
Bill Gates Proclaims End of Passwords

Posted by CmdrTaco
from the trustno1-is-a-bad-password dept.
KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"
  • hard and soft (Score:4, Interesting)

    by mirko (198274) on Tuesday November 16, 2004 @09:36AM (#10829086) Journal
    So, years ago, Bill Gates proclaimed the software was better, now he gets back to some hardware key...
    But what about biometrics?
    • Re:hard and soft (Score:5, Insightful)

      by judmarc (649183) on Tuesday November 16, 2004 @09:43AM (#10829162)

      Think about this before assuming biometrics is the answer:

      • If someone steals an impression or picture of your fingerprint
      • If someone hacks the database linking your fingerprint or eyescan to your access authorizations for bank accounts, work, etc.

      - then how do you get your identity back?

      • Re:hard and soft (Score:3, Insightful)

        by Oddly_Drac (625066)
        "Think about this before assuming biometrics is the answer:"

        Even simpler. Biometrics is a layer on top of authentication that simply authenticates the key supplied by the biometrics. Even keycard access can be backed by a PIN to authenticate that the holder of the card is who the card proclaims them to be.

        The actual authentication is going to be a communication of ID to a server on a challenge/response basis; sidestepping the biometric step and cracking directly is likely to be a lot easier beca
      • If someone steals an impression or picture of your fingerprint

        OK, long story short, I'm a Network Administrator (sysop, Computer Geek, Asshole, and/or whatever else name(s) we get called in the office...). Currently I'm working in the Photo/Electronics department of the local K-Mart (again, long story... thanx W...). I process 80 or so rolls of film every day. I'm sure my fingerprint has ended up on some of those...

        Just a word to the wise...
      • Re:hard and soft (Score:4, Insightful)

        by sporty (27564) on Tuesday November 16, 2004 @11:41AM (#10830559) Homepage
        Or like me, someone who has a cut on their thumb that left a scar on their thumb. If this was during usage of a biometric system, I've just lost my password!
    • by darth_linux (778182) on Tuesday November 16, 2004 @09:44AM (#10829177) Homepage
      Bill's right, though. He knows if you use M$ products you don't need passwords. You'll still get 0wn3d.
    • Re:hard and soft (Score:3, Interesting)

      This has been discussed many times. Biometrics are not a reliable way of handling security. Once compromised (and they can be compromised!) you're left with a "password" you cannot change.

      When used in conjunction with other security mechanisms, such as hardware smartcards, passwords, etc. then you've got a much better chance. For the basic user, biometric identification is probably OK. But you wouldn't want to rely on that for anything "secure."
  • Hmmmm.... (Score:5, Interesting)

    by keeleysam (792221) on Tuesday November 16, 2004 @09:37AM (#10829092) Homepage Journal
    This has been in Mac OS for awhile... as Keychains... mine is on my USB thumb drive...
    • Re:Hmmmm.... (Score:5, Informative)

      by isaaccp (587894) on Tuesday November 16, 2004 @10:05AM (#10829389)
      Also available in Linux, check the USB PAM module: http://lists.debian.org/debian-mentors/2004/02/msg00143.html
    • Re:Hmmmm.... (Score:3, Interesting)

      by peterprior (319967)
      Aye. pam-usb and a gpg key on a usb stick is always a nice way to authenticate in Linux
    • Re:Hmmmm.... (Score:3, Informative)

      by Naikrovek (667)
      yeah, I thought that's why they were called usb KEYs... I think they were originally designed just for this purpose. my first USB key was 64kb (kilobytes) and held only an encryption key.

      Smart cards provide the exact same functionality as my very first usb key.
    • Re:Hmmmm.... (Score:3, Informative)

      by pesc (147035)
      This has been in Mac OS for awhile... as Keychains... mine is on my USB thumb drive...

      Absolutely not. A smart card is nothing like a USB drive where you store a password or cryptographic key.

      A smart card contains a closed microprocessor and a small memory. The point is that you cannot get at the contents of the memory at all (unless you have a silicon lab). The microprocessor has a private key that it never shows outside the silicon and a public key that the PC knows about. The smart card can prove its
  • by SoTuA (683507) on Tuesday November 16, 2004 @09:37AM (#10829099)
    ... to get me to confess my password, all they have to do is get my wallet?

    Nice!

  • News? (Score:5, Interesting)

    by tuomasr (721846) on Tuesday November 16, 2004 @09:39AM (#10829115)
    This doesn't sound like anything really new to me, I remember logging on to my W2K workstation with a smart card in 2001 if I remember correctly, what's new here (the techworld article didn't want to respond to me so I can't RTFA)?
  • by martin (1336) <maxsec&gmail,com> on Tuesday November 16, 2004 @09:39AM (#10829118) Journal
    So how do you 'unlock' the smart card to prove it's you (and still you) at the keyboard?

    a PIN...
    a fingerprint...

    Authentication is based around something you have (userid/smartcard/finger...) and something you know (password/PIN/....)

    No change since the Secure Single Sign On days of the mid 1990's. All they are doing is bringing it up to date using .NET to quickly build applications.
    • I've long argued for a similar solution for Credit Cards. I want a credit card that is a smart card, has a numeric keypad and a small LCD display. You insert the card into the reader, the reader asks for $X.XX dollars for XYZ, Inc. from the central credit card computing system, which responds to the reader with a unique transaction ID. The Price/Company promptly appears on your screen, you press "YES" or "NO" and key your pin. The unique transaction ID, your secret key (unlocked from smartcard using pin
    • by carlmenezes (204187) on Tuesday November 16, 2004 @10:42AM (#10829826) Homepage
      yeah, he's made a lot of proclamations.
  • Depends on how many patents Microsoft have quietly filed on the technology behind it
    • None. Or if they did, Sun Microsystems has been using a similar system for years. Smart card readers are standard equipment on all currently available Sun workstations, and have been for the last 3-4 generations of workstations as well. Sun "deployed" this system at least 4 years ago when it introduced "Sun Rays" back in 2000-2001 timeframe. If MS tried to patent this, Sun is clearly prior art, and if it isn't, it should be construed as simply a logical progression of Sun's system, which means it should no
  • by Fallen Kell (165468) on Tuesday November 16, 2004 @09:40AM (#10829135)
    Well, considering Sun has been using smart cards for user identification for YEARS, when Solaris 10's source is released under an open source license, open source will have the same capability (well, no need for .NET though).
  • How come there isn't an open source solution already?
    • KDE's Kwallet is pretty close. It stores all your passwords (web page, msn/icq, irc and so on) in a single file. Then on websites when they want a password, you just type in any gibberish, and let kwallet store it.

      Then put the kwallet file on a usb stick, and you're all set!

      It's best, of course, to have a password for the kwallet file, but you just type that in once when you log in, and it stays open until you log out again.

    • How come there isn't an open source solution already?

      There is. It is perfectly possible to use an SSH or kerberos key with no password to go with it. It's not a good idea though, and having the key stored on a smartcard does not make it one.

  • Nah, biometrics would be more likely to end passwords.

    Tough to hax0r a retinal scan, or a thumbprint.

    • You just cut off the finger and tear out the eyeball...

      This is just a proclamation towards harder violence in this world...
      • Re:.NET? (Score:4, Insightful)

        by rokzy (687636) on Tuesday November 16, 2004 @09:59AM (#10829329)
        you, like many others, assume that all criminals are psychos and will stop at nothing to commit a crime.

        that is bullshit. a large amount of crime is opportunistic. if you leave your window open, they'll climb in. if you close it, they might smash it IF the house is empty and secluded. but it's not an arms race. if you install CCTV and alarms, they don't come back dressed in black with night vision goggles and a set of expensive tools to disable your security, they just go next door to the guy who HAS left his window open.
    • Actually, it's pretty easy to hack a thumbprint. All you need is a meat cleaver and something to stop the bleeding...
    • Biometric fingerprint readers have been hacked [schneier.com] by copying a fingerprint impression from a plastic-like mold and even by just lifting the fingerprint off of a glass and manipulating that image into a physical mold.

      Something you have, something you know.

      'Something you are' is just another form of 'something you have'. The limitation of biometrics is that 'something you are' cannot easily be decommissioned and reissued if it has been compromised.

      The key to good security is to have the strength and numbe

  • Orville Redenbacher, speaking through an interpreter for the dead, announces an end to those pesky husks that end up between your teeth after a movie at the theater.

    Announcing: Seedless corn.
  • Being a member of MySony, they sent me an email and had me take a short survey, then decided to give me a free "wavecard" which is a Smart card with Felica technology. This is the contactless tech mentioned in the article. It requires software provided by Sony, and since I had the .NET runtimes installed already, I can't tell if .NET is really needed, but I can say MS wasn't the first.
  • by yogikoudou (806237) on Tuesday November 16, 2004 @09:42AM (#10829158)
    Seriously, who cares about passwords when you can exploit all the flaws MS systems have?
    They'd better fix their software first.
  • by PrvtBurrito (557287) on Tuesday November 16, 2004 @09:42AM (#10829159)
    Linux is missing an opportunity. Instead of writing software that insists that passwords be uncrackable, they should be innovating new technologies that make machines insensitive to dictionary attacks, or new technologies like the one described here that does away with the need for having passwords everywhere. Hmm, maybe Bill has some innovation in him after all....
    • by _|()|\| (159991) on Tuesday November 16, 2004 @10:20AM (#10829558)
      they should be innovating new technologies that make machines insensitive to dictionary attacks

      Dictionary attacks were difficult in the olden days, because password hashes were expensive to compute (on the order of a second each). Hardware has caught up, so that hundreds of candidates can be tested per second.

      Password strengthening is a scheme that adds a significant amount of random salt to the password. To use the password, you have to brute force the salt. This slows down legitimate authentication, but it also slows down a dictionary attack.

      Stretching is a special case of this scheme that uses repeated hashing, instead of random salt. Instead of storing the hash of a password, store the hash after a couple thousand iterations. If the algorithm is good, there is no shortcut to the end hash value.

      If it hasn't been done already, I imagine it would be a simple matter to implement as a PAM module.
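
Both schemes from the comment above, as an added example (not code from the thread): "strengthening" stores a hash over a hidden salt that even the legitimate verifier has to brute-force, and "stretching" chains a fixed number of hashes. The HASH_CALLS counter is constructed instrumentation so the work factor of each scheme can be read off directly; the sizes (12 hidden bits, 2000 iterations) are illustrative.

```python
"""Password strengthening (hidden salt) and stretching (iterated hashing)."""
import hashlib
import hmac
import os
import secrets

HASH_CALLS = 0  # constructed counter: how many hashes a verification costs


def h(data: bytes) -> bytes:
    """One SHA-256 call, counted so legitimate and attacker cost are comparable."""
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.sha256(data).digest()


# --- Strengthening: store H(password || public_salt || hidden_salt) but throw the
#     hidden salt away. Anyone checking a guess, the real user included, must try
#     all 2**HIDDEN_BITS values, so each dictionary candidate costs 2**HIDDEN_BITS
#     hashes instead of one.
HIDDEN_BITS = 12  # at most 16 here, because the hidden salt is packed into 2 bytes


def strengthen(password: str, hidden_bits: int = HIDDEN_BITS):
    """Return (public_salt, digest); the hidden salt is deliberately not returned."""
    public_salt = os.urandom(16)
    hidden = secrets.randbits(hidden_bits).to_bytes(2, "big")
    return public_salt, h(password.encode() + public_salt + hidden)


def verify_strengthened(password: str, public_salt: bytes, digest: bytes,
                        hidden_bits: int = HIDDEN_BITS) -> bool:
    """Brute-force the hidden salt; a wrong password always pays the full 2**k."""
    for candidate in range(1 << hidden_bits):
        hidden = candidate.to_bytes(2, "big")
        if hmac.compare_digest(h(password.encode() + public_salt + hidden), digest):
            return True
    return False


# --- Stretching: same idea, but the extra work is a fixed chain of hashes rather
#     than a search, so honest verification costs exactly ITERATIONS hashes.
ITERATIONS = 2000


def stretch(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    state = password.encode() + salt
    for _ in range(iterations):
        state = h(state)
    return state


def store_stretched(password: str):
    salt = os.urandom(16)
    return salt, stretch(password, salt)


def verify_stretched(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(stretch(password, salt), digest)


def pbkdf2_stretched(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The standardised form of stretching (PBKDF2) as shipped in the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hash_cost(fn, *args) -> int:
    """Number of counted hash calls one invocation of fn costs (constructed helper)."""
    before = HASH_CALLS
    fn(*args)
    return HASH_CALLS - before
```

With 12 hidden bits a wrong guess costs 4096 hashes and a correct one about half that on average; stretching charges both sides the same 2000.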

  • by Albanach (527650) on Tuesday November 16, 2004 @09:43AM (#10829166) Homepage
    Reading the Axalto press release they talk about their cards as an additional form of security, not a password replacement. I've used smart cards for a few things and each of them has been protected by a password too. You enter the smart card and are then asked for a PIN to ensure you have the right to be using that smart card. As another poster said, if there's no password all they have to do is get to your wallet if they want to Get Root. Hopefully if we do see an open source implementation it won't be passwordless!
  • by UFNinja (726662) on Tuesday November 16, 2004 @09:43AM (#10829172)
    Isn't the best way to secure data *both* something you have (e.g. key) and something you know (e.g. password)? Something I know is also less likely to get stolen, so long as no one has a keylogger installed on my computer. Last time I checked, it's also a whole lot easier to change my password than it is to change the locks on my doors.
  • by auzy (680819) on Tuesday November 16, 2004 @09:45AM (#10829196)
    It's similar to the national identity card.. What if your card gets stolen? Any idiot can probably use it to connect to all of your accounts, without effort. Even worse, it's a very poor idea to base your systems on a completely centralised system like passport authentication. It only takes 1 person at Microsoft to trip on a cable for all of your logins to fail.

    Finally, it offers no protection still. Bill Gates is assuming you can't capture the password in memory. It is in fact even easier with .net because unlike a keylogger, the answer won't be obfuscated, you can just monitor the smartcard port, capture all the details sent, and you don't even need the smartcard.. You just emulate the smartcard hardware and fake the connection to the card, easy.

    This system offers much less security than now, and the last few drops of respect I had for .NET are now mostly gone. This is nothing more than a publicity act that only stops people who tell others their passwords, and even then, they will just be able to borrow the smartcard.

    Smartcards and MS passport also make a great way of tracking people. No one can tell me that Microsoft won't abuse this to improve their search engine

    It will take only 1 more DNS mess-up for everything to fall apart, and is nothing more than a marketing act. I beg of the mono people to offer a proper decentralised authentication system instead, like one based on jabber where any login method is possible anyway if the server supports the authentication type. PLEASE.. Do not use .NET authentication, or you are putting yourself in a terrible position (it costs money anyway, so I think it's time we as a programming community got together and got jabber up to the point the same thing is possible in a decentralised way).
    • It's similar to the national identity card..

      Or a credit card, bank card, driver's license, passport, etc.

      Obviously there will be fail-safes in case you lose your card.

      It is no more like a "national identity card" than anything else I listed, because the government won't be running it, and they won't be able to demand to see it from everyone walking down the street.
      • passports and drivers licenses have a photo though, so you can't pretend to be the owner of the item.

        Credit cards have a PIN, contain no customer details, and the ATM eats your card after 5 bad entries.. Many ATMs also take your photo, so it's harder to use it. Finally, the ATMs generally only let you extract a small amount each transaction, so it isn't that easy.

        Internet doesn't have a photo or restrictions, so you can log into a .NET enabled shares site, and with the .net key, suddenly, they
  • by cwebb1977 (650175) on Tuesday November 16, 2004 @09:45AM (#10829197) Homepage
    Dyslexia finally made sense to me...
  • Is there no limit to Bill's powers of proclamations of endings? (Okay, he still has a year to go on the spam, but it'll be ending any moment .. now. Now. Now! Any moment...)
  • LOL (Score:2, Funny)

    by JediTrainer (314273)
    In other words, Bill Gates gives up on security. "You win. You hackers always seem to find a way to break into our OS, well fine. From now on, we're taking the ball back. NO SECURITY FOR YOU!". Or, perhaps "In the interest of customer service and ease of use, we will now automatically grant administrator access to anyone who can turn the machine on. Down with restrictions!"

    In all seriousness, is anyone stupid enough to trust any security initiative put forth by Microsoft after the last few years have been
  • I can't wait for the inevitable exploits and bugs that will cause cracker to be able to amass the personal information of everyone who is dumb enough to believe this man.

    Can I get indemnification from Microsoft for the problems this scheme will bring? No?

    A little black book containing all your passwords that you keep on your person is the ONLY way to be safe.
  • by LabRat007 (765435) on Tuesday November 16, 2004 @09:47AM (#10829213) Homepage
    I actually like my password encrusted life. If I lose it, all I have to do is request another be emailed. If I forget my email password I just call my provider and answer a slew of questions to prove my identity. Things are quick. Now, if my wife gets hold of a password "key" of any kind she will just lose it like she loses her ATM card 2-3 times per year. No thanks.
  • After the 40th day where the D.A.M.N. Windows-based soul tracking system was offline due to spyware, God, CIO/CEO/Ruler of All You Know, has proclaimed the end of Bill Gates.
  • by dbIII (701233) on Tuesday November 16, 2004 @09:51AM (#10829240)
    You may recall that RMS was strongly against passwords. We don't have to agree with everything he says or does - just the good stuff.
  • The answer, although everybody is recommending it, is not biometrics. Let's say company A has your thumbprint/iris print on file for access to their system. Now, company B uses the same method. What's to stop company A from using that print to get information from company A. What if they use some iris scanning thing to get a key to encrypt your data. What if your eye gets messed up. Is your data lost, because it's going to take 5000 years to decrypt by some other hacking it? Compared the the alternativ
  • by WillerZ (814133) on Tuesday November 16, 2004 @09:53AM (#10829269) Homepage
    See this page:

    http://www.ibutton.com/ibuttons/java.html [ibutton.com]

    I've had one of these Java-powered iButtons since 2001. If you have the PKI in place it's a very easy technology to use. If you don't, it just gives you bragging rights in the my-computer-is-smaller wars.

    Both good.

    Phil
  • by the_skywise (189793) on Tuesday November 16, 2004 @09:53AM (#10829272)
    And it was called the "Java Ring"?
    • The Java ring was a Dallas Semiconductor DS1955A iButton in a signet ring holder. The 1955A could only hold one key. The 1955B is a bit more useful, as it can hold about 30 keys. I have the dog-tag holder for it, but I wish I'd gone for the USB fob.

      Don't waste your time by getting the parallel-port adapter, as most modern machines seem to have trouble providing enough power to the iButton for the compute-intensive parts of the process. On the last 3 machines I've had it's been impossible to generate ke
  • by Black Noise (683584) on Tuesday November 16, 2004 @09:53AM (#10829276)

    End of passwords? Umm, so, what is the other factor then?
    Axalto's new .NET-based smart card is both a great solution to bring strong, two-factor authentication to the enterprise as well as yet another way for .NET developers to take advantage of their skills and code.
  • Newer US Military ID cards (~last 2 years) have a 'chip' in them that allow instant login to DOD computer systems. It also stores the user's medical records.
  • by djmurdoch (306849) on Tuesday November 16, 2004 @09:56AM (#10829296)
    I can't RTFA (it's been slashdotted), but this makes lots of sense, and there *are* open source solutions to this, like public/private key pairs in OpenSSH. I do need to know a passphrase to unlock my key, but then I can log in to a number of different machines with it. In fact, I have my machines set up to not accept password logins except at the console, remote users *must* use key pairs.

    Currently I keep a key on my desktop machine and another one on my laptop, but if I was worried that those would be stolen I could switch to a USB key.

  • by gilesjuk (604902) <giles.jones@nospAm.zen.co.uk> on Tuesday November 16, 2004 @10:00AM (#10829338)
    Hardware security solutions require software to work, software can be cracked, therefore hardware solutions don't work.

    Look at dongles and other systems, they tend to be cracked. As long as you can snoop what's going on in the PC you can generally find a way of reading and injecting the required code.

    Also what happens if your server in another country goes down and you can't get an engineer to sort it out as there's no local smartcard? why you use remote login with a smartcard. Therefore your access code will be sent down the Internet/VPN.

    Bill needs to do some proper R&D instead of spouting obvious potential developments.

    It's simple, here we go:

    I predict the end of magnetic media.

    The mouse will be replaced.

    We will get tables where the whole surface is a touchscreen.

    Keyboards with changing key caps, the keys alter to suit the application.

    etc..
  • And over in Java... (Score:5, Informative)

    by MosesJones (55544) on Tuesday November 16, 2004 @10:09AM (#10829427) Homepage

    A classic case of Billy boy announcing something everyone else has. I saw a demo by Sony about 2.5 years ago now which demonstrated smart card + biometrics as an authentication mechanism.

    Something like 98% of the world's new smart cards run Java as their programming language, and there are defined standards for security around it. This stuff is already being used in the wild, for instance by the DoD. Oh and if you have one of those "Blue" or clear Amex credit cards... its running Java too.

    Or of course you could wait for Longhorn.

    In terms of open source, you can do this in Java (which is published and the source is accessible), today.

    I love Microsoft, "yesterday's technology, tomorrow".
    • Microsoft is good at taking something that exists, doing their own version of it, then spending huge money marketing it to people who've never heard of it.

      This is actually a valid business model to some degree.

      For those of us who don't like it, we've failed the world by not telling them about these things before Microsoft did.

      Kerberos pre-existed Win2k3 by a long shot and directory services pre-existed it too. But who bothered telling the users that?
  • by Doc Ruby (173196) on Tuesday November 16, 2004 @10:10AM (#10829448) Homepage Journal
    As usual, Gates has decided that the lowest common denominator of sophistication will dumb down computing for everyone. I don't want to have to carry around a smartcard, or anything else. Who wants to find their smartcard somewhere in their apartment early in the morning to check their email before their cup of coffee? Who wants their girlfriend to "borrow" it to check that email before that cup of coffee, before they wake up? How much identity theft will be perpetuated in the name of Gates' "convenience"?

    The best access solution is a combination of HW token, biometrics and password. Two out of three should gain access to all but root, sending a message to the administrator (possibly attaching a picture, voiceprint and GPS). Too bad for Gates that this security architecture makes a mobile "phone" the best gatekeeper to cyberspace, where his Windows monopoly is most under threat. Too bad for us that his monopoly is in a position to derail even that engine of progress, making mobile phones as much a mess as Windows. Someone stop him before he destroys yet another dream of freedom!
  • by AndroidCat (229562) on Tuesday November 16, 2004 @10:14AM (#10829476) Homepage
    What happens when you use your card on a PC that's pwn3d by dozens of pieces of spyware? Does the card use VPN or some kind of encryption wrapper that protects the link between the card and the other end even from a haxored PC?
    • by pesc (147035) on Tuesday November 16, 2004 @12:17PM (#10831016)
      What happens when you use your card on a PC that's pwn3d by dozens of pieces of spyware? Does the card use VPN or some kind of encryption wrapper that protects the link between the card and the other end even from a haxored PC?

      A smart card contains a microprocessor that can sign stuff that the PC sends to it. It contains a secret private key for signing that never leaves the silicon, so no PC can get at it.

      The viruses can't steal the identity in the smart card. The smart card will happily prove its identity to the viruses. The important thing to understand is that while the smart card can prove its identity, it can't prove that its owner is actually at the keyboard or that the IE session withdrawing funds is run by a human in charge of the transactions... There are smart cards with built-in keyboard/display for that. Or you use a Palladium PC...
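
The challenge/response pesc describes here (and Oddly_Drac earlier in the thread), as an added example that is not code from the thread: the card signs a server nonce with a key that is never exported, a PIN gates signing so the card alone is not enough, and the server accepts each nonce once. The RSA key is a constructed toy (two small Mersenne primes, no padding) so the block runs on the standard library alone; it is not a secure key.

```python
"""Smart-card style challenge/response with PIN unlock (toy RSA, stdlib only)."""
import hashlib
import hmac
import secrets

# Toy RSA key (constructed). 2**31-1 and 2**61-1 are both prime; far too small for real use.
_P, _Q = (1 << 31) - 1, (1 << 61) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))  # modular inverse, Python 3.8+


def _challenge_to_int(challenge: bytes, n: int) -> int:
    """Hash the nonce and reduce below the modulus (toy; real cards use PKCS#1 or ECDSA)."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


class SmartCard:
    """Stands in for the card's silicon: the private exponent is never returned,
    and signing only works while the holder's PIN has been presented."""
    MAX_PIN_TRIES = 3  # lock the card after repeated wrong PINs, like an ATM

    def __init__(self, private_exponent: int, pin: str):
        self._d = private_exponent
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False
        self._bad_pins = 0
        self.public_key = (N, E)  # the only part the PC or server ever sees

    def verify_pin(self, pin: str) -> bool:
        if self._bad_pins >= self.MAX_PIN_TRIES:
            return False  # locked: needs an out-of-band unblock or re-issue
        ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        if ok:
            self._unlocked, self._bad_pins = True, 0
        else:
            self._bad_pins += 1
        return ok

    def sign_challenge(self, challenge: bytes):
        """Signature as an int, or None while the card is locked."""
        if not self._unlocked:
            return None
        return pow(_challenge_to_int(challenge, N), self._d, N)

    def remove(self) -> None:
        """Pulling the card out of the reader drops the unlocked state."""
        self._unlocked = False


class AuthServer:
    """Relying party: hands out single-use nonces and checks signatures against
    the enrolled public key. Popping the nonce on first check defeats replay."""

    def __init__(self, enrolled: dict):
        self._keys = enrolled   # user -> (n, e)
        self._pending = {}      # user -> outstanding nonce

    def issue_challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def check_response(self, user: str, signature) -> bool:
        nonce = self._pending.pop(user, None)
        if nonce is None or signature is None or user not in self._keys:
            return False
        n, e = self._keys[user]
        return pow(signature, e, n) == _challenge_to_int(nonce, n)
```

Once unlocked the card still signs whatever the host hands it, and a PIN typed on that same host is visible to it, which is the residual risk the comment points at and the reason cards with their own keypad and display exist.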
  • by Nijika (525558) on Tuesday November 16, 2004 @10:19AM (#10829540) Homepage Journal
    ...but predicting the future isn't one of them. He does have a talent for molding the present to suit him, but he's more miss than hit when it comes to being an oracle of progress.

    He's of course thinking about public/private keys and such, but they're overkill for almost all web-based applications that don't require money. Do you really want to use a public/private keyshare to log on to like, well for example Slashdot, just so you can post how wrong Bill Gates is?

    I know I wouldn't. Phew!
  • by 241comp (535228) on Tuesday November 16, 2004 @10:38AM (#10829786) Homepage
    Nope, this won't end passwords. For security, you have the following 3 options: something you have (smart card, signature), something you know (password, passphrase, PIN) and something you are (fingerprint, retina scan). For non-vital information (your hotmail account), choose one. For important information (medical, financial) choose two. For vital information (mission-critical applications, firing mechanisms, creating a will) use all 3.
  • by rainer_d (115765) on Tuesday November 16, 2004 @10:42AM (#10829820) Homepage
    I once talked to representatives of a vendor/integrator of cryptographic smartcards.
    I also talked about Linux/OpenSource with them and it's not that they hate Linux and love MSFT - it's just that for any serious use (read: digital signatures, use of the smart-card instead of your written signature), any "applets", any application, and any hardware has to be "certified" for a specific platform.
    With this certification-process, the vendor testifies that the software and hardware work as advertised and no "unpleasant surprises" happen.
    Unfortunately, this is time-consuming and thus very expensive - and must be re-done for every platform. Naturally, smartcard-vendors only certify for the platforms where they have sufficient demand (XP, W2K).

    About the only chance that something like this is going to come to the OSS-world is that someone is putting forward a lot of money and essentially pay the vendor for the certification.
    In Europe, usually the taxpayer does something like this, but in slashdot's home-country, I hear that the government spending money for "the common good" has recently escaped the mind of the general public who instead believes in privatization, tax-cuts and "trickle down".
    You can probably imagine when such a thing will "trickle down" onto OpenSource-software ;-)

    cheers,
    Rainer
  • by jridley (9305) on Tuesday November 16, 2004 @11:03AM (#10830078)
    ... or "Bill Gates Declares"

    translation:

    Bill Gates has some new thing he wants to sell, which might be able to replace some tried-and-true technology.
  • by LakeSolon (699033) on Tuesday November 16, 2004 @11:14AM (#10830229) Homepage
    Linux already has this sort of technology, it is even interoperable with Windows, Solaris, UNICOS and AIX. It is called Kerberos.
  • by droleary (47999) on Tuesday November 16, 2004 @11:27AM (#10830388) Homepage
    A group of students are working on a neural net project. It comes time to decide what weight to put on the initial connections. One student says, "Set them all to 0 to start." Another student says, "No, that will introduce bias. We should set them all randomly." The smart professor replies, "You'll still have bias, only you won't know what it is."

    So to Mr. Gates I'd like to reply: You'll still have a password, only you won't know what it is. Makes sense from a "security through obscurity" standpoint, though! :-)
  • by xxx_Birdman_xxx (676056) on Tuesday November 16, 2004 @11:36AM (#10830493)
    I'm doing a uni course on security at the moment..
    What they are teaching is that there are three main types of authentication:
    Something you have - A smartcard, something physical.
    Something you are - a fingerprint, biometrics.
    Something you know - a password in ya head.

    The whole idea is that you combine these for stronger protection.

    To say that passwords are towards the end of their life is like saying they (M$) will be ignoring one possible type of authentication. Sure you can just use smart cards, but it's always better to have a combo of types and passwords are still handy to add that extra layer.
  • by JeffTL (667728) on Tuesday November 16, 2004 @12:06PM (#10830858)
    Smart cards are a good thing for multifactor identification -- if you have not only the username and password but also a smartcard, authenticity is pretty good. Toss in a biometric and you can be almost certain of who's logging in.

    But a common pickpocket can take your smart card, and if you don't realize right away (or can't report it quickly enough) you won't get it deactivated in time to prevent compromise. Coupled with a password, though, the amount of time needed to break a decent password will give you the time you need to change out the card anyhow.
  • by theolein (316044) on Tuesday November 16, 2004 @12:11PM (#10830936) Journal
    No matter how bad a piece of his company's technology is - I'm referring to the disaster that was the original passport which was hacked with remarkable speed and spurned by the industry almost unanimously - the man just does not give up. Every time he launches yet another piece of drivel guaranteed to fail, he simply puts it back in the marketing department which is tasked with bringing it back at some later date under another name with one or two improvements, which they will keep on doing in an endless loop until, even if it's ten years later, it finally gains traction.
  • by silicon not in the v (669585) on Tuesday November 16, 2004 @12:22PM (#10831086) Journal
    When I was in college, a guy I knew was working on a software authentication scheme for his senior project. Here is how it works. As a new account, you select your user name. You go through a login trainer session, where you have to type that login name about 10 times, while it reads and stores the time intervals between the characters you enter. If you haven't established a certain degree of consistency, it will ask you to enter it a few more times. So that parameter of the natural rhythm with which you type your login name is stored in the system as your "password".

    So that sounds like it wouldn't work, right? People know your username so they can duplicate your login, right? Actually, it was really tight. He already had a working version that we all (in the senior design project class) got to try. We never could fool the thing. You could tell someone what your login name was and they would try and try and never could successfully log in as you. The main reason this works is that you are typing your own name. If it were a generic word that most people don't have to type very often, there would probably be a lot more similarity in the way different people type it and the system wouldn't work well, but being your own name that you are used to typing, there is some muscle memory developed that makes it flow out effortlessly and consistently, which no one else can match.
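    The enrollment-and-verification loop described in the post above, written out as an added illustration; this is not the senior project's code, and the login name length, the training timings, the consistency threshold (coefficient of variation) and the acceptance tolerance are all constructed assumptions. The trainer stores the gaps between key presses, refuses to finish enrollment until those gaps are consistent enough, and later accepts a login only if every gap falls within a few standard deviations of the stored rhythm.

```python
"""Keystroke-rhythm login check modelled on the scheme described above.
Added example, not the original project's code; all thresholds and sample
timings are constructed."""
import statistics

# Constructed training data: ten runs of typing a five-character login name,
# each recorded as the four gaps (in seconds) between successive key presses.
OWNER_TRAINING = [
    [0.12, 0.18, 0.10, 0.22],
    [0.13, 0.17, 0.11, 0.23],
    [0.11, 0.19, 0.10, 0.21],
    [0.12, 0.18, 0.09, 0.22],
    [0.14, 0.17, 0.10, 0.24],
    [0.12, 0.20, 0.11, 0.22],
    [0.11, 0.18, 0.10, 0.20],
    [0.13, 0.18, 0.10, 0.23],
    [0.12, 0.17, 0.09, 0.21],
    [0.12, 0.19, 0.11, 0.22],
]
OWNER_ATTEMPT = [0.13, 0.18, 0.10, 0.21]     # constructed: the owner logging in
IMPOSTOR_ATTEMPT = [0.30, 0.25, 0.28, 0.40]  # constructed: someone who only knows the name
# Constructed runs from a typist who has not yet settled into a rhythm.
INCONSISTENT_TRAINING = [
    [0.10, 0.10, 0.10, 0.10],
    [0.50, 0.20, 0.40, 0.10],
    [0.10, 0.60, 0.10, 0.30],
    [0.40, 0.10, 0.50, 0.20],
    [0.20, 0.50, 0.10, 0.60],
]


def intervals_from_timestamps(timestamps):
    """Turn raw key-press timestamps into the gap vector the scheme stores."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def enroll(training_runs, min_runs=5, max_cv=0.35):
    """Build a rhythm profile (mean and spread per gap) from training runs.

    Returns None when the typist is not yet consistent enough, which is the
    point where the trainer asks for a few more repetitions.
    """
    if len(training_runs) < min_runs:
        return None
    width = len(training_runs[0])
    if any(len(run) != width for run in training_runs):
        raise ValueError("every training run must have the same number of gaps")
    profile = []
    for gaps in zip(*training_runs):
        mean = statistics.mean(gaps)
        spread = statistics.stdev(gaps)
        # Coefficient of variation above the limit means this gap is still erratic.
        if mean <= 0 or spread / mean > max_cv:
            return None
        profile.append((mean, spread))
    return profile


def verify(profile, attempt, tolerance=3.0, floor=0.015):
    """Accept only if every gap lies within tolerance * spread of its stored mean.

    The floor on the spread keeps an unusually consistent typist from building
    a profile so tight that they lock themselves out on the next login.
    """
    if len(attempt) != len(profile):
        return False
    return all(abs(gap - mean) <= tolerance * max(spread, floor)
               for gap, (mean, spread) in zip(attempt, profile))


if __name__ == "__main__":
    stored = enroll(OWNER_TRAINING)
    print("enrolled:", stored is not None)
    print("owner accepted:", verify(stored, OWNER_ATTEMPT))
    print("impostor accepted:", verify(stored, IMPOSTOR_ATTEMPT))
    print("erratic typist enrolled:", enroll(INCONSISTENT_TRAINING) is not None)
```

    A real deployment would also store the profile server-side and update it slowly over time, since typing rhythm drifts; the per-gap tolerance here is the knob that trades false rejections of the owner against false acceptances of someone who knows the name.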
  • by nuintari (47926) on Tuesday November 16, 2004 @01:10PM (#10831694) Homepage
    Anything so entrenched can never be said to be heading the way of the Dodo. Things last, for better or for worse, things stick around:

    floppy disks
    command line interface (if this dies, I quit computers)
    serial ports (also on my own list)
    ps/2 keyboards and mice
    analog modems

    Technically, all of these can be replaced, but they haven't been; for one reason or another, they still exist. You cannot dictate change in this industry, you just sort of have to create opportunity for change, and flow with it.

    From the other side, people use floppies, people use their favorite keyboard into keyboard death, then buy the same one as a replacement. People hate passwords. No one who writes the admin password for their XP box on a Post-it note under the keyboard will ever miss passwords. If people find it easier, they might switch. But don't bet too much on it. Not that you venture capitalists will listen.

    I'm pretty sure passwords will end up on that list someday and I will personally stand in the way of their demise. Why? Because I do not trust PKIs, especially dotNet.
  • by tillerman35 (763054) on Tuesday November 16, 2004 @03:15PM (#10833594)
    There should be a biometric unit that uses the pattern of veins on the underside of your tongue to uniquely identify individuals.

    The underside of everyone's tongue is different. I verified this using basic research techniques over a series of weekends while I was in college. After obtaining a more permanent research assistant, I was unable to proceed with further "comparison-" however, I do encourage others to carry on my work in the spirit of cooperative science.

    The beauty of this approach is that you could integrate the tongue reader with the computer's mouse. The user would insert his/her tongue into an opening in the underside of the mouse, a laser light would illuminate the pattern of veins, and the resulting image would be captured and compared against the security database. The process is as simple as licking the filling out of a custard donut. In fact, in some companies I have worked for the users are so simple that care would be needed to ensure that they could tell the difference between a custard donut and a tongue reader or problems might occur. Utter panic ensues as user authentication fails at Dunkin' Donuts Wi-Fi access points... Well, you get the idea.

    For those users on a low-carb diet, the process can be described as similar to that used for another research project I conducted while in college. One advantage of the tongue-reader biometric system is that computer mice, like research assistants, are much more responsive when properly lubricated. Some other method might be necessary when dealing with portable computers. Perhaps it would be possible to integrate a tongue reader with the touch-pad pointing device. Obviously, this would favor users with the ability to lick their own laptops. But isn't that already the case for much of life?

    And in case anyone is wondering, yes this IS a tongue-in-cheek post.