Facing Up to the Password Problem

Written by Kim Davis
1/25/2012 15 comments

The great password dilemma has been a perennial topic here.

I've argued that the need to remember 40 or 50 passwords for different purposes inevitably pushes us toward simple, repetitive formulations, and encourages us to write them down -- or, worse, store them online. Stephen Gallagher made the case that the need to defend passwords against brute-force attacks has led to minimums of 15 or more characters, practically guaranteeing that people have to keep password records. It is worth separating the two kinds of brute force here: a long minimum is aimed at offline cracking of a stolen password database, where the attacker can try billions of guesses a second; guessing against a live login prompt is bounded by how many attempts the system allows before it locks the account, not by password length.

One thing seems clear: we're not going to fix the password problem. Every increase in computing power widens the gap between a password that survives cracking and one a person can remember. We need an alternative.

In the past, I've considered the possibility of using biomarkers such as fingerprints as surrogates for passwords. This seems superficially attractive: a fingerprint can't be forgotten, guessed or written on a sticky note. Unfortunately, such a system would rely on a database of biometric templates, and databases -- as we know -- exist to be breached. (Nor is a fingerprint actually secret; we leave copies on every surface we touch.) What's more, a compromised biometric can't be reissued. Getting a population to reset their fingerprints following a breach would be harder, even, than getting 24 million Zappos customers to reset their passwords: it can't be done at all.

We do, however, have a biomarker which is almost as distinctive as our fingerprints, and I'm not even talking about DNA. We have faces. That's the direction in which Apple and Google have recently been looking in order to better secure smartphones.

If password security is generally shabby, the state of smartphone PIN security is laughable. Perhaps because carrying a phone around with us creates a false sense of security, we have a demonstrated tendency to choose PINs such as "0000," "1234," and "2580" (the middle column of the keypad). A four-digit PIN offers only 10,000 possibilities to begin with; picking one of the handful everybody picks reduces that to a few guesses.

That may be one reason Apple filed an application with the US Patent and Trademark Office earlier this month for facial recognition unlocking of smartphones and tablets. Google, too, has been playing around with something called "Face Unlock."

Now, there's one fairly obvious loophole in facial recognition security: show the phone a photo of the owner (what the biometrics field calls a presentation, or spoofing, attack). Google has bluntly denied that this works, saying "give us some credit." That issue seems unresolved, but it occurs to me that there's a much more important one.

Let's say that unlocking your smartphone with your face requires you -- really you -- to be present. That helps when you lose your smartphone: a bad actor who finds the abandoned device is not going to be able to unlock it, perhaps not even with a photo of you in hand.

But is this really the problem? News Corporation this week began settling phone-hacking lawsuits. Sixty claims have been brought against the company so far, but the police say there may be 6,000 victims. Are we to suppose that 6,000 people dropped their smartphones in pubs? Of course not.

Phone hacking, for the most part, depends on remote access, not possession: in the News International cases it meant dialling into the victim's voicemail. The attacker obtains the phone number from any of a variety of sources -- Facebook must be a favorite -- or by social engineering, then calls the carrier's voicemail service and guesses the PIN, which is often still the default or one of the favorites listed above. The legitimate user need never be present, and nothing on the handset -- face, fingerprint or lock screen -- is ever consulted.

Unless Apple or Google plans to bar remote access to the device and its voicemail, facial recognition surely only solves a small part of the problem: it secures the handset in your hand and does nothing about the attack that actually hit 6,000 people. Back to the drawing board.
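To make the remote-guessing point concrete, here is a small simulation added for this page. It is not code from the original post, nor Apple's, Google's or any carrier's implementation. It models a voicemail-style PIN prompt that an attacker can reach with nothing but the phone number, and shows how far a guessable four-digit PIN gets that attacker with and without a lockout. The common-PIN list, the three-strikes threshold and the attacker's guess order are assumptions made for the demonstration.

```python
"""Added example (not from the original post, and not Apple's, Google's or any
carrier's code): how far a guessable four-digit PIN gets an attacker who can
reach the login prompt remotely, with and without a lockout.  The common-PIN
list, the three-strikes threshold and the attacker's guess order are
assumptions made for the demonstration."""
import hashlib
import hmac
import secrets

# Constructed: the PINs the article names plus a few other perennial favourites,
# in the order an attacker would try them (assumed ordering).
COMMON_PINS = ["1234", "0000", "2580", "1111", "5555", "1212", "2222", "4444"]
PIN_SPACE = 10_000  # four digits: 0000..9999


class RemoteMailbox:
    """Toy voicemail-style PIN check reachable over the phone network.

    max_attempts=None models a service with no lockout at all;
    reject_common=True refuses the well-known PINs at enrolment time.
    """

    def __init__(self, pin, max_attempts=3, reject_common=False):
        if reject_common and pin in COMMON_PINS:
            raise ValueError("PIN is on the deny-list; choose another")
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(pin)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def _hash(self, pin):
        # Storage hardening is not the point here; a salted hash just keeps
        # the toy from holding the PIN in the clear.
        return hashlib.sha256(self._salt + pin.encode()).digest()

    def unlock(self, guess):
        """Return True on the correct PIN; count failures and lock the box
        after max_attempts of them (when a lockout is configured)."""
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(guess), self._digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
        return False


def guess_remotely(box):
    """Attacker who has the phone number but not the handset: try the common
    PINs first, then count through the rest of the space.

    Returns (success, attempts_used).  Stops as soon as the box locks.
    """
    attempts = 0
    tried = set()
    for guess in COMMON_PINS + [f"{n:04d}" for n in range(PIN_SPACE)]:
        if guess in tried:
            continue
        tried.add(guess)
        attempts += 1
        if box.unlock(guess):
            return True, attempts
        if box.locked:
            return False, attempts
    return False, attempts


def break_rate(pins, max_attempts):
    """Fraction of a population of subscribers (a constructed list of their
    PINs) whose mailbox falls to guess_remotely under the given lockout."""
    broken = sum(guess_remotely(RemoteMailbox(p, max_attempts))[0] for p in pins)
    return broken / len(pins)


if __name__ == "__main__":
    # Constructed population: three keypad favourites, two unremarkable PINs.
    population = ["1234", "2580", "7391", "0000", "8265"]
    print("no lockout:", break_rate(population, None))  # every mailbox falls
    print("3 strikes :", break_rate(population, 3))     # only the favourites fall
```

Without a lockout the whole 10,000-PIN space is exhausted in minutes of automated dialling, so PIN length is irrelevant; with a three-strikes lockout, an attacker still gets the subscribers who chose one of the first three favourites, which is why the deny-list at enrolment matters as much as the lockout. None of this involves the handset, which is the article's point.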

— Kim Davis, Community Editor, Internet Evolution

JCitizen
Rank: Web master
Wednesday March 21, 2012 7:41:28 PM

If the facial recognition program were based on 3D geometry, much like slit aperture radar, then it would be difficult if not impossible to reproduce. I saw an attempt to reproduce this with a similar program on a Discovery Channel show, using a mask of the individual, and it didn't work; but if the face were reproduced using the very scanning radar used to gather the original data, and output to a 3D printer, this may be a different result.

I think that by combining advanced facial recognition with a 3D iris scan, it could be next to impossible to crack this as a biometric. Trying to combine all those features and get them to replay would be exceedingly difficult, and humans have tics and habits that could introduce a geometric analysis that would be darn near impossible to copy in two separate scans. If a replay were attempted, the ID system would reject it as a replay and ask for further authentication. The original database would not be invulnerable to cracking, just as is posed in the article, but because of the chaotic changes in geometry between the angle of the eye and facial features subject to human emotion and blood pressure, this could make copying the data and reusing it nearly impossible.

I will admit it would take a monster server and fast calculations to develop such a system, but this should not be impossible at all with today's dizzying advancements. Perhaps it would take a server system as sophisticated as that crazy computer IBM put on TV to play JEOPARDY! (Watson). But that will be quickly equalled by industry, and the benefits will outweigh the cost very soon.

As far as that goes, the resolution and accuracy could be reduced to a point that made the process faster and used less bandwidth, and could still keep ahead of the crackers. As scalable as it is, I can definitely see a silver lining on that cloud.

scucci
IQ Crew
Saturday January 28, 2012 11:14:42 AM

I just don't see this catching on anytime soon. The main reason is that people have to speak their passwords into a system. This would leave open a ton of brute force options, plus what happens when a user gets a cold :)

scucci
IQ Crew
Saturday January 28, 2012 11:13:25 AM

Two form factor authentication is always better than one form factor, but it seems that every time we come up with a solution it's just going to be hacked again.

Look at the Zeus out-of-band attack against mobile phones. We all thought this was going to be secure, but hackers were able to prepare for this type of authentication by putting malware on phones looking for these PINs.

It's important to note that most password crackers are normally based on cracking the hash instead of brute-forcing the password itself, but with many people still allowing insecure passwords on their systems they're going to leave themselves open to a brute-force attack. The IBM ThinkPads we were using were actually open to biometric attacks by the way that they were storing the hashes afterwards. You never need to know a password, just the hash.

With keyloggers, rainbow tables and whatever else might be around right now, it's hard to say what will actually help with the issue of our most vital security concern: the password.

This is something that we're always going to be playing cat-and-mouse with. We have to find the option that reduces the risk the most. If we start mandating that people have a 20-character complex password we'll start finding them posted on their monitors for everyone to see. Don't even get me started on social engineering; this is the best way yet to get a password.
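The comment above makes two points a practitioner will want to see side by side: a stored hash can be as good as the password if the verifier accepts the hash itself, and rainbow tables work only against fast, unsalted hashes. The following Python is an added example written for this page, not the commenter's code and not the ThinkPad implementation he describes. The wordlist standing in for a precomputed table and the sample records are constructed here, and the PBKDF2 iteration count is an assumption chosen to keep the demonstration quick.

```python
"""Added example (not the commenter's code, not any vendor's implementation):
why a leaked hash is sometimes as good as the password, and why a per-user
salt plus a slow KDF blunts precomputed (rainbow) tables.  The wordlist and
records are constructed; the iteration count is an assumption."""
import hashlib
import hmac
import os

# Constructed stand-in for the word source of a precomputed table.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Winter2012", "tr0ub4dor&3"]


def unsalted_md5(password):
    """Legacy scheme: one fast, unsalted hash of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_table(words):
    """Built once, reused against every leak of the same unsalted scheme."""
    return {unsalted_md5(w): w for w in words}


def lookup_in_table(table, leaked_digest):
    """Instant recovery: the leaked digest is the key into the table."""
    return table.get(leaked_digest)


def hash_only_verify(stored_digest, submitted_digest):
    """Broken verifier that accepts the digest itself as the credential.
    Whoever holds the leaked digest never needs to learn the password."""
    return hmac.compare_digest(stored_digest, submitted_digest)


def make_record(password, iterations=10_000, salt=None):
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    iterations=10_000 is an assumption for demo speed; production uses more."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_record(record, password):
    """Verification needs the password: the stored digest alone cannot be
    submitted, because the verifier recomputes it from salt + password."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def crack_record(record, words):
    """With a salt there is nothing to precompute; the attacker pays the KDF
    cost once per guess per record.  Returns (password or None, KDF calls)."""
    work = 0
    for w in words:
        work += 1
        if verify_record(record, w):
            return w, work
    return None, work


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    leaked = unsalted_md5("letmein")                 # constructed "leaked" value
    print("table hit:", lookup_in_table(table, leaked))
    print("digest accepted as credential:", hash_only_verify(leaked, leaked))

    record = make_record("letmein")
    print("table hit on salted record:", lookup_in_table(table, record["digest"].hex()))
    print("dictionary attack on salted record:", crack_record(record, WORDLIST))
```

The first two prints show the commenter's complaint: an unsalted digest is both instantly reversible from a table and, if the verifier is written the way he describes, directly usable as the credential. The salted record defeats the table outright and forces a per-record dictionary attack whose cost scales with the iteration count; it does not rescue a password that is in the wordlist, only makes each guess expensive.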

Mary Jander
Thinkernetter
Thursday January 26, 2012 12:19:40 PM

When it comes to security, there's plenty of blame to go around. IMO, pointing fingers at end users isn't constructive. People who are hurried and under enormous pressure to perform will likely not make security a priority unless they are compelled to do so. At the same time, IT has been known to be lax when under pressures of its own.

Instead of blaming, it's time to call for solutions, and to implement those solutions in a focused way.

smkinoshita
Thinkernetter
Thursday January 26, 2012 11:58:55 AM

="There is a very real password problem:  Human Nature. "

your response exposes the flaw: the problem is in training not in the password mechanism.  Please be accurate in your writing.

Your statement demonstrates your argument's flaw. One of the points of the article is that the password problem goes beyond the simple mechanics of passwords, and that was exactly the point I was trying to make when I brought human nature into the equation in the first place.

After all, the passwords have to deal with people, which makes them part of the mechanism. If we didn't need the people then we wouldn't need the mechanism, would we? Your argument is that because there's nothing mechanically wrong with the system there's no problem, despite the fact that nobody wants to use the system.

That's a problem.

To put it another way for those fixated on mechanics, password authentication systems are fine when a person only has to deal with a very small number -- that's what they were designed for. We are dealing with a large number of authentication systems, and this old design no longer works. We now need to authenticate for a very large number of systems, and while the power to circumvent systems has increased greatly, human nature and limitations remain the same.

Mike Acker
Rank: Cyborg
Thursday January 26, 2012 11:11:02 AM

="There is a very real password problem:  Human Nature. "

your response exposes the flaw: the problem is in training not in the password mechanism.  Please be accurate in your writing.

smkinoshita
Thinkernetter
Thursday January 26, 2012 10:58:39 AM

Sorry Mike, but you're dead wrong. There is a very real password problem: human nature. You can talk all you want about the proper way of handling security, that everyone should do X, but if the users think it's too much trouble then security is sunk.

Plain and simple -- unless the users (and this includes CEOs) are sold on security, it's not going to happen. It's not something that can be strong-armed or lectured -- if they view the security as a hassle or an obstacle to productivity they will do whatever it takes to circumvent it or make it easy for themselves, and now the security team is not just fighting outside threats but inside indirect sabotage! No, security has to be sold, and that's not easy.

Not that other forms of security don't have to be sold, but people will naturally be drawn to the solution that is the least work on their part.  So if given the choice between passwords and say, a USB key device -- they'll choose the latter because it's just ONE item.  It doesn't matter to them that it can be lost or stolen (ugh) because it's just easier to use.

smkinoshita
Thinkernetter
Thursday January 26, 2012 10:36:15 AM

Whoah, don't get me wrong -- I'm not against better password security, but I'm saying that the article's got a valid point in that even if you have the best passwords in the world it doesn't mean cybercrooks can't just bust in through a fragile wall.

Ever see the scene in "RED" where Bruce Willis' character is faced with an impenetrable steel door with a passcode that changes every hour? He kicks through the drywall and accesses the lock directly.

hounhosp
Thinkernetter
Thursday January 26, 2012 9:59:14 AM

There is no easy solution, but still you can't leave your door unlocked because you think the thieves might break in whatever you do. The first thing to do is change your password(s) on a regular basis. That is not "the" solution, but at least you might make the job a little harder for hackers.

Mike Acker
Rank: Cyborg
Thursday January 26, 2012 9:32:20 AM

1. Properly administered passwords provide adequate security. A properly administered password has a minimum complexity, AND the logon system administers a three-strikes-and-out rule to prevent guessing.

2. As far as password proliferation goes, there are password admin tools you can use, but I don't do that. For critical stuff, i.e. stuff that has access to money or sensitive data, I use a separate password for each system. There are only a few of these. Everything else gets a general use password, one size fits all. I really like the DUS

3. As mentioned, there are software tools to manage this as well; Norton Security, standard on HP computers, is one. Firefox does a pretty good job.

But if your computer is pwned you are toast regardless of anything you think you can do.

How do you know, for sure, whether your computer has been pwned?

You don't.
