Passwords Not Going Away Any Time Soon
New submitter isoloisti writes "Hot on the heels of IBM's 'no more passwords' prediction, Wired has an article about provocative research saying that passwords are here to stay. Researchers from Microsoft and Carleton U. take a harsh view of research on authentication (PDF), saying, 'no progress has been made in the last twenty years.' They dismiss biometrics, PKI, OpenID, and single-signon: 'Not only have proposed alternatives failed, but we have learnt little from the failures.' Because the computer industry so thoroughly wrote off passwords about a decade ago, not enough serious research has gone into improving passwords and understanding how they get compromised in the real world. 'It is time to admit that passwords will be with us for some time, and moreover, that in many instances they are the best-fit among currently known solutions.'"
job security (Score:5, Funny)
Sounds like job security for those of us who reset passwords for a living.
Drat.
Re:job security (Score:5, Insightful)
Sounds like job security for those of us who reset passwords for a living.
Drat.
Better to reset a password than find that your fingerprint scanners can be compromised by silly putty or your retinal scanners can be compromised by a picture painted on the back of a marble and instead of resetting a password, you're replacing hardware.
Re:job security (Score:5, Insightful)
Biometrics are a form of identification, not authentication.
It should always be used in conjunction with authentication, not to replace authentication.
It's still very useful, because it saves time: you don't have to fill in your login id: the system knows who you claim to be, and just requires your password to confirm it.
So it can replace the userid, but never the password.
Re: (Score:3)
This seems like a false dichotomy.
All of these are just ways of establishing a trusted relationship.
E.g. consider a system that requires passwords to be unique but, after being given a password, uses it to decrypt a set of biometric templates and then authenticates the identity of the person using those biometrics.
In the end it is all about HOW strong and how expensive your security needs to be.
If we could build a computer that was more accurate than your best friend at identifying you using multiple biometrics
Re: (Score:3)
I never said you need biometrics for identification, it's a choice.
A badge requiring a pin is a very good example of identification and authentication used correctly.
An advantage of biometrics could be that you don't have to worry about losing your badge. You always have your eyes and fingers with you?
Of course, there should always be a fallback where you can type your username, in case something goes wrong (biometrics can fail to detect you, and a badge can malfunction).
Re: (Score:3)
Sorry to mention these sad facts, but there were cases of fingers being cut off to steal an expensive car with biometric security, to collect pension money in place of a dead man, etc.
Biometrics are known to turn a trivial crime into a serious one.
Re:job security (Score:5, Insightful)
Just think "Eyeballs on forks..." next time you believe biometrics solves anything.
People leave a whole trail of biometrics behind them as they go through life - dropped hairs full of DNA, fingerprints on drinking glasses, etc. You can steal their biometrics just by following them around.
Worse: If you steal their wallet they might notice it's missing but they won't notice you picking up a drinking glass after they leave a restaurant. You can steal their biometric identity without them ever knowing it.
Re: (Score:3)
Re: (Score:2)
I've always wondered how I'd fare with biometrics... my fingers are usually pretty damn chewed up from playing guitar. At a minimum it would introduce a lot of inconsistency.
In general I think biometrics have a place in authentication as part of a multi-factor system. Using them on their own seems like a really bad idea as once someone steals an image of your fingerprints.. you can't exactly revoke them, as was said.. but they would add an extra block an attacker has to deal with.
Re: (Score:3)
If we could build a computer that was more accurate than your best friend at identifying you using multiple biometrics (voice, face, body, smell, DNA), would that be good enough?
Nope.
Any "something you have" system can be compromised. A secure system needs something else, eg. something you know.
To put it in your context, you might fool your best friend visually but as soon as you open your mouth and start talking he'll know you're a fake because you won't have the basic social knowledge that he shares with his real friend.
Re: (Score:2)
Ideally the best system would confirm the something you know without you revealing it. Kinda like human PKI.
Obviously such a system would be tremendously unwieldy .. probably requiring the user to do some kind of calculation in their heads.. but might be useful for ultra high security type applications.
Re: (Score:2)
Re: (Score:2)
Biometrics are a form of identification, not authentication. It should always be used in conjunction with authentication, not to replace authentication.
It's still very useful, because it saves time: you don't have to fill in your login id: the system knows who you claim to be, and just requires your password to confirm it.
So it can replace the userid, but never the password.
Biometrics can be used for authentication as well, but only in scenarios where it's possible to ensure that the person authenticating themselves is not using any sort of prosthesis, and where the security of the data acquisition path, the verification engine and the template store can all be assured. In those scenarios, biometrics provide very strong authentication. But that basically requires that all of the infrastructure, including the scanner, be in a physically-secured facility, and that the scanning
Unclassified Military (Score:4, Informative)
CAC still uses passwords (Score:3)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Estonia managed it (for government purposes).
Re: (Score:2)
Re: (Score:2)
But of course... (Score:4, Interesting)
Re:But of course... (Score:5, Interesting)
Try breaking your wrist and having your hand/forearm in a cast...
Exodus' solution was for me to use my left hand, upside down in the scanner and retake the initial scan since they only use right handed hand scanners.
Re:But of course... (Score:5, Interesting)
I don't know why it works. Maybe the identification of a real face is taking lighting into account or something and a self-illuminated photo on an LCD throws it off. In any case it could still be defeated with his severed head. Now, a password might be given up under torture, but nobody is going to get it by killing you.
Re: (Score:3)
In any case it could still be defeated with his severed head.
That is macabre. I would think just tying him up and holding the phone up to his face would work just as well, or putting a gun to the back of his head, or if you must kill him I don't think removing the head is actually necessary. But hey, different strokes for different folks ;)
Re: (Score:2)
Re: (Score:2)
In any case it could still be defeated with his severed head. Now, a password might be given up under torture, but nobody is going to get it by killing you.
Once the password (or head) is given, there is no need to keep you alive. It is the future hope that you will reveal the password that keeps you alive... and keeps them torturing you.
Re:But of course... (Score:5, Insightful)
And what happens if your biometric signature is discovered? Obviously not from the biological side, but the digital side. After all, it's just a number. Of course it would require a more technical exploit at the software level to utilize, but the big downside is you can't change that signature like you can a password (you've only got so many fingerprints, or retinas, or whatever).
Passwords make my brain hurt (Score:3, Insightful)
Re: (Score:3)
http://passwordsafe.sourceforge.net/ [sourceforge.net]
Re: (Score:2)
Only a fool uses a single password for multiple sites. Write the damn things down as Bruce Schneier tells you.
As for your brain hurting, that's exercise. No pain, no gain.
Partial security (Score:3, Insightful)
...but still better than none.
A proper security system is one that has tests for who you are, what you know, if you are under duress, and potentially if you should even be there that day.
Such a security system is hard to make, in the simplest form it has a biometric component, two passwords (one for regular use, one to act like the proper password but alert security), and is hooked up with the scheduling system (not to lockout, but also alert security). This is reasonable for high stakes facilities, but sufficiently cumbersome that it gets in the way of getting things done for things like PC login and on-line transactions.
Stop limiting password length (Score:5, Insightful)
Why does web site x have an 8 character length limit, alphanumeric only?
Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?
Relevant XKCD: http://xkcd.com/936/ [xkcd.com]
Remember, you can't solve for the parts of a pw, only the whole thing in one go.
Get it right the first time? (Score:5, Insightful)
Re: (Score:3, Funny)
connectwhore'sbantertable
Yup, works fine.
Re: (Score:2)
Good luck typing any password as long as "correct horse battery staple" correctly on the first time on a handheld device's on-screen keyboard.
I have a much easier time typing long alphabetic passwords than I do alpha+numeric+symbol passwords.
And how did you know my password was "correcthorsebatterystaple"!? I followed the XKCD comic *exactly* to generate a secure password, it should have taken you 550 years to guess it.
Re: (Score:2)
The example given in XKCD http://xkcd.com/936/ [xkcd.com] appears to be calculating entropy [wikipedia.org] based on the vocabulary space of the English language, not the character space of a random string of N symbols*. Therefore, the strength they calculate would not be diminished by applying a spell checker to your password input. A few small misspellings would be tolerated.
In other words, your password would be that strong even if your input was misspelled but then auto-corrected. I could live with that.
*Using the Wikipedia for
Re: (Score:2)
Technically, you could have your phone autocomplete / spellcheck your password if such a scheme were used.
Re:Stop limiting password length (Score:5, Informative)
Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password "D0g....................." is harder to break than the password "PrXyc.N(n4k77#L!eVdAfp9". He makes this very clear in his password haystack reference guide and tester [grc.com]: "Once an exhaustive password search begins, the most important factor is password length!"
Re: (Score:2)
Of course if that's the root password for the company's server and you type that close to someone else it won't be that difficult for them to find out.
If your attacks only come from someone who knows nothing about the password, that theory works fine. If they saw you typing a three-letter word and then a bunch of dots after it, "PrXyc.N(n4k77#L!eVdAfp9" seems "slightly" better.
Re:Stop limiting password length (Score:5, Insightful)
From the link:
The example with "D0g....................." should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "" or "[*]" or "^-^" . . . but do invent your own!
If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!
The goal is to prevent brute-force hacking of your password, and the way to do that is by lengthening it. If you pick some long padding and add that to all your passwords, brute-force hacking it becomes prohibitively hard.
Re: (Score:2)
From the link:
The example with "D0g....................." should not be taken literally because if everyone began padding their passwords with simple dots, attackers would soon start adding dots to their guesses to bypass the need for full searching through unknown padding. Instead, YOU should invent your own personal padding policy. You could put some padding in front, and/or interspersed through the phrase, and/or add some more to the end. You could put some characters at the beginning, padding in the middle, and more characters at the end. And also mix-up the padding characters by using simple memorable character pictures like "" or "[*]" or "^-^" . . . but do invent your own!
If you make the result long and memorable, you'll have super-strong passwords that are also easy to use!
The goal is to prevent brute-force hacking of your password, and the way to do that is by lengthening it. If you pick some long padding and add that to all your passwords, brute-force hacking it becomes prohibitively hard.
Unless the attacker guesses that you're padding your passwords. In that case, even if the attacker doesn't know what your padding character is, or exactly how many times you're repeating it, the brute-force complexity only increases by a small amount.
Re:Stop limiting password length (Score:5, Interesting)
Why does web site x have an 8 character length limit, alphanumeric only?
Why does web site y have more allowable character types, but minimum of 5 chars, max of 18?
And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password? I use the same (or similar) password at all non-important sites (discussion forums, etc, not anything that involves a credit card, bank account, or personal email). If they'd just post their password requirements when I'm entering the password (or at least after the first time I mistype the password), I'd be able to remember what password I used.
I can't believe hiding the password requirements makes life any harder for a hacker (who could just create a dummy account to see the password requirements).
Re: (Score:2)
And why won't they tell me what their password restrictions are until I've failed 3 times and need to reset my password?
Bad design, pure and simple.
Re: (Score:2)
My favorite requirement was exactly 8 characters, one of which must be capital, one of which must be a symbol, one of which must be a number, none of those three may be in the first or last position, and it had to be changed every month.
Re: (Score:3)
Everything is migrating towards mobile devices, or at a minimum, some degree of accessibility from mobile devices. Longer, more complex passwords are even less conducive for use / convenience on mobile devices than computers with full keyboards. So I believe people are going to trend in the exact opposite direction - shorter passwords because they are easier to enter on mobile devices.
Hmmm... (Score:2)
Seems like a conflict of interest to me: "Oh, passwords are here to stay!" seems to be FUD designed to discourage people from innovating so that Microsoft can find the patent first (because it'll eventually supplant their password system and the IP birds will come home to roost).
Re: (Score:2, Interesting)
No, passwords (or passphrases, just a long password really) will always be there because information that is only stored in your memory is the most secure.
Biometrics are quite easy to force out of you, when the reader is even secure (see face & iris scanners being fooled by pics, fingerprint scanners being fooled by scanned or molded fingerprints). No such thing as a duress password with biometrics.
Keyfobs can enhance the security of a password, but by itself is *less* secure than a password, because th
Security. (Score:5, Informative)
I have worked for years with security and authentication.
There are three ways to establish trust: something you have, something you are, something you know.
That will never change, and most any one of them can be compromised. Thus it is better to build systems that use
more than one.
Card keys (something you have)
Thumbprint (something you are)
Password / passphrase / etc. (something you know).
All three together are more secure, and more trust can be built by using multiple aspects, but the easiest will probably always be something you know.
Think about authentication before computers.
Go to the bank (hopefully the banker recognized you (multiple biometrics)).
Do you have your checkbook / check card / passbook?
Do you have a PIN / password etc.?
It really won't ever get much better. You can use more and more biometrics, but that won't stop fraud, only make it more costly.
Re:Security. (Score:5, Funny)
>> Something you have, something you are, something you know.
My brother-in-law's password oughta be assholeassholeasshole.
Re: (Score:2)
My BIL's is assholeassholenothing
Re: (Score:2)
Still, some users will always find a way to muck things up.
"Nothing can be made foolproof, because fools are so ingenious."
Card keys (something you have)
You'll lose it.
Thumbprint (something you are)
Like, dead. "We have his key, but his thumb is decomposed, so we can't open it anymore."
Password / passphrase / etc. (something you know)
You'll forget it.
You want to have a truly secure system? Get rid of any humans in the system.
Re: (Score:2)
Secure and sure. Secure and sure. Not just secure. A system even the authorized user can never enter because it's too bloody hard to accomplish is busted, but it's still secure. DAMN secure.
Re: (Score:3)
This is incorrect, there are only two. "Something you are" (fingerprints, retinas, etc.) is really just another kind of "something you have". The only differences between biometrics and something like a physical key or access card is that biometrics are horribly insecure (how many objects have you left your fingerprints on today?) and nearly impossible to replace if they get compromised.
Re: (Score:2)
If your arm is eaten by a shark or your eye is poked out by a nail gun, you'll never be able to get a replacement fingerprint or retina pattern, but if you lose your access card and are able to talk the security officer into giving you another, you won't be fired for inability to do your job because you can't get into the site.
Device security (Score:2)
Re: (Score:2)
Which do you fear more? Making your passwords so easy to steal that someone robs you of everything? Or making your passwords so hard to retrieve that you effectively lose access to them and lose access to all of your own stuff? Choose one or the other. Think carefully. Hint ... it's a trick question. Hobson's choice.
Particularly relevant... (Score:2)
If MS can't refute this one quickly, I suspect it's going to get quite serious. Potentially "Playstation Network hack" serious.
Timely Missive About a Credential Hack (Score:4, Informative)
A new strain of the Sykipot Trojan is being used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, according to security researchers. ...
Chinese hackers have adapted the Sykipot Trojan to lift card credentials from compromised systems in order to access classified military networks, according to researchers at security tools firm AlienVault.
Learning (Score:2)
Two Factor Authentication (Score:2)
In my opinion, passwords are pretty much here to stay for the foreseeable future. The thing that I see changing is making the password a single item in an authentication scheme. Most of the major websites have two factor authentication methods available (think Google, Facebook, Paypal, etc.) and most of the banks that I use have methods of dealing with unknown devices connecting, via a series of questions, an email link, or a code sent to me out-of-band. We are certainly moving in a direction where the pass
Anybody remember client-side digital certificates? (Score:3)
And yet, here we are almost 15 years later still using usernames and passwords. Oh, well. Was a fun project. :)
True story -- when the project launched we had a big event, with everybody gathered around the box to turn their keys. Then they all took their key and scattered off to wherever, what with the whole "must keep the keys off site and multiple locations" thing. What nobody realized is that the network center (we did our own hosting) had already posted plans for a scheduled power outage that weekend, and nobody'd connected these particular thoughts. So they cycled power in the room to do whatever it is that they did, and the box didn't come back online. Somebody contacted me. I told them to round everybody up to come back and turn their keys again. :)
brute force in the Slepian-Wolf social network (Score:4, Informative)
Brute force security needs to be evaluated under the assumption that a Russian botnet has compromised a large number of social networking sites, and gained three to five different clear-text passwords (of possibly no great importance) associated with the targeted user. They now also know--or strongly suspect--the identities of your financial institutions.
Using commonalities of the exposed password set, the botnet bastards will attempt to model your personal password generation heuristic. Since they are not stupider than bricks, they might also assume that your bank password is similar, but fortified to the next level. Gaining some experience in cracking bank passwords, they'll soon have a model for that, too.
My Thomas and Cover from 1991, which happens to be at hand, has chapters on "Jointly typical sequences", "Encoding of correlated sources", and "Source coding with side information". This last section makes reference to Slepian-Wolf encoding, which is kind of interesting. I hadn't spotted that before.
On Slepian-Wolf compression, in memory of Jack Wolf [blogspot.com]
This might not be precisely the right theory to apply to the breaking of password clusters, but the guy doing the math on that has probably read these papers.
Way too little concern is placed on the independence of the passwords chosen, and this vulnerability increases rapidly with the proliferation of passwords used. I'm sure I have more than 100 passwords out in the wild, many held by hopelessly incompetent and untrusted internet discussion forums.
Even a single compromised site can form a model of your password heuristic if you're duped into changing it often.
It wouldn't surprise me that if everyone adopted the four word xkcd approach, that for many individuals, entropy per word is closer to seven or eight bits than eleven, where concrete nouns of five to eight letters predominate, and a further bias to concrete nouns that are visually active in the mind's eye, and 40% of all such passwords contain at least one animal word.
That's where brute force would begin: assume at least one common animal word (four to five bits; since cat/dog don't make the cut, you'll be seeing a lot of parrot/leopard/zebra/unicorn).
unicornprincesscastledragon
I've cracked one already.
IT is also enforcing worse password security (Score:2)
What really frustrates me is that our IT knows this, they wave it off as everyone uses bad passwords anyways. I try to use good passwords, but coming up with a new one every 6 weeks is diffi
Phew! "Passwords here to stay" (Score:2)
Don't sell your stock in the Post-It note company after all.
Passwords are like underwears! (Score:2)
FailDesk: http://faildesk.net/2012/01/12/passwords-are-like/ [faildesk.net]
Re:Whatever happened to passphrases? (Score:5, Insightful)
Yeah; I've got to say, the situation with passwords could be improved just by allowing more space for them. xkcd/diceware-style [xkcd.com] phrases just plain don't fit in most password fields, but they'd be easier to remember and more secure.
Re: (Score:2)
Re:Whatever happened to passphrases? (Score:5, Informative)
The stupid part is that the limit on the password field is just a piece of UI.
If they're doing it right, they're storing a hash of the password. The hashes are all the same size. You should be able to carry around a USB device that emulates a keyboard and types out the declaration of independence (without using enter) and use that as a password.
Systems that limit the password to, say, 13 characters bug the crap out of me, because I often chose passwords that are longer.
Systems that limit the password size because they are storing them as plaintext, should of course have their source printed out and ritually burned.
Re:Whatever happened to passphrases? (Score:4, Interesting)
I just realized that my bank must be doing this (or at least using reversible encryption) because it uses the whole positional character schtick. Damn.
Re:Whatever happened to passphrases? (Score:4, Informative)
Re: (Score:3)
That doesn't quite address his concern on how the bank knows the value at a specific position in his password, which should be stored in a one-way hash where you need the whole password to verify the hash.
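A worked example added here (not code from any of the posters) of what a correctly hashed credential store can and cannot do, covering the "limit is just UI" point above and the positional-character question: the digest is fixed-size whatever the password length, the store can only check a whole password, and a "characters 2, 5 and 9" scheme has to be served from plaintext or reversible encryption. The iteration count and sample passwords are constructed.

```python
"""Added example: behaviour of a salted, slow-hashed credential store.
Parameters are illustrative, not taken from any site mentioned in the thread."""
import hashlib
import hmac
import os

# Illustrative work factor; choose a real one from current guidance.
PBKDF2_ITERATIONS = 310_000


def make_record(password: str) -> dict:
    """Store a fresh random salt plus PBKDF2-HMAC-SHA256 of the password.
    The digest is always 32 bytes, whether the password is 13 characters
    or the whole Declaration of Independence, so a length limit in the
    login form protects nothing on the server side."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest and compare in constant time. The record can
    only answer 'is this the whole password?'; a correct prefix or a
    single correct character gives no partial credit and cannot be
    recovered from the stored value."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def positional_challenge_answer(stored_plaintext: str, positions: list) -> str:
    """What the bank's 'enter characters 2, 5 and 9' scheme needs on the
    server: the password itself (or something reversibly encrypted to it).
    Positions are 1-based as on such login pages. This is the storage
    design the comments above object to, shown only to make the point."""
    return "".join(stored_plaintext[p - 1] for p in positions)


if __name__ == "__main__":
    short_pw = "correct horse"  # 13 characters, a typical field limit
    long_pw = "When in the Course of human events, it becomes necessary " * 4
    for pw in (short_pw, long_pw):
        rec = make_record(pw)
        print(f"{len(pw):4d} chars -> {len(rec['hash'])} byte digest; "
              f"verifies: {verify(rec, pw)}")
    rec = make_record("correct horse battery staple")
    print("prefix accepted by hash store?", verify(rec, "correct horse"))
    print("positional answer from plaintext:",
          positional_challenge_answer("correct horse battery staple", [1, 9, 15]))
```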
Re: (Score:3)
Systems that limit the password to, say, 13 characters bug the crap out of me, because I often chose passwords that are longer.
IME the great majority of password limitations arise because of a very particular set of circumstances:
1. A system is set up. For whatever reason, it doesn't let you have passwords with more than 13 characters.
2. The head of IT reads an article concerning this system. This article notes that because of the way passwords are stored, the most secure password contains 8-13 characters. Before long, a policy is dictated stating that passwords must contain 8-13 characters for security reasons.
3. A new system is b
Re: (Score:2)
Systems that limit the password to, say, 13 characters bug the crap out of me, because I often chose passwords that are longer.
Real security would come from making brute force impossible.
eg. Make you wait half an hour if you get it wrong three times.
Systems like that are way more secure than systems that allow really long passwords.
Re: (Score:3)
Re:Whatever happened to passphrases? (Score:5, Insightful)
The problem in the real world with XKCD/diceware-style phrases, is that English words become keys. You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.
In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.
Add in that many words are going to be used far more frequently than others, and it really isn't much different than the "misspell and stick in an odd character" method. And it's actually worse than sticking an odd character or two somewhere in the middle of your password.
Re:Whatever happened to passphrases? (Score:5, Informative)
You don't have 44 bits of entropy. Rather, the vocabulary of the average American is the entropy.
In the XKCD example, for instance, the true number of permutations you have to check to brute force a password is: Size of Average Person's Vocabulary (about 25,000 words) - from which "correct" "horse" "battery" "stable" is selected - raised to the 4th power, or 3.906 * 10^17 combinations. That's not a huge amount for a password cracking algorithm.
2^44 is 1.7592186 * 10^13, which is SMALLER than 3.906 * 10^17. So if you assume a 25000 word vocab you have MORE than 44 bits of entropy with the passphrases approach. It may not be impossible to crack, but it's harder than the stupid "hard to remember by normal people" passwords. Which is the xkcd example's point, which I guess assumes a conservative 3000 common word vocabulary.
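An added example (not from the thread, xkcd or Gibson's page) that puts numbers on the models argued about in the padding discussion and in the passphrase-entropy exchange above: Gibson's haystack (only length and character classes known), the padding-aware attacker objected to later, and the vocabulary-based passphrase model with 2048, 25,000 and a biased 128-word effective dictionary. The 95-character alphabet and the 1000 guesses/sec rate follow the haystack and xkcd conventions quoted in the thread; the offline rate is a constructed figure.

```python
"""Added example: password search-space estimates under the attacker models
discussed in this thread. Figures not quoted in the thread are constructed."""
import math
import string

XKCD_GUESSES_PER_SECOND = 1_000        # rate assumed in xkcd 936 ("550 years")
OFFLINE_GUESSES_PER_SECOND = 10**11    # constructed: offline attack on a fast hash
SECONDS_PER_YEAR = 365.25 * 86_400

# The two passwords compared in the Gibson "haystack" quote above.
PADDED = "D0g" + "." * 21
RANDOM_23 = "PrXyc.N(n4k77#L!eVdAfp9"

CHARACTER_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),
)


def alphabet_size(password: str) -> int:
    """Per-position alphabet an exhaustive attacker must assume under the
    haystack convention: every character class that appears anywhere in the
    password is counted in full (95 when all four are present)."""
    present = set(password)
    return sum(size for members, size in CHARACTER_CLASSES if present & members)


def exhaustive_search_space(password: str) -> int:
    """Guesses to exhaust every string of length 1..len(password) over the
    inferred alphabet. Only length and classes are assumed known, which is
    why the 24-character padded password beats the 23-character random one."""
    s = alphabet_size(password)
    return sum(s ** k for k in range(1, len(password) + 1))


def padding_aware_search_space(core_len: int, max_pad: int,
                               alphabet: int = 95, pad_symbols: int = 33) -> int:
    """Guesses when the attacker instead assumes 'short core + a run of one
    repeated symbol' (the objection raised to the D0g example): every core up
    to core_len characters, every padding symbol, every run length up to
    max_pad. The padding then adds only a few bits over guessing the core."""
    cores = sum(alphabet ** k for k in range(1, core_len + 1))
    return cores * pad_symbols * max_pad


def passphrase_search_space(vocab_size: int, words: int) -> int:
    """Guesses for `words` words drawn uniformly from a list of vocab_size
    (the diceware/xkcd model). Entropy is words * log2(vocab_size), so the
    whole argument is about which vocabulary the attacker must search."""
    return vocab_size ** words


def bits(search_space: int) -> float:
    """Search space expressed as bits."""
    return math.log2(search_space)


def years_to_exhaust(search_space: int, guesses_per_second: float) -> float:
    """Worst-case years to try the entire space at the given rate."""
    return search_space / guesses_per_second / SECONDS_PER_YEAR


def report() -> list:
    """(label, bits) rows for the cases the thread argues about."""
    return [
        ("haystack: " + RANDOM_23, bits(exhaustive_search_space(RANDOM_23))),
        ("haystack: D0g + 21 dots", bits(exhaustive_search_space(PADDED))),
        ("padding-aware: 3-char core, pad <= 30", bits(padding_aware_search_space(3, 30))),
        ("xkcd: 4 words from 2048", bits(passphrase_search_space(2048, 4))),
        ("4 words from 25,000 (the 3.906e17 figure)", bits(passphrase_search_space(25_000, 4))),
        ("4 words at ~7 bits each (biased choice)", bits(passphrase_search_space(128, 4))),
    ]


if __name__ == "__main__":
    for label, b in report():
        print(f"{label:45s} {b:6.1f} bits")
    xkcd = passphrase_search_space(2048, 4)
    print(f"2^44 at {XKCD_GUESSES_PER_SECOND} guesses/s: "
          f"{years_to_exhaust(xkcd, XKCD_GUESSES_PER_SECOND):.0f} years")
    print(f"2^44 at {OFFLINE_GUESSES_PER_SECOND:.0e} guesses/s: "
          f"{years_to_exhaust(xkcd, OFFLINE_GUESSES_PER_SECOND) * SECONDS_PER_YEAR:.0f} s")
```

The same 2^44 that takes centuries online at 1000 guesses/sec falls in a few minutes offline, which is why the rate-limiting point made elsewhere in the thread matters as much as the entropy.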
Re: (Score:2)
Who says the words have to be English? Who says the words have to be in the popular/modern lexicon?
Onegaishimasu / Schadenfreude / Mnemonic / Abiogenesis
Oh noes, look how vulnerable to dictionary attacks I am!
That doesn't even count mnemonic devices, intentional misspeling, etc.
Re: (Score:3)
Re: (Score:2)
It's a trade-off of length for memorability.
One advantage of diceware-style passphrases is that you don't have to remember twenty or thirty random characters; you just have to remember four or five common words. Even if you don't actually memorize the passphrase, you need only glance at the display from a password safe to be reminded of "correct horse battery staple", and can easily type it, whereas you have to keep looking back at "bee0bdb64e1fd508a5983dccc66" to type it correctly.
Re:Whatever happened to passphrases? (Score:5, Informative)
My bank has a similar ridiculous restriction. 14 characters max, limited subset of symbols allowed. Because of this, my bank password is my least secure password, while it should be one of the strongest. I find it amusing that my WoW account is much more secure than my bank (greater password freedom + authenticator)--at least from an authentication standpoint.
Mac users can use a program called 1Password to manage their passwords. It stores them in an encrypted file that you use a master password to unlock. And you can use browser extensions to have it automatically login to any site you've told it about, and it will generate passwords for you as well. It's the best solution I've found for having unique, strong passwords for every site or system you have a login for. Just make sure you choose a smart master password.
(There's an iOS version, too, that syncs with the standalone app, so you have access to your passwords on the go.)
Anyone know of something similar for other platforms? I'd like to get the rest of my family using stronger passwords than pet names or whatever they're using.
Re: (Score:2)
Last Pass for those of us in Android land. :-)
Re: (Score:2)
My bank has a similar ridiculous restriction. 14 characters max, limited subset of symbols allowed. Because of this, my bank password is my least secure password, while it should be one of the strongest. I find it amusing that my WoW account is much more secure than my bank (greater password freedom + authenticator)--at least from an authentication standpoint.
I find it amusing that WoW doesn't block your account if you get the password wrong three times.
Allowing unlimited retries makes WoW weaker than your bank even though they allow longer passwords.
Re: (Score:2)
Even better: Have a checkbox to turn on password hiding if you want it.
Re: (Score:3)
They are passwords. It is just that they are longer, and have less entropy per character. And our minds work better with them.
But, besides that, they are just passwords.
Re: (Score:2)
http://xkcd.com/936/ [xkcd.com]
I remembered the password, I had to Google the link.
Re:Duh? (Score:5, Insightful)
That was my thought, biometrics is an interesting trick, but if they manage to compromise the system you have limited options for changing it. Most people only have 10 fingers and 2 eyes and if somebody manages to compromise one of those you very quickly run low on options. And that doesn't even include what happens if you lose an eye or a finger or if one is just badly damaged to the point of being unreadable.
I remember seeing a bit of a BBC program years back where the guy was using biometrics for a safe but couldn't get in. It turned out that because he was wearing contacts that the sensor didn't identify his eye and the safe wouldn't open until he took the contacts out.
Re: (Score:2)
10 fingers is still 10 more than the number of passwords most people can remember. Of course, you'd need all ten fingers registered or else the users would constantly forget which finger they used.
10 passwords too much? (Score:2, Insightful)
Re: (Score:2)
Which is why things like KeePass and Lastpass exist. Plus if you add a site specific OTP to the authentication system that goes a long way towards securing things.
Also, it's not just a matter of 10 passwords, it means that you can only have 10 ever. I suppose you could move to toes, but even that only buys you an additional 10, and the average person has slightly less than 20 digits total.
Re:Duh? (Score:4, Insightful)
The big problem I see is revocation.
Once biometric phishing shows up or a database gets popped, your prints are out there... and as was said, you can't exactly go out and get new ones.
I've always been a fan of multifactor for stuff we want secure (banking mainly) .. yes you can copy someones fingerprint, steal someones keyfob, and snatch someones password .. but doing all three is tricky without them noticing.
For stuff we care less about, passwords will probably be king for a long time, because anything more secure is also more of a pain ..
Re:Duh? (Score:4, Interesting)
Ummm...simple answer, Microsoft/IBM/rest of world:
Start adding a "please generate a good password for me because I'm too ignorant to do it myself and I'll choose '123456' " button to your user interfaces.
Re: (Score:2)
Time to change it. qwerty should be a good new password.
Re:Duh? (Score:4, Funny)
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What's the combination?
Colonel Sandurz: 1-2-3-4-5
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That's amazing. I've got the same combination on my luggage.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
OR:
http://xkcd.com/936/ [xkcd.com]
Re: (Score:2)
Publishing a comic isn't going to make people choose better passwords.
People have had well over a decade to learn about choosing passwords but they're as ignorant as ever.
The only way forward is to take the choice out of their hands. Use the XKCD method if you want, just don't let the users do it themselves.
Re: (Score:2)
A lot of people just don't think of passwords in an effective manner though; most people I know still subscribe to the 'Complex [to a human] and therefore difficult to remember is best' line of thought. Me, I just ended up switching to a line from a song that's 25-characters long and incorporates proper capitalization and punctuation. Easy to remember and pretty difficult to brute force!
Re:Duh? (Score:4, Interesting)
Publishing a comic isn't going to make people choose better passwords.
People have had well over a decade to learn about choosing passwords but they're as ignorant as ever.
The only way forward is to take the choice out of their hands. Use the XKCD method if you want, just don't let the users do it themselves.
In many cases, you *can't* use the xkcd method because:
a. the password field is too short
b. the password checker rejects common words
c. you can't see what you're typing when you enter the password
The problem generally isn't the users' ignorance, it's the assholes writing the password system.
Re: (Score:2)
Must be a big demand for granny camgirls...