Bill Gates Proclaims End of Passwords
KrazyK writes "Bill Gates has just proclaimed the end of passwords. There's only one drawback - you have to use .Net (well, what else would you expect?). However, the smart card that is at the centre of it - made by Axalto - is still a great bit of technology. How long before we can get an open-source version of this?"
hard and soft (Score:4, Interesting)
But what about biometrics ?
Re:hard and soft (Score:5, Insightful)
Think about this before assuming biometrics is the answer:
- then how do you get your identity back?
Re:hard and soft (Score:3, Insightful)
Even simpler. Biometrics is a layer on top of authentication that simply authenticates the key supplied by the biometrics. Even keycard access can be backed by a PIN to authenticate that the holder of the card is who the card proclaims them to be.
The actual authentication is going to be a communication of ID to a server on a challenge/response basis; sidestepping the biometric step and cracking directly is likely to be a lot easier beca
Re:hard and soft (Score:3, Interesting)
OK, long story short, I'm a Network Administrator (sysop, Computer Geek, Asshole, and/or whatever else name(s) we get called in the office...). Currently I'm working in the Photo/Electronics department of the local K-Mart (again, long story... thanx W...). I process 80 or so rolls of film every day. I'm sure my finger print has ended up on some of those...
Just a word to the wise...
Re:hard and soft (Score:4, Insightful)
Re:hard and soft (Score:2)
The same applies for a smartcard, doesn't it ?
Heh, absolutely. :-)
Until they learn to read your mind (or find that paper where you've written them all down), at least passwords force someone to take minor electronic trouble to crack your security.
Re:hard and soft (Score:5, Funny)
NEVER stick your password post-it on the monitor! It goes under the keyboard...
Um... no? (Score:5, Insightful)
You can always get a new smartcard, you can't get new fingerprints (or retinas, or whatever).
Re:Um... no? (Score:5, Informative)
Retinas at least don't leave traces everywhere, but then you still run the risk of data theft.
Re:Um... no? (Score:3, Funny)
Hmm, so we are going to end up with 13 year olds War-Fingerprinting?
Re:Um... no? (Score:3, Insightful)
Iris pictures are even easier to obtain than fingerprints; no material contact is necessary.
Re:Um... no? (Score:3, Funny)
Re:hard and soft (Score:5, Insightful)
The same applies for a smartcard, doesn't it ?
No, it doesn't. If your smart card gets compromised, destroy it and get a new card with a new key. If someone manages to steal your fingerprint, you cannot change the media or key you authenticate with: the person did not only steal a material token that is linked to your identity; an unchangeable characteristic that should be uniquely assigned to you now is not referring only to your person. Someone literally stole your identity. To the ATM machine, he's not only the one in possession of your ATM card anymore: he is you.
Re:hard and soft (Score:5, Insightful)
If compromised, get a new device with a new salt. It is basically like a new identity (you'd have to revalidate with every authentication you had). If the perp just got your salted code, it is worthless. If he got your fingerprint, he still needs to get your new device to get a valid biometric/salt *pair*.
Now top it off with a PIN, and you have the holy grail. Something you are, something you have, something you know. Use any subset which is enough. In most cases, what you are/have (fingerprint/salt) should be enough. It'd certainly raise the bar another notch or two.
Kjella
Re:hard and soft (Score:5, Funny)
Re:hard and soft (Score:5, Funny)
So in Saudi Arabia, if you are caught stealing you will lose your password too! Or do they let you keep your hands after they cut them off?
Re:hard and soft (Score:3, Interesting)
When used in conjunction with other security mechanisms, such as hardware smartcards, passwords, etc. then you've got a much better chance. For the basic user, biometric identification is probably OK. But you wouldn't want to rely on that for anything "secure."
Re:Cheaper Low Tech Alternative (Score:3, Informative)
Take a piece of paper and a paper envelope. Write your password onto the piece of paper and put it into the envelope. This provides the exact same security as a smartcard.
No it doesn't. There is no way of breaking the envelope and retrieving the passphrase. Smartcards (at least the ones I encountered) work by cryptographic challenges (think SSH key auth). The private key is stored on the card, and only on the card. It is also locked by a PIN. Even with the PIN, you cannot retrieve the key: The cryp
Hmmmm.... (Score:5, Interesting)
Re:Hmmmm.... (Score:5, Informative)
Re:Hmmmm.... (Score:3, Interesting)
Re:Hmmmm.... (Score:3, Informative)
Smart cards provide the exact same functionality as my very first usb key.
Re:Hmmmm.... (Score:3, Informative)
Absolutely not. A smart card is nothing like a USB drive where you store a password or cryptographic key.
A smart card contains a closed microprocessor and a small memory. The point is that you cannot get at the contents of the memory at all (unless you have a silicon lab). The microprocessor has a private key that it never shows outside the silicon and a public key that the PC knows about. The smart card can prove its
So now instead of torturing me... (Score:5, Insightful)
Nice!
Re:So now instead of torturing me... (Score:5, Funny)
Enjoy before you upgrade to biometricks. Then all they have to do is to cut your finger or your eyeballs.
Re:So now instead of torturing me... (Score:2, Funny)
That's brilliant. It doesn't work when cut off
Re:So now instead of torturing me... (Score:5, Funny)
That's brilliant. It doesn't work when cut off :)
I could just see the cartoon on this one. The caption would read: "Bill discovers that since the new secretary started, he is no longer able to log in to his account."
Re:So now instead of torturing me... (Score:5, Funny)
But how will women log in?
Make the variable signed.
A bit of a myth, yes. (Score:4, Informative)
Yes. Some biometric sensors can be tricked with dead tissue or a photocopied fingerprint, but the good ones detect life signs. (This is the case for both good fingerprint sensors, reading electric impulses instead of light, and retinal scans that measure blood flow.)
Some sensors are even active, checking how the body reacts to stimuli, for example how the iris reacts to light, comparing it with a recorded sample.
Re:So now instead of torturing me... (Score:3, Informative)
Re:So now instead of torturing me... (Score:3, Funny)
News? (Score:5, Interesting)
Re:News? (Score:5, Interesting)
end of passwords - not (Score:5, Informative)
a PIN number...
a fingerprint...
Authentication is based around something you have (userid/smartcard/finger...) and something you know (password/PIN/....)
No change since the Secure Single Sign On days of the mid 1990s. All they are doing is bringing it up to date using
Re:end of passwords - not (Score:3, Insightful)
Re:end of passwords - not (Score:3, Interesting)
We already have this for net banking. My debit card has a chip on it (which is also used for stored value smart card stuff) and to authenticate to the banks website, I use a reader supplied by the bank.
The process works like this:
End of passwords....640K...windows 0wnz u... (Score:4, Funny)
How long before we can get an open-source version? (Score:2, Insightful)
Re:How long before we can get an open-source versi (Score:3, Informative)
How long till open source.... Read... (Score:3, Funny)
A better question would be (Score:2, Insightful)
Re:A better question would be (Score:2)
Then put the kwallet file on a usb stick, and you're all set!
It's best, of course, to have a password for the kwallet file, but you just type that in once when you log in, and it stays open until you log out again.
Re:A better question would be (Score:3, Insightful)
There is. It is perfectly possible to use an SSH or kerberos key with no password to go with it. It's not a good idea though, and having the key stored on a smartcard does not make it one.
.NET? (Score:2)
Tough to hax0r a retinal scan, or a thumbprint.
Re:.NET? (Score:2)
This is just a proclamation towards harder violence in this world...
Re:.NET? (Score:4, Insightful)
that is bullshit. a large amount of crime is opportunistic. if you leave your window open, they'll climb in. if you close it, they might smash it IF the house is empty and secluded. but it's not an arms race. if you install CCTV and alarms, they don't come back dressed in black with night vision goggles and a set of expensive tools to disable your security, they just go next door to the guy who HAS left his window open.
Re:.NET? (Score:4, Insightful)
Re:.NET? (Score:2)
Biometrics are not sufficient by themselves (Score:3)
Something you have, something you know.
'Something you are' is just another form of 'something you have'. The limitation of biometrics is that 'something you are' cannot easily be decommissioned and reissued if it has been compromised.
The key to good security is to have the strength and numbe
In Related News... (Score:2)
Announcing: Seedless corn.
Sony gave me a Smart Card (Score:2, Interesting)
Passwords? What for ? (Score:3, Insightful)
They'd better fix their software first.
Linux is missing an opportunity (Score:3, Insightful)
password strengthening / stretching (Score:4, Interesting)
Dictionary attacks were difficult in the olden days, because password hashes were expensive to compute (on the order of a second each). Hardware has caught up, so that hundreds of candidates can be tested per second.
Password strengthening is a scheme that adds a significant amount of random salt to the password. To use the password, you have to brute force the salt. This slows down legitimate authentication, but it also slows down a dictionary attack.
Stretching is a special case of this scheme that uses repeated hashing, instead of random salt. Instead of storing the hash of a password, store the hash after a couple thousand iterations. If the algorithm is good, there is no shortcut to the end hash value.
If it hasn't been done already, I imagine it would be a simple matter to implement as a PAM module.
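Here is what the two schemes in the parent look like in code. This is an added example, not something from the post or from any PAM module; the iteration count, the 16-byte public salt and the 8-bit hidden "strengthening" salt are arbitrary choices for illustration, and the record layout is made up for the example.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256  # any decent hash works; the cost comes from the iteration count


def stretch(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Key stretching: chain the hash `iterations` times.

    The password and salt are fed back in every round, so there is no shortcut
    to the final value without the candidate password itself.
    """
    h = b""
    for _ in range(iterations):
        h = HASH(h + salt + password).digest()
    return h


def enroll(password: str, iterations: int = 2000, strengthening_bits: int = 8) -> dict:
    """Build a verifier record (constructed layout for this example).

    The public salt is stored next to the hash. The strengthening salt is a
    short random value (at most 16 bits here) that is deliberately NOT stored:
    whoever wants to verify, the login code or an attacker, must brute-force it.
    """
    public_salt = secrets.token_bytes(16)
    hidden = secrets.randbelow(1 << strengthening_bits).to_bytes(2, "big")
    digest = stretch(password.encode(), public_salt + hidden, iterations)
    return {
        "salt": public_salt,
        "iterations": iterations,
        "strengthening_bits": strengthening_bits,
        "hash": digest,
    }


def verify(password: str, record: dict) -> bool:
    """Try every value of the hidden salt; accept on the first match.

    A legitimate login pays at most 2**bits * iterations hashes, and so does
    every candidate in an offline dictionary attack.
    """
    for candidate in range(1 << record["strengthening_bits"]):
        hidden = candidate.to_bytes(2, "big")
        digest = stretch(password.encode(), record["salt"] + hidden, record["iterations"])
        if hmac.compare_digest(digest, record["hash"]):
            return True
    return False


def guess_cost(record: dict) -> int:
    """Worst-case hash evaluations an attacker spends per dictionary candidate."""
    return record["iterations"] * (1 << record["strengthening_bits"])


if __name__ == "__main__":
    rec = enroll("correct horse battery")  # constructed sample password
    print("correct password accepted:", verify("correct horse battery", rec))
    print("wrong password rejected:  ", not verify("wrong horse", rec))
    print("hashes per guess:", guess_cost(rec))
```

The two knobs behave differently: the iteration count is paid once per login and once per attacker guess, while the hidden salt makes even the legitimate check a small brute force, which is why the post notes it slows down the real user too. Raising either one raises `guess_cost` linearly or exponentially respectively; a wrong password always costs the full worst case because there is no match to stop early on.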
Not a password replacement (Score:5, Informative)
Correct me if I'm wrong, but. . . (Score:3, Insightful)
I think this is the wrong approach (Score:3, Insightful)
Finally, it offers no protection still. Bill Gates is assuming you can't capture the password in memory. It is in fact even easier with
This system offers much less security than now, and the last few drops of respect I had for
Smartcards and MS passport also make a great way of tracking people. No one can tell me that Microsoft won't abuse this to improve their search engine
It will take only 1 more DNS mess-up for everything to fall apart, and is nothing more than a marketing act. I beg of the mono people to offer a proper decentralised authentication system instead, like one based on jabber where any login method is possible anyway if the server supports the authentication type. PLEASE.. Do not use
Re:I think this is the wrong approach (Score:2)
Or a credit card, bank card, driver's license, passport, etc.
Obviously there will be fail-safes in case you lose your card.
It is no more like a "national identity card" than anything else I listed, because the government won't be running it, and they won't be able to demand to see it from everyone walking down the street.
Re:I think this is the wrong approach (Score:3, Insightful)
Credit cards have a PIN, contain no customer details, and the ATM eats your card after 5 bad entries.. Many ATMs also take your photo, so it's harder to use it. Finally, ATMs generally only let you extract a small amount each transaction, so it isn't that easy.
Internet doesn't have a photo or restrictions, so you can log into a
Passwords proclaim the end of Bill Gates (Score:5, Funny)
Re:Passwords proclaim the end of Bill Gates (Score:3, Funny)
Well, it seems to me that Windows NT and derivatives have security through apathy. After all, who wants to type in "administrator"?
Re:Passwords proclaim the end of Bill Gates (Score:3, Funny)
First spam, now this! (Score:2, Funny)
LOL (Score:2, Funny)
In all seriousness, is anyone stupid enough to trust any security initiative put forth by Microsoft after the last few years have been
640 should be enough... (Score:2)
Can I get indemnification from Microsoft for the problems this scheme will bring? No?
A little black book containing all your passwords that you keep on your person is the ONLY way to be safe.
Great another card to lose. (Score:5, Interesting)
Just In From Heaven (Score:2)
HA! RMS was there first! (Score:3, Insightful)
The answer (Score:2)
How is this better than the Java iButton? (Score:3, Informative)
http://www.ibutton.com/ibuttons/java.html [ibutton.com]
I've had one of these Java-powered iButtons since 2001. If you have the PKI in place it's a very easy technology to use. If you don't, it just gives you bragging rights in the my-computer-is-smaller wars.
Both good.
Phil
Re:Java iButton PAM kit URL (Score:3, Informative)
Didn't Sun do this 5 years ago? (Score:3, Informative)
Re:Didn't Sun do this 5 years ago? (Score:3, Informative)
Don't waste your time by getting the parallel-port adapter, as most modern machines seem to have trouble providing enough power to the iButton for the compute-intensive parts of the process. On the last 3 machines I've had it's been impossible to generate ke
Comment removed (Score:3, Insightful)
US Military has been using this for years. (Score:2, Informative)
I rarely use passwords now... (Score:3, Insightful)
Currently I keep a key on my desktop machine and another one on my laptop, but if I was worried that those would be stolen I could switch to a USB key.
Cards, dongles have major drawbacks (Score:3, Interesting)
Look at dongles and other systems, they tend to be cracked. As long as you can snoop what's going on in the PC you can generally find a way of reading and injecting the required code.
Also what happens if your server in another country goes down and you can't get an engineer to sort it out as there's no local smartcard? Why, you use remote login with a smartcard. Therefore your access code will be sent down the Internet/VPN.
Bill needs to do some proper R&D instead of spouting obvious potential developments.
It's simple, here we go:
I predict the end of magnetic media.
The mouse will be replaced.
We will get tables where the whole surface is a touchscreen.
Keyboards with changing key caps, the keys alter to suit the application.
etc..
And over in Java... (Score:5, Informative)
A classic case of Billy boy announcing something everyone else has. I saw a demo by Sony about 2.5 years ago now which demonstrated smart card + biometrics as an authentication mechanism.
Something like 98% of the world's new smart cards run Java as their programming language, and there are defined standards for security around it. This stuff is already being used in the wild, for instance by the DoD. Oh and if you have one of those "Blue" or clear Amex credit cards... it's running Java too.
Or of course you could wait for Longhorn.
In terms of open source, you can do this in Java (which is published and the source is accessible), today.
I love Microsoft, "yesterday's technology, tomorrow".
Re:And over in Java... (Score:3, Insightful)
This is actually a valid business model to some degree.
For those of us who don't like it, we've failed the world by not telling them about these things before Microsoft did.
Kerberos pre-existed Win2k3 by a long shot and directory services pre-existed it too. But who bothered telling the users that?
tyranny of the monopoly majority (Score:3, Insightful)
The best access solution is a combination of HW token, biometrics and password. Two out of three should gain access to all but root, sending a message to the administrator (possibly attaching a picture, voiceprint and GPS). Too bad for Gates that this security architecture makes a mobile "phone" the best gatekeeper to cyberspace, where his Windows monopoly is most under threat. Too bad for us that his monopoly is in a position to derail even that engine of progress, making mobile phones as much a mess as Windows. Someone stop him before he destroys yet another dream of freedom!
Re:tyranny of the monopoly majority (Score:3, Funny)
Man in the middle attacks? (Score:4, Interesting)
Re:Man in the middle attacks? (Score:4, Insightful)
A smart card contains a microprocessor that can sign stuff that the PC send to it. It contains a secret private key for signing that never leaves the silicon, so no PC can get at it.
The viruses can't steal the identity in the smart card. The smart card will happily prove its identity to the viruses. The important thing to understand is that while the smart card can prove its identity, it can't prove that its owner is actually at the keyboard or that the IE session withdrawing funds is run by a human in charge of the transactions... There are smart cards with built-in keyboard/display for that. Or you use a Palladium PC...
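The parent describes the property worth understanding: the card signs whatever the PC hands it, the key never comes out, and the server only ever holds the public half. The following is an added example, not code from the post, from Axalto or from any real card. It simulates a card object that exposes nothing but `sign_challenge`, a PIN with lockout (as the ATM comments above describe), and a server that issues fresh single-use nonces so a captured response cannot be replayed. The Schnorr-style signature over a small safe-prime group (generated at import time, far too small for real use) and the 3-try lockout are my choices for the illustration.

```python
import hashlib
import hmac
import secrets

# ---- Toy group parameters (constructed for this example) -------------------
# A small safe-prime group p = 2q + 1 is found at import time. The sizes are far
# too small for real security; they only make the algebra runnable and fast.

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int = 64):
    """Return (p, q, g): p = 2q + 1 prime, g = 4 a quadratic residue of order q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, 4

P, Q, G = make_group()

def _challenge_hash(r: int, nonce: bytes) -> int:
    """Bind the commitment r to the server's nonce."""
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + nonce).digest(), "big") % Q

class SmartCard:
    """Simulates the card: the private key is generated inside and never returned."""
    MAX_PIN_TRIES = 3

    def __init__(self, pin: str):
        self._x = secrets.randbelow(Q - 1) + 1          # private key, stays in the object
        self.public_key = pow(G, self._x, P)             # handed out once, at enrollment
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._failed = 0
        self.locked = False

    def sign_challenge(self, pin: str, nonce: bytes) -> tuple:
        """Schnorr-style signature on a nonce; repeated wrong PINs lock the card."""
        if self.locked:
            raise PermissionError("card locked")
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self._failed += 1
            if self._failed >= self.MAX_PIN_TRIES:
                self.locked = True
            raise PermissionError("wrong PIN")
        self._failed = 0
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        e = _challenge_hash(r, nonce)
        return e, (k - self._x * e) % Q

class Verifier:
    """Server side: holds public keys only and issues single-use nonces."""

    def __init__(self):
        self._keys = {}
        self._outstanding = set()

    def enroll(self, user: str, public_key: int) -> None:
        self._keys[user] = public_key

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, response: tuple) -> bool:
        if nonce not in self._outstanding:
            return False                      # never issued, or already used (replay)
        self._outstanding.discard(nonce)
        y = self._keys.get(user)
        if y is None:
            return False
        e, s = response
        r = (pow(G, s, P) * pow(y, e, P)) % P    # g^s * y^e = g^(k - xe) * g^(xe) = g^k
        return _challenge_hash(r, nonce) == e
```

Usage follows the exchange in the parent: the server calls `challenge()`, the PC passes the nonce and PIN to `card.sign_challenge()`, and the server checks the result with `verify()`. Note what the simulation does and does not give you: a program on the PC that holds the card and the PIN gets valid signatures just as the parent says, because the card cannot tell who is asking; what it cannot do is extract `_x`, or reuse a signature after the nonce has been consumed.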
Bill is good at a lot of things... (Score:3, Interesting)
He's of course thinking about public/private keys and such, but they're overkill for almost all web-based applications that don't require money. Do you really want to use a public/private keyshare to log on to like, well for example Slashdot, just so you can post how wrong Bill Gates is?
I know I wouldn't. Fhew!
passwords will never go away (Score:5, Insightful)
How long before.... ? (Score:3, Insightful)
I also talked about Linux/OpenSource with them and it's not that they hate Linux and love MSFT - it's just that for any serious use (read: digital signatures, use of the smart-card instead of your written signature), any "applets", any application, and any hardware has to be "certified" for a specific platform.
With this certification-process, the vendor testifies that the software and hardware work as advertised and no "unpleasant surprises" happen.
Unfortunately, this is time-consuming and thus very expensive - and must be re-done for every platform. Naturally, smartcard-vendors only certify for the platforms where they have sufficient demand (XP, W2K).
About the only chance that something like this is going to come to the OSS-world is that someone is putting forward a lot of money and essentially pay the vendor for the certification.
In Europe, usually the taxpayer does something like this, but in Slashdot's home-country, I hear that the government spending money for "the common good" has recently escaped the mind of the general public who instead believes in privatization, tax-cuts and "trickle down".
You can probably imagine when such a thing will "trickle down" onto OpenSource-software.
cheers,
Rainer
Translation of phrase "Bill Gates Predicts" (Score:3, Insightful)
translation:
Bill Gates has some new thing he wants to sell, which might be able to replace some tried-and-true technology.
It is called Kerberos (Score:3, Informative)
Re:It is called Kerberos (Score:3, Insightful)
Right. Though Kerberos existed even before Linux ;-)
Reminds me of an old AI story (Score:5, Insightful)
So to Mr. Gates I'd like to reply: You'll still have a password, only you won't know what it is. Makes sense from a "security through obscurity" standpoint, though!
Re:Reminds me of an old AI story (Score:3, Interesting)
You love this phrase, "security through obscurity". I've never met a security expert who would consider dual private key challenge response encryption schemas security through obscurity
That's funny, because I've never met an actual security expert who didn't understand that all security is based on obscurity (i.e., it's the very nature of keeping things secret). I guess we must know very different manner of experts, but I must say your talk doesn't instill me with confidence in yours being able to ge
3 different types... (Score:4, Insightful)
What they are teaching is that there are three main types of authentication:
Something you have - A smartcard, something physical.
Something you are - a fingerprint, biometrics.
Something you know - a password in ya head.
The whole idea is that you combine these for stronger protection.
To say that passwords are towards the end of their life is like saying they (M$) will be ignoring one possible type of authentication. Sure you can just use smart cards, but it's always better to have a combo of types and passwords are still handy to add that extra layer.
I'll keep my password, thanks. (Score:4, Interesting)
But a common pickpocket can take your smart card, and if you don't realize right away (or can't report it quickly enough) you won't get it deactivated in time to prevent compromise. Coupled with a password, though, the amount of time needed to break a decent password will give you the time you need to change out the card anyhow.
You have to hand it to BillG (Score:3, Insightful)
A different kind of password authentication (Score:5, Interesting)
So that sounds like it wouldn't work, right? People know your username so they can duplicate your login, right? Actually, it was really tight. He already had a working version that we all (in the senior design project class) got to try. We never could fool the thing. You could tell someone what your login name was and they would try and try and never could successfully login as you. The main reason this works is that you are typing your own name. If it were a generic word that most people don't have to type very often, there would probably be a lot more similarity in the way different people type it and the system wouldn't work well, but being your own name that you are used to typing, there is some muscle-memory developed that makes it flow out effortlessly and consistently, which no one else can match.
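The typing-rhythm idea in the parent is usually called keystroke dynamics, and the core of it fits in a few functions. This is an added example, not the classmate's project or anything from the post: it enrolls several typings of the login name as key-down timestamps, builds a template of the mean and spread of each inter-key interval, and accepts an attempt whose intervals fall within a fixed number of spreads of the template. The timestamps below are constructed, not measured, and the 2.0 threshold and 5 ms spread floor are arbitrary illustration values.

```python
from statistics import mean, pstdev

# Constructed enrollment data: key-down timestamps (ms) for four typings of the
# same five-character login name by its owner. Not real measurements.
OWNER_SAMPLES = [
    [0, 120, 210, 330, 400],
    [0, 125, 205, 335, 405],
    [0, 115, 215, 325, 395],
    [0, 122, 208, 332, 402],
]
OWNER_ATTEMPT = [0, 118, 212, 330, 400]          # owner again, slightly different
IMPOSTOR_ATTEMPT = [0, 250, 430, 600, 760]       # someone hunting for unfamiliar keys
FAST_IMPOSTOR_ATTEMPT = [0, 90, 190, 280, 390]   # a fast typist with a different rhythm

MIN_SPREAD_MS = 5.0  # floor on the per-interval std dev so one very consistent interval cannot dominate


def intervals(timestamps):
    """Inter-key latencies from one typing of the name."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def enroll(samples):
    """Template: (mean, std dev) of each inter-key interval over the enrollment samples."""
    columns = zip(*(intervals(s) for s in samples))
    return [(mean(col), max(pstdev(col), MIN_SPREAD_MS)) for col in columns]


def score(template, attempt):
    """Mean absolute z-score of an attempt against the template (lower = closer)."""
    iv = intervals(attempt)
    if len(iv) != len(template):
        return float("inf")  # wrong number of keystrokes: not the enrolled name at all
    return sum(abs(x - m) / sd for x, (m, sd) in zip(iv, template)) / len(template)


def authenticate(template, attempt, threshold=2.0):
    """Accept when the attempt's rhythm is within `threshold` spreads of the template."""
    return score(template, attempt) <= threshold


if __name__ == "__main__":
    tpl = enroll(OWNER_SAMPLES)
    for label, attempt in (("owner", OWNER_ATTEMPT),
                           ("impostor", IMPOSTOR_ATTEMPT),
                           ("fast impostor", FAST_IMPOSTOR_ATTEMPT)):
        print(f"{label:14s} score={score(tpl, attempt):6.2f} accepted={authenticate(tpl, attempt)}")
```

The threshold is the whole trade-off: lower it and the owner gets locked out on a bad day, raise it and a patient impostor who has watched the owner type gets in. Real deployments also use key-hold times, not just the gaps between keys, and refresh the template as the user's rhythm drifts; this version keeps only the part the parent describes.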
Never Proclaim End of Life (Score:3, Interesting)
floppy disks
command line interface (if this dies, I quit computers)
serial ports(also, on my own list)
ps/2 keyboards and mice
analog modems
Technically, all of these can be replaced, but they haven't been, for one reason or another, they still exist. You cannot dictate change in this industry, you just sort of have to create opportunity for change, and flow with it.
From the other side, people use floppies, people use their favorite keyboard into keyboard death, then buy the same one as a replacement. People hate passwords. No one who writes the admin password for their xp box on a postit note under the keyboard will ever miss passwords. If people find it easier, they might switch. But don't bet too much on it. Not that you venture capitalists will listen.
I'm pretty sure passwords will end up on that list someday and I will personally stand in the way of their demise. Why? Because I do not trust PKI's, especially dotNet.
An open-source alternative... (Score:4, Funny)
The underside of everyone's tongue is different. I verified this using basic research techniques over a series of weekends while I was in college. After obtaining a more permanent research assistant, I was unable to proceed with further "comparison-" however, I do encourage others to carry on my work in the spirit of cooperative science.
The beauty of this approach is that you could integrate the tongue reader with the computer's mouse. The user would insert his/her tongue into an opening in the underside of the mouse, a laser light would illuminate the pattern of veins, and the resulting image would be captured and compared against the security database. The process is as simple as licking the filling out of a custard donut. In fact, in some companies I have worked for the users are so simple that care would be needed to ensure that they could tell the difference between a custard donut and a tongue reader or problems might occur. Utter panic ensues as user authentication fails at Dunkin' Donuts Wi-Fi access points... Well, you get the idea.
For those users on a low-carb diet, the process can be described as similar to that used for another research project I conducted while in college. One advantage of the tongue-reader biometric system is that computer mice, like research assistants, are much more responsive when properly lubricated. Some other method might be necessary when dealing with portable computers. Perhaps it would be possible to integrate a tongue reader with the touch-pad pointing device. Obviously, this would favor users with the ability to lick their own laptops. But isn't that already the case for much of life?
And in case anyone is wondering, yes this IS a tongue-in-cheek post.
Re:a bunch of marketing speak (Score:3, Insightful)
Re:From the high visionary (Score:3, Funny)
Re:Anybody else notice this came from a French co. (Score:3, Informative)
and some of the other articles found by googling for "france encryption restrictions relaxed" or similar