I was thinking about password alternatives recently because I was designing a website just for friends and family. I wanted enough security to keep out strangers on the Web, but I didn't want to make people I know memorize a lengthy password.
So I came up with a photo that fills up the screen. A small, invisible grid covers the photo, and the user has to click the image in a special sequence in order to unlock the next image. After a few quick rounds, they open up the content.
I realize that it isn't the most secure approach, but it's much easier to memorize and use than a traditional password (not to mention more fun). If anyone has any advice or interesting anecdotes about visual login systems, I'd be interested in learning more about them.
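The click-grid scheme described above, as an added model (not the poster's code) to show what the server would actually store and how small the keyspace is. Assumptions: the image is WIDTH x HEIGHT pixels, an invisible ROWS x COLS grid covers it, and the secret is the ordered list of grid cells clicked; the server keeps only a salted PBKDF2 hash of that list, exactly as it would for a password.

```python
"""Click-sequence ("graphical") login: an added model of the scheme in the
post above, not the poster's code. Assumed design: the image is WIDTH x
HEIGHT pixels, an invisible ROWS x COLS grid covers it, and the secret is the
ordered list of grid cells clicked. Only a salted PBKDF2 hash of that list is
stored, as for a password."""
import hashlib
import hmac
import math
import secrets


def cell_for_click(x, y, width, height, rows, cols):
    """Map a pixel click to a row-major grid-cell index."""
    if not (0 <= x < width and 0 <= y < height):
        raise ValueError("click outside the image")
    return (y * rows // height) * cols + (x * cols // width)


def encode_sequence(cells):
    """Unambiguous byte encoding: comma separated, so [1, 23] != [12, 3]."""
    return ",".join(str(c) for c in cells).encode()


def enroll(cells, iterations=200_000):
    """Record a new click sequence as a salted, stretched hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode_sequence(cells), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify(record, cells):
    """Constant-time comparison, so timing does not leak how many cells matched."""
    digest = hashlib.pbkdf2_hmac("sha256", encode_sequence(cells),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def keyspace_bits(rows, cols, clicks):
    """Entropy of a uniformly random sequence: clicks * log2(number of cells)."""
    return clicks * math.log2(rows * cols)


def guesses_to_exhaust(rows, cols, clicks):
    """Distinct sequences an online guesser must try in the worst case."""
    return (rows * cols) ** clicks


if __name__ == "__main__":
    WIDTH, HEIGHT, ROWS, COLS = 800, 600, 4, 4
    # Constructed enrolment: four clicks on the image, converted to cells.
    clicks = [(30, 40), (650, 90), (420, 310), (790, 590)]
    secret = [cell_for_click(x, y, WIDTH, HEIGHT, ROWS, COLS) for x, y in clicks]
    record = enroll(secret)
    print("secret cells:", secret)
    print("correct sequence accepted:", verify(record, secret))
    print("last cell off by one rejected:",
          verify(record, secret[:-1] + [(secret[-1] + 1) % (ROWS * COLS)]))
    # The keyspace is tiny next to even a short password, so the scheme only
    # holds up with per-account lockout or rate limiting on failed attempts.
    bits = keyspace_bits(ROWS, COLS, len(secret))
    print(f"{ROWS}x{COLS} grid, {len(secret)} clicks: {bits:.0f} bits, "
          f"{guesses_to_exhaust(ROWS, COLS, len(secret))} sequences")
```

A 4x4 grid with four clicks gives 16 bits (65,536 sequences), so the hashing above buys nothing against an unthrottled online guesser; the lockout or rate limit is the real control, and a larger grid or more rounds raises the bit count only linearly.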
Something you know, something you have, something you are. Google may be trying to prefer something you have, but that's hardly going to kill "something you know" forever and ever.
I also look forward to the silly "two-factor authentication" that involves having two "something you have"s. It'll complement my bank's silly use of two "something you know"s nicely. (Perhaps they can get together for the true security ultimate, four factor authentication, security so secure that it uses four out of three possible authentication techniques!)
> Something you know, something you have, something you are.
Excellent point - and oddly reflects a subtle point: Something you are (bio-id) is what we are asserting, and using one or both of the others to give the far point a gauge of how likely fraud is.
In short:
* Something you are -> Username
* Something you know -> Password
* Something you have -> RSA fob
According to the article, she did say exactly those words:
"password are dead"
"passwords are done at Google"
"our relationship with passwords are done"
Then they go on about how they're experimenting with hardware tokens and stuff, and how all startups should be solving that for them now.
It looks like PR to me, and it also looks like Google has lost its soul.
Obviously, passwords are far from dead. It's wishful thinking at this point. The only thing everyone can agree on is that passwords suck to remember, input, and manage, and that there are many superior technical solutions.
The main issue is, and has always been, that those superior solutions are painful to introduce because they're not standard, everyone wants its own proprietary piece of equipment in there, and they're not a seamless solution that customers - users, really - are willing to test until something becomes a de facto standard.
Or maybe she didn't really want to divulge how Google plans to make passwords obsolete.
>> Although Adkins didn't offer any real specifics on how Google will innovate beyond today's security, she did say the company is experimenting with hardware-based tokens as well as a Motorola-created system that authenticates users by having them touch a device to something embedded, or held, in their own clothing. "A hacker can't steal that from you," she said.
Maybe I'm too cynical (is that possible about csec anymore?), but as soon as I saw this line from Google, I thought "oh right, it'll be something to get Google inserted into every login interaction".
Well, not quite yet it seems, but this may be part of the set-up for it.
It's funny, but Blizzard's been playing this game for years with their two-factor auth, particularly the part where people's accounts without two-factor would get compromised and the thief would then turn on the two-factor auth, thus making it that much more difficult to recover the account.
Blizzard's been doing this for longer than Google has, maybe Google could learn something.
This thread seems like a valid place to ask a long-standing question of mine.
Are there any projects aiming for a hardware security token with the following properties?
1) Open hardware running open software.
2) Support for many and long keys.
3) Relatively fast signing on-board - i.e. keys are inaccessible to the host computer. (Obviously, I'm not expecting it to be feasible to sign gigabytes using a USB dongle).
4) Some PIN-entry-like low-grade security obstacle to delay an attacker that physically steals the dongle.
I am aware of CryptoStick [1], but the current version is sold out and also does not satisfy 3 and 4 (and only partially 2, since it only takes three RSA keys and there's no support for EC, as far as I can tell).
I really want to move away from passwords, but it seems very hard to do without a device satisfying 1-4 above.
[1] https://www.crypto-stick.com/
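Properties 3 and 4 from the list above, as an added model (not any real token's firmware and not the poster's code): signing happens on the token, no method ever returns the key, and a retry counter locks the token after a few wrong PINs. Assumed protocol: symmetric challenge-response, where the token and the service share an HMAC key and the host PC in between, which may be compromised, only relays bytes.

```python
"""Model of a PIN-protected signing token: key stays on-board, PIN retry
budget locks it. Added illustration, not real firmware. Assumed protocol:
symmetric HMAC challenge-response; the host PC only relays bytes."""
import hashlib
import hmac
import secrets


class Token:
    MAX_PIN_TRIES = 3  # property 4: small retry budget, then the token locks

    def __init__(self, key: bytes, pin: str):
        self._key = key                  # no method ever returns this
        self._pin = pin.encode()
        self._tries_left = self.MAX_PIN_TRIES

    @property
    def is_locked(self) -> bool:
        return self._tries_left == 0

    def sign(self, challenge: bytes, pin: str) -> bytes:
        """Property 3: the response is computed here; the host sees only the MAC."""
        if self.is_locked:
            raise PermissionError("token locked: PIN retry budget exhausted")
        if not hmac.compare_digest(pin.encode(), self._pin):
            self._tries_left -= 1       # the counter, not PIN length, is the defence
            raise PermissionError(f"wrong PIN, {self._tries_left} tries left")
        self._tries_left = self.MAX_PIN_TRIES
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Service:
    def __init__(self):
        self._keys = {}          # user -> shared key, provisioned at enrolment
        self._outstanding = {}   # challenge -> user; every challenge is single use

    def enroll(self, user: str, key: bytes):
        self._keys[user] = key

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)   # fresh nonce: old responses cannot be replayed
        self._outstanding[challenge] = user
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        user = self._outstanding.pop(challenge, None)  # consumed whether or not it verifies
        if user is None:
            return False
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(service: Service, token: Token, user: str, pin: str) -> bool:
    """The host PC's whole job: relay the challenge in and the response out.
    It never touches the key, so malware here gets at most the current session."""
    challenge = service.new_challenge(user)
    try:
        response = token.sign(challenge, pin)
    except PermissionError:
        return False
    return service.verify(challenge, response)


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # generated on the token at enrolment
    token, service = Token(key, "4711"), Service()
    service.enroll("alice", key)
    print("correct PIN:", login(service, token, "alice", "4711"))
    # Replay: a captured (challenge, response) pair is refused the second time.
    c = service.new_challenge("alice")
    r = token.sign(c, "4711")
    print("first use:", service.verify(c, r), "replay:", service.verify(c, r))
    # Stolen token, unknown PIN: three guesses and it is locked for good.
    for guess in ("0000", "1234", "1111"):
        print("guess", guess, "->", login(service, token, "alice", guess))
    print("locked:", token.is_locked, "even the right PIN now:",
          login(service, token, "alice", "4711"))
```

With an asymmetric token the service would hold only a public key and `Service.verify` would check a signature instead of recomputing an HMAC; the replay nonce and the retry counter work the same way in either case.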
This is not about passwords per se - it's about identity verification providers (as-a-service).
There is a fight coming. A few global providers will have the single-sign-on password/biometric/blah of everyone (the UK government is starting to mandate the use of seven such providers.)
This is big not just because of the commercial advantages of being the sign-in point of 1 billion people. But because right now my major identity verifier is my own government (passports, NHS number, Social Security, arrest record etc). But it will not be in 20 years - I expect I will visit the hospital and need to verify who I am through GoogleID.
The thing is, I expect GoogleID will be a heavily regulated industry by then too.
To be fair, isn't Google a bit disreputable for security problems right now? I mean, the last two Google-related security discussions (Google email-change spoof/phish and plaintext-visible passwords in Chrome) have been kind of embarrassing.
"... she did say the company is experimenting with hardware-based tokens as well as a Motorola-created system that authenticates users by having them touch a device to something embedded, or held, in their own clothing. 'A hacker can't steal that from you,' she said."
Something embedded in their clothes? Users have to wear the same jacket or dress every day? Anyone, not just a "hacker" can steal your jacket if you take it off. If it relies on something physical, it's easier for anyone to steal. You still need a password/passphrase.
Passwords are not dead. Simple single factor authentication using short passwords is dead. That's not a new thing either and they're not going away either. Biometric implants are cool but it's a long ways away (and I'm pretty sure I don't want anything inserted into my arm...). Ditto for security rings and other gadgets. Yes they work but the general populace is not going to be using them for a long while.
I'd love to see some stats on two-factor usage at large installations like Gmail, preferably plotted against whether the user works in tech (or uses a VPN with a two-factor token for work). I'm guessing the market penetration for it is pretty low for the average person. If that's the case then expecting lots of people to use something new/else (which involves getting a new physical device) is unreasonable.
Even with the "something you have" category (two-factor TOTP device, key ring, etc) it still makes sense to have a "something you know" category too. It covers the case of losing my phone/key ring (or having my bio-implanted arm chopped off, though I'd assume at that point they could just use a $5 rubber hose to get the in-memory one).
Since passwords (or more accurately passphrases) aren't going away we at least should use them properly. My suggestions for how folks should handle them vary based on the tech literacy of the person.
For tech savvy folks:
- Use a password manager (ex: KeePassX)
- Long passphrase to unlock the password manager[1]
- Individual random passwords per site using the max length the site allows
- Use multiple email accounts for different functions (friends, shopping, finance, etc)
- Use two-factor auth everywhere that allows it
For the rest of folks:
- Use a passphrase for your email passwords
- Use a site that lets you use long passwords (Google does, Outlook doesn't[2])
- Use a separate email account for "important" accounts (ex: finance and everything else)
- Don't login to anything from other people's computers (net cafe, shared computer in a hotel, etc)
- For the really important ones (ex: your bank) use a very long complicated password and write it down[3]
- Learn more about security!
I make it a point to educate friends/family about tech security whenever I can. Two-factor auth is a good example of something that is a lot easier to grasp when you've got someone you know explaining its virtues to you ("So a bad guy needs your phone in his hand to login? That's cool!").
In the end, like all security, a lot of it comes down to personal responsibility and hyper vigilance.
[1]: https://xkcd.com/936/
[2]: http://nakedsecurity.sophos.com/2012/08/02/maximum-password-...
[3]: Yes, write it down. People are bad at remembering long random strings but pretty good at not losing small bits of paper. It's the same thing as keeping a key in your pocket (or a spare key in your wallet). Plus it's much easier to explain to them that the paper is the key to unlock the account.
In light of Apple's announcement yesterday about Touch ID, a way to unlock the new iPhone with your fingerprint, I was hoping to hear someone weigh in on how safe it is compared to a passcode. I'd love to simply use my fingerprint as long as it meets HIPAA requirements for protecting sensitive emails and other data on my phone, but this Forbes article is suggesting the risk of spoofing fingerprints is still too great:
http://www.forbes.com/sites/andygreenberg/2013/09/10/apples-...
The problem with hardware token security is that it relies on every user having one, or not leveraging the security. That's something that can be difficult for an IT department to coordinate across an organization, and thus would be herculean for a Google-scale company to legislate across its user base.
Arguably there is a lot of social/technical space for making passwords better and more secure for the average user. But dropping the knowledge factor isn't a clear improvement.
Passwords have been dead for a long time, so this is no news. That's exactly why we're using something called a shared secret. That's what I'm using with most sites currently.
And still there are "modern" games and services telling me that my password "May only contain letters and numbers" Really? Are you stupid or something?
I'd like to learn more from these spam-bots about how they are making money off my passwords. Perhaps I can quit my (wonderful) day-job and sell v1agra.
Emails are (almost) free to send, and the payout (identity theft) is generally worth thousands, so all it takes is one or two clicks to make it worth the investment.
There are tricks you can use to remember a strong password. As far as "trivial to intercept, easy to lose, not hard to guess", the point is moot over the network as long as the target system uses something like iptables rate limiting or MaxAuthRetries and LoginGraceTime in SSH.
If it's a local resource only then all an attacker needs is time and computing resources, but, that's true for key based authentication too.
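The two sshd settings named above, audited the way a practitioner would check them (added example, not the commenter's code). The actual sshd_config directive names are MaxAuthTries (failed attempts allowed per connection, default 6) and LoginGraceTime (how long an unauthenticated connection may live, default 120 s). The parser follows sshd's own rules: the first occurrence of a keyword wins, keywords are case-insensitive, and values inside a Match block apply only conditionally. Both configs are constructed samples, and the thresholds in LIMITS are an assumed policy.

```python
"""Audit of MaxAuthTries and LoginGraceTime in an sshd_config. Added example;
the two configs are constructed samples and LIMITS is an assumed policy."""

WEAK_CONFIG = """\
# constructed sample: stock-looking, permissive
Port 22
MaxAuthTries 6
LoginGraceTime 2m
PasswordAuthentication yes
Match Address 10.0.0.0/8
    MaxAuthTries 10     # conditional; must not be read as the global value
"""

HARDENED_CONFIG = """\
# constructed sample: passwords kept, but online guessing is throttled
Port 22
MaxAuthTries 3
LoginGraceTime 30
PasswordAuthentication yes
MaxStartups 10:30:60
"""

DEFAULTS = {"maxauthtries": "6", "logingracetime": "120"}   # sshd's own defaults
LIMITS = {"maxauthtries": 3, "logingracetime": 30}           # assumed policy


def parse_sshd_config(text: str) -> dict:
    """Effective global directives: lower-cased keyword -> value string."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:                       # "Keyword=value" form
            key, _, value = line.partition("=")
        else:                                     # "Keyword value" form
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key, value = key.strip().lower(), value.strip()
        if key == "match":
            in_match = True                       # conditional until the next Match
            continue
        if in_match:
            continue
        effective.setdefault(key, value)          # sshd keeps the first value it sees
    return effective


def parse_seconds(value: str) -> int:
    """sshd time format: bare seconds, or a number with an s/m/h/d/w suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    value = value.strip().lower()
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def audit(text: str) -> list:
    """Human-readable findings; an empty list means both limits are within policy."""
    effective = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    tries = int(effective["maxauthtries"])
    if tries > LIMITS["maxauthtries"]:
        findings.append(f"MaxAuthTries {tries}: lower to {LIMITS['maxauthtries']} "
                        "(sshd only starts logging failures at half this value)")
    grace = parse_seconds(effective["logingracetime"])
    if grace > LIMITS["logingracetime"]:
        findings.append(f"LoginGraceTime {grace}s: lower to {LIMITS['logingracetime']}s "
                        "so idle half-open connections cannot hold MaxStartups slots")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["ok"])
```

MaxAuthTries caps guesses per connection, not per attacker; a guesser simply reconnects, which is why the comment pairs it with firewall rate limiting and why the hardened sample also sets MaxStartups to cap concurrent unauthenticated connections.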
Vivtek|12 years ago
Passwords may have insecurity - but they also permit anonymity. I think people haven't even started thinking that far yet.
lifeisstillgood|12 years ago
Trust me, at the point they get the bone-saw out, they can save the 5 dollars on the rubber hose and simply ask ...
walden42|12 years ago
Even over SSL connections?
devx|12 years ago
http://www.kickstarter.com/projects/mclear/nfc-ring
http://www.technologyreview.com/news/512051/google-wants-to-...
mrcactu5|12 years ago
How many passwords does Google hold? Maybe a billion? Google has decided it's more cost effective to completely overhaul the password system.
How can passwords be the only system available?
guard-of-terra|12 years ago
Hard for users to remember, trivial to intercept, easy to lose, not hard to guess.
jlkinsel|12 years ago
Well, I for one, am sold!