February 23, 2005 4:00 AM PST

Finding a replacement for passwords

Related Stories

Password imperfect

December 9, 2004

Gates: Passwords passe

November 16, 2004

Gates predicts death of the password

February 25, 2004

Passwords: The weakest link

May 22, 2002

(continued from previous page)

end of 2007, half of today's stronger methods of authentication will no longer be strong enough to foil phishing or online attacks, the report's authors said.

While technology providers have focused on hardware devices as a secondary means of identity authentication, research has come up with less costly replacements for the password.

One alternative is a picture-based password. Instead of remembering a word or digits, a user would click on a specific part of a large digital photo. Another idea is that a series of random numbers or letters appear and you enter the letters for your password based on a shape that you remember. While perhaps more difficult for random thieves to guess, some have warned that such graphical passwords might be more easy for a co-worker or other passersby to spot.

Another suggestion has been to use unique personal traits, such as fingerprints, as a means of authentication. Although there are a handful of notebook, handheld and desktop computers that come with fingerprint readers, such biometric technology is not widespread enough to make it a standard method of verifying identity. Voice prints are another option, but until speech recognition improves in reliability, customer frustration could be high.

Still life in passwords
Despite all the criticism of passwords, not everyone thinks they are past their prime.

Richard Parry, who is responsible for assessing threats for consumer banking giant JP Morgan Chase, argued that too much attention is being given to Internet security fears in general and passwords in particular.

"It would be untrue to say (the password) is not still working for us in many applications," Parry said. "Whether it is sustainable is another question."

Parry pointed out in a panel discussion at the RSA show that in any 24-hour period, more money will be lost from burglary than from Internet fraud. "The sky isn't falling," he said.

That said, he noted that two-factor authentication is already in relatively high use in financial institutions for very wealthy and corporate customers, as well as for certain large transactions. JP Morgan Chase's own workers use RSA's tokens, for example. He did note that such measures probably don't make sense for the masses, where two-thirds of bank accounts contain less than $1,000.

In the background of the debate over passwords is the suggestion that if online banks don't tighten security, U.S. regulators may force them to do so. In places like Singapore and Sweden, laws already require stronger means of authentication. And a December FDIC report says that the industry's reliance on passwords "offers an insufficient level of security" and suggests hardware tokens may be the way to go.

Parry is particularly concerned that well-intentioned regulation could have economic drawbacks for service providers.

"Some regulation is good, and regulators have every right and even an obligation to be concerned," he said. But "regulation as a blunt instrument could dramatically increase costs."

Previous page
Page 1 | 2 | 3

7 comments

Join the conversation!
Add your comment
Replacement for Passwords
So you think that getting rid of passwords, and using "tokens" will soleve the secrity problem?
Guess again. You must know that certain cars use something similar for ignigiion - and guess what:
the new electronic keys (or tokens) can be stolen, or duplicated. there is a fine balance between security via passwords, and (the next step in invading our privacy) tagging everyone with a chip. Is that to be your next suggestion, when the token do not work? Proper programing, that will not accept "easy to guess" passwords, is still the most "livable" way to go - along with ogther good policing/security measures. The limits of other means of programming and electonic based means have not even been scratched. Those in the related (secutity)fields (internet, ect.) have yet to make the effort to control spam and viruses that could be done. Where I work, we get in excess of 50,000 spam emails a day, and while thiose in charge of Internet security excuses themselves by saying that they cannot trace the originator, it does not even enter their mind, to go after those who pay the spamers to send out the adds. that is only an example of a related kind of problem. It seem that it is easier to creat another, money making gadget(?)??????
....that's my take on this
...Steve
Posted by stevezd (9 comments )
Reply Link Flag
Gosh, I Know---
How about something like a "...National BIOMETRIC ID-Card" with "intregal RFID" (or some equivalent electronic verification)? It could be required for every citizen to have one, ...just like the 'REAL-ID plan' already approved by the Senate (which, by the way, is being desperately pushed-forward by the 'Whitehouse')?

A citizen could insert their "ID" every time they 'booted' their "...Trusted PC" (in fact, within the "Trusted Computer" architecture it could quickly be made virtually impossible to use a PC without it).

And best of all, by requiring "positive ID" to use the Internet, "WE" could, finally, eliminate "fraud", "copyright-violation", "anonymous speech", etc., ...or even, that most dreaded malady, "privacy" itself.
Posted by Gayle Edwards (262 comments )
Link Flag
The Market Needs More Accurate Info
There seem to be a lot of opinions in the market for user authentication, which is no surprise. What is surprising is the lack of research data to back up the opinions voiced by leading authors and research firms. Token technology is not widely understood to begin with, and influential opinions without facts behind them create greater misunderstanding.

A token is nothing like the key fobs used in a car ignition system. Think of a token as a secure secret. Instead of sharing the secret to gain access (like you do now with a password, social security number, etc.) the token uses an embedded secret (the algorithm) to generate a one-time code based on time of day or an internal counter. The only way to confirm that this one-time code is correct is to have an encrypted copy of the secret on the back-end of the system being accessed. The secret on the back-end also generates a one-time code which is compared to the code the user enters. If the codes match, the correct token is being used and access is granted. At no time is the actual secret in the open. Many of today's algorithms use 3DES - you can look it up if you are interested in cryptography but bottom line is that it has not been cracked and would not be economically feasible to try.
Posted by (1 comment )
Link Flag
PC Security
I am all for all MAKES & MODELS of pc's, including homebuilt, and custom built pc's having a thumbprint reader as a secure login device. This can be used for home & corporate pc's. This may also be used for secure web site access only when the PC is shared by the entire family there still can be the one standard password to boot the system, but parents can control Internet surfing content, chat room content, and specific files and folders via the thumb print scanner. This would prevent children from accessing porn or adult chats, keep them out of private or financial files & sites without a parents need to keep a log of all the various password used for different web sites which can be found all too easily by children or misplaced by the adult while trying to prevent the children from finding the password file/log. This is the simplest form of securing one data, and personnel computer from being accessed with out proper authorization. With todays back-up equipment & technologies this thumb reader could cause a complete data loss if tampered with. If only a similar technology could be used to prevent hacking of data through DSL, Cable, and Dial-up connection's it would be great! If a hacker or a Trojan were to access critical or protected files it would automatically cause the drive to reformat it self or crash in such a way that a recovery program or back-up program would be the only way to get the PC rebooted would vastly increase the protection of data. I give as an example people I have seen with modified scanners listening in on early analog cellular phones, cordless phones that ran in the 800mhz range, and you can be sure that there are people scanning the new 2.4ghz cordless phones. I waited until digital phones came out because they were virtually impossible to listen in on which is part of the reason the government was un-happy with most digital suppliers early on, they have now gotten this access with the GPS positioning set-up for 911 calls to allow emergency services to find the caller supposedly to as close as 10 meters or better. if you turn of this feature on most phones you loose features, so in order too keep all your services working it needs to be on.
Posted by wino460 (1 comment )
Reply Link Flag
keep a log
<a class="jive-link-external" href="http://www.analogstereo.com/renault_laguna_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/renault_laguna_owners_manual.htm</a>
Posted by Ubber geek (325 comments )
Link Flag
Password imperfect
Passwords are no longer the hard codes to break.What maximum a normal guy can set as password?
1.His name/Nickname+123
2.His wifes name/Nickname+ilu
3.His pet's name
4.His son's or daughter's name
5.His birthdate
6.His wife;s birthdate
7.His anniversary date
8.His car number
9.His initials and emplyee number
10.His aniiversary
11..the list is long but definitley predictable

Hence even if you change your password everyday..one day or the other ..it will be hacked
Posted by (3 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.