NYT Password Security Discussion Overlooks Universal Logins 127
A recent NYT piece explores the never-ending quest for password-based security, to which reader climenole responds with a snippet from ReadWriteWeb that argues it's time to think more seriously about life beyond passwords, at least beyond keeping a long list of individual login/password pairs:
"These protective measures don't go very far, according to the New York Times, because hackers can get ahold of passwords with software that remotely tracks keystrokes, or by tricking users into typing them in. The story touches on a range of issues around the problem, but neglects to mention the obvious: the march toward a centralized login for multiple sites."
In matters of security (Score:5, Insightful)
In matters of security, the most important tool anyone can have is common sense. Phishing scams, "dangerous" websites, revealing important information willy nilly...all things that cause major problems in the digital world, and all things that could be almost completely avoided if common sense was more prevalent.
Granted, some people "don't know any better"...but that's why you educate those types of people if you know any.
Single point of failure (Score:3, Insightful)
Torn (Score:5, Insightful)
In the end I compromise and simply use a variation of one password for those.
There is the problem with centralized logins: the masses don't consider the first part, and only think of the convenience.
Re:How does centralized login solve keylogging? (Score:4, Insightful)
Exactly my thoughts.
Keyloggers still work, phishing scams still work, and social engineering still works. If centralized logins become the norm, the bad folks will simply target the centralized logins.
Your risk with centralized logins, however, skyrockets. Now, instead of losing control of one login to one website, you lose everything. Moreover, they don't even have to guess what sites you have access to, they can simply dig through the centralized login site and find it once they have your account info.
The NYT article is interesting, but the SlashDot summary is near useless. There is no need to specifically include universal logins in the discussion, because universal logins suffer from exactly the same issues that individual logins do. The only possible reason for including them is the fact that the potential loss is much much higher with a universal login.
Re:In matters of security (Score:3, Insightful)
Well, it doesn't help that companies are ill informed a lot of the time. I got a call today claiming to be from my ISP, asking for feedback on the service. At the end of the call they said they just wanted to verify my identity and asked for my DOB and the answer to my secret question that gets used as a password backup/reset mechanism, so they could confirm they were talking to the right person.
I told them absolutely not, they phoned me, I only prove my identity with private information when I've phoned a number/service I recognise, not a random caller.
I'm pretty sure it was them as I got a 'thanks for your feedback' email afterwards, but WTF?
I'm tempted to think it was some sort of test/survey thing to find out how dumb people are, but that's probably being too generous.
Re:How does centralized login solve keylogging? (Score:3, Insightful)
And this solves the keylogger problem how?
It doesn't. You still have to authenticate at some point; at most, it reduces the opportunities for a keylogger to catch the password (if you only have to type it in every couple of weeks).
In exchange, it provides phishers with a dream environment. The only way to be certain you're actually connected to your authentication provider is to use SSL and make sure that you see the lock -- and if your security depends on Joe Random User doing that, you've already lost.
Shalon Wood
Re:Single point of failure (Score:4, Insightful)
Maybe the NYT article doesn't mention centralized login because such an obviously bad idea?
TPTB'd like to keep our identities (Score:2, Insightful)
Three factor authentication... (Score:2, Insightful)
I like OpenID, but if you couple it with a three factor authentication, whether it be a smartcard, or biometric, or whatever.. that's when it becomes useful.
Too bad the current implementation doesn't support it. Sadly, World of Warcraft and Starcraft II do.
Go figure.
Re:TPTB'd like to keep our identities (Score:3, Insightful)
Passports, Driver's Licenses, Social Security numbers... yeah the governments just can't be trusted with your identity. Lets trust in Google/Yahoo/Facebook/Microsoft/IBM/etc for our identity needs. Even better, lets have hundreds of incompatible schemes and make user sign up and use them all. That surely has to be more secure than having a single point of failure. I mean look, There's only one ROOT signatory (Verisign) and you just KNOW they fuck up everything they touch, right?
Re:In matters of security (Score:5, Insightful)
My credit card company (Visa) calls me occasionally about suspicious activity on my card. When they leave a message, the number they leave is NOT the same as the customer service number on the back of my card.
It's been explained to me that this number gets me to the same place as the customer service number with a few less steps. But I've told them that I'll never call anything other than the number on the card. And that its a really bad idea to train customers to return calls to just any number and expect them to identify themselves with SSNs, relatives names, and provide their card number.
If anyone is supposed to be smart enough to figure social engineering attacks out, it should be Visa and their ilk.
The password metaphor (Score:4, Insightful)
What has always amazed me about authenication for access-control via a computer is the widespread use of "passwords". We treat computer access-control like it's a brand new problem, however it's really just the same old access-control problem that we solved at least 4000 years ago [wikipedia.org].
Why don't we have passwords to get into our houses? Why don't we have passwords to get into our cars or P.O. boxes or even safe-deposit boxes? Because passwords are a pain in the ass that are inherently insecure because we, as humans, are terrible at remembering arbitrary strings of numbers/letters/symbols. What we are good at remembering - objects/ideas and the words associated with them - make for terrible passwords because they are so darn easy to guess.
The idea of a lock and key is one which we have been using for millenia for security, so why haven't we applied this simple metaphor for electronic access-control. We even have the technology readily available: Public Key Authentication. But for some reason the only place I've ever seen it used is in OpenSSH. In fact, it's considered superior to password authentication in OpenSSH and recommended over a password.
So why not have RSA keys to our email, online banking etc. just like we have keys to our houses, cars etc?
I'm listening... (Score:2, Insightful)
Common sense tells me that no site is to be trusted implicitly; they are all dangerous.