Comments on: Finding a replacement for passwords

Verification gadgets range from tokens to cell-phone-based systems, but cost keeps them from catching on.
Photo: In an antiphishing huddle

[stevezd]

Replacement for Passwords

So you think that getting rid of passwords, and using "tokens" will soleve the secrity problem?
Guess again. You must know that certain cars use something similar for ignigiion - and guess what:
the new electronic keys (or tokens) can be stolen, or duplicated. there is a fine balance between security via passwords, and (the next step in invading our privacy) tagging everyone with a chip. Is that to be your next suggestion, when the token do not work? Proper programing, that will not accept "easy to guess" passwords, is still the most "livable" way to go - along with ogther good policing/security measures. The limits of other means of programming and electonic based means have not even been scratched. Those in the related (secutity)fields (internet, ect.) have yet to make the effort to control spam and viruses that could be done. Where I work, we get in excess of 50,000 spam emails a day, and while thiose in charge of Internet security excuses themselves by saying that they cannot trace the originator, it does not even enter their mind, to go after those who pay the spamers to send out the adds. that is only an example of a related kind of problem. It seem that it is easier to creat another, money making gadget(?)??????
....that's my take on this
...Steve

[Gayle Edwards]

Gosh, I Know---

How about something like a "...National BIOMETRIC ID-Card" with "intregal RFID" (or some equivalent electronic verification)? It could be required for every citizen to have one, ...just like the 'REAL-ID plan' already approved by the Senate (which, by the way, is being desperately pushed-forward by the 'Whitehouse')?

A citizen could insert their "ID" every time they 'booted' their "...Trusted PC" (in fact, within the "Trusted Computer" architecture it could quickly be made virtually impossible to use a PC without it).

And best of all, by requiring "positive ID" to use the Internet, "WE" could, finally, eliminate "fraud", "copyright-violation", "anonymous speech", etc., ...or even, that most dreaded malady, "privacy" itself.

The Market Needs More Accurate Info

There seem to be a lot of opinions in the market for user authentication, which is no surprise. What is surprising is the lack of research data to back up the opinions voiced by leading authors and research firms. Token technology is not widely understood to begin with, and influential opinions without facts behind them create greater misunderstanding.

A token is nothing like the key fobs used in a car ignition system. Think of a token as a secure secret. Instead of sharing the secret to gain access (like you do now with a password, social security number, etc.) the token uses an embedded secret (the algorithm) to generate a one-time code based on time of day or an internal counter. The only way to confirm that this one-time code is correct is to have an encrypted copy of the secret on the back-end of the system being accessed. The secret on the back-end also generates a one-time code which is compared to the code the user enters. If the codes match, the correct token is being used and access is granted. At no time is the actual secret in the open. Many of today's algorithms use 3DES - you can look it up if you are interested in cryptography but bottom line is that it has not been cracked and would not be economically feasible to try.

PC Security

I am all for all MAKES & MODELS of pc's, including homebuilt, and custom built pc's having a thumbprint reader as a secure login device. This can be used for home & corporate pc's. This may also be used for secure web site access only when the PC is shared by the entire family there still can be the one standard password to boot the system, but parents can control Internet surfing content, chat room content, and specific files and folders via the thumb print scanner. This would prevent children from accessing porn or adult chats, keep them out of private or financial files & sites without a parents need to keep a log of all the various password used for different web sites which can be found all too easily by children or misplaced by the adult while trying to prevent the children from finding the password file/log. This is the simplest form of securing one data, and personnel computer from being accessed with out proper authorization. With todays back-up equipment & technologies this thumb reader could cause a complete data loss if tampered with. If only a similar technology could be used to prevent hacking of data through DSL, Cable, and Dial-up connection's it would be great! If a hacker or a Trojan were to access critical or protected files it would automatically cause the drive to reformat it self or crash in such a way that a recovery program or back-up program would be the only way to get the PC rebooted would vastly increase the protection of data. I give as an example people I have seen with modified scanners listening in on early analog cellular phones, cordless phones that ran in the 800mhz range, and you can be sure that there are people scanning the new 2.4ghz cordless phones. I waited until digital phones came out because they were virtually impossible to listen in on which is part of the reason the government was un-happy with most digital suppliers early on, they have now gotten this access with the GPS positioning set-up for 911 calls to allow emergency services to find the caller supposedly to as close as 10 meters or better. if you turn of this feature on most phones you loose features, so in order too keep all your services working it needs to be on.

[Ubber geek]

keep a log

http://www.analogstereo.com/renault_laguna_owners_manual.htm

Password imperfect

Passwords are no longer the hard codes to break.What maximum a normal guy can set as password?
1.His name/Nickname+123
2.His wifes name/Nickname+ilu
3.His pet's name
4.His son's or daughter's name
5.His birthdate
6.His wife;s birthdate
7.His anniversary date
8.His car number
9.His initials and emplyee number
10.His aniiversary
11..the list is long but definitley predictable

Hence even if you change your password everyday..one day or the other ..it will be hacked