Slashdot: News for Nerds

NYT Password Security Discussion Overlooks Universal Logins

timothy posted more than 3 years ago | from the your-voice-is-your-password dept.

A recent NYT piece explores the never-ending quest for password-based security, to which reader climenole responds with a snippet from ReadWriteWeb that argues it's time to think more seriously about life beyond passwords, at least beyond keeping a long list of individual login/password pairs: "These protective measures don't go very far, according to the New York Times, because hackers can get ahold of passwords with software that remotely tracks keystrokes, or by tricking users into typing them in. The story touches on a range of issues around the problem, but neglects to mention the obvious: the march toward a centralized login for multiple sites."

127 comments

In matters of security (4, Insightful)

Pojut (1027544) | more than 3 years ago | (#33498658)

In matters of security, the most important tool anyone can have is common sense. Phishing scams, "dangerous" websites, revealing important information willy nilly...all things that cause major problems in the digital world, and all things that could be almost completely avoided if common sense was more prevalent.

Granted, some people "don't know any better"...but that's why you educate those types of people if you know any.

Re:In matters of security (2, Insightful)

Nursie (632944) | more than 3 years ago | (#33498806)

Well, it doesn't help that companies are ill informed a lot of the time. I got a call today claiming to be from my ISP, asking for feedback on the service. At the end of the call they said they just wanted to verify my identity and asked for my DOB and the answer to my secret question that gets used as a password backup/reset mechanism, so they could confirm they were talking to the right person.

I told them absolutely not, they phoned me, I only prove my identity with private information when I've phoned a number/service I recognise, not a random caller.

I'm pretty sure it was them as I got a 'thanks for your feedback' email afterwards, but WTF?
I'm tempted to think it was some sort of test/survey thing to find out how dumb people are, but that's probably being too generous.

Re:In matters of security (2, Interesting)

Pieroxy (222434) | more than 3 years ago | (#33499020)

I live in France and when you're late for your electric bill they have a robot call you that proposes that you enter your credit card information to pay your bill 'on the phone'.

Again, I am pretty sure it's them calling, and I am pretty sure also that this is something new as I never got it before. But this is scary. And I can't help but be scared at how many people will provide their credit card information on such an incoming call...

Re:In matters of security (4, Insightful)

PPH (736903) | more than 3 years ago | (#33499140)

My credit card company (Visa) calls me occasionally about suspicious activity on my card. When they leave a message, the number they leave is NOT the same as the customer service number on the back of my card.

It's been explained to me that this number gets me to the same place as the customer service number with a few fewer steps. But I've told them that I'll never call anything other than the number on the card. And that it's a really bad idea to train customers to return calls to just any number and expect them to identify themselves with SSNs, relatives' names, and provide their card number.

If anyone is supposed to be smart enough to figure social engineering attacks out, it should be Visa and their ilk.

Re:In matters of security (1, Informative)

Anonymous Coward | more than 3 years ago | (#33500580)

I agree this is a very, very bad practice. However, you are mistaken in your facts. It is not Visa that is doing this; it is your bank. The number you call is your bank's number and not Visa's. Visa has very little contact with the cardholder and the policies that brought this about were due to your bank. Easy enough to change banks!

Re:In matters of security (1)

WNight (23683) | more than 3 years ago | (#33501828)

It has a Visa logo on it, it's Visa doing it. They only license their trademark to partners in good standing.

You want us to think they're astute enough to manage to push every little contract change, etc, to their partner banks, but NOT enough to be able to check for proper security practices?

Re:In matters of security (0)

Anonymous Coward | more than 3 years ago | (#33501312)

Visa and their ilk _are_ a social engineering attack!

Re:In matters of security (0)

Anonymous Coward | more than 3 years ago | (#33501778)

When I switched mobile carriers several months back, some signals got crossed and I forgot to pay the bill for the first month of my new service. A CSR called me and gently asked me to please pay for the service, and that she'd gladly take my credit card information over the phone.

I was baffled for a few moments, then stuttered that I'd rather set up automatic payments on the web site, like I thought I had already done. She was confused why I didn't want to read her my credit information right away. I hung up and fixed things on the web site.

Unbelievable.

Re:In matters of security (1)

mcgrew (92797) | more than 3 years ago | (#33499520)

In matters of security, the most important tool anyone can have is common sense.

And paying attention. However, not everyone has common sense, and some people have an attention deficit.

I'm listening... (2, Insightful)

GoChickenFat (743372) | more than 3 years ago | (#33500202)

So educate me... How do I use common sense to determine if the site I just logged into actually secures the login information on the backend? Is it stored in clear text, transmitted in clear text, available to everyone in the company? I have no idea what happens to the credentials I just entered. How do I use common sense to determine if Facebook, MySpace, Slashdot, NYT, etc are taking the securing of my personal and login information seriously? Do you read every EULA completely? Would you even know if the company did not follow their EULA? Do you have the resources to sue if they don't?

Common sense tells me that no site is to be trusted implicitly; they are all dangerous.

Re:I'm listening... (1)

Pojut (1027544) | more than 3 years ago | (#33501078)

I was referring to things like phishing emails, Nigerian bank scams, etc.

One example would be if you get an email from Paypal/your bank/etc saying something about your account, don't click on the link...type the URL in yourself.

That sort of thing.

Re:I'm listening... (1)

Myopic (18616) | more than 3 years ago | (#33501590)

So, you were proposing a partial solution of half measures and best guesses? Wow, you sure laid the smackdown on all those unknowledgeable l00zers.

Idiots (5, Funny)

The_mad_linguist (1019680) | more than 3 years ago | (#33498664)

Why don't you hunter2s shut the hunter2 up!

Re:Idiots (3, Funny)

Abstrackt (609015) | more than 3 years ago | (#33498818)

Why don't you *******s shut the ******* up!

Jeez, you really are a mad linguist.

Re:Idiots (1)

sconeu (64226) | more than 3 years ago | (#33499042)

No, he's a Marklar.

Re:Idiots (3, Funny)

c++0xFF (1758032) | more than 3 years ago | (#33499056)

Why don't you *******s shut the ******* up!

You must have used some really foul language. Slashdot never censors posts like that!

Re:Idiots (-1, Flamebait)

Erikderzweite (1146485) | more than 3 years ago | (#33499654)

Here, have a look: http://bash.org/?244321 [bash.org]
And leave your geek card while you're on your way off slashdot.

Re:Idiots (0)

Anonymous Coward | more than 3 years ago | (#33499868)

Woosh!

Re:Idiots (1)

c++0xFF (1758032) | more than 3 years ago | (#33500338)

My first Whoosh on Slashdot. That should be one of the achievements.

Single point of failure (2, Insightful)

$RANDOMLUSER (804576) | more than 3 years ago | (#33498666)

Always a great idea. Windows registry anyone?

Re:Single point of failure (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33498698)

Speaking of Microsoft,

Link from TFA regarding password strength [microsoft.com]. It's where they got that table in the article. At the Microsoft site, they have a link...

They have a Password Checker [microsoft.com]: an "is your password strong?" test.

That's just a mock phishing example waiting to happen.

Re:Single point of failure (1)

Harodotus (680139) | more than 3 years ago | (#33500654)

Some "best" password test results from the Microsoft site:
  - aaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  - 123456789012345678901234567890123456789012345
  - qwertyuiop[]\asdfghjkl;'z
  - `1234567890-=qwertyuiop[

I'm thinking they don't do dictionary attacks here...
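The four strings above all pass a check that only counts length and character classes. As an added example (my own code, not the Microsoft checker's and not anything posted in this thread), here is a Python checker that also rejects the patterns those strings share: one character repeated, a rising or falling run of code points, and a walk along a row of a US QWERTY keyboard. The row layouts and the thresholds are my own assumptions, and a real checker would add a dictionary and breached-password lookup on top.

```python
# Added example (mine, not the Microsoft checker's code): a strength check
# that flags the patterns the four "best" strings above share.

# Assumed US QWERTY rows, unshifted and shifted; a keyboard walk is a run of
# characters that follows one of these rows forwards or backwards.
KEYBOARD_ROWS = [
    "`1234567890-=", "~!@#$%^&*()_+",
    "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./",
]
MIN_LENGTH = 12           # assumed policy
MAX_PATTERN_RUN = 3       # a repeat, sequence or walk of 4+ characters is flagged


def longest_repeat(password):
    """Longest run of one repeated character: 'xaaaay' -> 4."""
    best = run = 0
    for i, ch in enumerate(password):
        run = run + 1 if i and ch == password[i - 1] else 1
        best = max(best, run)
    return best


def longest_sequence(password):
    """Longest run stepping by +1 or -1 in code point: 'abcd' or '9876' -> 4."""
    best = min(len(password), 1)
    run, step = 1, 0
    for i in range(1, len(password)):
        d = ord(password[i]) - ord(password[i - 1])
        if d in (1, -1) and d == step:
            run += 1
        elif d in (1, -1):
            run, step = 2, d
        else:
            run, step = 1, 0
        best = max(best, run)
    return best


def longest_keyboard_walk(password):
    """Longest substring that runs along a QWERTY row in either direction."""
    p = password.lower()
    best = 0
    for row in KEYBOARD_ROWS:
        for track in (row, row[::-1]):
            for i in range(len(p)):
                # Only look for runs longer than the best one found so far;
                # once a substring is not on the row, no extension of it is.
                for j in range(i + best + 1, len(p) + 1):
                    if p[i:j] in track:
                        best = j - i
                    else:
                        break
    return best


def weaknesses(password):
    """Return the reasons a password fails; an empty list means it passed."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if longest_repeat(password) > MAX_PATTERN_RUN:
        problems.append("repeated character")
    if longest_sequence(password) > MAX_PATTERN_RUN:
        problems.append("sequential characters")
    if longest_keyboard_walk(password) > MAX_PATTERN_RUN:
        problems.append("keyboard walk")
    return problems


def is_strong(password):
    return not weaknesses(password)


if __name__ == "__main__":
    # The four strings reported above, plus one passphrase for contrast.
    for pw in ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
               "123456789012345678901234567890123456789012345",
               "qwertyuiop[]\\asdfghjkl;'z",
               "`1234567890-=qwertyuiop[",
               "correct horse battery staple"]:
        print("%r: %s" % (pw, ", ".join(weaknesses(pw)) or "no pattern found"))
```

Each of the four reported strings is rejected for at least one pattern, while a long passphrase with no run longer than two characters passes; the walk detector is what catches the `qwertyuiop[]\` and `` `1234567890-= `` strings that a pure length test rates highly.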

Re:Single point of failure (1)

kenrblan (1388237) | more than 3 years ago | (#33498800)

Remember when building a critical system ask WNGD? (What would Northrop Grumman Do?)

Re:Single point of failure (3, Insightful)

tverbeek (457094) | more than 3 years ago | (#33498846)

Maybe the NYT article doesn't mention centralized login because it's such an obviously bad idea?

Re:Single point of failure (1)

bluefoxlucid (723572) | more than 3 years ago | (#33498984)

Yeah my initial response was going to be "LOL"

Re:Single point of failure (1)

jimicus (737525) | more than 3 years ago | (#33499412)

Maybe the NYT article doesn't mention centralized login because it's such an obviously bad idea?

It's not quite as simple as that.

On the face of it, yes, it introduces a single point which, if compromised, has pretty bad consequences. But at the same time, if there's only one password to remember the likelihood of it being written down, exactly the same as the username or otherwise trivially guessable probably drops dramatically.

Now, if something like OpenID were to support certificate-based authentication...

Re:Single point of failure (2, Interesting)

tverbeek (457094) | more than 3 years ago | (#33500862)

While it might reduce by a marginal amount the likelihood of the account being compromised, the potential consequences would be profoundly greater. That's a poor trade-off.

Several years ago, the pretty-damn-good and carefully-guarded common password that I used for buying things from sites such as Amazon, eBay, iTunes, etc. - reasonably well-run, reputable companies - was compromised somehow. (I have other different passwords that I use for message boards, others for banking, others for work-related accounts, etc.) Just dealing with that small breach was a serious hassle; if my financial institutions, e-mail, or privileged accounts had been involved, it could've been disastrous. Thank-you, but Do Not Want.

Re:Single point of failure (1)

Ephemeriis (315124) | more than 3 years ago | (#33498890)

Always a great idea. Windows registry anyone?

It doesn't actually have to be a single point of failure though... What ever happened to OpenID [openid.net] ?

Re:Single point of failure (0)

Anonymous Coward | more than 3 years ago | (#33499340)

I think OpenID, while still used in some places, is slowly failing as it becomes used for spam. It's still useful as an authentication method, but not as a method for account creation on websites.

Re:Single point of failure (1)

sarathmenon (751376) | more than 3 years ago | (#33498978)

Not exactly. I use clipperz.com to store my passwords, and one of the features it provides is a direct login. The way this works is that it submits the password form directly, without you having to visit the website and copy-paste the password from clipperz. It's impermeable to keyloggers and clipboard sniffers because you don't copy or type the password anywhere. Now, if your system is already hosed, you could theoretically be hacked. But, at that point you're SOL anyway.

Yeah, I know the drawbacks of using a password manager, and an online one at that. But it's the best tradeoff I've seen. I have to remember only one strong password, and I can just randomly type in unique passwords for the sites I visit. Plus, their architecture is solid.

Re:Single point of failure (1)

vux984 (928602) | more than 3 years ago | (#33499198)

Pretty cool. Is there an open source equivalent? One that can be hosted on one's own servers?

Re:Single point of failure (1)

vux984 (928602) | more than 3 years ago | (#33499222)

Replying to my own post because clipperz actually appears to be Affero GPL... !

Re:Single point of failure (1)

Sancho (17056) | more than 3 years ago | (#33499622)

Hey, that's pretty neat. Thanks for pointing that out.

Torn (4, Insightful)

esocid (946821) | more than 3 years ago | (#33498674)

I'll admit, I feel torn when I see that OpenID login. Increase my chance of giving someone access to everything? Or make it simple?
In the end I compromise and simply use a variation of one password for those.

There is the problem with centralized logins: the masses don't consider the first part, and only think of the convenience.

Re:Torn (1)

Pieroxy (222434) | more than 3 years ago | (#33499058)

OTOH, for stupid online forums and unimportant stuff such as random blogs, it makes sense. Unfortunately, those are the ones NOT proposing OpenID...

Re:Torn (1)

tronbradia (961235) | more than 3 years ago | (#33499130)

What's easier: getting your openID taken down? Or changing all the passwords to sites that you gave the same or similar password to, everywhere on the internet?

I don't even have a list of all the sites I've given my crap password to. But if they were all authenticated with openID, I would only have one problem to fix.

Re:Torn (4, Informative)

houghi (78078) | more than 3 years ago | (#33499244)

There used to be a time that you could easily host your own OpenID with e.g. http://siege.org/phpmyid.php [siege.org]
You point to http://yoursite.example.com/ [example.com] instead of the one from Google or any other OID provider.
That way you limit the chance of giving somebody else access as you manage your own login and password.

Some others might be found here : http://openid.net/developers/libraries [openid.net]

Re:Torn (1)

Eil (82413) | more than 3 years ago | (#33499252)

This is why you choose a reliable OpenID provider for your account. A reliable provider should have a good security record and (ideally) explain the details of their authentication system including how the passwords are stored.

Since OpenID is open, you can also be your own provider.

Re:Torn (1)

boxwood (1742976) | more than 3 years ago | (#33499274)

KeePass is a pretty good solution. It saves all your passwords into an encrypted file. All you have to remember is the password to get into KeePass and you have access to all your passwords. Most of the time you can just click on the username field on the webpage, click on the sitename in KeePass, hit ctrl-v and it'll enter your username and password and submit it.

So you can have all your passwords for every site be a unique password of random characters, but have to only remember one password. Works for Windows, MacOS, Linux, and has a standalone version you can put on a thumbdrive if you need to use a computer at an internet cafe or whatever.

A simple keylogger won't get your passwords, they'd have to keep track of copy and paste operations to get your passwords.

Re:Torn (2, Informative)

Chelloveck (14643) | more than 3 years ago | (#33500800)

I like SuperGenPass [supergenpass.com] . It never actually saves a copy of your passwords, it algorithmically generates them from the site's domain name and your master password. (Actually, from any two strings. By convention it's the domain and master password, but you could use any identifier/keyword pair.)

It's made to run as a bookmarklet which auto-populates password fields on web forms. There's also a mobile version [supergenpass.com] for when you're using someone else's computer. Either way the password is dynamically generated by JavaScript running locally. The mobile version is also good for pages which have funky login prompts that don't play nice with the bookmarklet. (I'm looking at you slashdot!)
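Generating site passwords instead of storing them, as esocid's "variation of one password" and Chelloveck's SuperGenPass both do in different ways, looks like this in code. This is an added example in Python, my own and not SuperGenPass's code or algorithm (SuperGenPass has its own hashing scheme); here the derivation is PBKDF2-HMAC-SHA256 keyed by the master password with the site's domain as salt, and the domain is reduced to its last two labels so that `www.example.com` and `login.example.com` agree, an assumed simplification that ignores public-suffix rules. The iteration count, output length and the digit/symbol fix-up are also my assumptions.

```python
import base64
import hashlib

# Added example (mine, not SuperGenPass's code or algorithm): derive a site
# password from a master password and the site's domain instead of storing
# it. Iteration count, length and the domain reduction are assumptions.
ITERATIONS = 100_000
LENGTH = 16


def registrable_domain(host):
    """Keep the last two labels so www.example.com and login.example.com
    agree (assumed simplification; real public-suffix rules are longer)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def derive_password(master, host, length=LENGTH):
    """Derive a per-site password. Same master + same domain -> same output;
    any other domain or master -> an unrelated output. Nothing is stored."""
    if not 2 <= length <= 44:           # base64 of 32 bytes is 44 characters
        raise ValueError("length must be between 2 and 44")
    salt = registrable_domain(host).encode()
    # The domain is the salt, so one master gives a different password per
    # site; PBKDF2's cost makes recovering the master from one leaked site
    # password expensive rather than instant.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)
    pw = list(base64.b64encode(key).decode()[:length])
    # Deterministically guarantee one symbol and one digit for sites with
    # complexity rules; the two positions are kept distinct so the second
    # fix-up cannot undo the first.
    a, b = key[0] % length, key[2] % length
    if a == b:
        b = (b + 1) % length
    if not any(c in "+/" for c in pw):
        pw[b] = "+/"[key[3] % 2]
    if not any(c.isdigit() for c in pw):
        pw[a] = str(key[1] % 10)
    return "".join(pw)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed demo master
    for host in ("www.example.com", "login.example.com", "example.org"):
        print(host, derive_password(master, host))
```

The trade-off the comment hints at is visible in the function signature: because the output is a pure function of the master and the domain, there is no vault to steal, but there is also no way to rotate a single site's password after a breach without adding a per-site counter to the input, and changing the master changes every site password at once.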

Re:Torn (1)

Sancho (17056) | more than 3 years ago | (#33499916)

The best thing to do is to look at how you currently operate and see if OpenID would improve security or not. If you're already using passwords in a particular way, you probably aren't going to change much.

A lot of people reuse their passwords, despite the fact that best practices suggest a unique password for each site. In this case, it just makes sense to go with OpenID.

If you already use lots of unique passwords, and you have no problem remembering them, then keep on doing that. OpenID gives you little benefit.

As someone else mentioned, it's probably easier to recover from a lost OpenID password than remembering all of the sites that shared a common password and changing them there. Moreover, it's easier to deal with phishing if the only site you sign into is your OpenID provider. Heck, if you run your own OpenID provider, all the better. You're probably immune to phishing for all intents and purposes.

How does centralized login solve keylogging? (2, Interesting)

KarlIsNotMyName (1529477) | more than 3 years ago | (#33498688)

So they just need one password to access all your profiles?

Unless it was not actually your password for all those sites, but the password to a database (only available locally) that contained the password to those sites, I don't see how that's a solution. Actually, I thought the main problem with passwords was that people already used the same password for all their sites.

Re:How does centralized login solve keylogging? (1)

silas_moeckel (234313) | more than 3 years ago | (#33498794)

It's not one password shared among all the sites. For the web it generally works like this: you go to the site you want to log in to; it talks to the third-party login site and redirects the user there to log in; they do whatever they need to log in and get redirected back to the original site with a cookie, which that site validates. If the user is already logged in they never even see the third-party site, the primary site never sees the credentials, and that third-party site can use more than just passwords to authenticate the user. It's not perfect but it's much better than current. Effectively it's a single sign-on system for the web; things like OpenID allow this to be fairly decentralized (allowing an arbitrary number of third-party sites to process the logins). You don't even have to break anonymity as the origin site needs only a UUID to keep track of that user on their system.
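The redirect flow described in this comment, with both sides' messages, as an added example in Python. It is my own code, not an OpenID library, and is only loosely modelled on OpenID 2.0's association (a MAC key shared between provider and relying party) plus a signed positive assertion; the field names, URLs and signing scheme are assumptions, and discovery, HTML and HTTP handling are left out. The points it demonstrates are the ones the comment makes: the relying party never sees the password, it checks a signature rather than trusting the browser, and each assertion works once.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlparse

# Added example (mine, not an OpenID library): a simplified redirect login,
# loosely modelled on an OpenID 2.0 association plus a signed assertion.
# Field names, URLs and the signing scheme are assumptions.

SIGNED_FIELDS = ("identity", "return_to", "nonce", "assoc_handle", "issued")


def sign(key, fields):
    """HMAC-SHA256 over the signed fields in a fixed order."""
    msg = "\n".join("%s:%s" % (k, fields[k]) for k in SIGNED_FIELDS).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Provider:
    """The third-party login site: holds credentials, signs assertions."""

    def __init__(self):
        self._users = {}          # username -> (salt, PBKDF2 hash)
        self._associations = {}   # handle -> MAC key shared with one RP

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def associate(self):
        """Agree a per-RP MAC key; returns (handle, key) to the RP."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._associations[handle] = key
        return handle, key

    def login(self, redirect_url, username, password):
        """User authenticates here; on success return the URL that sends the
        browser back to the RP carrying a signed assertion, else None."""
        q = dict(parse_qsl(urlparse(redirect_url).query))
        salt, expected = self._users.get(username, (b"", b""))
        if not hmac.compare_digest(self._hash(password, salt), expected):
            return None                       # unknown user or wrong password
        assertion = {
            "identity": "https://provider.example/id/" + username,  # assumed
            "return_to": q["return_to"], "nonce": q["nonce"],
            "assoc_handle": q["assoc_handle"], "issued": str(int(time.time())),
        }
        assertion["sig"] = sign(self._associations[q["assoc_handle"]], assertion)
        return q["return_to"] + "?" + urlencode(assertion)


class RelyingParty:
    """The site the user wants to use: never sees the password, only a
    signed statement from the provider about which identity logged in."""

    def __init__(self, provider, return_to, max_age=300):
        self.return_to, self.max_age = return_to, max_age
        self.assoc_handle, self.assoc_key = provider.associate()
        self._pending = set()     # nonces issued but not yet consumed

    def begin(self):
        """Build the URL the browser is redirected to at the provider."""
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return "https://provider.example/login?" + urlencode({   # assumed
            "return_to": self.return_to, "nonce": nonce,
            "assoc_handle": self.assoc_handle})

    def complete(self, redirect_back_url):
        """Validate what the browser brought back; return the identity URL on
        success, None on any failure (bad signature, replay, expiry)."""
        parsed = urlparse(redirect_back_url)
        f = dict(parse_qsl(parsed.query))
        if "%s://%s%s" % (parsed.scheme, parsed.netloc, parsed.path) != self.return_to:
            return None
        if f.get("return_to") != self.return_to or f.get("assoc_handle") != self.assoc_handle:
            return None
        try:
            expected = sign(self.assoc_key, f)
        except KeyError:                      # a signed field is missing
            return None
        sig = f.get("sig", "")
        if not sig.isascii() or not hmac.compare_digest(sig, expected):
            return None                       # forged or tampered assertion
        if f["nonce"] not in self._pending:
            return None                       # unknown nonce, or a replay
        if time.time() - int(f["issued"]) > self.max_age:
            return None                       # stale assertion
        self._pending.discard(f["nonce"])     # each assertion works once
        return f["identity"]


if __name__ == "__main__":
    op = Provider()
    op.register("alice", "correct horse battery staple")   # constructed user
    rp = RelyingParty(op, "https://rp.example/openid/return")  # assumed RP URL
    back = op.login(rp.begin(), "alice", "correct horse battery staple")
    print("first use:", rp.complete(back))   # identity URL
    print("replay:   ", rp.complete(back))   # None
```

What the relying party checks in `complete` is the part that matters for the phishing and keylogger discussion elsewhere in this thread: the provider's signature proves the assertion came from the provider, the nonce set stops a captured redirect from being replayed, and the `return_to` comparison stops an assertion issued for one site being presented to another. None of that stops a user typing the master password into a look-alike provider page, which is the remaining weak point.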

Re:How does centralized login solve keylogging? (2, Insightful)

dstar (34869) | more than 3 years ago | (#33498816)

And this solves the keylogger problem how?

It doesn't. You still have to authenticate at some point; at most, it reduces the opportunities for a keylogger to catch the password (if you only have to type it in every couple of weeks).

In exchange, it provides phishers with a dream environment. The only way to be certain you're actually connected to your authentication provider is to use SSL and make sure that you see the lock -- and if your security depends on Joe Random User doing that, you've already lost.

Shalon Wood

Re:How does centralized login solve keylogging? (1)

ceoyoyo (59147) | more than 3 years ago | (#33498892)

Showing that the submitter doesn't even understand the very basics of security.

Re:How does centralized login solve keylogging? (1)

bluefoxlucid (723572) | more than 3 years ago | (#33499014)

The only way to be certain you're actually connected to your authentication provider is to use SSL and make sure that you see the lock -- and if your security depends on Joe Random User doing that, you've already lost.

Shalon Wood

You have no idea what you're talking about; this is a huge non sequitur from the discussion on keylogging, although technically mostly accurate (there are ways to break this, but they rely on specialized conditions).

Re:How does centralized login solve keylogging? (1)

silas_moeckel (234313) | more than 3 years ago | (#33499220)

With 2-factor authentication keylogging is practically useless, as you're using a one-time password that only works once. The two most common types of this are the keyfobs that use a large random number, the time and some math to generate a new string of numbers every minute, and a list of numbers you use once. Banks like the list as it's pretty easy to print a list of passwords on a piece of paper and mail it to you. Key fob quality varies but for the ones that do not plug into the computer you would need a lot of samples or some hardware hacking to break into it (or steal the seed from the hopefully well protected servers running auth).
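Both one-time-password styles in this comment, worked through in Python as an added example (my own code, not any vendor's or bank's). The time-based code follows the RFC 6238 TOTP construction that most key fobs and phone apps implement (HMAC-SHA1 over a 30-second counter, dynamic truncation to six digits), and the values below check against the RFC test vectors; the server-side replay guard, the clock-skew window and the paper list are my own simple policy and are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Added example (mine, not a vendor's code): RFC 6238 TOTP as key fobs use
# it, a server-side verifier with a replay guard, and a bank-style printed
# list of single-use codes. Policy choices (skew, list size) are assumed.

STEP = 30        # seconds per time step
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // STEP))


class TotpVerifier:
    """Server side: accept a code for the current step or one step either
    side (clock skew), and never accept a step at or below one already used,
    so a keylogged code is worthless once the real login has gone through."""

    def __init__(self, secret, skew=1):
        self.secret, self.skew = secret, skew
        self.last_used_step = -1

    def verify(self, code, at=None):
        now = time.time() if at is None else at
        step = int(now // STEP)
        for candidate in range(step - self.skew, step + self.skew + 1):
            if candidate <= self.last_used_step:
                continue                      # replay of a consumed step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False


class PaperList:
    """The mailed list of numbers you use once. Codes are generated
    unique; each is removed from the unused set the first time it is
    redeemed. A real deployment would also hash the stored codes, bind the
    list to one account and rate-limit attempts against the small space."""

    def __init__(self, count=10):
        codes = set()
        while len(codes) < count:
            codes.add(str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS))
        self._codes = list(codes)      # what gets printed and mailed
        self._unused = set(codes)      # what the server keeps

    def printout(self):
        return list(self._codes)

    def redeem(self, code):
        if code in self._unused:
            self._unused.remove(code)
            return True
        return False


if __name__ == "__main__":
    seed = secrets.token_bytes(20)            # constructed fob seed
    fob_code = totp(seed)
    server = TotpVerifier(seed)
    print("fob shows", fob_code, "accepted:", server.verify(fob_code))
    print("same code again:", server.verify(fob_code))   # False: replayed
    tan = PaperList(5)
    first = tan.printout()[0]
    print("paper code", first, tan.redeem(first), tan.redeem(first))
```

The replay guard is the piece that makes the comment's claim hold: a keylogger can capture the six digits, but once `verify` has consumed that time step the same digits are refused, and by the next step the fob is already showing something else. The paper list has no clock, so its only defence is the one-use set; lose the paper and every unused code on it is live.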

Re:How does centralized login solve keylogging? (1)

Bengie (1121981) | more than 3 years ago | (#33499630)

If OpenID takes off like a rocket, I'll pay for User/Pass/FOB to secure my account. Would be awesome

Google+OpenID+FOB=Awesome

Re:How does centralized login solve keylogging? (1)

gdshaw (1015745) | more than 3 years ago | (#33500260)

It doesn't. You still have to authenticate at some point; at most, it reduces the opportunities for a keylogger to catch the password (if you only have to type it in every couple of weeks).

You're assuming (incorrectly) that authentication to your OpenID provider is necessarily by means of a password. This is not a requirement: you could use SSL certificates, Kerberos, smartcards, or any other security technology that takes your fancy. You could also (for example) require that the login be authorised from a machine on your LAN.

I'm not saying that this is common practice (it isn't), but if you want this level of security then there is nothing in the OpenID protocol to prevent you from achieving it.

I'd go for this if it was an SSL certificate (1)

pgmrdlm (1642279) | more than 3 years ago | (#33499028)

Just asking if that type of security exists for open id?

Re:I'd go for this if it was an SSL certificate (1)

pgmrdlm (1642279) | more than 3 years ago | (#33499044)

Individual certificate, sorry. Should have been part of the original post.

Re:How does centralized login solve keylogging? (3, Insightful)

Bigjeff5 (1143585) | more than 3 years ago | (#33498798)

Exactly my thoughts.

Keyloggers still work, phishing scams still work, and social engineering still works. If centralized logins become the norm, the bad folks will simply target the centralized logins.

Your risk with centralized logins, however, skyrockets. Now, instead of losing control of one login to one website, you lose everything. Moreover, they don't even have to guess what sites you have access to, they can simply dig through the centralized login site and find it once they have your account info.

The NYT article is interesting, but the SlashDot summary is near useless. There is no need to specifically include universal logins in the discussion, because universal logins suffer from exactly the same issues that individual logins do. The only possible reason for including them is the fact that the potential loss is much much higher with a universal login.

Re:How does centralized login solve keylogging? (1)

IndustrialComplex (975015) | more than 3 years ago | (#33499052)

Keyloggers still work, phishing scams still work, and social engineering still works.

Except that this DOES address those issues, it doesn't make them impossible, but you are missing some advantages here.

Let's say you maintain passwords with 10 different services (not unlikely anymore). Does the typical person know the practices of each of those services? Do they keep track of when those practices change? No, of course they don't.

But let's say you reduce that to one service. All of a sudden you CAN expect people, if demonstrated to them and repeated, that KEYLOGINSERVICE will only contact them by this method (FedEx?, etc) will NEVER ask for ANY information if they are calling you (or may NOT call you). Our website will look like THIS exactly, and here are several ways to verify that.

You know, all the 'standard' verification methods that are used by all the sites we use now (or some, none?) but this time you only have to remember it for ONE site, instead of a variety of methods employed by a variety of sites. When people get in the habit of realizing that the keyservice will NEVER call them, will only do things a certain way, it WILL help combat phishing, social engineering, etc.

Re:How does centralized login solve keylogging? (2, Informative)

Sancho (17056) | more than 3 years ago | (#33500076)

Correct. What this does is improve the safety for people who can manage the presence of mind to avoid phishing for a particular site, while increasing the overall damage done for everyone who gets compromised.

However I'm not going to log in to my OpenID provider on an untrusted computer. I might be willing to log in to, e.g. Facebook on an untrusted computer. So now my options are a little more limited.

Re:How does centralized login solve keylogging? (1)

maxume (22995) | more than 3 years ago | (#33499906)

All the stupid users everyone is worrying about already use their email account as a single point of failure, so switching to another system that concentrates risk really isn't the disaster you are painting.

Re:How does centralized login solve keylogging? (1)

Ephemeriis (315124) | more than 3 years ago | (#33498920)

So they just need one password to access all your profiles?

No.

The idea is to implement some kind of centralized authentication - not necessarily a password. You could do one of those RSA keychain fobs... Or some kind of smartcard or biometric or something... Since it's centralized, you only need one doohickey/password/scan/whatever. And once you're authenticated against that one central site, you don't need to continually re-authenticate everywhere you go.

In theory, you can do something more secure. The end user only needs one doohickey. The individual websites don't need to spend a ton of time or money developing fancy authentication schemes. So you've actually got less burden on both the end user and the individual websites.

Re:How does centralized login solve keylogging? (1)

Frigga's Ring (1044024) | more than 3 years ago | (#33499558)

Biometrics are still considered too intrusive by many people, but not a bad idea. Two-factor authentication using a token is fine until someone loses or breaks their token. If getting a replacement is too difficult or takes too long, you won't get people to adopt the technology. If getting a replacement is too easy, then you're back to the original issue: if they could get your token, someone would just need your PIN to access everything.

resistance.... (2, Interesting)

M. Kristopeit (1890764) | more than 3 years ago | (#33498694)

this story neglects to mention the obvious: the resistance from developers unwilling to hand the security of their systems and the trust of their users over to a 3rd party.

OpenID isn't the solution (3, Informative)

yourcelf (709552) | more than 3 years ago | (#33498744)

The trouble with OpenID is it's still one identity that you're carting around, allowing yourself to be tracked across multiple sites.

A better solution is just to use a password manager (KeePassX, LastPass, etc.) which lets you manage your own multiple identities in a secure way. This gives you the convenience of a single sign-on with the security of a distinct identity for every site where you want it.

Re:OpenID isn't the solution (1)

atisss (1661313) | more than 3 years ago | (#33498950)

Wrong. Password managers would be susceptible to the same problems - sniffers, etc. - and they are less comfortable if you're using multiple computers.

You can customize your own OpenID server for keeping sessions on trusted IP addresses, but requiring some rotating logic only known to you when visiting from guest computers.

Re:OpenID isn't the solution (1)

bsDaemon (87307) | more than 3 years ago | (#33498970)

All the Mac, Linux and BSD-based workstations I use regularly have KeePassX installed, and I keep a mirror copy of the database on my IronKey, as well as synching up the critical personal information with the built-in Windows program on the IronKey for if I need to use a Windows machine without KeePassX on it. I don't honestly know what the root passwords to my personal VPS servers, my account passwords, or any of my banking passwords are. I know the passphrase for the IronKey, and the passphrase for the KeePassX database. Everything else is randomly generated on my behalf.

Re:OpenID isn't the solution (2, Interesting)

shaiay (21101) | more than 3 years ago | (#33499696)

You do know that KeePassX is a port of the Windows KeePass and the database is compatible between versions? There is even a portable version you can put on your IronKey, so you don't have to export KeePass data to your IronKey.

Re:OpenID isn't the solution (1)

bsDaemon (87307) | more than 3 years ago | (#33500096)

No, I hadn't seen the portable version of KeePass, I guess since I just install it from ports or the package repository and don't actually get it from the website. This is much handier though.

Re:OpenID isn't the solution (0)

Anonymous Coward | more than 3 years ago | (#33500288)

I'm just waiting for the day it turns out one of those password generating/storing apps is reporting all the passwords it generates for you to some third party.

Re:OpenID isn't the solution (1)

ADRA (37398) | more than 3 years ago | (#33498980)

Correct me if I'm wrong, but couldn't the only one that could realistically track your actions through OpenID be your authentication provider themselves? Don't trust them? Make your own. If you mean that people can track you based on your credentials exposed through OpenID, then I'd say there's absolutely nothing new there. The one flaw I find with OpenID is its reliance on HTML in order to present the authentication. If they came up with some non-HTML login form standard to allow for application logins, I'd be sold. PS: OAuth+OpenID may be an eventual solution, but every time I look at really integrating into an app I feel like cutting myself instead.

Re:OpenID isn't the solution (1)

Hadlock (143607) | more than 3 years ago | (#33499146)

OpenID be your authentication provider themselves? Don't trust them? Make your own.

OpenID is really expensive to run though; it requires a Verisign security cert, which runs $250+/year.

Re:OpenID isn't the solution (1)

Sancho (17056) | more than 3 years ago | (#33500162)

Could you give some more details on this? As far as I can tell, there's no registration requirement for OpenID, and you can be a provider with all open source software. Who requires a Verisign security cert?

Re:OpenID isn't the solution (1)

bhcompy (1877290) | more than 3 years ago | (#33499338)

I agree with this sentiment.

Realistically, just keep a few different classes of passwords depending on the website. For Slashdot, Fark, your general BBS, etc, a less secure password is not that big of an issue, and I'll use one or two different passwords depending on the security restrictions of the website.

Then, you have websites like Woot that will allow you to use your Facebook, Yahoo, OpenID, whatever passwords, but Woot stores your payment information. That's not the kind of place that you want to use a universal password, and instead use a more secure password. Same goes for utility, banking, etc, except those get the highest level passwords.

I have about 10 primary passwords (and variations of them if there is a rotating password policy). Not difficult to remember, but then again I remember all of my locker combinations since junior high.

Single sign-on password management is just as stupid security-wise as storing all of your personal and/or business documents on Google Docs. Never give someone a one stop shop for all of your stuff. Granted if OpenID used 30 second randomly generated passwords tied to an RSA Token on your person, I'd be more willing to adopt that type of single sign-on system.

Wait.... (3, Funny)

yoblin (692322) | more than 3 years ago | (#33498870)

Great, so I'll be able to use Facebook Connect to login to my bank accounts soon????? Count me in!!!!!!

Re:Wait.... (4, Funny)

Pieroxy (222434) | more than 3 years ago | (#33499096)

Better yet! I can post my bank account balance on facebook in one click! And my actions portfolio! My credit rating! Yeeeeeaaah!!!!

TPTB'd like to keep our identities (2, Insightful)

marcuz (752480) | more than 3 years ago | (#33498888)

NY Times knows what they are doing while supporting this call for centralized password management and identity system. They serve the powers that be on their quest to even greater power. I agree with their point - increasing the so-called safety - but on the other hand I am a bit worried about having a few people in charge of the identities of eventually the entire population. Almighty government and rich corporations will certainly be willing to help us with our identities.

Re:TPTB'd like to keep our identities (2, Insightful)

ADRA (37398) | more than 3 years ago | (#33499054)

Passports, Driver's Licenses, Social Security numbers... yeah the governments just can't be trusted with your identity. Let's trust in Google/Yahoo/Facebook/Microsoft/IBM/etc for our identity needs. Even better, let's have hundreds of incompatible schemes and make users sign up and use them all. That surely has to be more secure than having a single point of failure. I mean look, there's only one ROOT signatory (Verisign) and you just KNOW they fuck up everything they touch, right?

Three factor authentication... (2, Insightful)

HerculesMO (693085) | more than 3 years ago | (#33498940)

I like OpenID, but if you couple it with a three factor authentication, whether it be a smartcard, or biometric, or whatever.. that's when it becomes useful.

Too bad the current implementation doesn't support it. Sadly, World of Warcraft and Starcraft II do.

Go figure.

Re:Three factor authentication... (1)

VGPowerlord (621254) | more than 3 years ago | (#33499262)

I like OpenID, but if you couple it with a three factor authentication, whether it be a smartcard, or biometric, or whatever.. that's when it becomes useful.

Too bad the current implementation doesn't support it. Sadly, World of Warcraft and Starcraft II do.

Go figure.

Three factor authentication? So, something you know (password), something you have (smartcard), and something you are (biometrics)?

Or did you mean two factor?

Re:Three factor authentication... (1)

HerculesMO (693085) | more than 3 years ago | (#33499284)

Sorry, it's early in the week :)

Re:Three factor authentication... (1)

VGPowerlord (621254) | more than 3 years ago | (#33499572)

Sorry, it's early in the week :)

Yes, virtual Mondays suck almost as much as real Mondays (my office was closed yesterday for Labor Day, so today is Virtual Monday for me, too).

KeePassX (2, Informative)

bradley13 (1118935) | more than 3 years ago | (#33499008)

I am very happy with KeePassX. It stores your passwords and related information in an encrypted file. You can copy a password out of it to paste into a web-form. This means

  • You don't have to remember your passwords - they can be randomly generated according to a wide set of rules.
  • You don't have to type your passwords - they transfer via the clipboard (which is automatically emptied after a few seconds)
  • Your passwords are (reasonably) secure, being stored in an encrypted file.

The obvious problem is that you need a password to open the KeePassX file. However, this at least does not go via browser, and I can manage to remember one complex, very secure password.

KeePassX is open-source, available for Windows/Mac/Linux, and compatible across all of these. Nice solution - give it a try! [keepassx.org]

p.s. I have no relation to the project - just a happy user!

Re:KeePassX (1)

Nerdfest (867930) | more than 3 years ago | (#33499260)

The obvious problem is that you need a password to open the KeePassX file.

Actually, you can use a file based key in addition to a password, for some two-factor goodness.

Multi-factor authentication (0)

Anonymous Coward | more than 3 years ago | (#33499018)

Password is not dead. Any single factor authentication has security issues of its own. Multi-factor authentication is much safer (although not bulletproof). I wouldn't be surprised if sites providing access to sensitive data (banks, gov) required at least two-factor authentication in the near future. The current security practice of asking you stupid questions about yourself, in addition to a password, is ridiculously weak.

The password metaphor (3, Insightful)

tick-tock-atona (1145909) | more than 3 years ago | (#33499268)

What has always amazed me about authentication for access-control via a computer is the widespread use of "passwords". We treat computer access-control like it's a brand new problem; however, it's really just the same old access-control problem that we solved at least 4000 years ago [wikipedia.org].

Why don't we have passwords to get into our houses? Why don't we have passwords to get into our cars or P.O. boxes or even safe-deposit boxes? Because passwords are a pain in the ass that are inherently insecure because we, as humans, are terrible at remembering arbitrary strings of numbers/letters/symbols. What we are good at remembering - objects/ideas and the words associated with them - make for terrible passwords because they are so darn easy to guess.

The idea of a lock and key is one which we have been using for millennia for security, so why haven't we applied this simple metaphor to electronic access-control? We even have the technology readily available: Public Key Authentication. But for some reason the only place I've ever seen it used is in OpenSSH. In fact, it's considered superior to password authentication in OpenSSH and recommended over a password.

So why not have RSA keys to our email, online banking etc. just like we have keys to our houses, cars etc?

Re:The password metaphor (1)

rickb928 (945187) | more than 3 years ago | (#33499566)

Ok, so explain how a PKI key system would work.

I have visions of either having your key out there somewhere, and some way to securely access it, or having your key on something like a token.

If the key is out there, do I access it by providing a passcode to authenticate myself? Sounds like a password to me.

If it's on a token, well, where do I insert that, or do I use the token to get a passcode. Again, a password, though we use tokens here so it is at least something 'I HAVE', one of the three factors we like.

In the end, remember, I need a solution that works on multiple computers, does not leave behind any of itself, and can be remembered or discovered by ME easier than a password.

BTW, for my token-based access, we use both a fixed password and the token variable. Still a password. Something I have, the token as a variable password. Something I know, user name and fixed password. Something I am we do not yet support, but I'm willing. I use fingerprints on my little notebook at home. I don't at work or on any other machine.

Re:The password metaphor (2, Informative)

ledow (319597) | more than 3 years ago | (#33499570)

The UK Government Gateway used to issue keys to every individual user. You can use the GG to do everything from file tax forms to start a business. I've never had to do anything as secure and never been as worried about someone finding out those login details on any other website, including my own personal bank account. It was an absolute pain in the arse. 50% of their phone calls were for lost / reissued keys. It didn't stop automated tools scraping keys from compromised computers and causing all sorts of pain (even with separate password required). Issuing them took forever. And in the end you had to prove who you were to get one which was inevitably less secure than the key itself, prove who you were to get one revoked/reissued, prove who you were to do anything with them. Especially around the tax filing time, they were so busy re-issuing keys to people who'd lost them and just wanted to file their return before they got charged, you couldn't get through on the phone lines.

They scrapped it after only two years, I believe, and replaced it with a password system like the banks - two unique items of information posted to you in separate envelopes and requiring both to login. Although there's still a crush around filing time, it's not anywhere near the shambles of before. And to be honest, it wasn't the government's fault. People are just inept at holding items secretly, especially when they are downloaded from a secure website that they have to authenticate against in some way anyway, and when the reissue process has to be secure anyway. It could work, if you could make everyone get used to saving such things in a good place, but they are no better or worse - the gains in security are lost in practicality almost immediately. Even *generating* that amount of keys must take months.

Re:The password metaphor (1)

jimicus (737525) | more than 3 years ago | (#33499634)

I suspect it's more inertia than anything else - the technology didn't exist when it first became necessary to authenticate users, so people did the best they could think of - passwords.

Over the years, the concept has been tweaked to make it more secure - eg. only storing hashes of passwords, demanding passwords of a particular complexity - but ATEOTD we're still polishing the same turd.

Technically speaking, it's entirely true that keypair authentication is much more secure, but there are still a lot of user interaction issues to resolve, eg:

- How come I can't insert a USB keyfob with a certificate signed by my employer's CA to log onto my PC? How come the same keyfob can't then be used with a mac? Linux?
- How come I need to install certificates separately in Firefox and IE on the PC, or Safari on the Mac? It's not like Microsoft (or for that matter Apple) make it impossible for third-party applications to use the keystore.

In many ways, it's probably just as well these things haven't been solved. A PC that's got a malicious keylogger on there could have all sorts of other things, and if you think the world's malware authors would give up overnight just because the world moved over to key/certificate based authentication, you're in a dreamworld. You think changing a few passwords is awkward, how do you think your bank will react if your account is drained by someone who presented the correct certificate?

Re:The password metaphor (2, Interesting)

Sancho (17056) | more than 3 years ago | (#33500488)

Keyfobs make malware work much harder. You don't insert them--you press the button and a number pops up. Enter that number and your password into the website, and you're in. The number changes in X seconds (where X is usually 60 or less.)

It makes it hard for malware to do its job. Now the malware must do its work right then, while you're in your authenticated session. It has to work automatically to e.g. perform a balance transfer. Other mitigation such as CAPTCHAs make it even harder for the malware to use the authenticated session, unless there's a human somewhere using your session. Once you require that a person be involved in the malware transaction, your safety improves significantly.

I think the ideal solution would include the following:
Keyfob plus certificate on USB stick.
Randomly generated form elements.
Honeypot form elements.
Captchas on all pages authorizing movement of money.
5 minute session timeouts.
Tie session to IP address (ideal) or to geolocation data (since NAT, AOL, etc. may show you as coming from several addresses.)
Remote logout.
SMS/email notification of logins.

Re:The password metaphor (1)

maxume (22995) | more than 3 years ago | (#33500222)

Passwords are pretty much analogous to (most) house keys, they are simple secrets that work well enough most of the time (that you can put your secret in your pocket with the house key is largely an implementation detail).

Cryptography is some brand new thing compared to locks and keys.

Re:The password metaphor (1)

tiksi (1527943) | more than 3 years ago | (#33500412)

For those 4000 years, those keys have been easily stolen or copied, allowing me access to your house, car, PO box, etc.

Every day i see people leave their keys laying around. How is this system any better?

Re:The password metaphor (0)

Anonymous Coward | more than 3 years ago | (#33500506)

The idea of a lock and key is one which we have been using for millennia for security, so why haven't we applied this simple metaphor for electronic access-control. We even have the technology readily available: Public Key Authentication. But for some reason the only place I've ever seen it used is in OpenSSH. In fact, it's considered superior to password authentication in OpenSSH and recommended over a password.

We do use the concept of a lock and key for security (the password is your key). The problem is in the digital world your "key" is just information. And information is really easy to copy.

The public key/private key concept is good in theory but it's difficult to implement because you need to be able to trust that the public keys you're using actually belong to the right people.

My front door has a key code. (1)

AnAdventurer (1548515) | more than 3 years ago | (#33500820)

I have a password to get into my house, well, a key code. My deadbolt lock has a number pad. I punch in my code and the deadbolt unlocks. I hate carrying keys around; if I could get my truck to start up that way I would (I already have a hidden wireless keypad on my truck that will unlock and/or open the windows).

Key based authentication... (0)

Anonymous Coward | more than 3 years ago | (#33499280)

How come no one ever brings up the thought of key-based authentication? I feel this would help in a lot of ways... it adds an additional layer of protection against attacks. The website you log into just keeps your public key and nothing else. If no one can get a hold of your private key and passphrase then you are good. Since people tend to use the same password for every site, then the chance of unlocking everything at once won't happen. I guess if you wanted to you could have the site keep both, but that is pointless to me.
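The lock-and-key login that tick-tock-atona argues for, and that the comment above describes ("the website you log into just keeps your public key and nothing else"), is a challenge-response protocol; this is the answer to rickb928's "explain how a PKI key system would work". What follows is an added example, not code posted by anyone in this thread: the site stores a public key per user, hands out a fresh random challenge, and accepts a signature over that challenge. The RSA in it is textbook RSA over a SHA-256 digest, built on the Python standard library only so the block runs offline; it has no padding and is not a substitute for a real signature scheme (Ed25519 or RSA-PSS from a vetted library). The user names, the `login:` domain-separation prefix and the 512-bit key size are assumptions chosen for the demo.

```python
# Added example (not any poster's code): public-key challenge-response login.
# The server stores only public keys, so a dump of its user table lets an
# attacker log in nowhere; each challenge is one-shot, so a captured login
# cannot be replayed. Toy textbook RSA, stdlib only. NOT for production use.
import hashlib
import secrets
from typing import Dict, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; enough for a demo, a library does this for real."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512) -> Tuple[PublicKey, PrivateKey]:
    """Toy RSA keypair (assumed size: 512 bits keeps the demo fast; far too small for real use)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:            # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))   # modular inverse: Python 3.8+


def _challenge_digest(user: str, nonce: bytes) -> int:
    # Bind the signature to this user and this exact challenge so it is useless elsewhere.
    data = b"login:" + user.encode() + b":" + nonce
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # < 2**256 < n


def sign_challenge(priv: PrivateKey, user: str, nonce: bytes) -> int:
    """Client side: the private key never leaves the user's device."""
    n, d = priv
    return pow(_challenge_digest(user, nonce), d, n)


class KeyAuthServer:
    def __init__(self) -> None:
        self.public_keys: Dict[str, PublicKey] = {}   # nothing here is worth stealing
        self.pending: Dict[str, bytes] = {}            # outstanding one-shot challenges

    def register(self, user: str, pub: PublicKey) -> None:
        self.public_keys[user] = pub

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, nonce: bytes, signature: int) -> bool:
        expected = self.pending.pop(user, None)        # consumed on first use: no replay
        pub = self.public_keys.get(user)
        if expected is None or pub is None or not secrets.compare_digest(expected, nonce):
            return False
        n, e = pub
        return pow(signature, e, n) == _challenge_digest(user, nonce)


def demo_login() -> Tuple[bool, bool, bool]:
    """Genuine login, a replay of the same signed challenge, and an old signature on a new one."""
    pub, priv = generate_keypair()
    server = KeyAuthServer()
    server.register("alice", pub)                  # the site keeps the public key only
    nonce = server.challenge("alice")
    sig = sign_challenge(priv, "alice", nonce)
    ok = server.login("alice", nonce, sig)
    replay = server.login("alice", nonce, sig)     # challenge already consumed
    stale = server.login("alice", server.challenge("alice"), sig)
    return ok, replay, stale


if __name__ == "__main__":
    print(demo_login())
```

The point rickb928 raises still stands: the private key has to live somewhere (a file, a smartcard, a token), and unlocking it locally may itself involve a passphrase. What changes is that the server never sees that passphrase or the key, and what it does store cannot be replayed against it or reused at another site.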

What about using your phone? (0)

vakuona (788200) | more than 3 years ago | (#33499790)

Here's an idea. Why can't we build a mechanism to use your mobile phone as the other factor. You pay your provider to provide the service for you, and you get a new key each time you use the last one. So if I log on some website and use the key, I automatically get a new one on my phone. I could even receive them in tens to cater for situations where I might be out of network.

Re:What about using your phone? (1)

Tukz (664339) | more than 3 years ago | (#33500028)

Take a look at Blizzard's Battle.net Authenticator.
It generates a new key every 2 minutes I believe, and you have to enter that along your account name and a password.

If someone steals your password, it's useless without the authenticator.

I have it on my Android phone.
No one can log into my Battle.net account, without my phone.

Which is also password protected, heh.

I'd welcome a single sign on solution, that adapted this.

My country (Denmark) is currently forcing a single signon system down the throat of official web sites, such as banks, IRS and the like.
And it's horrid, because it relies on a key card, with a certain number of keys.

When asked why the fuck they didn't include an optional key generator instead of having to replace the key card when it runs out, they had no real answer.

This single sign on solution, I do NOT welcome.
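Sancho's keyfob ("press the button and a number pops up ... the number changes in X seconds"), vakuona's "new key each time you use the last one" and Tukz's Battle.net authenticator are the same two mechanisms: event-based HOTP (RFC 4226) and time-based TOTP (RFC 6238). The block below is an added example written for this thread, not code from any poster or from Blizzard, Google or any token vendor. It implements both on the Python standard library and adds the two server-side checks that make the factor bite: a small clock-skew window, and a rule that the same time step is never accepted twice, which is what stops a code captured by a keylogger from being replayed in the seconds it is still valid. The secret is the ASCII test secret from the RFCs, embedded only so the block runs offline; a real secret is random and per device. User names and the `30 s` step are assumptions.

```python
# Added example (not any poster's code): HOTP (RFC 4226) and TOTP (RFC 6238)
# on the stdlib, with a verifier that tolerates one step of clock drift and
# refuses to accept the same step twice.
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

# Test secret from RFC 4226 / RFC 6238 ("12345678901234567890"), embedded for an offline demo.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch, i.e. what the fob display shows right now."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side. Remembers the last time step accepted per user, so a code
    that was just used cannot be entered again even though the fob still shows it."""

    def __init__(self, step: int = 30, digits: int = 6, skew_steps: int = 1) -> None:
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps            # tolerate +/- this many steps of clock drift
        self.secrets: Dict[str, bytes] = {}
        self.last_step: Dict[str, int] = {}

    def enrol(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def verify(self, user: str, code: str, now: Optional[int] = None) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        now = int(time.time()) if now is None else now
        current = now // self.step
        for candidate in range(current - self.skew_steps, current + self.skew_steps + 1):
            # Constant-time compare: short value, but no reason to leak a prefix match.
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                if candidate <= self.last_step.get(user, -1):
                    return False                # this step (or an older one) already used: replay
                self.last_step[user] = candidate
                return True
        return False


def demo_otp() -> Tuple[bool, bool, bool, bool]:
    """Good code; replay of it five seconds later; the next step's code seen by a
    server whose clock is 30 s behind (accepted); the first code two minutes on (rejected)."""
    v = TotpVerifier()
    v.enrol("alice", RFC_TEST_SECRET)
    t = 1111111109                                   # fixed "now" (an RFC 6238 vector time)
    fresh = totp(RFC_TEST_SECRET, t)                 # what the fob shows at t
    ok = v.verify("alice", fresh, now=t)
    replay = v.verify("alice", fresh, now=t + 5)     # same step, already consumed
    drift_ok = v.verify("alice", totp(RFC_TEST_SECRET, t + 30), now=t)
    stale = v.verify("alice", fresh, now=t + 120)    # four steps later: outside the window
    return ok, replay, drift_ok, stale


if __name__ == "__main__":
    print(demo_otp())
```

Note what the replay rule does not cover: malware that sits in the browser and drives the already-authenticated session, which is exactly the case Sancho's list of per-transaction controls (CAPTCHAs on money movement, short timeouts, login notifications) is aimed at. The OTP only proves who opened the session.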

Re:What about using your phone? (1)

tiksi (1527943) | more than 3 years ago | (#33500446)

So all someone has to do to access ALL of your accounts is steal your phone? But that would never happen, who's ever heard of a phone getting stolen?

Re:What about using your phone? (1)

Sancho (17056) | more than 3 years ago | (#33500510)

Phone could be password protected, with remote-wipe.

Re:What about using your phone? (1)

gmor (769112) | more than 3 years ago | (#33501424)

Google actually offers two-factor authentication with your cell phone [google.com] whenever you're at a new browser. It's not perfect yet: you can't revoke access for a browser once it's been verified, and there are unprotected APIs such as GData and IMAP. But at least it's a step in the right direction.

Just keep in mind... (0)

Anonymous Coward | more than 3 years ago | (#33500226)

Keep in mind that the username/password is stored on a server that a company owns, as well as other information you input such as your email, possibly credit card numbers.

Keep in mind that two companies, such as Google Mail and Facebook*, could potentially affiliate and 'share data', correlating a better picture of who you are and what you do. Basically, merging data from your spheres of influence on the internet, mostly with the intention to generate revenue or a dossier.

Keep in mind a universal login system facilitates this hot-swapping of information.

Keep in mind that while it is easier to remember 1 password than 10, if that 1 is broken, it's as bad as all of those 10 being broken.

And keep in mind that while you have RIGHTS, digital law is murky as hell, courts can hardly agree on what the fuck is what, there is a legal expectation of not sharing personally-identifiable information, however PII is not clearly defined, and in all honesty once you make it into the shitstorm that is the court of law you have very few clear 'digital rights'. The above affiliate-information-sharing system is entirely legal until some judge hits a case and says it's not. To a degree, most of the technocratic elite are youngsters, under the age of, say, 30. Most judges are well over their 30's, and many less technologically experienced than the average Slashdot subscriber, something which may or may not bode well when you need to educate on the finer points of internetworking in the courtroom. Lawmakers are also often shoved into this category, but it's a toss-up whether more have the acumen to even read the thousand-page bills they endorse and vote into law, much less the proficiency to understand more than F5'ing drudgereport.com.

* Just an extreme example; facebook has affiliates with which they can legally share anything you put on your page, even if you privatize it from other USERS. Presumably they sell these affiliations for money, re: 5 billion dollar company. Also presumably, Google is not a client of theirs. I really have no idea.

Already Have a Centralized Login Site for NYT? (0)

Anonymous Coward | more than 3 years ago | (#33500490)

Don't they already have a centralized login site for NYT? Always works fine for me.

http://www.bugmenot.com/view/nytimes.com

Makes more sense to just use one password (1)

gurps_npc (621217) | more than 3 years ago | (#33500988)

OK, so I could use one website with 1 password, trusting them with all my information (and look how great Facebook does), or I could use multiple websites with one password. In either case, I am trusting people not to screw with my information. So I am trusting more people with multiple sites, but they don't KNOW that I am trusting them. Sure it's security by obscurity, but it still makes more sense than trusting the same company with all my info. And it still lets me use one password for finances and another for my email and another for my medical information, and a third for all my social websites and games. No need to give the people I play games with ANY access to my finances. But honestly there are many better solutions than moronically giving away your privacy just to reduce the number of people that know your password. It's a really stupid idea.

Re:Makes more sense to just use one password (1)

Myopic (18616) | more than 3 years ago | (#33501708)

yes you could do that first thing, or that second thing, or any of a large number of other things which are all better than the first two options. good luck.

Central login and privacy (1)

Technomancer (51963) | more than 3 years ago | (#33501456)

Central login by definition links your multiple accounts to a single identity. In most cases it is not a problem. But do you really want somebody to know you login with the same ID to your bank, health insurance and pr0n site? I don't think so. I'd prefer to have several identities on-line. One for secure stuff (bank, financial, medical info etc), one for shopping, one for unimportant stuff like forums, diggs, facespaces etc and one or many for things that I may not be so proud of like pr0n sites. The quality of the passwords I use on these tiers of logins should be appropriate for the importance of the account.

An email password can allow access to most others (1)

r3xx3r (1358697) | more than 3 years ago | (#33501674)

Many many websites and programs that require passwords allow you to reset passwords by having them send you an email and a link in the email to reset the password. So, if your email password is compromised, many other passwords are compromised as well.