August 10, 2008 6:21 PM PDT

Goodbye, passwords--you aren't a good defense


Tired of creating and changing Web site passwords? Many experts propose dropping passwords entirely for a security system based on cryptography.
The New York Times

The story "Goodbye, passwords--you aren't a good defense" published August 10, 2008 at 6:21 PM is no longer available on CNET News.

Content from The New York Times expires after 7 days.

by aerosky1229 August 10, 2008 7:55 PM PDT
I do not trust in the safety level of the "Single Sign-on" system either. But the problem is how to balance the safety issue against the ease of using the internet website.
by The_Decider August 10, 2008 8:25 PM PDT
I see that the author doesn't understand that cryptography won't save you.

A flaw in the implementation is easy to do and can be exploited.

And you are forgetting that crypto is based either on a certificate or a passphrase. The former relies on the end user which is laughable, and the latter is simply a password.

There is no easy answer, and no, "invisible" crypto and information cards aren't any better. Neither is biometrics. At some point the data in any of these ideas is digitized and that which can be made digital can be cracked, spoofed, or flat out broken.

The best defense is user education, and holding companies like MS responsible for their Swiss cheese. Force corporations to be liable for what they release and demand that CS people that work on critical systems be licensed; too many programmers have no business writing code. Licensing end-users, while seemingly draconian, would help matters. Too many people think computers are magic and are not even remotely qualified to answer the security problems they are faced with.

Hiding and ignoring security, which is exactly what the author is suggesting, will only make things worse.
by Imalittleteapot August 10, 2008 11:04 PM PDT
Ah, and we're about to fool ourselves again. Security always comes second or even third. Ease of use is always the most important factor to the average computer user. Now, one click sign on sure sounds easy at first. Then what? Your computer uses digital keys or tokens to do a handshake with whatever you're logging into. Great!

Actually this is the first place we've been fooled. We think we're done with passwords forever!!! There's just one problem. Something still has to remember the key and now it's too long for you to do it. So, what remembers your card data? Well, it must be the computer. Well we know computers never give up your personal information right?

Anyway, you have all your cards on the hard drive. LIGHTNING STORM!!! Your cards are gone! Oh, now we see that we have to backup. There's something we never had to do with passwords. Now you have cards backed up to disks all over the house and all over the work place and on your external and saved on flash drives and backed up to your cloud storage and your NAS. That is if you backed up at all. Well, that doesn't sound secure at all does it? You wouldn't put your passwords in a text file and save that everywhere would you? Backups, PIN numbers, and broken computers that you can't access. Guess it isn't just one click anymore either. Meanwhile I still have my passwords in my old noggin.

Alright, let's say those aren't real problems. Let's try something else. You got all your cards on your computer and everything is working fine. Guess what? Now it's time to go to work or a friend's house or the library. Good thing you have your cards saved to all these other computers so you can sign in at different places.

Uhhh... Umm... Well... Wait a minute!!! Of course your cards aren't on all these different computers! That wouldn't be secure at all! Well, how do you sign on from different machines like an internet kiosk? And we've been fooled again.

Now, the last way they fool us. They try to trick us into thinking this is really about security. It isn't. It's most likely about money. It doesn't take too long reading about it to come across these things called "managed cards." You can issue your own cards if you want, but you can also have an authority like Sun or Microsoft publish you a card. A nice "trusted third party" that says you are really you. Well how much will they charge to verify your identity? What better way to turn a buck than to sell virtual goods.

How long before social networking sites want you to have a managed card to prove you're 18 and not 14? How long will it be before CNET says you have to have a managed card to prove you're not a comment spammer? How long before the government steps in and starts tracking managed cards to take away more internet privacy?

Also, did you really fool yourself into thinking developers would stop using passwords? I'm warning you. You'll just end up using both and both will be a hassle.
by x4m August 11, 2008 12:11 AM PDT
I do not trust in safety at all ( :
by ferricoxide August 11, 2008 6:56 AM PDT
So, what are we proposing here - CAC cards for the masses?
by Imalittleteapot August 11, 2008 6:06 PM PDT
Some companies are talking about actual physical smart card type devices. Other companies are talking about virtual cards that just live in an encrypted data file on the computer. Other companies are talking about things like OpenID. Lots of people trying many different things. None of which are as flexible as passwords right yet. Hopefully one day someone figures it out.
by chash360 August 12, 2008 11:58 AM PDT
Cryptography won't help; cryptography is a simple matter of mathematics, and for those who really know, the math is easily done by, you guessed it, computers. There is no safe mathematically based cryptography system out there. What is needed is an impossible-to-forge system. It starts with the communications network at the core, and the current Internet is not capable of it. Message routing is done by arbitrary numbers (IP addresses) that are mapped to what used to be GUIDs (MAC Addresses), which can now be spoofed since some genius (-idiots) decided it would be great to allow home-based routers to be programmed with arbitrary MAC Addresses, because of end-users being too incompetent to manage a network router properly.

Here is the answer: First is how network addressing and routing is accomplished: this should be done by GPS Time, Date and Location, to the highest resolution possible. The best security is physical security; you can not fake the GPS signals from multiple satellites simultaneously, because they are fudged in their accuracy, and you can not predict precisely what sequence you will get from the next location fix. But once transmitted, both sending and receiving systems (1 device to device network hop) have the exact same data with which to encode and decode information. If the time deltas are not correct between devices then the locations are not correct, and the data can not be deciphered. Data is routed by physical location rather than by arbitrary numbers that can be faked, so a potential hacker that is not along the physical route has no chance of even intercepting your data. In a dynamic network system such as this where the routing is done in realtime, by location and traffic load, much like a driver on the highway, the route is not predictable, and the network is designed to only transfer data to the end physical locations; at no other points can the data leave the network. Unpredictable makes it very hard to even capture a whole conversation, let alone the constantly changing -cypher- keys. For those of you worried about privacy concerns and big brother, the Date-Time-Location data does not ever need to exit the network device and enter a computer; it is solely for routing and cyphering of your data, not a part of it.

Add into that GUID device numbers (like MAC Addresses), and arbitrary user name and password info, to further secure the conversation, the more the better. Hash the data by much more abstracted logical methods that are not totally mathematical (prime numbers are prime numbers, there are only so many and once publicly discovered they are broken security). These hashes can also be dynamic using lots of random/unpredictable/dynamic information known only to the devices relaying the data, things like realtime traffic load, connection statistics, etc. that can be known only between 2 devices in direct communication with each other, and not by remote hackers.

Devices that are hacked to impersonate a physical location that they are not physically at could easily be denied access to the network, because every -honest- device around them (in direct connection) would know that is not where they are at. If implemented at the IC level it would require a hacker to have an incredible amount of resources, that is typically well beyond that of the lone hacker.

Only once you can ensure that your data conversation is only going physically to and from the physical location you intended can true network security exist.

This whole system would be best implemented as a free wireless mesh network, but the powers that be (the greedy industry) thrive off insecurity, off constantly changing and updating products and software. The FCC had the opportunity to create such a system, but instead decided to line their pockets, and sell the best spectrum for this to the highest bidder.

Don't expect any real security anytime soon; all you're going to get is someone trying to sell something.

I have dumped loads of info about this system into the public domain, so that it would not have to be licensed, in the hopes that someone would take it up, but of course profits are priority to these industries and corporations, and the thought of not being able to hoard and collect royalties has stopped it dead in its tracks every time. You would think the benefits would easily be seen to outweigh the cost, but Wall Street has no vision, only greed.
by Imalittleteapot August 14, 2008 4:48 AM PDT
This isn't about a hacker listening in on your data. We already have encrypted email, SSL, VPNs, and other stuff for that. The question is how to log into those accounts in the first place.

If my login is based on physical location how am I supposed to use my wireless laptop? Ah Ha! You've been fooled again! Your identity is not your physical location. Sometimes I need to log in to my email at a friend's house or from a hotel room 1000 miles away.
So, am I supposed to wear a GPS device on me? Say I'm on a business trip. What if I forget to bring it or it stops working or the batteries die or airport security confiscates it because they think it's a bomb? What do I do then?

How am I supposed to prove I'm me with a confiscated GPS unit that's somewhere else? What if I need to call someone at work and have them access my email account to fax over something to the hotel because my laptop died? My GPS unit will be 1000 miles in the wrong direction. What if my GPS device is broken? How do I log into my accounts to let the server know I have a new GPS device? Couldn't the hacker do the same to trick the server into thinking I got a new GPS device?
You also fail to realize how the GPS unit would work because people travel. It would have to match an ID number to your identity. Therefore, the hacker doesn't have to lie about his location. He just has to download a software program that uses his wireless card to send the right location, but the wrong ID. He could log in from a random parking lot. How would the server know it wasn't me on a business trip? What if the hacker is next door to my house and I go on a business trip? Now I'm 1000 miles away. Which GPS unit do you think the server is going to believe?

Also, these honest devices can fail many different ways. One, my honest device can't notify a server over his connection. His may be encrypted or wired. I can't send data down that. Second, I won't waste my bandwidth letting every server on the net know if twenty people around me have lying GPS software. Third, many companies don't have the resources to accept all those honest connections trying to tattle tell on everybody. Fourth, to notify his GPS unit won't help because he doesn't have one. The hacker has a program that uses his wireless card to simulate a lying GPS unit. It'll simply ignore my requests. Fifth, your IP number already gives away your location. It doesn't help. They just use a proxy or hijack a remote computer that's located where the hacker wants to pretend to be. It just sends the data back to them when it's done. Seventh, the hacker doesn't actually have to lie about his location. It may just be me on a business trip.

See, you've lost the flexibility of passwords. The worst thing of all though is your design wouldn't solve anything. It would actually create problems. Also, you still suggest that we use an arbitrary password. So, your solution for getting rid of passwords is to use a password.

That's because without passwords a hacker could just download a program to broadcast the proper location, but someone else's ID and just pretend to be travelling. The fact that without passwords your monstrosity of a system is worthless should make you realize how hard passwords will be to replace.
by A_Wave August 12, 2008 3:22 PM PDT
...prime numbers are prime numbers, there are only so many and once publically (sic) discovered they are broken security...

It's not about prime numbers. It's about numbers (there are lots and lots of really big ones) and their associated prime factors, which cannot be mathematically calculated no matter how big your computer. Correctly implemented asymmetrical encryption is very strong stuff. Hence the popularity (and the popularity of "rubber-hose decryption") among governments and others who understand the math.
by Alf #8 August 12, 2008 6:10 PM PDT
What's the best type of security? It consists of three parts.

Number 1 - A live human being manually watching (supervising) or using a computer.
Number 2 - Active cryptography that PKI applications.
Number 3 - Random Inspection of data (from a security standpoint) for corruption.

Will this 'solve' the problem? No, it just makes it harder, and more time consuming to make the break-in, plus it increases the risk of the hack getting caught.

Oh yeah, it is more stressful on the user.

Why do I recommend using the 3 parts? Because it makes YOU a harder target. If the hack is looking for an easy way in, the 3 parts increase the chance that the hack will seek easier prey.

Every hack has a finite length of exposure time before defenses react, track & ID the hacker. Increase the hack's time - reduce your risk. Increase the hacker risk, reduce the amount of hacks.
by UdayKumarLazurus August 12, 2008 7:56 PM PDT
Hi All,
I am a novice. There is a concept, database field encryption, which I have just heard of from a friend in normal discussion. Can somebody add more about this way of security? Waiting for your response,

thanks in advance,
uday kumar lazurus.
by humanelement August 13, 2008 2:13 PM PDT
We have to look at it from two angles - Personal and Corporate. In the corporate world, we all know what passwords really are and the inherent problems they bring. So for corporate one of the best solutions is biometrics (fingerprint, etc). If you really, really need to lock it down then you better go to a 2nd factor such as smartcard, token, etc. I've been working with biometrics for a number of years and it is a stable and convenient technology. Before everyone goes off and says that biometrics can be hacked as well, I will say that anything can be hacked. The issue becomes how easy is it to do? Biometric systems done correctly are extremely EXTREMELY hard to break. The time, effort, and money to do it for the most part make it prohibitive. Keep in mind that we are talking about a closed network here, not the general public.

For personal security, you must weigh the risk of using the service vs. the convenience. Internet banking is something that a lot of people do because it is convenient. The financial institutions do a pretty good job based on the nature of the technology to keep us protected. But, they can only do so much and still keep it convenient. Otherwise 14 pass phrases, passwords, response questions will kill the service. So we have to ask the questions of the service providers about how they protect what we give them and then 1) hope they do what they say they do 2) decide if what they do is good enough for us to use the service. Anything else is just everyone pointing the finger at the service provider saying that the system failed. As individuals we still have to take a certain amount of responsibility for due diligence regarding how/what we provide to service providers, otherwise the cliff we are about to walk off as we follow the pack is just a few steps away.
by Imalittleteapot August 14, 2008 2:35 AM PDT
Biometrics are the worst idea ever for replacing the password because home users would still need to use passwords. Yes, biometrics are very difficult to hack. However, they are hackable. When they get hacked I can't get a new fingerprint or a new retina or a new face. Once my face is hacked, it's hacked. Every time someone hacks into the system and tricks it into thinking my face was used to log in I'm screwed. I can never change my face for the rest of my life. So let's say biometrics are being used to purchase goods online. While it may cost a lot to hack the system, once it's hacked it's hacked. A credit card will soon get deactivated, but they may be able to use my face for the rest of my life and I will never be able to argue that I didn't buy what the hacker is buying. They'll make the costs back in the end.

I can get a new smart card and the old one can be deactivated. There it's done so the hacker can no longer hack in and trick the system into thinking that perhaps I bought something with the old smart card? It's deactivated and doesn't work anymore. I can't deactivate my eyeballs.

Also, what if I have to call my wife and have her log into my email in an emergency to get some information. How does she do that? She doesn't have my face. See biometrics aren't as flexible as passwords either.
by humanelement August 14, 2008 10:00 AM PDT
Keep in mind I was saying biometrics is a good solution for corporate not personal use. Face is not really a good solution, but fingerprint is because 1) it is hardware based 2) you have 10 fingers. If the system has the correct security measures included, the work of encrypting, etc is performed at the hardware level before it ever gets to the application. I am not saying that all systems are created that way, but those that are (that don't rely on just an image) are quite secure. Once again, some biometric systems are for convenience, others that are truly security driven are a viable option.
by Imalittleteapot August 14, 2008 10:16 PM PDT
We should keep biometrics out of corporate too. Personally they're against my beliefs, but I'd still like to have a job. To explain why you must understand one very important concept. Not all the problems with biometrics are in the hardware. That may sound strange, but the number one problem with biometrics is that most people are idiots. Let me explain.

Let's say some hacker steals my smartcard. Of course I can get it deactivated. However, it isn't like the hacker is going to stop using it right away. Even if he gets denied he will still try. So, the security is working, but there's still a problem. All those denied attempts are being logged. That's the world we live in. A few days later some detective shows up and wants to know why I've been trying to hack the system with my old smartcard. Well that's easy, I haven't. My smartcard was stolen, and I even realized it before the hacker had a chance to use it.

Now, I have ten fingers. Assume I use my thumb to authenticate at work. A hacker copies the hash from my print and somehow tricks the system with it. OK, so I switch to using my index finger for authentication. However, the hacker is still trying to use my thumbprint to hack the system. Yes, they get denied. However, all those denied attempts are still being logged with my thumbprint. Hmmm.

A few days later the dumb detective shows up and wants me to explain this suspicious behavior that's logged under my thumbprint. Well, my thumbprint certainly wasn't stolen was it? Yes, I'm using my index finger to authenticate now, but all the dumb detectives and jury know is that someone used that thumbprint when trying to hack the network. Guess what? I'm the only person in the world with that thumbprint. They don't understand a hacker tricked the system. The worst of all is every hacker would have reasonable doubt. The hacker could just say hey, whoever was trying to hack that network had a different fingerprint than I did. The jury won't understand.

That's the problem. People don't understand. Here's another example. Some companies have embedded RFID chips into their employees' arms. Now assume a thief is casing you and uses a portable RFID reader while walking by you on your way to work to make a copy of your RFID signal. That night someone breaks into your business because they've been casing you and steals all the laptops. The logs show that the door was unlocked by an RFID chip with your ID number on it. Is a jury ever going to believe that you, with an RFID chip with the same ID EMBEDDED IN YOUR ARM, wasn't the thief? No, that'll never fly. What's the real thief say? Hey man, I ain't got no chip with that ID embedded in my arm! This is possible considering some workplace thieves are ex-employees. They'll know what they need to get around the security.

Now, my question is, what is your agenda? Why are people like you trying to sell us biometrics? Why do you want my fingerprints? Why are you trying to tag me like a wild animal? I don't want you to use my biometrics for authentication, and we have more secure more flexible technologies to begin with. So this isn't about safety and security. Doing so can put me in more legal jeopardy than I may already be in. What is your purpose in taking every last bit of deniability away from the general public and giving the hacker a super excuse?