
Moving Beyond Passwords For Security

Soulskill posted more than 6 years ago | from the asdf1234 dept.

Security 235

Naturalist writes with an excerpt from a New York Times story about the need for a more secure method for identification than the password-based system almost everyone currently uses. The article also discusses the weaknesses of the OpenID initiative to simplify the process. "The solution urged by the experts is to abandon passwords -- and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see. ...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory."


fp (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24547759)

asdfirst post

Yes, we know. (5, Insightful)

Anonymous Coward | more than 6 years ago | (#24547771)

The solution is public key cryptography. The problem with that solution is that it only works as "something you have", not "something you know", which is the authentication mode of passwords. You can't leave "what you know" at home, but will you always have your smart card with you? Another problem is that secure public key cryptography requires a complete terminal under the control of the user, not just a card. The private key can never leave the user's control and the user must always know what it is used for. That requires a display and keyboard. Not something people want to have on them whenever they need to authenticate.

Re:Yes, we know. (1)

zappepcs (820751) | more than 6 years ago | (#24547799)

Why not send authentication query via SMS or standard phone lines? No keyboard required.

Re:Yes, we know. (4, Insightful)

Kjella (173770) | more than 6 years ago | (#24547873)

Yes, if you're always where there's phone coverage and you've got battery. However, it doesn't solve the problem of a compromised terminal. That was what a bank virus did not that long ago, waited for the user to authenticate then sent money elsewhere "behind the scenes". Sure it might not get your email password but if it silently downloads your inbox compromising every password mail you ever got, well gee that's nice.

Re:Yes, we know. (2, Interesting)

GuldKalle (1065310) | more than 6 years ago | (#24548587)

It's an ineffective way of using your phone as "something you have".
I propose installing a program + private key on your cellphone, and using that to encrypt a random token. Then you get a hash of the ciphertext on the cellphone display, which you enter in order to login.
It could even be nicely integrated into openID, bringing me to my next point:
The thing I just mentioned CAN be made by an openID provider (I was surprised that I couldn't find such a provider though), and it would make a lot more sense to make it for openID than for 50 different websites each with their own implementation.

Re:Yes, we know. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24548735)

That is a not so novel yet still good idea, but a cellphone which is capable of running such software is not quite trustworthy, because it is too complex to be secure: Bluetooth vulnerabilities, trojaned games, etc. Even if the actual secret is isolated in a smart card (such as the SIM), a compromised terminal can enable an attacker to use "what you have" remotely. At the very least the phone hardware would have to be designed such that the smart card could request exclusive access to the keypad, and the user would have to be able to recognize that mode (differently colored background light, for example), all without the possibility of software interfering.

I'm looking forward to smart cards with integrated display, keypad and RF or IR interface.

Re:Yes, we know. (2, Interesting)

GuldKalle (1065310) | more than 6 years ago | (#24549091)

It's not perfect, no. But it presents a significant extra barrier. And to overcome this barrier, the attacker must:
  1. Get a program running on the phone
  2. Wait for the user to enter the password (because the private key should always be encoded)
  3. Get the private key out of the phone (although a phone by definition has communication abilities, most phones will alert the user if a program tries to use them).

And the strategy still has a key advantage over smart cards with displays, namely the logistics problem.

Re:Yes, we know. (5, Funny)

ratnerstar (609443) | more than 6 years ago | (#24547821)

It can work as "something you know," all you have to do is memorize your private key. Kids these days; they want everything to be easy.

something you have? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24548301)

You can't prove you have the "something you have" as in reality anything can be copied and thus you might just have a copy. Most of the token "things" are really a case of "something (something you have) knows" which isn't much better than "something you know".

Right?

Re:something you have? (5, Funny)

ratnerstar (609443) | more than 6 years ago | (#24548345)

You can't prove you have the "something you have" as in reality anything can be copied and thus you might just have a copy. Most of the token "things" are really a case of "something (something you have) knows" which isn't much better than "something you know".

Right?

Right. Moreover, given a good hacksaw, biometrics can easily move from "something you are" to "something I have."

Re:something you have? (1)

Nullav (1053766) | more than 6 years ago | (#24548889)

Hell, you don't even need that much with finger/voiceprints. The only thing I'd be apt to trust is a retinal scan. (And only with a camera nearby for later verification.)

Re:something you have? (0)

Anonymous Coward | more than 6 years ago | (#24549129)

You've never seen the movie Demolition Man, have you?

It takes far less than a hacksaw to remove someone's eye.

Re:something you have? (1, Informative)

Anonymous Coward | more than 6 years ago | (#24548507)

All "something you have" systems rely on that something being hard to copy. The Mifare card is such a security token. Your car key is another one. The complexity of cloning security tokens varies. Proper smart card design can make cloning very hard. Smart cards are not just memory. They're small computers which enforce a protocol that never exposes the private key. To find the key and clone the card you would have to find a protocol flaw and/or often physically disassemble the chip and read the memory with a powerful microscope (see Mifare). But when done right, a "something you have" system has the advantage that it doesn't need to reveal the secret.

You could theoretically perform a public/private key cryptography protocol with something you know, but since most people can't do maths with very large numbers in their head, "something you know" protocols usually involve revealing the secret. Sometimes the secret is only revealed to a trusted system which then generates another secret that is entered into the untrusted system. One time password tokens are an example of this kind of system. They keep the master secret secure, but the individual transaction is still vulnerable.

Re:Yes, we know. (5, Interesting)

jd (1658) | more than 6 years ago | (#24548383)

The US Government uses this method, except via smart cards. This started with the NMCI initiative. I was not keen on NMCI, as it used Citrix and centralized application serving. This creates a single point of failure (which quite often failed at the beginning) and a single, all-powerful account on a system (there's no other way of having a central system responsible for all privileges otherwise) on an operating system that probably isn't going to be in the Trusted class (ie: it ran Windows - and I am using the Trusted class in the Orange Book sense, not in any "popular" sense of whether people actually trust it).

PKI is a very sensible approach, but should not be used in isolation. This was discussed only a short time ago on Slashdot regarding "secure locks" - there should always be multiple layers of security, a reliance on a single layer is always going to be a disaster waiting to happen.

Passwords as a "bootstrapping" mechanism to enable the rest of the security sounds fine. It's something we already do with regards GnuPG/PGP keys, Kerberos, etc. They're weak, but bootstraps don't need to be that strong if you're using them in a multi-layer system. They're supposed to make it hard for anyone to tell if they've broken the other layers. That is sufficient.

There is, however, almost nothing else you can use. Biometrics are not safe (Slashdot has covered the breaking of many such systems) and not guaranteed to work (Slashdot has covered chimeras and other biological weirdness in the past). Two physical electronic keys won't give you significantly more security than one with twice the quality of encryption and just give you more you can lose. Call-back mechanisms are vulnerable to social engineering (if involving people) or replay attacks (if automated) since such methods have to use extremely primitive security as they are prior to authentication.

Re:Yes, we know. (3, Interesting)

JFitzsimmons (764599) | more than 6 years ago | (#24548737)

And you can do that with openid. I got bored and made myself a GPG-based openid provider. It isn't complete by any means since it lacks key revocation and such, but it is working and public.

http://id.l3ib.org/ [l3ib.org]

Anonymous Coward (0)

Anonymous Coward | more than 6 years ago | (#24547803)

I would suggest just piggybacking whatever initiative this is on the existing concept we use called certificates, it's well established and used for similar things already... no sense reinventing things but I haven't RTFA either.

the real solution! (1, Funny)

Anonymous Coward | more than 6 years ago | (#24547805)

isn't it obvious?

always post as an Anonymous Coward!

Re:the real solution! (4, Funny)

Anonymous Coward | more than 6 years ago | (#24548267)

We already tried that. It's called 4chan.
It did not work that well though...

"Beyond Passwords" (3, Insightful)

apoc.famine (621563) | more than 6 years ago | (#24547817)

I do not know that this is an accurate title.

Users on shared systems can easily set up a simple PIN code to protect any card from use by other users...

That almost sounds like a....password...

Really, this is an article about using things instead of passwords....which function like passwords....and using passwords when those wouldn't be secure enough. What a stupid fucking article.

Re:"Beyond Passwords" (2, Interesting)

bjustice (1053864) | more than 6 years ago | (#24547889)

Did you read the next paragraph, or understand the rest of TFA?

The PIN doesn't return us to the Web password mess: it never leaves our machine and can't be seen by phishers.

Re:"Beyond Passwords" (1)

bloobloo (957543) | more than 6 years ago | (#24547973)

It's still a password. It's a password that is used for authentication in a different way, but it does not move us "beyond passwords for security".

Kerberos did that years ago. (5, Interesting)

khasim (1285) | more than 6 years ago | (#24548015)

With Kerberos, your password never leaves your machine.

The machine you're trying to log on to sends you a random string that is encrypted with your password.

Your machine uses the password you typed in to decrypt that string. Which also contains instructions on how to continue the connection.

Your password never goes across the wire.

Re:Kerberos did that years ago. (1)

Tony Hoyle (11698) | more than 6 years ago | (#24548095)

Hell, even NTLM did that years ago.. it's not rocket science.

The problem is websites that want 'pretty' login screens with text boxes for input, instead of using the builtin authentication methods available over HTTP. It's not uncommon at all for this to be done on unencrypted pages (even some banks have made that mistake).

Re:Kerberos did that years ago. (1)

bucky0 (229117) | more than 6 years ago | (#24549209)

I know very little about HTTP AUTH, but wouldn't an easy solution to this be to allow other authentication mechanisms to be submitted with a form?

Re:Kerberos did that years ago. (1)

beakerMeep (716990) | more than 6 years ago | (#24548687)

How does the machine know what your password is to do the encryption on the string before it sends it if you never sent it over the wire? Or is this like public/private key exchange? Something like Diffie-Hellman? http://en.wikipedia.org/wiki/Diffie-Hellman [wikipedia.org]
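khasim's description of the Kerberos exchange above and beakerMeep's question about how the server can encrypt with a password it never received are both answered by the same mechanism: the server stores a key derived from the password at enrollment, never the password itself. The following Python sketch is an added example, not code from the thread or from any Kerberos implementation; the names `KDC`, `client_login` and `SESSION_PREFIX` are assumptions, and the HMAC-based toy cipher stands in for Kerberos' real encryption types (AES and friends) only so the example runs with the standard library.

```python
"""Simplified Kerberos-style login where the password never crosses the wire.

Constructed illustration: the KDC stores only a key derived from the password
at enrollment, sends a challenge encrypted under that key, and the client proves
it could decrypt it. The cipher below is a toy HMAC-based construction standing
in for Kerberos' real encryption types; it is not a real cipher.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

SESSION_PREFIX = b"SESSION:"


def derive_key(password: str, salt: bytes) -> bytes:
    """Long-term key from the password (Kerberos 'string-to-key'), here via PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (illustration only, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, so a wrong key is detected, not garbage."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class KDC:
    """The authentication server: holds derived keys, never passwords (hypothetical name)."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, long-term key)
        self.pending: Dict[str, bytes] = {}              # user -> session key awaiting proof

    def enroll(self, user: str, password: str) -> None:
        """Done once, at account creation; afterwards the password is only used client-side."""
        salt = os.urandom(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str) -> Tuple[bytes, bytes]:
        """AS-REP analogue: a fresh session key encrypted under the user's long-term key."""
        salt, long_term_key = self.users[user]
        session_key = os.urandom(32)
        self.pending[user] = session_key
        return salt, encrypt(long_term_key, SESSION_PREFIX + session_key)

    def verify(self, user: str, proof: bytes) -> bool:
        """Accept the login only if the proof was made with the session key we issued."""
        session_key = self.pending.pop(user, None)
        if session_key is None:
            return False
        expected = hmac.new(session_key, b"authenticator:" + user.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)


def client_login(kdc: KDC, user: str, password: str, wire: Optional[List[bytes]] = None) -> bool:
    """Client side: derive the key locally, decrypt the challenge, answer with an authenticator.

    `wire` collects every byte that would be observable on the network.
    """
    wire = wire if wire is not None else []
    salt, blob = kdc.challenge(user)
    wire.append(blob)
    plaintext = decrypt(derive_key(password, salt), blob)
    if plaintext is None or not plaintext.startswith(SESSION_PREFIX):
        return False  # wrong password: decryption fails locally, nothing secret was sent
    session_key = plaintext[len(SESSION_PREFIX):]
    proof = hmac.new(session_key, b"authenticator:" + user.encode(), hashlib.sha256).digest()
    wire.append(proof)
    return kdc.verify(user, proof)
```

Everything on `wire` is a random nonce, ciphertext or a MAC; an eavesdropper learns neither the password nor the derived key, which is the property khasim describes. A compromised client, as Kjella points out earlier in the thread, still sees the password when the user types it.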

Re:"Beyond Passwords" (1)

bogado (25959) | more than 6 years ago | (#24549049)

PINs usually are passwords, but they are simpler and unique (some users have a single sign-on, but this is a bad practice).

Re:"Beyond Passwords" (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24548021)

Perhaps, but it's still at a higher level than most companies are thinking. Lately the trend I've been seeing is for financial institutions to not just ask for, but require you to select from a list of security questions that can be used for access to your account with them. One of my brokerages is even threatening to suspend my account if I don't choose a set of security questions.

It's offensive to me that the companies require you to provide not only an additional and unnecessary route for access to your account, but that it's based on plain text answers relying on information that few to none of its customers consider to be private information. The questions also are often not easily changed, so I can't just use an additional (though plain text) password for them unless I want it to be permanent; with that the case I'd want to use different passwords for every such account I have - which means I'd probably end up writing down parts of each to remember them.

Convenience vs security vs stupidity ... (4, Insightful)

blahplusplus (757119) | more than 6 years ago | (#24547829)

Passwords can still play a role, the problem has always been user stupidity and convenience vs security. We always love to save time and anything that requires less effort = good for us, but at the expense of being less secure. Moving security to invisible layers is just asking for abuse by authorities, as if they didn't have enough power already via MAC address + ip binding in being able to track down and identify users by merely tooling around with the equipment right at the ISP end.

My bank uses multiple authentication using personal questions which I would only know the answer to and if you get the question wrong just once, it flags the account. The big problem is the amount of retries, you can't guess or brute force passwords on accounts that will lock after the first few failed attempts.

In my opinion it's probably best if we moved to gesturing, I find an interesting site here -
http://www.dontclick.it/ [dontclick.it]

It could serve as an interesting basis for security, i.e. gesturing and opening the correct doors in a maze.

Re:Convenience vs security vs stupidity ... (5, Interesting)

Saishu_Heiki (969303) | more than 6 years ago | (#24547967)

Security versus convenience has been a large issue here at the hospital where I work in the IS department. Because all of the pharmacy orders are done in our clinical application, the state pharmacology board mandated that another layer of security be added beyond the physician's username/password. The result is a list of 60 personal questions (hometown, number of brothers, country of birth, etc) that is drawn from randomly to ensure the person ordering the drugs is the one who is logged in and authorized. The problem was, doctors were answering "1" to all 60 questions so they would not have to remember the answers or be bothered actually reading the questions. If they had to use their ID badges instead, it would be an even bigger nightmare. They want speed and ease of use, but are reckless because data security is "my concern". Sometimes it is hard to stop the person with the gun to their head from killing themselves, regardless of whose responsibility it is.

Re:Convenience vs security vs stupidity ... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24548673)

Use multiple choice questions and randomize the order of the answers.

Re:Convenience vs security vs stupidity ... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24548061)

Not to sound like a troll, but www.dontclick.it is one of the stupidest ideas I've seen.

Ok so I've saved time by not clicking on links, but what if there's something I want at the bottom of the screen, but there are all these mouse-over links between my cursor and it. The screen is suddenly a minefield.

Clicking doubles the dimensions of interaction with the computer. I can navigate my options without activating any of them. Mouseover should be passive movement. As as I was writing this I wanted to quickly highlight a section -- can't do that with mouseover. Sure there's the keyboard but that functionality already exists. Removing clicks is removing functionality.

I'm also reminded of Douglas Adams' "Hitchhiker's Guide to the Galaxy". In it, a super-advanced radio allowed you to control it by just gesturing in its vicinity. Of course, that meant you had to sit perfectly still while listening to the radio.

And as I tried to send them an email, I accidentally moused over another option on their website -- email erased!

Re:Convenience vs security vs stupidity ... (1)

blahplusplus (757119) | more than 6 years ago | (#24548251)

"Ok so I've saved time by not clicking on links, but what if there's something I want at the bottom of the screen, but there are all these mouse-over links between my cursor and it. The screen is suddenly a minefield."

But if you read the site it was experimental, i.e. the design issues using gesturing would still have to be worked out. IMHO it's not a BAD idea, it's not a replacement for buttons, but it is another way of thinking about things. I think the big problem was merely a problem of implementation, not the fact that it didn't work.

Re:Convenience vs security vs stupidity ... (2, Interesting)

Anonymous Coward | more than 6 years ago | (#24548351)

The one thing that has always bothered me about retry lockouts is the denial-of-service opportunity. If someone knows your username, then they can harass you by expiring the retry limit. Even worse, they can let a bot do it. They won't brute-force your account, but they can ensure that logging in yourself is a huge headache.

Perhaps a modification to the retry lockout strategy would be to make it per-IP address. It would shift the danger to large botnets, which could still distribute the password attempts over many machines.

Of course, now this makes processing logins expensive, as each attempt requires consulting with a retry-blacklist. One might try making a single, global blacklist and then dealing with the support calls from people with infected machines who were blacklisted for testing other accounts without their knowledge.

Tough game to win, really...
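The trade-off in the comment above, an account-level retry limit that anyone who knows the username can exhaust versus a per-source-address budget that only slows the attacker's own machine, can be replayed against a small attempt log. This is an added Python example, not code from the thread; the attempt log, the `LoginPolicy` class and the two key functions are constructed for illustration.

```python
"""Login throttling: per-account lockout versus per-source-address throttling.

Constructed example replaying a small, made-up attempt log through both policies.
An attacker who knows a username can exhaust the account's retry budget from one
machine; a per-IP budget blocks only that machine and lets the real user in.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List


@dataclass(frozen=True)
class Attempt:
    ts: float   # seconds since the start of the log
    user: str
    ip: str
    ok: bool    # whether the submitted credential was actually correct


class LoginPolicy:
    """Allow an attempt unless `max_failures` failures were recorded for its key within `window_s`."""

    def __init__(self, key_of: Callable[[Attempt], str],
                 max_failures: int = 5, window_s: float = 600.0) -> None:
        self.key_of = key_of
        self.max_failures = max_failures
        self.window_s = window_s
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> None:
        """Drop failures that have aged out of the sliding window."""
        q = self.failures[key]
        while q and q[0] <= now - self.window_s:
            q.popleft()

    def allowed(self, attempt: Attempt) -> bool:
        key = self.key_of(attempt)
        self._prune(key, attempt.ts)
        return len(self.failures[key]) < self.max_failures

    def record_failure(self, attempt: Attempt) -> None:
        self.failures[self.key_of(attempt)].append(attempt.ts)


def per_account_key(a: Attempt) -> str:
    """Classic lockout: the budget belongs to the account, whoever is guessing."""
    return a.user


def per_ip_key(a: Attempt) -> str:
    """The alternative from the thread: the budget belongs to the source address."""
    return a.ip


def replay(policy: LoginPolicy, attempts: List[Attempt]) -> List[bool]:
    """Feed attempts in order; returns whether each one was allowed to be checked at all."""
    outcome: List[bool] = []
    for a in attempts:
        if not policy.allowed(a):
            outcome.append(False)   # rejected before the password is even checked
            continue
        outcome.append(True)
        if not a.ok:
            policy.record_failure(a)
    return outcome


# Constructed log: an attacker at 198.51.100.7 guesses alice's password six times,
# then alice herself logs in correctly from 192.0.2.10.
SAMPLE_ATTEMPTS = [Attempt(ts=float(i), user="alice", ip="198.51.100.7", ok=False) for i in range(6)]
SAMPLE_ATTEMPTS.append(Attempt(ts=10.0, user="alice", ip="192.0.2.10", ok=True))


if __name__ == "__main__":
    print("per-account:", replay(LoginPolicy(per_account_key), SAMPLE_ATTEMPTS))
    print("per-ip:     ", replay(LoginPolicy(per_ip_key), SAMPLE_ATTEMPTS))
```

Under the per-account policy the seventh entry (alice's genuine login) is refused; under the per-IP policy it is accepted while the attacker's sixth guess is still refused. As the comment notes, an attacker spreading guesses across many addresses stays under a per-IP budget, which is why the two keys are usually combined rather than swapped.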

Re:Convenience vs security vs stupidity ... (1)

techno-vampire (666512) | more than 6 years ago | (#24548513)

It could serve as an interesting basis for security, i.e. gesturing and opening the correct doors in a maze.

I like that idea, especially if whoever sets up the gestures has a bit of imagination and a sense of humor. I'd love to be able to open a door just by walking up to it, holding my left hand up at shoulder level and snapping my fingers. Clapping my hands three times at waist level would be another neat idea. Set it up right, and it would feel like you were in a magician's lair, and that there were demons who would get you if you make the wrong move, or the right move at the wrong time. Neat!

Speaking of passwords (2, Funny)

Anonymous Coward | more than 6 years ago | (#24547837)

I like that slashdot hides your password if you accidentally type it into a comment.
Look: **********

Re:Speaking of passwords (5, Funny)

YttriumOxide (837412) | more than 6 years ago | (#24547899)

Surely that can't work... if it hides your ******** whenever you type it, then it would make it really obvious what your ******** is if it's a standard dictionary word when you use it in a sentence. I don't think it masks ********s at all.

Re:Speaking of passwords (1)

pentalive (449155) | more than 6 years ago | (#24548691)

and that is why your password should never be a simple dictionary word.

Re:Speaking of passwords (1)

dokebi (624663) | more than 6 years ago | (#24548935)

It only works for your own password. My password is **********. See?

Re:Speaking of passwords (2, Funny)

my $anity 0 (917519) | more than 6 years ago | (#24547903)

12345

did it work?

Re:Speaking of passwords (0)

Anonymous Coward | more than 6 years ago | (#24548025)

So the password is one, two, three, four, five? That's the stupidest password I've ever heard in my life! The kind of thing an idiot would have on his Schwartz!

Re:Speaking of passwords (0)

Anonymous Coward | more than 6 years ago | (#24548111)

It works for my luggage...

Re:Speaking of passwords (1, Funny)

Anonymous Coward | more than 6 years ago | (#24548501)

you can go hunter2 my hunter2-ing hunter2

PEBKAC (4, Insightful)

at10u8 (179705) | more than 6 years ago | (#24547871)

Problem exists between keyboard and chair, and the article does not address that aspect nor give any good workaround.

Re:PEBKAC (0)

Anonymous Coward | more than 6 years ago | (#24548671)

On the contrary, it removes that aspect from the equation solving the problem.

Re:PEBKAC (1)

sseaman (931799) | more than 6 years ago | (#24548703)

What's the point of addressing that? Computer programmers aren't people programmers. We're not going to change habits. We're not going to have Advanced Passwords as a required course in schools. If this is what people do, it's what they do, and no amount of Public Service Announcements is going to change that.

The article begins by acknowledging that passwords are ultimately a failure and goes on from there.

The reason why security as a thing will work is because it's already working: House keys, car keys, credit cards. People are pretty good with these things, and it's a model that makes sense for people.

OpenID (4, Insightful)

Cyberax (705495) | more than 6 years ago | (#24547883)

OpenID is _PERFECTLY_ compatible with passwordless authentication. For example, my OpenID provider uses Kerberos authentication.

I too feel that passwords are too weak. Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

Re:OpenID (1)

h4rr4r (612664) | more than 6 years ago | (#24547917)

That is something held, not something known. Someone can take your something held. Ideally you would have both.

Re:OpenID (2, Insightful)

Cyberax (705495) | more than 6 years ago | (#24547999)

For most applications "something held" (maybe with a simple PIN-protection) is perfectly fine. Like your keys, for example.

Good key revocation system is essential in this scenario, however.

Passwords are much overrated, anyway. Most users inevitably either choose weak passwords or just write them down somewhere.

Re:OpenID (1)

h4rr4r (612664) | more than 6 years ago | (#24548079)

A PIN is a password. So you are saying something held is fine, if you have something known too.

My car has a much easier known-exploit, the infamous rock to window method.

Written down passwords are not inherently bad.
If they are kept in a safe place, say a wallet, and they are not marked as to what they are for it can be an acceptable practice. Especially if very few attempts are allowed.

Re:OpenID (1)

Cyberax (705495) | more than 6 years ago | (#24548223)

A PIN is a weaker form of password. It also relies on hardware (to lock you out if you enter the PIN incorrectly several times). It's useful to make simple attacks (like stealing your token) harder.

A written-down password is less secure than a hardware token. Because you can simply copy the written password (and use it later) but you need to have a physical token to use it. Of course, assuming tokens are not easy to clone.

Re:OpenID (1)

c_g_hills (110430) | more than 6 years ago | (#24548367)

My bank has quite a good solution. They provided me with a pin pad, which I use in combination with my (chip&pin) bank card. When I need to make a transaction online, I am presented with a code. I enter this into the pad along with my pin, and it produces another code, based upon the key held in the chip. This can also be used for identification by producing a time-based code similar to RSA keys.

Re:OpenID (2, Informative)

SanityInAnarchy (655584) | more than 6 years ago | (#24548313)

However, "something held" can be considerably more secure than "something known".

Either way, the point is that TFA represents OpenID as a reduction in security, when, in fact, it allows you to implement whatever security measures you want.

This is a common misconception -- that OpenID is simply single-sign-on in new clothes. It's actually an opportunity to give the user responsibility for their own security, and that's a powerful thing.

Re:OpenID (1)

pentalive (449155) | more than 6 years ago | (#24548801)

Something held = a card with 1000 5-letter sequences.

Something known = The "algorithm" you change those 5-letter sequences with:

copy the last two letters, in reverse order, to the front. Add the two-digit day of the month (or minute) to the end.

The host challenges with a number: 567
You look up "SBEce"
You key in "ecSBEce10"

Possible Changes:

copy or move:2

To the beginning or End:2

First two
center three
last two
first three
last three:5

Reversing them or not:2

add 2 digit minute
add 2 digit day:2

To the beginning or end:2

add two known letters:26 * 26 = 676

prefix two known letters:26 * 26 = 676

36,558,080 combinations on top of the 1000
possible challenges..

Of course if the change algorithm gets too complicated you may have to write that down.

Re:OpenID (2, Insightful)

Colin Smith (2679) | more than 6 years ago | (#24547941)

Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

They're also not cheap.

Re:OpenID (1)

Cyberax (705495) | more than 6 years ago | (#24548093)

There's no real reason for it.

They are expensive because demand for them is low and economy of scale doesn't have a chance to kick in.

Combine it with a lot of conflicting proprietary implementations.

Re:OpenID (0, Troll)

Tony Hoyle (11698) | more than 6 years ago | (#24548137)

The WoW ones cost 6 euros apiece. If that kind of security is available for a game then what are you prepared to spend for something important?

Re:OpenID (1)

Colin Smith (2679) | more than 6 years ago | (#24548411)

The WoW ones cost 6 euros a piece.

The Wow ones are subsidised. securID tokens are typically around $50/50 each when purchased in bulk.


Re:OpenID (1)

Tony Hoyle (11698) | more than 6 years ago | (#24548623)

They cost way less than that.. A quick google found genuine RSA ones being sold retail for a US equiv. of $40 each.

The WoW ones are 3rd party and produced in bulk (and allegedly nowhere near as sophisticated as RSA ones), so I don't think they're subsidised much if at all. Blizzard have previously said they're being sold at cost, not subsidised.

The real price gouging on these things goes on at the server side.. a SecurID appliance to use all these keys runs to about $8000... but that's peanuts to the average bank for example (which is why it surprises me so few banks use them (only one in this country I'm aware of and that's only on limited trial)).

Re:OpenID (3, Interesting)

CTachyon (412849) | more than 6 years ago | (#24547947)

Also, many OpenID providers like MyOpenID [myopenid.com] let you generate a browser-side SSL certificate and forbid password logins entirely on your account. At that point, you can't be tricked into entering your password because you simply don't have a password.

b.authenticator (1)

negRo_slim (636783) | more than 6 years ago | (#24547961)

Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

I seem to recall a rather high profile [google.com] company introducing a hardware token to assist with account security; it was greeted with much enthusiasm [wowinsider.com] by its customers. Yet before long, it too, failed [wowinsider.com].

Re:b.authenticator (1)

Cyberax (705495) | more than 6 years ago | (#24548077)

So? Of course you can screw up anything.

Re:b.authenticator (1)

Rakishi (759894) | more than 6 years ago | (#24548159)

It didn't seem to fail except in the sense that it doesn't provide 100% from all possible methods of attack. If someone is able to get physical control of your token and learn your password then you have bigger problems to worry about.

Re:b.authenticator (1)

Tony Hoyle (11698) | more than 6 years ago | (#24548337)

It fell to a social engineering attack.. Blizzard screwed up basically (should have demanded photo ID but didn't).

Even the most secure systems can fail in that manner if the human side fails. One of the first things that's done when security is tested in an organisation is phone up, make up a story and see if the person on the other end will give up a password.

Of course the reason the hacker had enough information to pull that off is the owner was an idiot and gave their details away - probably responded to a phishing email (they had the CD key and passphrase - the only way to get them is for someone to divulge them.. they're never typed in so they can't be got by malware).

Re:OpenID (2, Insightful)

hackstraw (262471) | more than 6 years ago | (#24548165)

Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

USB thumbdrive, passphrase protected private key.

Once sshd can tell if a private key has a passphrase and its authorized keys can be centrally managed, then there is never a reason a user should ever type a password. Just unlock the private key locally, and you can go wherever you are already authorized to go.

I just think it's so stupid that we have to type usernames and passwords all the time. The burden is backwards. It's up to the server to say yes/no, it already knows who is allowed on the system, and their capabilities (roles, authorization, whatever), all the user needs to do is say here is my ID, is it OK for me to come in?

I mean this is the way credit cards work. No password whatsoever, and I can present my card, and a purchase is made, no password ever.

Now, with password security, since they are insecure by design, then you have to change them, to ensure they are secure again, thus placing a burden on the user and sysadmins and help desk people.

I mean, I don't use a username/password to enter my $500,000 house, or to drive my $100,000 car, or to enter my workplace where there are many millions of dollars of equipment and data. Why do I have to enter a username/password just to go onto a computer that already knows I'm ok to be on the system?

Re:OpenID (1)

SanityInAnarchy (655584) | more than 6 years ago | (#24548265)

I mean this is the way credit cards work. No password whatsoever, and I can present my card, and a purchase is made, no password ever.

Yes. Isn't it encouraging how credit cards are far less secure than my virtual server?

I mean, I don't use a username/password to enter my $500,000 house, or to drive my $100,000 car,

No, but you hopefully are using a key, at least. And I know some of us use combination locks -- which is, you know, entering a passcode to get into your house or car. Or office.

If you don't use either, would you mind posting where you live?

Re:OpenID (1)

pentalive (449155) | more than 6 years ago | (#24548901)

Anyone who holds your credit card can charge until you report it stolen.

Nothing stops anyone from breaking and entering your house except "law" - brick+window, or crowbar + back door, or bumpkey + front door = entry.

Your workplace has a kind of password - the people you work with recognise you. Try walking into some random place where you don't work - even a big company where there are too many employees for everyone to recognize everyone.

You may be able to cart off a computer with the right ploy. On the other hand you might just get the "Who are you? Call security."

Re:OpenID (1)

sam0737 (648914) | more than 6 years ago | (#24548191)

Something like special hardware tokens are much better, but there's no infrastructure for their distribution.

Did I hear you say TPM of Trusted Computing? It does exactly this, except that you can't carry that chip around and use it at an Internet kiosk.

Re:OpenID (1)

Cyberax (705495) | more than 6 years ago | (#24548307)

No, it's more like RSA tokens used in Internet-banking.

TPM ensures that no 'untrusted' code is running, hardware tokens are used to ensure your identity.

My reply, directly to the author: (4, Insightful)

SanityInAnarchy (655584) | more than 6 years ago | (#24548217)

I felt I had to respond to your article about passwords. It's been Slashdotted here:

http://it.slashdot.org/article.pl?sid=08/08/10/186203 [slashdot.org]

But I felt it was important enough to write directly, and concisely, because you seem to have missed a fundamental point of OpenID.

OpenID promotes "Single Sign-On": with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

OpenID supports single-sign-on. There is nothing about it which requires you to use the same identity everywhere -- or even the same provider.

But more importantly:

OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site.

Nothing about OpenID requires a password.

I'll say that again: NOTHING about OpenID requires a password.

What OpenID does is, in proper implementations, it allows us to sign in with any provider we choose. I could choose my own server as a provider -- thus, it's not necessarily "someone else's web site". And I don't have to use passwords -- I can use a password and a "security question", I can use public-key cryptography, or I can hire a secretary to sit at the server in question and only authorize requests when she receives a phone call from me.

Even if we assume everyone continues to use the same password, with the same account, everywhere, it's still better than a conventional login. With the conventional login, every site I log into could steal my password and use it to login as me elsewhere. With OpenID, only my OpenID provider can do that.

One single-point-of-failure is better than N single-point-of-failure.

You can't use Microsoft-issued OpenID at Yahoo, nor Yahoo's at Microsoft.

If true, that seems about on par for a technology in its infancy. Remember email? Used to be, you could only send mail to other people with the same ISP. Now, I can send mail to anyone, on any ISP, so long as I have their address.

So that says more about Yahoo and Microsoft's understanding of the technology than it says about the technology itself.

Re:My reply, directly to the author: (0)

Anonymous Coward | more than 6 years ago | (#24548415)

"What OpenID does is, in proper implementations, it allows us to sign in with any provider we choose. I could choose my own server as a provider -- thus, it's not necessarily "someone else's web site". And I don't have to use passwords -- I can use a password and a "security question", I can use public-key cryptography, or I can hire a secretary to sit at the server in question and only authorize requests when she receives a phone call from me.

Even if we assume everyone continues to use the same password, with the same account, everywhere, it's still better than a conventional login. With the conventional login, every site I log into could steal my password and use it to login as me elsewhere. With OpenID, only my OpenID provider can do that.

One single-point-of-failure is better than N single-point-of-failure."

So a single point of failure that allows someone access to everything is better than multiple points? You neglect to understand that with passwords, you can use different passwords in different places. One place fails, you don't lose everything else like you would with OpenID. OpenID is horribly flawed because of this simple grain of truth that no one seems to be able to see or understand. I think it's only the people who don't train themselves to work with a lot of "simple" yet strong passwords for everything that see any value in needing a single authentication method and thinking it's somehow better than passwords (I have tons of passwords for everything, all very strong, and yet have no difficulty in remembering them -- no, not here, where I post unpopular opinions as AC because of mods that over-react to any *gasp* different opinion as if it were flamebait and trolling).

Passwords are still the single best method of authentication, because they live in my mind and are only released on demand. It's up to me to ensure they are used correctly and securely. Sad that people don't want that responsibility anymore.

Re:My reply, directly to the author: (1)

webview (49052) | more than 6 years ago | (#24548713)

One single-point-of-failure is better than N single-point-of-failure.

The problem I have with this and with any central 'authority' is that when the central authority is compromised, all my sign-ons could be compromised.

Personally, I like the fact that I can control everything and I do use super-strong passwords (if that's not an oxymoron) for my 'important' accounts. But then again, I'm a geek and probably more disciplined than most.

That's not to say that my stuff couldn't be compromised, but personally, I am more comfortable with controlling it myself.

Re:My reply, directly to the author: (1)

styrotech (136124) | more than 6 years ago | (#24548953)

Thank you.

The level of ignorance about what OpenID is or isn't is fairly staggering even amongst technical people.

I think the OpenID people have an uphill battle trying to educate the masses. I hope they can succeed, but I have my doubts.

Example of no password (1)

pentalive (449155) | more than 6 years ago | (#24548965)

Take a look at vidoop [vidoop.com]. They present you with some pictures - you pick out the ones that fall into the categories that you picked earlier (picture A is a space station, picture E is a dog, picture F is a car, so you can enter A, E and F in any order). The letters and pictures change next time, but one will still be of a space station, one of a dog, one of a car.

Re:OpenID (1)

Niten (201835) | more than 6 years ago | (#24548493)

Yeah, OpenID can work with just about any authentication scheme, all without requiring you to provide your credentials on someone else's site.

A much more apt criticism of OpenID would be that it relies on DNS for authentication purposes, and DNS is fundamentally insecure. Why bother stealing passwords when you can just poison the cache of an OpenID site's nameservers, tricking the site into authenticating users against a bogus OpenID server of your choosing?

Re:OpenID (1)

Cyberax (705495) | more than 6 years ago | (#24548643)

In theory, hardware tokens can also authenticate that the OpenID server is the real one.

We need more passwords... (1)

ettlz (639203) | more than 6 years ago | (#24547891)

...and we must enforce their strength and use like bastards.

Let us not be pussies about this, short of submitting a biometric signature every time I want to authenticate just how else can a machine tell I am me?

Re:We need more passwords... (1)

vertinox (846076) | more than 6 years ago | (#24548457)

Let us not be pussies about this, short of submitting a biometric signature every time I want to authenticate just how else can a machine tell I am me?

You could implant an RFID chip in someone's heart which only functions when the heart is beating, so if someone removed it, it would no longer function.

A little extreme, but no one could ever call you a pussy.

Re:We need more passwords... (1)

ettlz (639203) | more than 6 years ago | (#24548481)

You could implant an RFID chip in someone's heart [...] A little extreme, but no one could ever call you a pussy.

No, they'd call me Harkonnen.

This could just be my ignorance- (3, Insightful)

FlyingSquidStudios (1031284) | more than 6 years ago | (#24547895)

But doesn't this restrict people to using secure sites only from their own machines? I have encountered situations where I was at friends' houses, relatives' houses or even a work computer where I want to do something somewhat security-sensitive like checking e-mail. Wouldn't this sort of security measure make that far more difficult?

Re:This could just be my ignorance- (1)

rasputin465 (1032646) | more than 6 years ago | (#24549207)

But doesn't this restrict people to using secure sites only from their own machines?

Yes, yes it does. Several commenters have suggested workarounds to this, like carrying memory sticks with all your keys and the like. But I think it's highly unlikely that will ever catch on. Personally, I don't see any problem using passwords, as long as the user is smart about usage (i.e. no public terminals, use only over encrypted connections, mixed upper/lower case/numbers/special characters, keep it secret, etc.).

But to be fair, no, I did not RTFA.

totally safe authentication method! (5, Funny)

ocularDeathRay (760450) | more than 6 years ago | (#24547915)

Jean-Luc Picard: Begin auto-destruct sequence, authorization Picard-four-seven-alpha-tango.

Beverly Crusher: Computer, Commander Beverly Crusher. Confirm auto-destruct sequence, authorization Crusher-two-two-beta-Charlie.

Worf: Computer, Lieutenant Commander Worf. Confirm auto-destruct sequence. Authorization Worf-three-seven-gamma-echo.

Computer: Command authorization accepted. Awaiting final code to begin auto-destruct sequence.

Re:totally safe authentication method! (2, Interesting)

Saishu_Heiki (969303) | more than 6 years ago | (#24548325)

I was always under the impression that this was a two-stage security system as well. There is the password ("Picard-four-seven-alpha-tango") and a voice-print analysis to confirm it was the correct person issuing the order.

Of course, I don't remember any time where Worf tried to use Riker's credentials, so I can't really back it up...

Re:totally safe authentication method! (3, Interesting)

elFarto the 2nd (709099) | more than 6 years ago | (#24548919)

IIRC, Data has used Picard's credentials, and he was impersonating his voice, so that would support your theory.

Regards
elFarto

Re:totally safe authentication method! (1)

apparently (756613) | more than 6 years ago | (#24548377)

Well, it only looks tragically insecure, as is it well-known that for licensing rights reasons, TNG wasn't allowed to show the crew reading from their RSA SecurIDs. So truly, voice authenticated RSA isn't that unreasonable, is it?

Jean-Luc Picard: Begin auto-destruct sequence, authorization Picard-four-seven-alpha-tango.

Beverly Crusher: Computer, Commander Beverly Crusher. Confirm auto-destruct sequence, authorization Crusher-two-two-beta-Charlie.

Worf: Computer, Lieutenant Commander Worf. Confirm auto-destruct sequence. Authorization Worf-three-seven-gamma-echo.

Computer: Command authorization accepted. Awaiting final code to begin auto-destruct sequence.

Re:totally safe authentication method! (1)

pentalive (449155) | more than 6 years ago | (#24549005)

Add to that the ship is tracking the whereabouts of each crew member at all times. So that adds a factor of "where you are". I suppose it's done with combadges, though, so perhaps only a "what you have".

Re:totally safe authentication method! (2, Funny)

Kidbro (80868) | more than 6 years ago | (#24549157)

Sheridan: This is Captain John J. Sheridan. Serial number XO7Y39-Alpha. Security code: obsidian.
Ivanova: This is Commander Susan Ivanova. Serial number Z48M27-Epsilon. Security code: griffin.
Michael Garibaldi: This is Chief Warrant Officer Michael Garibaldi. Serial number V17L98. Security code: peekaboo.
. . .
Ivanova: Peekaboo?
Garibaldi: Would you have guessed it?

(linky [wikiquote.org] )

How could it blame OpenID? (3, Interesting)

sam0737 (648914) | more than 6 years ago | (#24547929)

OpenID does not require the use of a password as the way for a human to authenticate oneself to the system.

It's just up to the OpenID signatory to use whatever technology to authenticate someone. This human interface is decoupled from the underlying authentication.

Although most public signatories currently use username+password, it could be changed. Say you could implement your own, using PKI to recognize your own certificate stored on removable media. If you went crazy enough, nothing stops you from implementing a one-time password + biometric + whatever-you-can-think-of to authenticate yourself to your own signatory.

its not that hard (4, Funny)

circletimessquare (444983) | more than 6 years ago | (#24548013)

i have trouble keeping track of all my usernames and passwords like everyone else

so i put it in passwords.txt in my shared emule folder, so i can access it anywhere in the world ;-)

smart, huh?

Passwords are fine (0)

Anonymous Coward | more than 6 years ago | (#24548023)

As long as you use at least 200 random alphanumeric characters. No geek worth his salt would choose a password with anything less.

It takes about five hours to learn such a string, then all you do is append/prepend/insert different ordinary words into it for different sites and usages.

What about digitags? (3, Interesting)

nicc777 (614519) | more than 6 years ago | (#24548097)

My bank uses a combination of Digitag [fnb.co.za] and SMS notification as added layers of security.

In South Africa, everyone with a bank account by law has to undergo a KYC process (know your client). This basically means that you as a client have to verify your ID at a branch (in person) with ID documents and some of your monthly bills. Your cellphone number is then captured to which all notifications of activity on your accounts are sent.

The Digitag [actividentity.com] is used during online authentication. As a further backup, a one-time PIN (OTP) is sent to your cellphone. This OTP is required for certain transactions like once-off payments.

Granted, the system is not perfect (there is still human stupidity), but I would like to hear your comments on these types of systems, as they are becoming more and more part of our lives.

OpenID and Multi-Factor Authentication (4, Informative)

master_runner (958234) | more than 6 years ago | (#24548243)

Although the password is still there, many OpenID providers are moving towards advanced multi-factor authentication. For example, when I (or anyone else) attempt to log in to my OpenID account, the account provider calls my cellular phone. I must answer the call and confirm (by pressing the # key) in order to log in. This means that in order for an intruder to gain access to my account, they must have my password and my mobile phone, and if anyone else tries to log in to my account the unexpected call will alert me to this fact. I also know that other OpenID providers support the hardware key popularized by PayPal that generates a one-time password for each login. Other OpenID providers (including mine) support authentication via SSL certificates. There's a whole range of alternative and multi-factor authentication schemes offered by today's OpenID providers, and over time more and more methods are being introduced. OpenID allows users to choose an authorization service based on the security that they offer rather than based on what website they want to log in to.

MyOpenID (2, Informative)

lattyware (934246) | more than 6 years ago | (#24548261)

MyOpenID allows you to use a phone call to log in. When you try to log in, they call you, and you press hash, and it logs you in. Free too.

I have a better idea. (0)

Anonymous Coward | more than 6 years ago | (#24548349)

Anal prints. Like finger prints, only instead of your finger it's your anus. <Colbert>Nobel Prize, please!</Colbert>

Cryptographic login (1)

McDutchie (151611) | more than 6 years ago | (#24548355)

Quoth TFA:

Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see.

I've been doing that for years with SSH [berkeley.edu] . Funny, that.

OpenID Isn't Tied to Passwords (2, Insightful)

Daveman692 (558544) | more than 6 years ago | (#24548427)

There seems to be a slight misconception in the NY Times article around OpenID being tied to passwords. OpenID does not specify the authentication mechanism for the user to their OpenID Provider which means that we've seen many companies (including Microsoft) experiment with alternative authentication mechanisms atop OpenID. The big benefit OpenID then provides them is that they're instantly able to start letting users use their new authentication mechanism at any site which accepts OpenID logins. More about this over at http://openid.net/2008/08/10/challenges-facing-openid/ [openid.net] .

Graphical Pattern Method (3, Interesting)

BPPG (1181851) | more than 6 years ago | (#24548477)

At my university, they were trying an experimental password alternative that comp-sci students could opt-in for.

Basically, we were presented with an image; this particular image was a bunch of cars in a parking lot, with people walking or standing around. I think it was a 400 by 400 pixel image. To set your pattern, you had to click and memorize five or six arbitrary points in the image, and also memorize the order you click them in. The idea was that it was supposed to be a lot easier to remember than an equally powerful password. Some people liked the new system, while others had a lot of trouble remembering the exact position of each of their clicks. I fell into the latter group.

Re:Graphical Pattern Method (1)

Hektor_Troy (262592) | more than 6 years ago | (#24549013)

EXACT position? You'd think a 'fairly close' position would do. For people walking, car park etc, you'd probably go with a specific car or face/hand/leg rather than [327;173].

not again... (0)

Anonymous Coward | more than 6 years ago | (#24548509)

Jesus. When will people understand that OpenID leaves authentication entirely to the provider? If you think requiring the user to fart in your head is more secure than typing in passwords, then set up an OP which requires users to fart in your head on login. It's as simple as that.

All these OpenID critics think they are so fucking smart in security, but none of them seem to have bothered reading the specification or a basic tutorial.

Isn't that what OpenID does? (1)

johny42 (1087173) | more than 6 years ago | (#24548607)

machines have a cryptographically encoded conversation to establish both parties' authenticity

Isn't this what OpenID does? TFA obviously doesn't understand the point of OpenID, which is to completely abstract from the details of the method the user uses to authenticate. The OpenID specification doesn't care whether you use a password or some special hardware token to authenticate with your OpenID provider. It's just the fact that most OpenID providers use web-based password authentication that gives it the bad reputation. There certainly are a few that use public key cryptography, and you can always set up your own using whatever you consider the most secure.

At some point, humans'll have to be authenticated (1)

wolf12886 (1206182) | more than 6 years ago | (#24548783)

Encryption using public and private keys has its place, but can only identify machines, as the keys can't (reasonably) be memorized by humans, thus, at some point, humans will always have to be in the loop.
