    He lays out a lot of the solutions to common issues with passwords in that article. Don't reuse passwords, keep multiple email accounts for particular purposes, and don't enter actual information into security questions. A lot of the issues with the above can be solved using a proper password manager.

    The bigger issues he brings up, I think, relate to over-the-phone verification using credit card or social security numbers. It is pretty clear those mechanisms are nowhere near as secure as they should be, especially considering these are often used for utilities, banking, etc. Not only are these accounts that hold a lot of important information about you (or your actual money), they are accounts you can't just abandon and remake. You need to be able to maintain access to these accounts regardless, yet they are also the most critical ones to maintain sole control over. I'm still not a fan of giving up additional privacy for these accounts - perhaps some sort of in-person verification could be set up for such instances.
     
  4. Chiefcrowe

    Chiefcrowe Diamond Member

    I agree with you about the password manager and the insecurity of phone verification.
    I think the banking/CC systems need a complete redesign but they don't want to do that because it would cost too much.

    Multiple email accounts could be handy though for those who don't want to or can't use a PW manager.
     
  5. smakme7757

    smakme7757 Golden Member

    At the end of the day you always need something to prove who you are. The only something that can't be stolen or easily faked is biometric data and that's a long way away for a complete roll out to everyday consumers.

    A username and a password as a combination is a good thing, but it's being weakened now due to everywhere using your email address as your username. The weakest link will always be the human; I can't foresee any major change in the security paradigm in the next 20 years that will solve that problem.

    It's worthwhile noting that it's usually a failing of the system (i.e. an unencrypted password database leaked, social engineering, a virus sown into a PDF, etc.) rather than the user's password which lets an uninvited guest into an account or system. So I'd say passwords still serve their purpose quite well as long as they are implemented correctly and not reused everywhere on the net.
     
  6. John Connor

    John Connor Lifer

    I don't know about the article. He says that he can get into my e-mail by my name; well, I don't use my real name. He says you can get into a web site by clicking "forgot password"; well, the security question I always use is not a simple answer, it's more like a sentence. I use a great add-on for Firefox called PWDhash. Check it out. It was developed by a guy at Stanford.
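    The post above mentions a per-site password hashing add-on but not how such a scheme works. The following is an added illustration of the general idea (one master password, a different derived password for every hostname, so a credential captured on a phishing domain is useless elsewhere); it is not the PwdHash add-on's own algorithm. The HMAC-SHA256 construction, the base64 output encoding, the forced trailing digit and the use of the full hostname (rather than the registered domain) as the key are all this example's assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL (or bare host) to its lower-cased hostname.

    Assumption for this example: the full hostname is the key. A real
    per-site scheme usually reduces to the registered domain
    (login.example.com -> example.com), which needs a public-suffix list.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url!r}")
    return parts.hostname.lower().rstrip(".")


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Derive a site-specific password from one master password.

    HMAC-SHA256 keyed by the hostname, base64-encoded and trimmed to
    `length`. If the trimmed string has no digit, the last character is
    replaced by one derived from the digest so the result still meets the
    common "at least one digit" composition rule. These are example choices.
    """
    key = site_key(url).encode("utf-8")
    digest = hmac.new(key, master.encode("utf-8"), hashlib.sha256).digest()
    text = base64.b64encode(digest).decode("ascii").rstrip("=")
    if not 8 <= length <= len(text):
        raise ValueError(f"length must be between 8 and {len(text)}")
    candidate = text[:length]
    if not any(ch.isdigit() for ch in candidate):
        candidate = candidate[:-1] + str(digest[-1] % 10)
    return candidate


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    for site in ("https://www.example.com/login", "https://www.examp1e.com/login"):
        print(site, "->", derive_site_password(master, site))
```

Same master plus same hostname always yields the same password, so nothing needs to be stored; the lookalike host `www.examp1e.com` yields an unrelated one. The weakness to keep in mind is that the master password itself is still the single secret, so a keylogger or a site that captures the master before derivation defeats the scheme.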
     
  7. dyna

    dyna Senior member

    There is already an available technology in RSA token authentication that solves all password problems. When you log in you provide your generic password plus a random set of digits. Blizzard and Bank of America already have had this implemented for years. We need more companies to adopt this to enhance password security.
     
  8. Oakenfold

    Oakenfold Diamond Member

    This works great as long as the keys to that algorithm stay secure, as witnessed in the RSA hack. Nothing is 100%; humans are the weakest link. We can use MFA to strengthen the process but it's not absolute.

    User education, MFA, and password generating tools to ensure complex, unique passwords that are periodically changed are strong controls.
     
    #8 Oakenfold, Jan 19, 2013
  9. Nintendesert

    Nintendesert Diamond Member



    The problem I find with biometric data is that once compromised, the person compromised can't ever use that biometric data again. It's not like you can go get a new iris or fingerprints.

    I find the one-time passwords via token devices, as mentioned, offered by Blizzard etc. to be far superior. If the system is compromised you can reissue the authenticators and move on.

    The biggest issue with passwords is reuse, as mentioned in the article, and simplicity; this however is a byproduct of too many sites each having their own login requirements and each site using your email address as your username.

    Once one of these sites fails to secure their passwords via encryption or properly salting their hashes, all your sites are compromised. Anyways, I figure we all know the problems with all this and I think some of the stories of Google looking to push a token-like login system are nice. I have my issues with Google though and don't have the greatest trust in them doing this. I'm not sure who else would do this but really wish a larger consortium of companies would get together and come to an agreement on a standard for widespread use and deployment of a one-time password token system that all sites would use.
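    The post above ends on the failure that turns one site's breach into every site's breach: an unsalted or plainly stored password table. As an added example (not code from the poster or from any site named in the thread), here is the weak form beside the stored-record format a site should use instead: PBKDF2-HMAC-SHA256 with a random per-user salt, a self-describing record so the cost can be raised later, and a constant-time comparison. The record format, the iteration count and the `needs_rehash` helper are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: tuned so one verification costs roughly 100 ms on the server.
ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak form: a bare hash of the password. Every user with the same
    password gets the same value, and a precomputed table cracks them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt.

    Returns 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>' so the
    verifier can read the parameters back and the site can raise the
    iteration count for new records without breaking old ones.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare
    in constant time; malformed records verify as False rather than crash."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:  # wrong field count, bad integer, bad base64
        return False
    if iterations < 1 or not salt or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if a record predates the current cost policy; call this after a
    successful login and re-store the password with hash_password()."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    print("unsalted, alice:", unsalted_sha1("hunter2"))
    print("unsalted, bob:  ", unsalted_sha1("hunter2"))   # identical, leaks reuse
    print("salted, alice:  ", hash_password("hunter2"))
    print("salted, bob:    ", hash_password("hunter2"))   # differ, no shared table
```

Salting does not save a user who reused `hunter2` on five sites; it only prevents one crack from being amortised across every account in the dump, and a slow hash makes each crack expensive. The reuse problem itself is still the user's (or the password manager's) to solve.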