
NYT Password Security Discussion Overlooks Universal Logins 127

Posted by timothy
from the your-voice-is-your-password dept.
A recent NYT piece explores the never-ending quest for password-based security, to which reader climenole responds with a snippet from ReadWriteWeb that argues it's time to think more seriously about life beyond passwords, at least beyond keeping a long list of individual login/password pairs: "These protective measures don't go very far, according to the New York Times, because hackers can get ahold of passwords with software that remotely tracks keystrokes, or by tricking users into typing them in. The story touches on a range of issues around the problem, but neglects to mention the obvious: the march toward a centralized login for multiple sites."
  • by Pojut (1027544) on Tuesday September 07, 2010 @12:06PM (#33498658) Homepage

    In matters of security, the most important tool anyone can have is common sense. Phishing scams, "dangerous" websites, revealing important information willy nilly...all things that cause major problems in the digital world, and all things that could be almost completely avoided if common sense was more prevalent.

    Granted, some people "don't know any better"...but that's why you educate those types of people if you know any.

    • Re: (Score:3, Insightful)

      by Nursie (632944)

      Well, it doesn't help that companies are ill informed a lot of the time. I got a call today claiming to be from my ISP, asking for feedback on the service. At the end of the call they said they just wanted to verify my identity and asked for my DOB and the answer to my secret question that gets used as a password backup/reset mechanism, so they could confirm they were talking to the right person.

      I told them absolutely not, they phoned me, I only prove my identity with private information when I've phoned a

      • Re: (Score:3, Interesting)

        by Pieroxy (222434)

        I live in France and when you're late for your electric bill they have a robot call you that proposes you enter your credit card information to pay your bill 'on the phone'.

        Again, I am pretty sure it's them calling, and I am pretty sure also that this is something new as I never got it before. But this is scary. And I can't help but be scared at how many people will provide their credit card information on such an incoming call...

        • by PPH (736903) on Tuesday September 07, 2010 @01:01PM (#33499140)

          My credit card company (Visa) calls me occasionally about suspicious activity on my card. When they leave a message, the number they leave is NOT the same as the customer service number on the back of my card.

          It's been explained to me that this number gets me to the same place as the customer service number with a few less steps. But I've told them that I'll never call anything other than the number on the card. And that it's a really bad idea to train customers to return calls to just any number and expect them to identify themselves with SSNs, relatives' names, and provide their card number.

          If anyone is supposed to be smart enough to figure social engineering attacks out, it should be Visa and their ilk.

          • If anyone is supposed to be smart enough to figure social engineering attacks out, it should be Visa and their ilk.

            They've figured out the ultimate social engineering attack: the credit card.

    • by mcgrew (92797) *

      In matters of security, the most important tool anyone can have is common sense.

      And paying attention. However, not everyone has common sense, and some people have an attention deficit.

    • I'm listening... (Score:2, Insightful)

      by GoChickenFat (743372)
      So educate me... How do I use common sense to determine if the site I just logged into actually secures the login information on the backend? Is it stored in clear text, transmitted in clear text, available to everyone in the company? I have no idea what happens to the credentials I just entered. How do I use common sense to determine if Facebook, MySpace, Slashdot, NYT, etc are taking the securing of my personal and login information seriously? Do you read every EULA completely? Would you even know if
      • by Pojut (1027544)

        I was referring to things like phishing emails, Nigerian bank scams, etc.

        One example would be if you get an email from Paypal/your bank/etc saying something about your account, don't click on the link...type the URL in yourself.

        That sort of thing.

        • by Myopic (18616)

          So, you were proposing a partial solution of half measures and best guesses? Wow, you sure laid the smackdown on all those unknowledgeable l00zers.

          • by Pojut (1027544)

            I fail to see how educating people on the basics of avoiding scams is a bad thing... nor do I see how it's an attempt at a "smackdown".

            • by Myopic (18616)

              Good try at moving the goalpost, or redefining the question, but I'm compelled to call you on it.

              In matters of security, the most important tool anyone can have is common sense.

              This is what you said, it is the statement in question, and it is wrong. Common sense is, obviously, a great thing to have and to exhibit in pretty much all situations; but it is not at all the most important tool in matters of internet security, as user GoChickenFat pointed out. Common sense can only get you so far, and after that, more important tools take over to help protect people who are both informed or u

  • Idiots (Score:5, Funny)

    by The_mad_linguist (1019680) on Tuesday September 07, 2010 @12:06PM (#33498664)

    Why don't you hunter2s shut the hunter2 up!

  • by $RANDOMLUSER (804576) on Tuesday September 07, 2010 @12:06PM (#33498666)
    Always a great idea. Windows registry anyone?
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      Speaking of Microsoft,

      Link from TFA regarding password strength [microsoft.com]. It's where they got that table in the article. At the Microsoft site, they have a link...

      They have a Password Checker: [microsoft.com] is your password strong test?

      That's just a mock phishing example waiting to happen.

      • by Harodotus (680139) *
        Some "best" password tested results from the Microsoft site:
          - aaaaaaaaaaaaaaaaaaaaaaaaaaaaa
          - 123456789012345678901234567890123456789012345
          - qwertyuiop[]\asdfghjkl;'z
          - `1234567890-=qwertyuiop[

        I'm thinking they don't do dictionary attacks here...
        • by Bigjeff5 (1143585)

          A dictionary attack would fail completely in all of those cases, and a brute force attack would be required. Since the length of the password is unknown, more than likely even the "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa" password is no easier to crack than any other possible password. If the length is known, then of course passwords like those you listed are the first ones you try, but with an unknown length there is nothing wrong with that password or any other in your list.

          So, what is your point?

          • by Harodotus (680139) *
            Well, it was mainly meant as a tongue-in-cheek dig at the folks in Redmond.

            However, while it's not like I've gone to the trouble of checking it, it's my understanding that modern password guessing dictionaries are incredibly extensive and have lengthy sections of common key combinations such as single letter repetitions of all acceptable lengths, numeric sequences, and keyboard patterns like qwerty, extended qwerty (qwertyuiop[]\asdfghjkl;'z), as well as many more folks have been dreaming up for decades now.

            Of
    • by kenrblan (1388237)
      Remember when building a critical system ask WNGD? (What would Northrop Grumman Do?)
    • by tverbeek (457094) on Tuesday September 07, 2010 @12:32PM (#33498846) Homepage

      Maybe the NYT article doesn't mention centralized login because it's such an obviously bad idea?

      • Yeah my initial response was going to be "LOL"
      • by jimicus (737525)

        Maybe the NYT article doesn't mention centralized login because it's such an obviously bad idea?

        It's not quite as simple as that.

        On the face of it, yes, it introduces a single point which, if compromised, has pretty bad consequences. But at the same time, if there's only one password to remember the likelihood of it being written down, exactly the same as the username or otherwise trivially guessable probably drops dramatically.

        Now, if something like OpenID were to support certificate-based authentication...

        • Re: (Score:3, Interesting)

          by tverbeek (457094)

          While it might reduce by a marginal amount the likelihood of the account being compromised, the potential consequences would be profoundly greater. That's a poor trade-off.

          Several years ago, the pretty-damn-good and carefully-guarded common password that I used for buying things from sites such as Amazon, eBay, iTunes, etc. - reasonably well-run, reputable companies - was compromised somehow. (I have other different passwords that I use for message boards, others for banking, others for work-related accou

    • Always a great idea. Windows registry anyone?

      It doesn't actually have to be a single point of failure though... What ever happened to OpenID [openid.net]?

      Not exactly. I use clipperz.com to store my passwords, and one of the features it provides is a direct login. The way this works is that it submits the password form directly, without you having to visit the website and copy paste the password from clipperz. It's impermeable to keyloggers and clipboard sniffers because you don't copy or type the password anywhere. Now, if your system is already hosed, you could theoretically be hacked. But, at that point you're SOL anyway.

      Yeah, I know the drawbacks of usin

  • Torn (Score:5, Insightful)

    by esocid (946821) on Tuesday September 07, 2010 @12:08PM (#33498674) Journal
    I'll admit, I feel torn when I see that OpenID login. Increase my chance of giving someone access to everything? Or make it simple?
    In the end I compromise and simply use a variation of one password for those.

    There is the problem with centralized logins: the masses don't consider the first part, and only think of the convenience.
    • by Pieroxy (222434)

      OTOH, for stupid online forums and unimportant stuff such as random blogs, it makes sense. Unfortunately, those are the ones NOT proposing OpenID...

    • What's easier: getting your openID taken down? Or changing all the passwords to sites that you gave the same or similar password to, everywhere on the internet?

      I don't even have a list of all the sites I've given my crap password to. But if they were all authenticated with openID, I would only have one problem to fix.
    • Re:Torn (Score:5, Informative)

      by houghi (78078) on Tuesday September 07, 2010 @01:12PM (#33499244)

      There used to be a time that you could easily host your own OpenID with e.g. http://siege.org/phpmyid.php [siege.org]
      You point to http://yoursite.example.com/ [example.com] instead of the one from Google or any other OID provider.
      That way you limit the chance of giving somebody else access as you manage your own login and password.

      Some others might be found here : http://openid.net/developers/libraries [openid.net]

    • by Eil (82413)

      This is why you choose a reliable OpenID provider for your account. A reliable provider should have a good security record and (ideally) explain the details of their authentication system including how the passwords are stored.

      Since OpenID is open, you can also be your own provider.

    • by boxwood (1742976)

      KeePass is a pretty good solution. It saves all your passwords into an encrypted file. All you have to remember is the password to get into KeePass and you have access to all your passwords. Most of the time you can just click on the username field on the webpage, click on the sitename in KeePass, hit ctrl-v and it'll enter your username and password and submit it.

      So you can have all your passwords for every site be a unique password of random characters, but have to only remember one password. Works for Win

      • Re: (Score:3, Informative)

        by Chelloveck (14643)

        I like SuperGenPass [supergenpass.com]. It never actually saves a copy of your passwords, it algorithmically generates them from the site's domain name and your master password. (Actually, from any two strings. By convention it's the domain and master password, but you could use any identifier/keyword pair.)

        It's made to run as a bookmarklet which auto-populates password fields on web forms. There's also a mobile version [supergenpass.com] for when you're using someone else's computer. Either way the password is dynamically generated by JavaS
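The domain-plus-master derivation that Chelloveck describes, as an added example in Python that is not SuperGenPass's code or algorithm: the site's domain is the salt and the master password is the secret, so nothing is stored and each domain gets an unrelated password. The PBKDF2 parameters and the two-label domain normaliser are assumptions made for this illustration.

```python
import base64
import hashlib


def registered_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain so every page of one site
    derives the same password. Simplified assumption: keeps the last two labels,
    which is wrong for suffixes like co.uk; a real tool needs the Public Suffix List."""
    labels = host.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def derive_site_password(master: str, host: str, length: int = 16) -> str:
    """Derive a per-site password from the master password and the site's domain.

    Constructed scheme for illustration (not SuperGenPass's own algorithm):
    PBKDF2-HMAC-SHA256 with the domain as salt, so that
      * the same master + domain always yields the same password (nothing stored),
      * different domains yield unrelated passwords, and
      * a leaked site password is slow to turn back into the master.
    """
    domain = registered_domain(host)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), 100_000)
    # base64 yields letters, digits and '+/', which most password policies accept
    return base64.b64encode(key).decode("ascii")[:length]


def same_site(master: str, host_a: str, host_b: str) -> bool:
    """True when both hosts derive the same password, i.e. the generator treats
    them as one site. A look-alike domain does not match the real one, so the
    real site's password is never produced for it."""
    return derive_site_password(master, host_a) == derive_site_password(master, host_b)


if __name__ == "__main__":
    master = "constructed-master-passphrase"   # constructed sample value
    for host in ("example.com", "login.example.com", "examp1e.com"):
        print(f"{host:20} -> {derive_site_password(master, host)}")
```

The trade-off the thread raises still applies: the master password is the one secret, and changing it changes every derived password at once.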

    • by Sancho (17056) *

      The best thing to do is to look at how you currently operate and see if OpenID would improve security or not. If you're already using passwords in a particular way, you probably aren't going to change much.

      A lot of people reuse their passwords, despite the fact that best practices suggest a unique password for each site. In this case, it just makes sense to go with OpenID.

      If you already use lots of unique passwords, and you have no problem remembering them, then keep on doing that. OpenID gives you littl

  • by KarlIsNotMyName (1529477) on Tuesday September 07, 2010 @12:09PM (#33498688)

    So they just need one password to access all your profiles?

    Unless it was not actually your password for all those sites, but the password to a database (only available locally) that contained the password to those sites, I don't see how that's a solution. Actually, I thought the main problem with passwords was that people already used the same password for all their sites.

    • It's not one password shared among all the sites. For the web it generally works like this: you go to the site you want to log in to; it talks to the third-party login site and redirects the user there to log in; they do whatever they need to log in and get redirected back to the original site with a cookie; that site validates the cookie. If the user is already logged in they never even see the third-party site, the primary site never sees the credentials, and that third-party site can use more than just pass

      • Re: (Score:3, Insightful)

        by dstar (34869)

        And this solves the keylogger problem how?

        It doesn't. You still have to authenticate at some point; at most, it reduces the opportunities for a keylogger to catch the password (if you only have to type it in every couple of weeks).

        In exchange, it provides phishers with a dream environment. The only way to be certain you're actually connected to your authentication provider is to use SSL and make sure that you see the lock -- and if your security depends on Joe Random User doing that, you've already lost.

        Sha

        • by ceoyoyo (59147)

          Showing that the submitter doesn't even understand the very basics of security.

        • The only way to be certain you're actually connected to your authentication provider is to use SSL and make sure that you see the lock -- and if your security depends on Joe Random User doing that, you've already lost.

          Shalon Wood

          You have no idea what you're talking about; this is a huge non sequitur from the discussion on keylogging, although technically mostly accurate (there are ways to break this, but they rely on specialized conditions).

        • With 2 factor authentication keylogging is practically useless, as you're using a one time password that only works once. The two most common types of this are the keyfobs that use a large random number, the time and some math to generate a new string of numbers every minute, and a list of numbers you use once. Banks like the list as it's pretty easy to print a list of passwords on a piece of paper and mail it to you. Key fobs quality varies but for the ones that do not plug into the computer you would need a l

          • by Bengie (1121981)

            If OpenID takes off like a rocket, I'll pay for User/Pass/FOB to secure my account. Would be awesome

            Google+OpenID+FOB=Awesome

        • by gdshaw (1015745)

          It doesn't. You still have to authenticate at some point; at most, it reduces the opportunities for a keylogger to catch the password (if you only have to type it in every couple of weeks).

          You're assuming (incorrectly) that authentication to your OpenID provider is necessarily by means of a password. This is not a requirement: you could use SSL certificates, Kerberos, smartcards, or any other security technology that takes your fancy. You could also (for example) require that the login be authorised from

      • Just asking if that type of security exists for OpenID?
    • by Bigjeff5 (1143585) on Tuesday September 07, 2010 @12:25PM (#33498798)

      Exactly my thoughts.

      Keyloggers still work, phishing scams still work, and social engineering still works. If centralized logins become the norm, the bad folks will simply target the centralized logins.

      Your risk with centralized logins, however, skyrockets. Now, instead of losing control of one login to one website, you lose everything. Moreover, they don't even have to guess what sites you have access to, they can simply dig through the centralized login site and find it once they have your account info.

      The NYT article is interesting, but the SlashDot summary is near useless. There is no need to specifically include universal logins in the discussion, because universal logins suffer from exactly the same issues that individual logins do. The only possible reason for including them is the fact that the potential loss is much much higher with a universal login.

      • Keyloggers still work, phishing scams still work, and social engineering still works.

        Except that this DOES address those issues, it doesn't make them impossible, but you are missing some advantages here.

        Let's say you maintain passwords with 10 different services (not unlikely anymore). Does the typical person know the practices of each of those services? Do they keep track of when those practices change? No, of course they don't.

        But let's say you reduce that to one service. All of a sudden you CAN expec

        • Re: (Score:3, Informative)

          by Sancho (17056) *

          Correct. What this does is improve the safety for people who can manage the presence of mind to avoid phishing for a particular site, while increasing the overall damage done for everyone who gets compromised.

          However I'm not going to log in to my OpenID provider on an untrusted computer. I might be willing to log in to, e.g. Facebook on an untrusted computer. So now my options are a little more limited.

        • by Bigjeff5 (1143585)

          Except that this DOES address those issues, it doesn't make them impossible, but you are missing some advantages here.

          It only addresses the issues for people who are paying attention to them. Those are the same people who are already unlikely to be taken in by the various forms of social engineering.

          Let's say you maintain passwords with 10 different services (not unlikely anymore). Does the typical person know the practices of each of those services? Do they keep track of when those practices change? No, of course they don't.

          But let's say you reduce that to one service. All of a sudden you CAN expect people, if demonstrated to them and repeated, that KEYLOGINSERVICE will only contact them by this method (FedEx?, etc) will NEVER ask for ANY information if they are calling you (or may NOT call you). Our website will look like THIS exactly, and here are several ways to verify that.

          Most people do not pay attention to the privacy policies of any website, regardless of how many websites they actually need to log in to. That's why phishing scams and the like work so well. Furthermore, the rules to avoid social engineering are not website specific, they are universal, and they apply whether you use a centr

    • So they just need one password to access all your profiles?

      No.

      The idea is to implement some kind of centralized authentication - not necessarily a password. You could do one of those RSA keychain fobs... Or some kind of smartcard or biometric or something... Since it's centralized, you only need one doohickey/password/scan/whatever. And once you're authenticated against that one central site, you don't need to continually re-authenticate everywhere you go.

      In theory, you can do something more secure. The end user only needs one doohickey. The individual websit

      • Biometrics are still considered too intrusive by many people, but not a bad idea. Two-factor authentication using a token is fine until someone loses or breaks their token. If getting a replacement is too difficult or takes too long, you won't get people to adopt the technology. If getting a replacement is too easy, then you're back to the original issue: if they could get your token, someone would just need your PIN to access everything.
  • resistance.... (Score:1, Interesting)

    this story neglects to mention the obvious: the resistance from developers unwilling to hand the security of their systems and the trust of their users over to a 3rd party.
  • by yourcelf (709552) on Tuesday September 07, 2010 @12:14PM (#33498744)

    The trouble with OpenID is it's still one identity that you're carting around, allowing yourself to be tracked across multiple sites.

    A better solution is just to use a password manager (KeepassX, Last Pass, etc.) which lets you manage your own multiple identities in a secure way. This gives you the convenience of a single sign-on with the security of a distinct identity for every site where you want it.

    • by atisss (1661313)

      Wrong. Password managers would be susceptible to the same problems - sniffers, etc, and they are less comfortable if you're using multiple computers.

      You can customize your own OpenID server for keeping sessions on trusted IP addresses, but requiring some rotating logic only known to you when visiting from guest computers.

    • by bsDaemon (87307)

      All the Mac, Linux and BSD-based workstations I use regularly have KeePassX installed, and I keep a mirror copy of the database on my IronKey, as well as synching up the critical personal information with the built-in Windows program on the IronKey for if I need to use a Windows machine without KeePassX on it. I don't honestly know what the root passwords to my personal VPS servers, my account passwords, or any of my banking passwords are. I know the pass phrase for the ironkey, and the passphrase for th

      • Re: (Score:2, Interesting)

        by shaiay (21101)
        You do know that KeePassX is a port of the Windows KeePass and the database is compatible between versions? There is even a portable version you can put on your IronKey, so you don't have to export KeePass data to your IronKey.
        • by bsDaemon (87307)

          No, I hadn't seen the portable version of KeePass, I guess since I just install it from ports or the package repository and don't actually get it from the website. This is much handier though.

    • by ADRA (37398)

      Correct me if I'm wrong, but couldn't the only one that could realistically track your actions through OpenID be your authentication provider themselves? Don't trust them? Make your own. If you mean that people can track you based on your credentials exposed through OpenID, then I'd say there's absolutely nothing new there. The one flaw I find with OpenID is its reliance on HTML in order to present the authentication. If they came up with some non-html login form standard to allow for application logins, I'

      • by Hadlock (143607)

        OpenID be your authentication provider themselves? Don't trust them? Make your own.

        OpenID is really expensive to run though; it requires a verisign security cert, which runs $250+/year.

        • by Sancho (17056) *

          Could you give some more details on this? As far as I can tell, there's no registration requirement for OpenID, and you can be a provider with all open source software. Who requires a verisign security cert?

    • by bhcompy (1877290)
      I agree with this sentiment.

      Realistically, just keep a few different classes of passwords depending on the website. For Slashdot, Fark, your general BBS, etc, a less secure password is not that big of an issue, and I'll use one or two different passwords depending on the security restrictions of the website.

      Then, you have websites like Woot that will allow you to use your Facebook, Yahoo, OpenID, whatever passwords, but Woot stores your payment information. That's not the kind of place that you want
    • by WiPEOUT (20036)

      There's no reason why you couldn't have an OpenID for each and every single site and a single shared password for all of them, e.g. site.yourname.openidprovider.net, since either way you're trusting the identity management capability.

  • Wait.... (Score:3, Funny)

    by yoblin (692322) on Tuesday September 07, 2010 @12:35PM (#33498870)
    Great, so I'll be able to use Facebook Connect to login to my bank accounts soon????? Count me in!!!!!!
  • NY Times knows what they are doing while supporting this call for centralized password management and identity system. They serve the powers that be on their quest to even greater power. I agree with their point - increasing the so called safety - but on the other hand I am a bit worried about having a few people in charge of the identities of eventually entire population. Almighty government and rich corporations will certainly be willing to help us with our identities.
    • Re: (Score:3, Insightful)

      by ADRA (37398)

      Passports, Driver's Licenses, Social Security numbers... yeah the governments just can't be trusted with your identity. Let's trust in Google/Yahoo/Facebook/Microsoft/IBM/etc for our identity needs. Even better, let's have hundreds of incompatible schemes and make users sign up and use them all. That surely has to be more secure than having a single point of failure. I mean look, there's only one ROOT signatory (Verisign) and you just KNOW they fuck up everything they touch, right?

  • I like OpenID, but if you couple it with a three factor authentication, whether it be a smartcard, or biometric, or whatever.. that's when it becomes useful.

    Too bad the current implementation doesn't support it. Sadly, World of Warcraft and Starcraft II do.

    Go figure.

    • I like OpenID, but if you couple it with a three factor authentication, whether it be a smartcard, or biometric, or whatever.. that's when it becomes useful.

      Too bad the current implementation doesn't support it. Sadly, World of Warcraft and Starcraft II do.

      Go figure.

      Three factor authentication? So, something you know (password), something you have (smartcard), and something you are (biometrics)?

      Or did you mean two factor?

      • Sorry, it's early in the week :)

        • Sorry, it's early in the week :)

          Yes, virtual Mondays suck almost as much as real Mondays (my office was closed yesterday for Labor Day, so today is Virtual Monday for me, too).

  • KeePassX (Score:3, Informative)

    by bradley13 (1118935) on Tuesday September 07, 2010 @12:52PM (#33499008) Homepage

    I am very happy with KeePassX. It stores your passwords and related information in an encrypted file. You can copy a password out of it to paste into a web-form. This means

    • You don't have to remember your passwords - they can be randomly generated according to a wide set of rules.
    • You don't have to type your passwords - they transfer via the clipboard (which is automatically emptied after a few seconds)
    • Your passwords are (reasonably) secure, being stored in an encrypted file.

    The obvious problem is that you need a password to open the KeePassX file. However, this at least does not go via the browser, and I can manage to remember one complex, very secure password.

    KeePassX is open-source, available for Windows/Mac/Linux, and compatible across all of these. Nice solution - give it a try! [keepassx.org]

    p.s. I have no relation to the project - just a happy user!

    • by Nerdfest (867930)

      The obvious problem is that you need a password to open the KeePassX file.

      Actually, you can use a file based key in addition to a password, for some 2 factored goodness.

  • by tick-tock-atona (1145909) on Tuesday September 07, 2010 @01:14PM (#33499268)

    What has always amazed me about authentication for access-control via a computer is the widespread use of "passwords". We treat computer access-control like it's a brand new problem, however it's really just the same old access-control problem that we solved at least 4000 years ago [wikipedia.org].

    Why don't we have passwords to get into our houses? Why don't we have passwords to get into our cars or P.O. boxes or even safe-deposit boxes? Because passwords are a pain in the ass that are inherently insecure because we, as humans, are terrible at remembering arbitrary strings of numbers/letters/symbols. What we are good at remembering - objects/ideas and the words associated with them - make for terrible passwords because they are so darn easy to guess.

    The idea of a lock and key is one which we have been using for millennia for security, so why haven't we applied this simple metaphor to electronic access-control? We even have the technology readily available: Public Key Authentication. But for some reason the only place I've ever seen it used is in OpenSSH. In fact, it's considered superior to password authentication in OpenSSH and recommended over a password.

    So why not have RSA keys to our email, online banking etc. just like we have keys to our houses, cars etc?

    • by rickb928 (945187)

      Ok, so explain how a PKI key system would work.

      I have visions of either having your key out there somewhere, and some way to securely access it, or having your key on something like a token.

      If the key is out there, do I access it by providing a passcode to authenticate myself? Sounds like a password to me.

      If it's on a token, well, where do I insert that, or do I use the token to get a passcode. Again, a password, though we use tokens here so it is at least something 'I HAVE', one of the three factors we

      • by Bigjeff5 (1143585)

        Website/program/service = lock

        USB/Memory stick/certificate = key

        Lock and key are matched up the first time you set up the service, just like we do with frickin doors and shit.

        Seriously, why is this hard to understand?

        It's a lock, and it's a key that fits the lock. There is one lock and one key (or multiple keys, if the need is there).

        • by rickb928 (945187)

          Ok:
          Web service or whatever runs on my computer (I know it's out there ).

          USB/memory/cert are something I have.

          User ID I know.

          And I was explaining how I use a token at work. I get it.

          But a cert on a stick isn't enough.

    • Re: (Score:3, Informative)

      by ledow (319597)

      The UK Government Gateway used to issue keys to every individual user. You can use the GG to do everything from file tax forms to start a business. I've never had to do anything as secure and never been as worried about someone finding out those login details on any other website, including my own personal bank account. It was an absolute pain in the arse. 50% of their phone calls were for lost / reissued keys. It didn't stop automated tools scraping keys from compromised computers and causing all sort

    • by jimicus (737525)

      I suspect it's more inertia than anything else - the technology didn't exist when it first became necessary to authenticate users, so people did the best they could think of - passwords.

      Over the years, the concept has been tweaked to make it more secure - e.g. only storing hashes of passwords, demanding passwords of a particular complexity - but ATEOTD we're still polishing the same turd.

      Technically speaking, it's entirely true that keypair authentication is much more secure, but there are still a lot of

      • Re: (Score:3, Interesting)

        by Sancho (17056) *

        Keyfobs make malware work much harder. You don't insert them--you press the button and a number pops up. Enter that number and your password into the website, and you're in. The number changes in X seconds (where X is usually 60 or less).

        It makes it hard for malware to do its job. Now the malware must do its work right then, while you're in your authenticated session. It has to work automatically to e.g. perform a balance transfer. Other mitigation such as CAPTCHAs make it even harder for the malware

    • I have a password to get into my house, well, a key code. My deadbolt lock has a number pad. I punch in my code and the deadbolt unlocks. I hate carrying keys around, if I could get my truck to start up that way I would (I already have a hidden wireless keypad on my truck that will unlock and/or open the windows).
  • Here's an idea. Why can't we build a mechanism to use your mobile phone as the other factor. You pay your provider to provide the service for you, and you get a new key each time you use the last one. So if I log on some website and use the key, I automatically get a new one on my phone. I could even receive them in tens to cater for situations where I might be out of network.
    • by Tukz (664339)

      Take a look at Blizzard's Battle.net Authenticator.
      It generates a new key every 2 minutes I believe, and you have to enter that along with your account name and a password.

      If someone steals your password, it's useless without the authenticator.

      I have it on my Android phone.
      No one can log into my Battle.net account, without my phone.

      Which is also password protected, heh.

      I'd welcome a single sign on solution, that adapted this.

      My country (Denmark) is currently forcing a single signon system down the throat of official

  • OK, so I could use one website with 1 password, trusting them with all my information (and look how great Facebook does), or I could use multiple websites with one password. In either case, I am trusting people not to screw with my information. So I am trusting more people with multiple sites, but they don't KNOW that I am trusting them. Sure it's security by obscurity, but it still makes more sense than trusting the same company with all my info. And it still lets me use one password for finances and
    • by Myopic (18616)

      yes you could do that first thing, or that second thing, or any of a large number of other things which are all better than the first two options. good luck.

  • Central login by definition links your multiple accounts to a single identity. In most cases it is not a problem. But do you really want somebody to know you login with the same ID to your bank, health insurance and pr0n site? I don't think so. I'd prefer to have several identities on-line. One for secure stuff (bank, financial, medical info etc), one for shopping, one for unimportant stuff like forums, diggs, facespaces etc and one or many for things that I may not be so proud of like pr0n sites. The qualit

  • It's already a work-in-progress: gpgAuth [gpgauth.org]

    One password everywhere, no passwords stored on remote servers, validation of the server too--like SSH.
