Bill Gates Proclaims End of Passwords
KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"
hard and soft (Score:4, Interesting)
But what about biometrics ?
Hmmmm.... (Score:5, Interesting)
News? (Score:5, Interesting)
Sony gave me a Smart Card (Score:2, Interesting)
Re:hard and soft (Score:3, Interesting)
When used in conjunction with other security mechanisms, such as hardware smartcards, passwords, etc. then you've got a much better chance. For the basic user, biometric identification is probably OK. But you wouldn't want to rely on that for anything "secure."
Great another card to lose. (Score:5, Interesting)
Re:News? (Score:5, Interesting)
Cards, dongles have major drawbacks (Score:3, Interesting)
Look at dongles and other systems; they tend to be cracked. As long as you can snoop what's going on in the PC you can generally find a way of reading and injecting the required code.
Also, what happens if your server in another country goes down and you can't get an engineer to sort it out as there's no local smartcard? Why, you use remote login with a smartcard. Therefore your access code will be sent down the Internet/VPN.
Bill needs to do some proper R&D instead of spouting obvious potential developments.
It's simple, here we go:
I predict the end of magnetic media.
The mouse will be replaced.
We will get tables where the whole surface is a touchscreen.
Keyboards with changing key caps, the keys alter to suit the application.
etc..
Re:Hmmmm.... (Score:3, Interesting)
Man in the middle attacks? (Score:4, Interesting)
Bill is good at a lot of things... (Score:3, Interesting)
He's of course thinking about public/private keys and such, but they're overkill for almost all web-based applications that don't require money. Do you really want to use a public/private keyshare to log on to like, well for example Slashdot, just so you can post how wrong Bill Gates is?
I know I wouldn't. Phew!
password strengthening / stretching (Score:4, Interesting)
Dictionary attacks were difficult in the olden days, because password hashes were expensive to compute (on the order of a second each). Hardware has caught up, so that hundreds of candidates can be tested per second.
Password strengthening is a scheme that adds a significant amount of random salt to the password. To use the password, you have to brute force the salt. This slows down legitimate authentication, but it also slows down a dictionary attack.
Stretching is a special case of this scheme that uses repeated hashing, instead of random salt. Instead of storing the hash of a password, store the hash after a couple thousand iterations. If the algorithm is good, there is no shortcut to the end hash value.
If it hasn't been done already, I imagine it would be a simple matter to implement as a PAM module.
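Both schemes from this comment, as an added example that is not the commenter's code or any PAM module: stretching chains the hash for a fixed iteration count, while strengthening throws away part of the salt so the verifier has to brute-force it. Assumptions: SHA-256 as the hash, 2000 iterations, and a 12-bit hidden salt.

```python
import hashlib
import hmac
import os
import secrets

# Added example (not the commenter's code). Assumptions: SHA-256 as the
# underlying hash, 2000 iterations for stretching, 12-bit hidden salt.
ITERATIONS = 2000   # "a couple thousand iterations"
HIDDEN_BITS = 12    # bits of salt that are deliberately NOT stored


def stretch(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Key stretching: chain the hash so every guess costs `iterations` hashes."""
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest + password).digest()
    return digest


def enroll_stretched(password: bytes) -> tuple:
    """Store (public salt, iteration count, final digest) instead of one hash."""
    salt = os.urandom(16)
    return (salt, ITERATIONS, stretch(password, salt))


def verify_stretched(password: bytes, record: tuple) -> bool:
    salt, iterations, digest = record
    return hmac.compare_digest(stretch(password, salt, iterations), digest)


def strengthen(password: bytes, salt: bytes, hidden: int) -> bytes:
    """One hash over public salt || hidden salt || password."""
    return hashlib.sha256(salt + hidden.to_bytes(2, "big") + password).digest()


def enroll_strengthened(password: bytes) -> tuple:
    """Store only (public salt, digest); the hidden salt is discarded."""
    salt = os.urandom(16)
    hidden = secrets.randbelow(1 << HIDDEN_BITS)
    return (salt, strengthen(password, salt, hidden))


def verify_strengthened(password: bytes, record: tuple) -> bool:
    """A legitimate login brute-forces the hidden salt (2^HIDDEN_BITS hashes
    worst case); a dictionary attack pays the same price per candidate."""
    salt, digest = record
    for hidden in range(1 << HIDDEN_BITS):
        if hmac.compare_digest(strengthen(password, salt, hidden), digest):
            return True
    return False
```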
Re:hard and soft (Score:3, Interesting)
OK, long story short, I'm a Network Administrator (sysop, Computer Geek, Asshole, and/or whatever else name(s) we get called in the office...). Currently I'm working in the Photo/Electronics department of the local K-Mart (again, long story... thanx W...). I process 80 or so rolls of film every day. I'm sure my finger print has ended up on some of those...
Just a word to the wise...
smart card assumption (Score:2, Interesting)
Re:end of passwords - not (Score:3, Interesting)
We already have this for net banking. My debit card has a chip on it (which is also used for stored value smart card stuff) and to authenticate to the banks website, I use a reader supplied by the bank.
The process works like this:
Using basic public key signing, the bank now knows that it's me. In accordance with good crypto practice, all the security is in the key so I can use anyone's widget for the operation. Since it's a separate widget, I don't even have to trust my computer not to steal the pin - the computer only gets to see the one time challenges and responses
hardening windows (Score:2, Interesting)
This software allows me to embed user accounts to certain usb mass storage and if the usbkey is removed from the port, the machine automatically logs out current user and refuses to login another unless the correct drive assigned to the account is connected to the machine.
In addition to the token+password login, I'm using the EFS which is built-in to xp, which encrypts all my files with aes-256 on the fly.
Only downside is that currently the software doesn't support domain logins properly, so I have to manually mount all network drives but that's rather small annoyance for the cheap security it provides.
I'll keep my password, thanks. (Score:4, Interesting)
But a common pickpocket can take your smart card, and if you don't realize right away (or can't report it quickly enough) you won't get it deactivated in time to prevent compromise. Coupled with a password, though, the amount of time needed to break a decent password will give you the time you need to change out the card anyhow.
A different kind of password authentication (Score:5, Interesting)
So that sounds like it wouldn't work, right? People know your username so they can duplicate your login, right? Actually, it was really tight. He already had a working version that we all (in the senior design project class) got to try. We never could fool the thing. You could tell someone what your login name was and they would try and try and never could successfully login as you. The main reason this works is that you are typing your own name. If it were a generic word that most people don't have to type very often, there would probably be a lot more similarity in the way different people type it and the system wouldn't work well, but being your own name that you are used to typing, there is some muscle-memory developed that makes it flow out effortlessly and consistently, which no one else can match.
Never Proclaim End of Life (Score:3, Interesting)
floppy disks
command line interface (if this dies, I quit computers)
serial ports (also on my own list)
ps/2 keyboards and mice
analog modems
Technically, all of these can be replaced, but they haven't been; for one reason or another, they still exist. You cannot dictate change in this industry, you just sort of have to create opportunity for change, and flow with it.
From the other side, people use floppies, people use their favorite keyboard into keyboard death, then buy the same one as a replacement. People hate passwords. No one who writes the admin password for their xp box on a post-it note under the keyboard will ever miss passwords. If people find it easier, they might switch. But don't bet too much on it. Not that you venture capitalists will listen.
I'm pretty sure passwords will end up on that list someday and I will personally stand in the way of their demise. Why? Because I do not trust PKIs, especially dotNet.
Re:Um... no? (Score:2, Interesting)
Genital-prints! Everyone's hoo-ha and wingwang are unique, like snowflakes. The wrinkles, bumps, and lumps we all love so much can protect us from identity thieves!
Re:A different kind of password authentication (Score:1, Interesting)
Re:A different kind of password authentication (Score:1, Interesting)
Perhaps somebody could implement a secure shell for Linux using this technique.
aQazaQa
Re:Reminds of of an old AI story (Score:3, Interesting)
You love this phrase, "security through obscurity". I've never met a security expert who would consider dual private key challenge response encryption schemas security through obscurity.
That's funny, because I've never met an actual security expert who didn't understand that all security is based on obscurity (i.e., it's the very nature of keeping things secret). I guess we must know very different manner of experts, but I must say your talk doesn't instill me with confidence in yours being able to get the job done right. If it seems I use the "security through obscurity" phrase more than necessary, it's because it is a favorite on Slashdot and I'm not above pandering to the crowd. The key difference, though, is that the obscurity that people around here harp on is the kind that leaves unintended access holes, not the kind that are understood imperfections.
Deployed smartcard authentication systems are generally only vulnerable to key spoofing (which is a failure of the algorithm behind the authentication, NOT of the key storage mechanism) and vulnerable to physical decoding if the card is stolen, a point which even the PR guys in most smartcard vendors will stipulate. Are they perfect? No. But there exists no perfect security system in the IT world.
Right, which is why you shouldn't be so aggressively trying to defend smart cards when in reality they offer little beyond what a manual one-time password offers, yet come with oh-so-many-more holes. It's like you're trying to argue that a fair algorithm is better than a shitty one-time pad, so people should stop using pads. That might be convincing to people without real secrets to protect, but I know better, and I'll take a fair one-time pad over any shitty smart card, and I have to assume it's shitty because the operation is usually completely black boxed.
So let me rephrase what I said before - Given proper implementation, I KNOW it's a level of security far above and beyond simple passwords.
That is by no means a given, and that is why I consider your viewpoint to be so dangerous.
But it is a battle-tested approach that's been very successful in deployment, and continues to be a favored system of authentication at the NSA and the Pentagon, two institutions who've spent quite a bit more brain cycles thinking about this problem than I'm sure you or I have.
More importantly, they're the types of organizations that don't take anything as a given. If they use a smart card, you can damn well bet it is built to their specification. The rest of us are stuck with off-the-shelf stuff we really, really can't trust if we want to be honest about a system's security.