
DARPA Wants To Get Rid of Password Protection

samzenpus posted more than 2 years ago | from the forget-the-words dept.

Security 205

coondoggie writes "Researchers from the Defense Advanced Research Projects Agency will next week detail a new program it hopes will develop technology to dramatically change computer system security authorization. The program, called Active Authentication, looks to develop technology that goes way beyond today's use of hard to remember password protection and determine identity through 'use of software applications that can determine identity through the activities the user normally performs,' DARPA said."


205 comments

Great. (1)

Anonymous Coward | more than 2 years ago | (#38020146)

Everyone on Slashdot will be "authenticating" for the same account as they all browse Gizmodo and porn websites.

Re:Great. (5, Funny)

game kid (805301) | more than 2 years ago | (#38020246)

That's not true. I don't browse Gizmodo.

Re:Great. (1)

mlush (620447) | more than 2 years ago | (#38020860)

That's not true. I don't browse Gizmodo.

I don't browse Gizmodo any more:-(, they keep redirecting me to the UK site which gets perhaps 10% the comments that the US site gets.

Re:Great. (1)

jpapon (1877296) | more than 2 years ago | (#38021092)

I have the same problem, but with the German version... which is much harder for me to understand. Very annoying.

And suddenly... (1)

tigersha (151319) | more than 2 years ago | (#38020152)

acting becomes the hot new job area. Except the actors work for the Mafia now, not Hollywood.

Re:And suddenly... (1)

syousef (465911) | more than 2 years ago | (#38020286)

acting becomes the hot new job area. Except the actors work for the Mafia now, not Hollywood.

Much as well all find some actors so annoying that we'd like to see them knee capped, I don't think so ;-)

Re:And suddenly... (1)

mgiuca (1040724) | more than 2 years ago | (#38020452)

So how would things be different to what they are now?

Re:And suddenly... (0)

Anonymous Coward | more than 2 years ago | (#38020714)

"determine identity through the activities the user normally performs"

So, no way this would work for public servants.

This can only make the work place more awkward. (5, Funny)

Anonymous Coward | more than 2 years ago | (#38020158)

I shudder to think how much porn I would need to watch before I can check my email.

Re:This can only make the work place more awkward. (3, Funny)

syousef (465911) | more than 2 years ago | (#38020314)

I shudder to think how much porn I would need to watch before I can check my email.

Perhaps they'll incorporate biometrics of your private parts. Unzip, insert......."welcome mr todger, how may i assist you today".

Re:This can only make the work place more awkward. (5, Funny)

Tastecicles (1153671) | more than 2 years ago | (#38020530)

lol ok here you go [welookdoyou.com] . NSFW.

First website I ever bookmarked. I have waited for years to sneak that into a slashdot thread.

Re:This can only make the work place more awkward. (1)

bryan1945 (301828) | more than 2 years ago | (#38020594)

That is fascinating, horrifying, and WTF! all at the same time.

Re:This can only make the work place more awkward. (1)

syousef (465911) | more than 2 years ago | (#38020866)

That is fascinating, horrifying, and WTF! all at the same time.

Well I guarantee you anyone who pays $1000 for the pair of units gets F$@#ed...just not as intended. The only horrifying part is that there are people that desperate and stupid. Why on earth would anyone think that a masturbatory aid is best located attached to a mini-tower and located in a drive bay? I can only assume that anyone who thinks this is a good idea is in no danger of polluting the gene pool.

Re:This can only make the work place more awkward. (0)

Anonymous Coward | more than 2 years ago | (#38020838)

It would be shame not to mod you up when you waited so many years ;-)

Re:This can only make the work place more awkward. (1)

syousef (465911) | more than 2 years ago | (#38020868)

lol ok here you go [welookdoyou.com] . NSFW.

First website I ever bookmarked. I have waited for years to sneak that into a slashdot thread.

Glad I could provide an excuse to use it. You're lucky they didn't go out of business before you managed to.

Re:This can only make the work place more awkward. (1)

Tastecicles (1153671) | more than 2 years ago | (#38020932)

I just remembered... Family Guy already did it:

Female Voice: Welcome to the inner vault. Penial Identification required.
Quagmire: Let me handle this. [Unzips his pants, puts his pelvis to the door and it opens. He then re-zips his pants]
Peter: That's amazing? How the hell did you match it?
Quagmire: Oh, I didn't match the shape. I just stuck it in there and broke it.

Season 7 Ep. 7, "Oceans Three And A Half"

Re:This can only make the work place more awkward. (2)

ibib (464750) | more than 2 years ago | (#38020898)

"click to enlarge" suddenly has a new ring to it...

Re:This can only make the work place more awkward. (2)

Tastecicles (1153671) | more than 2 years ago | (#38021054)

As Cletus T. Judd famously said, "When I was a kid I was told that if I clicked my mouse too much I would go blind."

Re:This can only make the work place more awkward. (0)

Anonymous Coward | more than 2 years ago | (#38020914)

what happens if its cold...

Re:This can only make the work place more awkward. (2)

Sulphur (1548251) | more than 2 years ago | (#38021222)

I shudder to think how much porn I would need to watch before I can check my email.

Perhaps they'll incorporate biometrics of your private parts. Unzip, insert......."welcome mr todger, how may i assist you today".

I'm sorry Dave, I can't do that.

Re:This can only make the work place more awkward. (3, Funny)

deniable (76198) | more than 2 years ago | (#38020384)

Email doesn't worry me. ATMs do, especially if there's a line.

Obligatory XKCD (5, Funny)

mosb1000 (710161) | more than 2 years ago | (#38020160)

Here's the XKCD [xkcd.com] on password strength.

Re:Obligatory XKCD (0)

Anonymous Coward | more than 2 years ago | (#38020180)

I do this on reddit... it works great for remembering.

Re:Obligatory XKCD (0)

Anonymous Coward | more than 2 years ago | (#38020182)

That is a particularly cool one to me. XKCD is right on the money here...

Re:Obligatory XKCD (2)

TennCasey (1667347) | more than 2 years ago | (#38020194)

The main problem with that is that if it became normal practice, you could bet that password tools like John the Ripper and Medusa would add support for combining arbitrary dictionary words, thus making it not take that long to crack.

Re:Obligatory XKCD (3, Informative)

Anonymous Coward | more than 2 years ago | (#38020238)

Even assuming you only use the 3000 most common words in the English language, 4 words gives you close to the same number of possibilities as an alphanumeric password of 9 characters.

Re:Obligatory XKCD (3, Insightful)

moderatorrater (1095745) | more than 2 years ago | (#38020334)

That's assuming random distribution among the 3000 most common words. How non-randomly distributed the real world usage becomes is basically the entire strength of the scheme. A 9 character password should be strong by the pure math. In the real world, it's probably "password1" and will get cracked within 10 tries.

Re:Obligatory XKCD (4, Informative)

Anthony Mouse (1927662) | more than 2 years ago | (#38020604)

That's the whole point. Using "correct horse battery staple" is stronger in the real world because people can pick random common words, have a decently high level of entropy, but still remember the passphrase. As opposed to using "Pa$$word1" to meet the complexity requirements with something they can remember and then seeing it get cracked in fifteen seconds.

Plus, if you need more entropy, you can obviously just use more words. If you use something like "frozen biology department literally conducts every experiment after august but before march" then you have something with more entropy than you can crack in any practical amount of time even with offline methods (and even including the fact that it has grammatical ordering which reduces entropy some), but any idiot can memorize it in short order.

Re:Obligatory XKCD (1)

definate (876684) | more than 2 years ago | (#38020950)

Also, since most attacks are blind, they wouldn't necessarily know you're using words, or what word set, if there's caps or similar, perhaps it's somewhat salted with a few random characters at the start. The further you go, the more improbable it would be for them.

Re:Obligatory XKCD (2)

mark_elf (2009518) | more than 2 years ago | (#38021178)

frozen biology department literally conducts every experiment after august but before march is not available.

Alternatives:

frozen biology department literally conducts every experiment after august but before march1

frozen biology department literally conducts every experiment after august but before march99

Mrfrozen biology department literally conducts every experiment after august but before march2011

Re:Obligatory XKCD (1)

digitig (1056110) | more than 2 years ago | (#38021158)

Even assuming you only use the 3000 most common words in the English language, 4 words gives you close to the same number of possibilities as an alphanumeric password of 9 characters.

And of course, one of the words in the XKCD example is not one of the 3000 most common English words.

Re:Obligatory XKCD (3, Informative)

Anonymous Coward | more than 2 years ago | (#38020244)

You are missing the point of the comic. It explicitly measures the entropy [wikimedia.org] of the two password selection schemes. The selection scheme itself is not secret; the point is that if there are about 2048 (2^11) "common" words, then there are 2^44 passwords made out of 4 common words, which is a lot more than the estimated ~2^28 possibilities for the more common password scheme.

Re:Obligatory XKCD (3, Interesting)

jamesh (87723) | more than 2 years ago | (#38020344)

You are missing the point of the comic. It explicitly measures the entropy [wikimedia.org] of the two password selection schemes. The selection scheme itself is not secret; the point is that if there are about 2048 (2^11) "common" words, then there are 2^44 passwords made out of 4 common words, which is a lot more than the estimated ~2^28 possibilities for the more common password scheme.

What the comic doesn't take into account is methods of discovering the password other than brute force. If the password is known to be 4 common words, and you somehow discover a few letters of the password (eg looking over someone's shoulder) and have a rough idea of the placement of those letters within the password, it suddenly becomes a whole lot easier to guess what the remaining letters are, as opposed to a random password where knowing a few letters in the password doesn't help in determining what the other letters are. Using something like the acoustic keystroke logger posted on Slashdot the other day becomes a whole lot easier too as the search space is diminished because the words are common dictionary words.

Re:Obligatory XKCD (5, Insightful)

RajivSLK (398494) | more than 2 years ago | (#38020886)

You are misinterpreting the idea. The password is not stronger simply because it's longer. It's stronger because there are many more common words than there are letters in the alphabet. Think of each word in the password as a single letter. However, instead of the alphabet being 26 letters (or 62 if you include upper and lowercase and numbers) the alphabet is 2048 letters long. Then picking a 4 "letter" password gives you 2^44 bits of entropy. A completely random 8 letter alphanumeric password would give ~47 bits. If someone sees a couple of letters from a four word password and can somehow deduce from that an entire word (for argument's sake) you still have 2^33 bits of entropy. If somebody sees two characters from your 8 character randomly generated password you have only ~2^31 bits of entropy left. If you really must have random passwords it's really not a bad idea to at least tack on a single word to the end of your password just for the fun of it. Jg9D2js7 = 47 bits of entropy Jg9D2js7cricket = 58 bits of entropy and in the real world probably much harder to guess than four dictionary words because it doesn't follow one scheme or the other- it's a mix of the two.

Re:Obligatory XKCD (1)

RajivSLK (398494) | more than 2 years ago | (#38020892)

Sorry for the poor formatting-- here it is better:

You are misinterpreting the idea. The password is not stronger simply because it's longer. It's stronger because there are many more common words than there are letters in the alphabet.

Think of each word in the password as a single letter. However, instead of the alphabet being 26 letters (or 62 if you include upper and lowercase and numbers) the alphabet is 2048 letters long. Then picking a 4 "letter" password gives you 2^44 bits of entropy. A completely random 8 letter alphanumeric password would give ~47 bits.

If someone sees a couple of letters from a four word password and can somehow deduce from that an entire word (for argument's sake) you still have 2^33 bits of entropy. If somebody sees two characters from your 8 character randomly generated password you have only ~2^31 bits of entropy left.

If you really must have random passwords it's really not a bad idea to at least tack on a single word to the end of your password just for the fun of it.
Jg9D2js7 = 47 bits of entropy
Jg9D2js7cricket = 58 bits of entropy and in the real world probably much harder to guess than four dictionary words because it doesn't follow one scheme or the other- it's a mix of the two.

Word combinations are BS (1)

Anonymous Coward | more than 2 years ago | (#38021230)

This idea is bullshit.

the alphabet is 2048 letters long

Yes, but more like 8000-20000 "letters", if you take an average native vocabulary.

Then picking a 4 "letter" password gives you 2^44 bits of entropy.

No. Not unless a computer chooses this at random. A human will pick MEANINGFUL, grammatically correct word combinations (or some "smart" variation, like replacing O with 0, which in fact is not smart at all, but very typical and commonplace).

But how easy is it to remember COMPLETELY random choices from such a large set, even if the words themselves are known? We know the alphabet, but we can't necessarily remember a specific combination of letters from the alphabet.

So what's REALLY going on here? Simply that the words in the XKCD example are easy to remember because they DO have meaning; they're not random at all; no more than 0123456789 is a "random" combination of numbers.

Re:Obligatory XKCD (1)

mbkennel (97636) | more than 2 years ago | (#38020252)

If there are really 44 bits of entropy then it should be OK. XKCD looks at 4 words of 11 bits---2048 possibilities if uniformly distributed, given humans, that's probably not unreasonable.

We have to let the computer choose the password, and the human agree to memorize it. And it MUST be 4 words, not one, or three.

Five is *right* *out*.

Re:Obligatory XKCD (1)

syousef (465911) | more than 2 years ago | (#38020394)

We have to let the computer choose the password, and the human agree to memorize it. And it MUST be 4 words, not one, or three.

Five is *right* *out*.

That sounds like a sendup of a Monty Python skit.

Re:Obligatory XKCD (5, Informative)

adamchou (993073) | more than 2 years ago | (#38020388)

i'm not sure i completely agree with that. for one thing, he calculates entropy wrong. according to wikipedia, the set of all ascii characters has an entropy of 6.5446 bits per character. given an 11 character password, that's ~72 bits. a 26 letter character set has an entropy of 4.7004 bits per character with 24 letters, that gives the password 112 bits. that doesn't make my case for why i disagree, just showing that he calculated entropy wrong. i actually don't even know how he came up with those numbers.

now, as to why i don't disagree, let me first define a premise. the password is being attacked via a brute force attack. there are no rainbow tables in use or exploiting of the encryption algorithm. a dictionary can and will (as you'll see later on) be used. now, let me recalculate the passwords in terms of possible password permutations. i don't know how to calculate it with bits of entropy and even if i did, it'd be really confusing to understand.

with a 24 character length password from a set of 26 characters, the number of possible passwords is 26^24 or 9.1 x 10^33. for a password that is 11 characters in length from a 96 character set, it's 96^11 or 6.4 x 10^21. again, the plaintext password is stronger.

now here's where my criticism comes in... when you reduce the password to using only english words, you exclude from the set of possible passwords words like "sdfjae" or "fjwioxe". in other words, it's no longer completely random. in fact, i believe you so significantly reduce the entropy space that it is now much weaker than the random character password.

let's take for instance a 5 character length password. given all available password combinations, that would yield us the set of possible passwords that is 26^5 or 11,881,376. now using the dictionary at http://www.wordbyletter.com/words_by_length.php [wordbyletter.com] , i used a script to pull all the 5 letter words and count how many there were. that yielded us 9755 words. of course, it's possible the word list at that site isn't complete and once you start increasing the character length, the number of word combinations will increase.

i'm not going to try to calculate the possible number of permutations of a 24 character english word password but it's definitely significantly less than the 112 bits of entropy we calculated earlier. is it less than the 72 bits for the ascii character set? i don't know. but maybe someone smarter than me can go tell us that one.

therefore, this allows us to use a brute force attack that doesn't attempt every character but rather, every possible word in the english dictionary. it should also be noted that most of the words in the english dictionary are extremely rare and usually unheard of. my point in this wasn't to conclusively disprove the artist's rendition. rather, i just wanted to draw doubt and show that there might after all be a reason why we don't use extremely long passwords of words we commonly use.

Re:Obligatory XKCD (1)

thegarbz (1787294) | more than 2 years ago | (#38020538)

You've made a false assumption there. When using passwords you can't assume the entropy of the entire ASCII table as you're limited to what you can input. For one thing the first 32 characters of the ASCII table can't be typed. A lot of passwords will also only allow a limited set of special characters disallowing things like | or escape characters like \.

Re:Obligatory XKCD (2)

adamchou (993073) | more than 2 years ago | (#38020990)

I didn't. You actually made the false assumption. The wikipedia article [wikipedia.org] only counts all printable ascii characters. As for a password not allowing escape characters... I've never seen one that didn't allow escape characters. That's just bad coding if that's what the programmer did.

Re:Obligatory XKCD (0)

Anonymous Coward | more than 2 years ago | (#38020612)

i'm not sure i completely agree with that. for one thing, he calculates entropy wrong.

dude, "Tr0ub4dor&3" is not random.

Re:Obligatory XKCD (1)

xenobyte (446878) | more than 2 years ago | (#38020706)

The 4 words scheme suggested isn't bad, as long as the hacker doesn't know that this is what you're doing.

To make it safe in a world where John The Ripper implements many of such schemes in its initial dictionary style attacks, you need to introduce both other symbols than lowercase a-z, and glue characters between those words. If you 'lamerfy' those words and add three glue characters, one between each of the words, you still need to remember only 7 items (four words and three symbols) and you still get a password that isn't readily guessed or constructed by cracking tools and thus ends up with an entropy similar to a string of random characters of the same length. And it's easier to remember than that string of random characters...

Re:Obligatory XKCD (0)

Anonymous Coward | more than 2 years ago | (#38020740)

The 4 words scheme suggested isn't bad, as long as the hacker doesn't know that this is what you're doing.

good luck with that [wikipedia.org]

Re:Obligatory XKCD (0)

Anonymous Coward | more than 2 years ago | (#38020788)

I don't see the problem? Even in a completely transparent system you have to assume that the hacker does not know anything about the key.

Re:Obligatory XKCD (0)

Anonymous Coward | more than 2 years ago | (#38021170)

the attacker doesn't know the key, but the attacker does know how the key is generated.

Re:Obligatory XKCD (5, Informative)

edgr (781723) | more than 2 years ago | (#38020758)

i'm not sure i completely agree with that. for one thing, he calculates entropy wrong. according to wikipedia, the set of all ascii characters has an entropy of 6.5446 bits per character. given an 11 character password, that's ~72 bits. a 26 letter character set has an entropy of 4.7004 bits per character with 24 letters, that gives the password 112 bits. that doesn't make my case for why i disagree, just showing that he calculated entropy wrong. i actually don't even know how he came up with those numbers.

People understanding things in this way is exactly why everyone chooses bad passwords. His point is that if everyone has passwords like Tr0ub4dor&3, password guessers won't guess random printable ASCII characters, they'll guess a word and then try some substitutions on it.

So 'Troubador' can be guessed with a dictionary attack, which is why the word only gets about 16 bits of entropy (that puts it in the top 64000 most common words in English). There is additional entropy added by the substitutions but substituting '0' for 'o' is much easier to guess than changing the 'o' to a random character.

i'm not going to try to calculate the possible number of permutations of a 24 character english word password but it's definitely significantly less than the 112 bits of entropy we calculated earlier. is it less than the 72 bits for the ascii character set? i don't know. but maybe someone smarter than me can go tell us that one.

And again, since an attacker would be using a dictionary attack, the correct way to calculate entropy is per word, not per character. The xkcd calculates 11 bits of entropy per common word which suggests these words are in the top 2^11=2048 most common words which seems reasonable (a quick glance at wikipedia suggests around 80% of the words in written texts are built from the most common 2000 words). So we get 44 bits of entropy. Obviously less than 72 bits but how many people are really going to create a completely random alpha-numeric-punctuation string of 11 characters (not built from a word or pattern)?

Re:Obligatory XKCD (4, Informative)

Anthony Mouse (1927662) | more than 2 years ago | (#38020848)

now here's where my criticism comes in... when you reduce the password to using only english words, you exclude from the set of possible passwords words like "sdfjae" or "fjwioxe". in other words, it's no longer completely random. in fact, i believe you so significantly reduce the entropy space that it is now much weaker than the random character password.

Of course you reduce the amount of entropy, per character. The point is to use more characters in order to make the password have the same level of security while being easier to remember.

The example four English word password "correct horse battery staple" has 28 characters. It has about the same amount of entropy as a 7 character password that randomly uses any of the slightly less than 100 characters you can type on a keyboard. A 28 character random password has preposterously more entropy. But it looks like this: "#1-:';Gqz_UR]l~g607PM_/v@/e6". That's utterly useless because the user will never remember it so it ends up on a sticky note on the user's monitor. Even the 7 character random password ends up on the sticky note. The four English word password gets memorized and not written on anything.
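The entropy arithmetic argued back and forth in this sub-thread (2048 words giving 2^44 passphrases, the 26^24 and 96^11 figures, the "one word leaked" case, and tacking a word onto a random string) all reduces to one formula: bits = symbols × log2(alphabet size), computed under the assumption that the attacker knows the scheme and only the choices are secret. The following Python is an added example, not code from the thread or from xkcd; the word list is a constructed eight-entry stand-in for a real ~2048-word dictionary, and the guess rate used for the time estimate is an assumed figure, not a measurement.

```python
import math
import secrets

# Constructed stand-in for a real ~2048-entry common-word list (only 8 entries
# so the block runs offline; a real generator would load a full list).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cricket", "frozen", "biology", "department"]

LOWERCASE = 26          # a-z
ALPHANUMERIC = 62       # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95    # 0x20..0x7E, what a keyboard can actually type


def bits_for_random_string(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet.

    Equals log2(alphabet_size ** length). Only valid when a CSPRNG picked every
    symbol; a human-chosen "Pa$$word1" has far less than this formula says.
    """
    return length * math.log2(alphabet_size)


def bits_for_word_passphrase(dictionary_size: int, word_count: int,
                             leaked_words: int = 0) -> float:
    """Entropy of `word_count` words drawn uniformly (with replacement).

    Each word is one 'letter' of a dictionary_size-letter alphabet, so the
    scheme being public costs nothing. `leaked_words` models an attacker who
    already knows that many whole words (shoulder surfing, a keystroke logger);
    each known word removes log2(dictionary_size) bits.
    """
    remaining = max(word_count - leaked_words, 0)
    return remaining * math.log2(dictionary_size)


def expected_guesses(bits: float) -> float:
    """Average work for an attacker who knows the scheme: half the space."""
    return 2 ** (bits - 1)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected cracking time at an assumed offline guess rate."""
    return expected_guesses(bits) / guesses_per_second


def generate_passphrase(words, word_count: int = 4, separator: str = " ") -> str:
    """Pick words with the CSPRNG so the entropy figure above actually holds;
    a person picking 'meaningful' words gets much less than word_count*log2(N)."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def compare_schemes(dictionary_size: int = 2048, word_count: int = 4,
                    alphabet_size: int = ALPHANUMERIC, length: int = 8) -> dict:
    """Side-by-side figures for a word passphrase and a random character string."""
    return {
        "words_bits": bits_for_word_passphrase(dictionary_size, word_count),
        "words_bits_one_leaked": bits_for_word_passphrase(dictionary_size, word_count, 1),
        "chars_bits": bits_for_random_string(alphabet_size, length),
        "chars_bits_two_leaked": bits_for_random_string(alphabet_size, length - 2),
        "mixed_bits": bits_for_random_string(alphabet_size, length)
                      + bits_for_word_passphrase(dictionary_size, 1),
    }


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate, guesses per second
    for label, bits in [
        ("4 words from 2048", bits_for_word_passphrase(2048, 4)),
        ("8 random alphanumeric", bits_for_random_string(ALPHANUMERIC, 8)),
        ("24 random lowercase", bits_for_random_string(LOWERCASE, 24)),
        ("11 random printable ASCII", bits_for_random_string(PRINTABLE_ASCII, 11)),
    ]:
        print(f"{label:28s} {bits:6.1f} bits  ~{expected_crack_seconds(bits, rate):.3g} s")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The `leaked_words` and `length - 2` figures in `compare_schemes` are the two halves of the "what if someone sees part of it" exchange above: with word-level entropy, losing one word of four leaves 33 bits, while losing two of eight random alphanumeric characters leaves about 35.7, so the two schemes degrade similarly per leaked unit. Crack times scale with 2^bits, so every 10 bits is roughly a thousand-fold increase in attacker effort at a fixed guess rate.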

Misapplied theory. (2)

mosb1000 (710161) | more than 2 years ago | (#38021154)

The point is that people remember words, not characters, so it makes absolutely no sense to use a string of random characters as a password. By disregarding the way people actually think, and the passwords that are generated in practice (rather than in theory), security "experts" have managed to build a standard that results in lots of forgotten passwords while still being relatively insecure when applied in the real world.

It's the definition of boneheaded groupthink, and your post is just another example of someone misapplying theory by ignoring all the practical considerations. It's like it actually never occurred to you that people need to be able to remember their passwords.

Or... (2)

ysth (1368415) | more than 2 years ago | (#38020164)

everyone could just make their password "rms"

Re:Or... (1)

TheInternetGuy (2006682) | more than 2 years ago | (#38020198)

It could work if everyone had really difficult to guess user names.

Re:Or... (1)

mcvos (645701) | more than 2 years ago | (#38020992)

You joke, but the crappy online banking system my bank uses, has assigned me a really hard to remember username.

I can choose my password freely, fortunately, but they have stupid limitations and requirements forcing me to make my password easier. I really need to switch to a different bank someday.

Google and Facebook already do this, no ? (1, Interesting)

droopycom (470921) | more than 2 years ago | (#38020166)

Authenticate based on "activities the user normally perform" ?

Aren't Google, Facebook and advertisers already tracking our every move ? And figuring out when people come back to visit a site ?

I'm sure you can identify people that way, but can it really be secure ?

Re:Google and Facebook already do this, no ? (3, Interesting)

thegarbz (1787294) | more than 2 years ago | (#38020560)

When we recently traveled I logged into Facebook on my phone. At home I log in from many different devices at many different places in the city. None of this rings alarms. As I was traveling Facebook didn't blink an eye when I suddenly logged in from Europe.

My girlfriend on the other hand was not so mobile. She last logged in from Australia. When she sat down at a kiosk in Dubai and logged in Facebook refused her login and made her play a guessing game. It showed pictures of her friends and asked her to match the faces to the names.

I was actually quite impressed with not only the way in which Facebook didn't simply accept the login but also posed a quiz that worked quite well at identifying if you are who you say you are.
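The behaviour described in this comment, a login being accepted or challenged depending on how far it departs from the user's own recent history, is the kind of risk-based decision the DARPA summary is pointing at. The sketch below is an added example for illustration only, not Facebook's actual logic and not from the thread: the `LoginEvent` fields, the 90-day window, the `mobility_threshold` heuristic and the two sample users are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    user: str
    country: str      # country of the source address (constructed two-letter codes below)
    device_id: str    # stable identifier the client presents, e.g. a device cookie
    when: datetime


def baseline(history, user, now, window_days=90):
    """Recent successful logins for this user form the behavioural baseline."""
    cutoff = now - timedelta(days=window_days)
    return [e for e in history if e.user == user and cutoff <= e.when <= now]


def needs_step_up(history, attempt, window_days=90, mobility_threshold=3):
    """Return True when the attempt should face extra verification (a second
    factor, or a challenge like the friend-photo quiz mentioned in the thread)
    before the password alone is trusted.

    Hypothetical heuristic: a new country on a new device is always challenged;
    a new country on a known device is tolerated only for users whose baseline
    already spans several countries or devices, so a habitual traveller's phone
    showing up abroad is not treated like a single-laptop user at a foreign kiosk.
    """
    recent = baseline(history, attempt.user, attempt.when, window_days)
    if not recent:
        return True  # no baseline at all: nothing to compare against
    known_countries = {e.country for e in recent}
    known_devices = {e.device_id for e in recent}
    new_country = attempt.country not in known_countries
    new_device = attempt.device_id not in known_devices
    if new_country and new_device:
        return True
    if new_country:
        mobility = len(known_countries) + len(known_devices)
        return mobility < mobility_threshold
    return False


# Constructed sample history: one user who logs in from many devices at home,
# one who always uses the same laptop in the same country.
NOW = datetime(2011, 11, 12, 9, 0)
SAMPLE_HISTORY = [
    LoginEvent("traveler", "AU", "phone", NOW - timedelta(days=30)),
    LoginEvent("traveler", "AU", "laptop", NOW - timedelta(days=20)),
    LoginEvent("traveler", "AU", "work-pc", NOW - timedelta(days=10)),
    LoginEvent("traveler", "AU", "tablet", NOW - timedelta(days=5)),
    LoginEvent("homebody", "AU", "home-laptop", NOW - timedelta(days=40)),
    LoginEvent("homebody", "AU", "home-laptop", NOW - timedelta(days=12)),
    LoginEvent("homebody", "AU", "home-laptop", NOW - timedelta(days=3)),
]


if __name__ == "__main__":
    for attempt in [
        LoginEvent("traveler", "FR", "phone", NOW),        # known phone, new country
        LoginEvent("homebody", "AE", "kiosk-dubai", NOW),  # new device and new country
        LoginEvent("homebody", "AU", "home-laptop", NOW),  # business as usual
    ]:
        verdict = "challenge" if needs_step_up(SAMPLE_HISTORY, attempt) else "accept"
        print(f"{attempt.user:9s} {attempt.country} {attempt.device_id:12s} -> {verdict}")
```

The point a defender should take from this is that the decision is about deviation from an individual baseline, not about geography as such: the same foreign login is accepted for one user and challenged for another. Whatever the step-up is, it should be something the legitimate user can pass and an attacker holding only the password cannot; the failure mode to watch is a challenge that leaks enough to be answered by someone who already controls the account's public data.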

Re:Google and Facebook already do this, no ? (1)

JasterBobaMereel (1102861) | more than 2 years ago | (#38020946)

You can see my fingerprints, see my face, fairly easily see my retinas, watch what I do... now tell me, what is my password...?

TSA Authenticator (2)

Greyfox (87712) | more than 2 years ago | (#38020174)

Validates your identity after fondling your balls for 3 minutes.

Re:TSA Authenticator (0)

Anonymous Coward | more than 2 years ago | (#38020808)

No, no, no. They validate your identity with the driver's license check, then fondle your balls for three minutes.

<sarcasm>After all, if you don't want to be manhandled by a member of your own gender for several minutes, it must be either because you hate America (which makes you a terrorist) or because you consider homosexuality to be evil, which means you must be a Muslim, which means you must be a terrorist. See how much more sense it makes when... no, wait....</sarcasm>

Sometimes I wonder what's more absurdly broken: the TSA's notion of security or Internet banking's notion of security. Then I fly somewhere and lose all doubt. Could be worse, though. At least nobody has smuggled a bomb up his @$$ yet. I can see the conversation as yet another anal-probed passenger waddles away from the security line:

TSA agent: Rectum? I hardly knew 'im.

yeah! (0)

Anonymous Coward | more than 2 years ago | (#38020190)

1984 is coming...............first thought.

Get Arrested for 3AM Programming (0)

Anonymous Coward | more than 2 years ago | (#38020196)

Or, any other time you are acting irregularly. Just had a meeting with idiotic higher-ups that made you a bit punchy?; writing a grocery list, (because most people frequently use the words Cabbage and Celery at work); using different names for scenarios than you normally use?
Flagged or kicked or arrested...

"Active" Authentication? (0)

Trogre (513942) | more than 2 years ago | (#38020210)

Sounds worryingly Microsoft-ish.

Not that it's a problem in this case, since this system is doomed to fail before it even begins.

Re:"Active" Authentication? (3, Interesting)

syousef (465911) | more than 2 years ago | (#38020308)

Sounds worryingly Microsoft-ish.

Not that it's a problem in this case, since this system is doomed to fail before it even begins.

So many things wrong with this idea. I'd hate for my to change a little and all of a sudden I'm locked out.

I guess you'd be able to replace one Office Space drone with another ("I usually come in about 15 minutes late, i use the side door that way lumberg can't see me, then i just kinda space out for about an hour.")

Re:"Active" Authentication? (1)

gutnor (872759) | more than 2 years ago | (#38021078)

So many things wrong with this idea. I'd hate for my to change a little and all of a sudden I'm locked out.

Why do people assume that "being resilient to mood change" is not part of the acceptance criteria of the solution ... DARPA wants a solution to replace password that works in practice, not just pick a random idea from a brainstorming session.

really? (0)

Anonymous Coward | more than 2 years ago | (#38020226)

This has got to be the stupidest fucking idea I have ever read about. Clowns like these just make fools of us all...

Re:really? (1)

mcavic (2007672) | more than 2 years ago | (#38020408)

+1, thank you.

Actually, it's an interesting idea, the ability for a machine to recognize a person just by their mere presence. I just don't see how it's possible without using biometrics.

Not surprising... (1)

SuperCharlie (1068072) | more than 2 years ago | (#38020262)

It was only a matter of time before they found a way to use all the Google, Twitter and Facebook data to uniquely identify people and groups. "it doesn't matter if I post up my fish on Facebook or tell people I'm eating at Joe's on my twitter feed" I've heard that a thousand times here.. It's not the specific data..it's how it is used in a grander scheme. And even if you don't participate, the algorithms and systems created from this still affect you. This is the first step to positive, unescapable recognition. Thanks.

TFS doesn't make sense. (3, Interesting)

Tastecicles (1153671) | more than 2 years ago | (#38020324)

System authentication takes place, necessarily, BEFORE any activity can take place. Therefore, there's no way in this physical universe you can run an authentication based upon a user's activity to unlock the platform he would need access to to actually *do* anything.

My first thought on this, however, is old hat: fingerprint recognition (easily defeated with a boxcutter and a Kleenex), facial recognition (the jury's out on this one, I have a Windows 7 box and FR authentication just plain doesn't work), voice sampling (decent quality analogue playback? Help me out here, how easy is it to defeat a voice sampler?), retinal scanning... there are several methods of passwordless authentication, which can be made more secure (and quite possibly safer) with random combination of two or three of them. I'll tell you how old hat: Star Trek II. Kirk authenticates himself for access to Project Genesis report with voice sampling and retinal scan. That was a plot device used in a movie in what, 1982? Yeah, a bit before HD webcams and commercially available low power LED lasers. Way before MP3. If DARPA are trying any of this on for patents, they'll fall over on prior art.

Re:TFS doesn't make sense. (1)

mark-t (151149) | more than 2 years ago | (#38020410)

Prior art in the context of patents always refers to something that actually existed previously. This keeps people from patenting things that other people patented long ago, where the patents have expired. Something being in a work of fiction won't cut it as an example of "prior art".

It may, however, make it qualify as "obvious".... particularly if the fictional work is popular.

Re:TFS doesn't make sense. (1)

Anonymous Coward | more than 2 years ago | (#38020546)

Also I don't think that anywhere in U.S.C. Title 35 is there any kind of provision that allows the government to patent an idea. So really why are we talking about prior art with a group of people who can't patent anything and by some creative use of a TOP SECRET stamp go ahead and ignore any existing patents?

Re:TFS doesn't make sense. (0)

Anonymous Coward | more than 2 years ago | (#38020632)

System authentication takes place, necessarily, BEFORE any activity can take place.

Well, that is what they will figure out after receiving the budget increase.

It's the same thing as your burglar alarm going off after the burglar has been in your house for 20 minutes and based on his activities the system finally determines that it is not you.

Re:TFS doesn't make sense. (0)

Anonymous Coward | more than 2 years ago | (#38020656)

What about handwriting, except rather than simply analyzing the sample of the handwriting, you analyze the whole movement of the hand? That's just an example, so please don't hold me to it as the gold standard. The idea is, "to authenticate, play this game for two minutes and we'll see how your mouse/keyboard/game movement correlates with sessions where we knew you were you." Can still be thrown off for certain things, though, such as intoxication, injury.

The basic idea does pan out, especially if you can create a series of short tasks with enough leeway to allow "sloppy" authentication while still prohibiting fakes with a high level of certainty.
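The "sloppy" correlation check described above, as an added example that is not part of the original post: a baseline of inter-key intervals from sessions where the user was known to be present, and a tolerance band that accepts a normal session, rejects a stranger, and (the failure mode the post mentions) also rejects the same user typing while slowed down. All timings are constructed sample data.

```python
"""Added example, not from the Slashdot thread: score a typing session
against a baseline built from sessions where the user was known to be present.
All inter-key timings below are constructed sample data, not measurements."""
from statistics import mean, pstdev

# Constructed baseline: inter-key intervals (seconds) from three known-good sessions.
BASELINE_SESSIONS = [
    [0.18, 0.21, 0.17, 0.25, 0.19, 0.22, 0.20, 0.16],
    [0.20, 0.19, 0.23, 0.18, 0.21, 0.24, 0.17, 0.19],
    [0.17, 0.22, 0.20, 0.19, 0.23, 0.18, 0.21, 0.20],
]
# Constructed probe sessions: the same user, a stranger, and the same user
# slowed down (the intoxication/injury case the post mentions).
LEGIT = [0.19, 0.24, 0.21, 0.17, 0.22, 0.20, 0.23, 0.18]
STRANGER = [0.31, 0.35, 0.29, 0.33, 0.30, 0.36, 0.32, 0.34]
SLOWED = [0.25, 0.28, 0.26, 0.29, 0.27, 0.26, 0.28, 0.25]


def build_profile(sessions):
    """Mean and spread of the user's inter-key intervals across known sessions."""
    intervals = [dt for session in sessions for dt in session]
    # Guard against a zero spread so the z-score below never divides by zero.
    return {"mean": mean(intervals), "std": max(pstdev(intervals), 1e-3)}


def inlier_fraction(profile, intervals, z_band=2.5):
    """Fraction of a session's intervals that fall within z_band standard
    deviations of the user's typical interval. This is the leeway: a few odd
    keystrokes do not matter, the overall rhythm does."""
    inside = sum(1 for dt in intervals
                 if abs(dt - profile["mean"]) / profile["std"] <= z_band)
    return inside / len(intervals)


def matches(profile, intervals, min_inliers=0.75):
    """Sloppy match: accept when at least min_inliers of the rhythm fits."""
    return inlier_fraction(profile, intervals) >= min_inliers


if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    for name, session in (("legit", LEGIT), ("stranger", STRANGER), ("slowed", SLOWED)):
        print(name, round(inlier_fraction(profile, session), 2), matches(profile, session))
```

The slowed session scores only 0.25, so a system like this needs a fallback path for the days the user is not themselves, which is the objection raised elsewhere in the thread.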

Re:TFS doesn't make sense. (0)

Anonymous Coward | more than 2 years ago | (#38020888)

Star Trek computers use three-factor authentication. At least on Federation ship computers. The user's security code (which isn't very secure, as they speak it loudly to the computer), voice recognition and a physical token in the form of the commbadge. Authentication requires the right phrase be spoken in the right voice and in the room where the badge is located.

Re:TFS doesn't make sense. (0)

Anonymous Coward | more than 2 years ago | (#38021110)

System authentication takes place, necessarily, BEFORE any activity can take place. Therefore, there's no way in this physical universe you can run an authentication based upon a users' activity to unlock the platform he would need access to to actually *do* anything.

Not necessarily. In case the current system can somehow hand over the identity to the next system (a quick example would be a token like Kerberos, SAML, OAuth), then in that case authentication would be done based on a system that transfers that identity to the next system. For example (probably a bad analogy), the person enters the building and based on their behavior till the point they reach the desk(top) we can decide whether we want to allow the user access to the desktop and so on.

Vaporware (-1)

Anonymous Coward | more than 2 years ago | (#38020364)

Since we're discussing vaporware, I am developing something similar to this except you'll have to perform no actions for it to determine your identity.

And when you exhibit abnormal behavior?? (4, Interesting)

Toe, The (545098) | more than 2 years ago | (#38020368)

"Normal" behavior is a baseline, not a universal.

What about when you have a cold? Your voice is messed up, your brain is foggy, you become clumsy which means your behaviors change, you take medicines which make you groggy and thus different, and so on.

What about when you start taking a prescription (or other) drug that messes with your mind and/or with your reflexes, and/or with your nervous system?

What about when you're in a bad mood? What about when you've just experienced a life-changing event and everything about you seems different? What about if you get food poisoning, get hit by a bus, get burned in a fire, get a brain tumor, or are just having a bad friggin' day?

How many people are "normal" every day of their life? 0.00000000%, right?

Re:And when you exhibit abnormal behavior?? (1)

Psychotria (953670) | more than 2 years ago | (#38020424)

And what about people like me who have 21, 34, 55, 89, 144 or more personalities (sometimes less)? It's going to be terrible :-(

Re:And when you exhibit abnormal behavior?? (0)

Anonymous Coward | more than 2 years ago | (#38020844)

I can see how this new protection will end...

1) A guy can't gain access because he isn't feeling good that day
2) Guy tries again and again
3) Guy gets frustrated, starts getting postal

Re:And when you exhibit abnormal behavior?? (1)

Tastecicles (1153671) | more than 2 years ago | (#38021064)

oh no, this is DARPA.

Guy on Deadman Switch suddenly develops cataracts, the skin falls off his hands and a killer virus destroys his larynx.

Meet you sixty miles up in about four minutes.

What if behaviours change? (4, Insightful)

MacTO (1161105) | more than 2 years ago | (#38020438)

Memories (or notes) don't change radically. Ditto for biometrics. Yet behaviours do change, as soon as a person's priorities change. It may not happen often and there is probably a transition period, but I would be lying if I claimed that I am the same person I was a year ago.

For a group concerned about military security, like DARPA, denying access based upon behavioural changes may be appropriate. After all, it may demonstrate bribery or blackmail or some other change of heart. But for everyday transactions it is inappropriate. After all, would you want to be denied access to your money because you went from a greedy SOB to a charitable person (or vice versa)?

Re:What if behaviours change? (2)

justin12345 (846440) | more than 2 years ago | (#38020550)

For a group concerned about military security, like DARPA, denying access based upon behavioural changes may be appropriate. After all, it may demonstrate bribery or blackmail or some other change of heart.

Or getting shot at. Isn't the saying that life in the military consists of long stretches of boredom, occasionally interrupted by brief periods of utter terror? I'd hate to lose access to the network the moment I needed it most just because an IUD just put a shard of metal in my hand, making it difficult to talk or type at my normal rate.

Re:What if behaviours change? (0)

Anonymous Coward | more than 2 years ago | (#38020728)

I thought IUDs went in the uterus, not the hand...

Re:What if behaviours change? (0)

Anonymous Coward | more than 2 years ago | (#38020900)

just because an IUD just put a shard of metal in my hand, making it difficult to talk or type at my normal rate.

I like extreme pr0n as much as anyone, but if you ended up with a shard of metal in your hand from interacting with an IUD then you are definitely Doing It Wrong.

Re:What if behaviours change? (1)

jpapon (1877296) | more than 2 years ago | (#38021136)

Also, as a general rule, I don't think you are generally getting shot at while you are trying to enter a password into a computer. If so, you should probably deal with the people shooting at you instead of trying to read your encrypted email.

They can do this all they want. (0)

Anonymous Coward | more than 2 years ago | (#38020464)

No matter what they want us to do I will keep my 1024bit encrypted disks safe with a constantly changing randomly generated 128 or more character password.

We already have better tech (2)

jtownatpunk.net (245670) | more than 2 years ago | (#38020624)

Put a USB fingerprint reader on a key fob. The device makes a secure connection to the service requesting authentication and does its magic. Authentication is only accepted from readers registered to the account. For really secure access (banking and such), send an SMS to the user's validated cell phone or an email to their verified email account with a one-time code that the person has to enter before it expires in a minute or two.

There are plenty of ways we can provide secure authentication that don't rely on memorizing random character strings. Trouble is, "the world" needs to agree on a standard and implement it.

Re:We already have better tech (1)

JasterBobaMereel (1102861) | more than 2 years ago | (#38020938)

Fingerprint readers can be easily defeated ...

Now go away and do some bricklaying without gloves, and then try and access your computer ... oh sorry you won't have fingerprints for a week or so ...

Re:We already have better tech (0)

Anonymous Coward | more than 2 years ago | (#38021126)

Fingerprint is a password you leave behind everywhere you go. Having a fingerprint reader on a laptop, where you have fingerprints all over, is FAIL (in my book). You can easily transfer a fingerprint to a paper and fool the reader (I think).

Re:We already have better tech (1)

biodata (1981610) | more than 2 years ago | (#38021212)

Cue epidemic of amateur finger amputations by petty criminals looking to log in to people's bank accounts. Fingerprint (and iris scan and all other biometrics) are not secure in any way at all. You can fool them by forging the biometric with a photograph or other copy, or obtain the body part itself.

Because the government would never violate ... (1)

oheso (898435) | more than 2 years ago | (#38020712)

Guidorizzi expects researchers to take special care to ensure this program doesn't violate privacy laws or allow information about a user's identity to be misused by others.

Er ... this is for DARPA.


My dog would be a bad authenticator (0)

Anonymous Coward | more than 2 years ago | (#38020876)

My house key will get you into my house, but the dog in my living room knows you're not me. No amount of holding up my key and saying you're me is going to convince my dog you're who you say you are. My dog knows you don't look like me, smell like me or act like me.

My dog knows you're not me too, and if you're futzing around outside she might bark at you. But as soon as you come inside, the worst thing that might happen is that you'll be licked to death or concussed by her happily wagging tail.

new authorization scheme (1)

mitashki (1116893) | more than 2 years ago | (#38020904)

I will let my dog enter the passwords for me from now on. In this way I will remove myself as possible man-in-the-middle.

Stage 2 (1)

VoidCrow (836595) | more than 2 years ago | (#38021056)

Cue applications that polymorph and cue the user to change his/her behavior according to learned profiles.

Forget passwords. We use keys today. (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38021076)

We know passwords don't work, so change the concept to keys. People understand keys. They know they aren't expected to remember them so they keep them safe on keyrings and a standard (preferably cross platform) OS service should be a keyring manager.

A password: twulriem
A short key: XiuPE&(K-8Ln:5;&S_?H'a/3

So instead of password fields, use key block fields. Expect that people will save the key in a key manager.


Contribute instead of complaining (1)

spaceman375 (780812) | more than 2 years ago | (#38021166)

All the comments so far have been focused on why it won't work or will be a problem (I'm not counting the snarky ones.) How about you geniuses come up with workable suggestions? I've thought for years that we need a trust based system. Every method for authentication is fallible and hackable, so we need to use a mix of them. Every time my face is on camera (red light camera, store security camera, the web cam two cubicles over...), it should be verified that I match previous facial recognitions. Every time I speak any microphone within range should authenticate my voice. Automatic tracking of my cellphone and car should contribute. One very important factor is location tracking - if I am at work I can't be authenticated at the gas station unless enough time has passed for me to get there, even if my credit card is swiped. Every validation of my identity should raise the trust level, and it should decay over time so new authentications need to be continuously collected. That way passwords can contribute, but using one in the wrong place or time when I am demonstrably somewhere else will be denied and noticed. Yes I can still buy stuff over the net with a credit card, IF authentication says that request came from a device I am using AND I provide another token (i.e. password) or verify that purchase on another nearby device, raising the trust level in my location and intent to purchase. As long as it has a short-term and long-term memory, trust based authentication like this can handle the variations in humans from catching a cold or encountering a life-changing situation. Truly, location tracking with decay and continuous updates contributing to a calculable level of verifiable identity is the best we can do. Funny to say, but it is no longer black and white in this digital age.
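The trust-with-decay and location-plausibility scheme sketched in this post, as an added example that is not the commenter's design or DARPA's code: each identity signal raises a trust score, the score halves every 30 minutes without fresh evidence, and a signal from a location that could not have been reached since the last accepted one is refused and lowers trust instead. Site coordinates, the travel speed, the half-life and the signal weights are all constructed assumptions.

```python
"""Added example, not the commenter's design or DARPA's code: a trust score that
rises with each identity signal, decays over time, and refuses a signal whose
location could not have been reached since the last accepted one.
Site coordinates, travel speed, half-life and signal weights are all constructed."""
import math

HALF_LIFE_S = 1800.0     # trust halves every 30 minutes without fresh evidence
MAX_SPEED_MPS = 40.0     # fastest plausible travel on the ground (assumption)
ACCEPT_THRESHOLD = 1.0   # trust needed before a request is honoured

# Constructed locations on a flat local grid, in metres.
SITES = {"office": (0.0, 0.0), "gas_station": (30000.0, 0.0)}


class TrustTracker:
    def __init__(self):
        self.score, self.last_time, self.last_site = 0.0, None, None

    def current(self, now):
        """Trust right now: the last stored score, decayed exponentially."""
        if self.last_time is None:
            return 0.0
        return self.score * 0.5 ** ((now - self.last_time) / HALF_LIFE_S)

    def observe(self, now, site, weight):
        """Feed one identity signal (badge, camera, card swipe, phone).
        Returns (accepted, trust_after)."""
        if self.last_site is not None:
            gap = math.dist(SITES[self.last_site], SITES[site])
            if now - self.last_time < gap / MAX_SPEED_MPS:
                # Impossible travel: reject the signal and halve trust, since
                # one of the two sightings is wrong and we do not know which.
                self.score, self.last_time = self.current(now) * 0.5, now
                return False, self.score
        self.score = self.current(now) + weight
        self.last_time, self.last_site = now, site
        return True, self.score

    def authenticated(self, now):
        return self.current(now) >= ACCEPT_THRESHOLD


def run_scenario():
    """Constructed day: badge and camera at the office, then a card swipe 30 km
    away five minutes later (rejected), then the user really arrives there and
    confirms on a second nearby device. Returns (accepted, trust, authed) per step."""
    t = TrustTracker()
    steps = [(0, "office", 0.8), (600, "office", 0.6), (900, "gas_station", 0.6),
             (2700, "gas_station", 0.6), (2760, "gas_station", 0.5)]
    return [t.observe(now, site, w) + (t.authenticated(now),) for now, site, w in steps]


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```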

Re:Contribute instead of complaining (1)

biodata (1981610) | more than 2 years ago | (#38021242)

So you are saying that you think the internet should be spying on every single thing everyone does and using all this spying to profile everyone. I must say I don't like that idea. Do you think this spying should be the responsibility of governments or unaccountable corporations? I have a better idea. Get over the idea that computers can securely identify a person and stop building systems that depend on this happening. Use computers for more fun things.

great for scripting (0)

Anonymous Coward | more than 2 years ago | (#38021180)

So, how will they authenticate automated procedures? Like, I don't know, backup runs or database queries?

A couple of years ago there already was a program that could recognize a user by their use of keyboard and mouse. That would be useful for monitoring/intrusion detection, and I would be surprised (not really, it's darpa) if they don't already use something like that. But using that as authentication? No way.
