
DARPA Wants To Kill the Password

samzenpus posted about 4 months ago | from the at-least-zero-characters-long dept.


jfruh writes: Many security experts agree that our current authentication system, in which end users are forced to remember (or, more often, write down) a dizzying array of passwords, is broken. DARPA, the U.S. Defense Department research arm that developed the Internet, is trying to work past the problem by eliminating passwords altogether, replacing them with biometric and other cues, using off-the-shelf technology available today.


FRIST (-1, Offtopic)

Anonymous Coward | about 4 months ago | (#47646273)

FRIST POAST!

Re:FRIST (-1)

Anonymous Coward | about 4 months ago | (#47646623)

Frist poasters suck donkey cock, did you know that? No exceptions.

There we go again (4, Funny)

ArcadeMan (2766669) | about 4 months ago | (#47646283)

Kill and eliminate passwords? Violence is not the answer.

Re:There we go again (2, Funny)

Anonymous Coward | about 4 months ago | (#47646369)

You say that now, but wait until you watch a password facehug and implant an embryo in your friend. He might seem fine then, but you'll be convinced when a password bursts out of his chest and starts running around.

Take off and nuke the entire website from orbit. It's the only way to be sure.

Re: There we go again (4, Insightful)

Anonymous Coward | about 4 months ago | (#47646477)

We don't need to kill and eliminate passwords, we just need to modify them. The problem with passwords for the average user is the dizzying array of requirements from various websites (between 8 and 20 characters long, required to have upper/lower case and numbers, must have punctuation except "|~, etc.). I've never understood why passwords can't be sentences, like "I'm going to take my dog, Spot, to the park today." It's much easier to remember for the layperson and pretty quick to type once you've done it a few times. IANAC (I Am Not A Cryptologist), but I thought password strength was a function of length and potential character set. It seems like everyday sentences would be the way to go since guessing it exactly right would be exceedingly difficult.

Re: There we go again (0, Interesting)

Anonymous Coward | about 4 months ago | (#47646711)

I've never understood why passwords can't be sentences, like "I'm going to take my dog, Spot, to the park today."

They can be, but it would be incredibly stupid to use something like that. A dictionary attack would crack that password in seconds.

What I do is have a single, strong password that I have stored only in my brain and all other passwords are hashed on-the-fly from that and the domain or name of whatever I need the password for. I get a unique, strong password for everything, but only have to remember a single one.
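The scheme in the post above (one memorised secret, each site's password hashed from it plus the site name), as an added example that is not the poster's code. It assumes HMAC-SHA256 as the hash and adds two things the post does not mention: a rotation counter, so one site's password can be changed without changing the master, and a deterministic retry loop that satisfies the per-site character-class rules complained about elsewhere in the thread.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Alphabet is printable ASCII minus space, the quote characters, backslash,
// pipe and tilde, which the thread reports some sites rejecting.
const Alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" +
	"!#$%&()*+,-./:;<=>?@[]^_`{}"

// DeriveSitePassword derives a per-site password from a master secret, a site
// name and a rotation counter. The counter is what a plain "hash the master
// and the domain" scheme lacks: bumping it rotates one site's password without
// touching the master secret or any other site.
//
// A real tool would first stretch the master with a slow KDF (PBKDF2, scrypt,
// Argon2) so that a leaked site password cannot be used to guess the master
// quickly; that step is left out here to stay inside the standard library.
func DeriveSitePassword(master, site string, counter, length int) string {
	site = strings.ToLower(strings.TrimSpace(site)) // "Example.com" == "example.com"
	if length < 4 {
		length = 4 // shorter than four cannot hold all four character classes
	}
	for attempt := 0; ; attempt++ {
		// Rehash with a different suffix until the policy is met; the
		// result is still fully determined by (master, site, counter).
		mac := hmac.New(sha256.New, []byte(master))
		fmt.Fprintf(mac, "%s/%d/%d", site, counter, attempt)
		pw := expand(mac.Sum(nil), length)
		if HasAllClasses(pw) {
			return pw
		}
	}
}

// expand maps digest bytes onto Alphabet, rehashing when more than one
// SHA-256 output is needed. The slight modulo bias (256 mod 89) is accepted.
func expand(digest []byte, length int) string {
	out := make([]byte, 0, length)
	block := digest
	for len(out) < length {
		for _, b := range block {
			if len(out) == length {
				break
			}
			out = append(out, Alphabet[int(b)%len(Alphabet)])
		}
		next := sha256.Sum256(block)
		block = next[:]
	}
	return string(out)
}

// HasAllClasses checks the policy most sites in the thread impose: at least
// one lower-case letter, one upper-case letter, one digit and one symbol.
func HasAllClasses(pw string) bool {
	var lower, upper, digit, symbol bool
	for _, c := range pw {
		switch {
		case c >= 'a' && c <= 'z':
			lower = true
		case c >= 'A' && c <= 'Z':
			upper = true
		case c >= '0' && c <= '9':
			digit = true
		default:
			symbol = true
		}
	}
	return lower && upper && digit && symbol
}

func main() {
	master := "correct horse battery staple" // constructed sample secret
	fmt.Println(DeriveSitePassword(master, "Example.com", 0, 16))
	fmt.Println(DeriveSitePassword(master, "example.com", 1, 16)) // rotated once
}
```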

Re: There we go again (3, Insightful)

Desler (1608317) | about 4 months ago | (#47646829)

Only if you're dumb enough to let the authentication program be susceptible to such an attack. Dictionary attacks can be trivially defeated by rating limiting tries and after, say, 5 tries not allowing any more attempts for some cooldown period. No attacker is going to bother if they can only have 5 tries every 15 to 20 minutes.

Re: There we go again (1)

Desler (1608317) | about 4 months ago | (#47646837)

Rating limiting = rate limiting.

Re: There we go again (3, Informative)

AC-x (735297) | about 4 months ago | (#47646887)

Dictionary attacks can be trivially defeated by rating limiting tries and after, say, 5 tries

Unless they have a copy of the password hash

Re: There we go again (1)

Desler (1608317) | about 4 months ago | (#47646889)

To clarify, I should say any brute forcing attacks rather than just dictionary attack. Any authentication program that allows unlimited tries without any rate limiting is totally broken.

Re: There we go again (0)

Anonymous Coward | about 4 months ago | (#47646925)

Thanks for suggesting everyone configure their system such that I can DOS them! Bonus for making it take so few fake tries on my part.
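The lockout Desler describes (five wrong guesses, then a cooldown) as an added example, not code from any poster; the account names and clock values are constructed. It implements the policy as stated and carries the two limits the replies raise: it does nothing against someone who already holds a copy of the password hash, and because it is keyed on the account alone, anyone who sends five wrong passwords locks the real owner out for the cooldown.

```go
package main

import (
	"fmt"
	"time"
)

// Lockout implements the policy proposed in the thread: after MaxTries wrong
// passwords on one account, refuse further attempts for Cooldown. The clock
// is passed in explicitly so the behaviour can be checked without sleeping.
type Lockout struct {
	MaxTries int
	Cooldown time.Duration
	state    map[string]*accountState
}

type accountState struct {
	failures    int
	lockedUntil time.Time
}

func NewLockout(maxTries int, cooldown time.Duration) *Lockout {
	return &Lockout{MaxTries: maxTries, Cooldown: cooldown, state: map[string]*accountState{}}
}

func (l *Lockout) get(account string) *accountState {
	s, ok := l.state[account]
	if !ok {
		s = &accountState{}
		l.state[account] = s
	}
	return s
}

// Allowed reports whether a login attempt on account may proceed at time now.
func (l *Lockout) Allowed(account string, now time.Time) bool {
	s := l.get(account)
	if now.Before(s.lockedUntil) {
		return false
	}
	if !s.lockedUntil.IsZero() {
		// The cooldown has elapsed: the next MaxTries guesses are counted afresh.
		s.failures, s.lockedUntil = 0, time.Time{}
	}
	return true
}

// RecordFailure counts a wrong guess and starts the cooldown once the limit is hit.
func (l *Lockout) RecordFailure(account string, now time.Time) {
	s := l.get(account)
	s.failures++
	if s.failures >= l.MaxTries {
		s.lockedUntil = now.Add(l.Cooldown)
	}
}

// RecordSuccess clears the counter once the right password has been entered.
func (l *Lockout) RecordSuccess(account string) {
	delete(l.state, account)
}

// Two limits the replies point out are visible in the code: the counter lives
// on the server, so it does nothing against someone guessing offline against
// a stolen hash; and because the key is the account name alone, any client
// that sends MaxTries wrong passwords locks the real owner out for Cooldown.

func main() {
	l := NewLockout(5, 15*time.Minute)
	now := time.Date(2014, 8, 12, 12, 0, 0, 0, time.UTC) // constructed clock
	for i := 0; i < 5; i++ {
		l.RecordFailure("alice", now)
	}
	fmt.Println("alice allowed after 5 failures:", l.Allowed("alice", now))                   // false
	fmt.Println("alice allowed 15 min later:", l.Allowed("alice", now.Add(15*time.Minute))) // true
}
```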

Re: There we go again (1)

Anonymous Coward | about 4 months ago | (#47646857)

They can be, but it would be incredibly stupid to use something like that. A dictionary attack would crack that password in seconds.

That's not how a dictionary attack works. Like, at all. Unless the ENTIRE phrase is listed as a single entry in the "dictionary", then no, it would not be cracked. A dictionary attack does not try every combination of every word in the dictionary. Your password could be "passworda" and you would still be safe if "passworda" wasn't in the word list.

https://en.wikipedia.org/wiki/Dictionary_attack

Re: There we go again (2, Insightful)

Anonymous Coward | about 4 months ago | (#47646913)

Dictionary attack on a >50 character password that includes capitals and punctuation in seconds? I want some of what you are smoking.
Even if the attacker somehow knew that it was using sentences made entirely of valid words and not just random characters/words (how would he know this?) that's still one hell of a lot of words to attack.

Re:There we go again (0)

Anonymous Coward | about 4 months ago | (#47646923)

Kill and eliminate passwords? Violence is not the answer.

How about terminating them with "extreme prejudice"?

All good until someone simulates biometrics... (5, Insightful)

Anonymous Coward | about 4 months ago | (#47646285)

You can change a password, you can't change your retina print. What do you do when your account is compromised? Get new eyes?

Re:All good until someone simulates biometrics... (3, Insightful)

peragrin (659227) | about 4 months ago | (#47646333)

New eyes, new fingerprints, and new DNA.

What happens if you get sick or injured? Can you imagine pink eye with retinal scanners? Fingerprint scanners are fooled by gummy bears.

Re:All good until someone simulates biometrics... (2)

rodrigoandrade (713371) | about 4 months ago | (#47646385)

Pink eyes, eh? Don't go to work stoned, then..

Re:All good until someone simulates biometrics... (5, Funny)

Thanshin (1188877) | about 4 months ago | (#47646389)

Fingerprint scanners are fooled by gummy bears.

Where I work, the scanners are quite high. Way beyond the reach of even the tallest gummy bears.

Re:All good until someone simulates biometrics... (4, Funny)

Anonymous Coward | about 4 months ago | (#47646423)

They may be short, but don't be fooled - they can actually reach quite high if they have their juice with them.

Re:All good until someone simulates biometrics... (3, Funny)

Anonymous Coward | about 4 months ago | (#47646531)

For those of you that don't get the joke: there was a cartoon about bouncing gummi bears in the 80s. It has an amazing theme song:
https://www.youtube.com/watch?... [youtube.com]

Re:All good until someone simulates biometrics... (3, Funny)

Bob9113 (14996) | about 4 months ago | (#47646793)

>> Fingerprint scanners are fooled by gummy bears.

> Where I work, the scanners are quite high.

Aww, come on, now, no need to point fingers. If you had to sit there and check people's fingerprints all day you might spark up a bowl and get tempted by gummi bears once in a while too.

The problem is false negative (3, Insightful)

Geoffrey.landis (926948) | about 4 months ago | (#47646663)

What happens if you get sick or injured? Can you imagine pink eye with retinal scanners?

Yes, this is the serious problem-- just as serious as the problem of people fooling the password-alternative is the problem of the false negatives: getting locked out.

Notice that most of these weren't fingerprint scanners or retinal scanners-- they were stuff like gait monitors, or even more bizarre stuff, like listening to your heartbeat. So, if you twist your ankle--or even buy a new pair of shoes-- you're out of luck. Taking pseudoephedrine for a cold? Oops, your heart rate is different. You're locked out.

Instead of using these in place of a password, however, what about using an alternate ID as a second check? It doesn't lock you out, but it does trigger a watchdog alert that pays attention to what you're doing.

You can change a password, you can't change your retina print. What do you do when your account is compromised? Get new eyes?

Yes, we've all seen dozens of those science fiction stories where they steal people's eyes, or cut off their fingers, or take swabs of their DNA.

Re:All good until someone simulates biometrics... (-1)

Anonymous Coward | about 4 months ago | (#47646339)

It also sounds terrible for privacy. Fuck this, and whatever other nonsense they come up with.

Re:All good until someone simulates biometrics... (1)

Anonymous Coward | about 4 months ago | (#47646813)

Exactly, google and yahoo web services will no longer ask for your real name... they will already know it by cross referencing your biometric password to a government database of biometric ID's.

Re:All good until someone simulates biometrics... (4, Insightful)

mellon (7048) | about 4 months ago | (#47646501)

Exactly right. Biometric passwords are much easier to fake, because you can't change them. They also provide a nice means of identifying surveillance targets. It's almost as if these guys are getting direction from the NSA or something.

Re:All good until someone simulates biometrics... (1)

bombman (87339) | about 4 months ago | (#47646599)

Well, then instead of Russian (hackers?) breaking in and stealing passwords, they will steal the biometric data that is matched against in the database, and then they can spoof that....

It may be less useful as a 'cracklib' though.

Re:All good until someone simulates biometrics... (1)

m00sh (2538182) | about 4 months ago | (#47646647)

You can change a password, you can't change your retina print. What do you do when your account is compromised? Get new eyes?

Instead of all this BS, just make an app that stores all the sub-passwords from a master password.

You can link your biometrics to the master password and even if your sub-passwords are compromised, you can change them.

If your master password is compromised, then use a different finger or a different combination of biometric plus another password.

The biggest problem I have faced is the arbitrary password rules. Some sites require you to choose from the .\$[] character set whereas others cannot have it in the password. Some have length limits and some minimums. Some require at least two alphanumeric characters. Some allow phrases, some don't.

Re:All good until someone simulates biometrics... (0)

Anonymous Coward | about 4 months ago | (#47646903)

New eyes worked in Minority Report.

Ultimately... (5, Insightful)

Anonymous Coward | about 4 months ago | (#47646301)

Ultimately whatever password replacement you come up with gets turned into TCP/IP packets over the intertubes. Whether you are measuring my height, fingerprint, penis size or whatever metric you come up with, it gets turned into 0's and 1's that I can grab and duplicate. It is still information on a remote server that can be hacked and used by third parties.

And worse... once hacked, I can't do much to change my biometrics... so I'm totally screwed once the host server is hacked and a million biometric accounts are compromised.

Re:Ultimately... (1)

Anonymous Coward | about 4 months ago | (#47646495)

Ah, but you're assuming they won't invent a "don't save this" bit, which would prevent all systems handling such information from ever saving it...

Just look at the success of the evil bit and do-not-copy bit... :-)

Re:Ultimately... (1)

LordLimecat (1103839) | about 4 months ago | (#47646747)

Or you use some common sense, and use transport encryption.

Re:Ultimately... (1)

DigiShaman (671371) | about 4 months ago | (#47646523)

Mushroom stamping the scanner. Now that's a new concept I haven't heard of before.

Keep it classy.

Ultimately... (0)

Anonymous Coward | about 4 months ago | (#47646583)

The biometric information can be secured using hashed and salted databases.... unfortunately that's the exact same thing which companies are already not using giving us compromised passwords. The one nice attribute of bioinformatics which can somewhat protect information is that the information gathered from sensors is statistical in nature so simply copying the raw bytes will be easy to detect but it also wouldn't be hard to manipulate the information so it looks unique.

Re:Ultimately... (1)

pixelpusher220 (529617) | about 4 months ago | (#47646597)

Small comfort, but people whose biometrics are hacked would be the perfect cyber criminals, no? I mean, you can't tie those bio-metrics to just 'them' anymore, right?

excuse me, I need to go take a red pill...

Re:Ultimately... (5, Funny)

digitig (1056110) | about 4 months ago | (#47646669)

Whether you are measuring my height, fingerprint, penis size or whatever metric you come up with

Penis size is pretty useless as a biometric. It changes depending on the site being accessed.

presumably so... (5, Insightful)

Anonymous Coward | about 4 months ago | (#47646307)

...when the NSA wants to tap into various accounts, they can track exactly who they belong to and who accesses them because it will be linked to your personally identifiable biometrics

Re:presumably so... (1)

Somebody Is Using My (985418) | about 4 months ago | (#47646595)

Also, the various government agencies are increasingly working on gathering and archiving the biometric data of everyone they can. Right now they can collect fingerprints or DNA if you are arrested (and often this information is not purged if you are not convicted); I wouldn't be too surprised if they soon start gathering retina patterns as well. If devices start requiring biometric data over passwords, then the government (and any of their partners, or their employees or anyone who has hacked the database) will have access to anything secured by that data too.

The government can probably get my password too, but at least I can change the password every now and then to make things harder for them. Swapping out my eyeballs doesn't seem as appealing.

Passwords died in the 80s (-1)

Anonymous Coward | about 4 months ago | (#47646313)

We're easily four decades past the point where a human-readable password should have been discontinued.

Re:Passwords died in the 80s (2)

szmccauley (667273) | about 4 months ago | (#47646383)

In the 80s we didn't even bother with passwords, okay maybe by the late 80s. And every machine on the network had an IP that was directly on teh internets. As for this article, it's yet another example of how stupid people, even the intelligent, are when it comes to passwords. Who the fsck writes down a dizzying array of passwords? I know about 5 passwords off by heart at any given time, and use a password manager and an encrypted database to hold all of my passwords. Of course, without 2-factor auth those lists of passwords are seriously dangerous and that, dear humans, is where the danger lies. If anyone manages to crack my password manager or my encrypted database, I'm fscked. Okay, let's hear what the folks have to say about this age old problem.

Biometrics are great until... (0)

Anonymous Coward | about 4 months ago | (#47646315)

"hacking your password" becomes "hacking off your fingers."

Please choose biometrics that aren't part of my extremities.

Re:Biometrics are great until... (1)

martin-boundary (547041) | about 4 months ago | (#47646403)

Please choose biometrics that aren't part of my extremities.

Who do you think you are, a civilian? A citizen accepts personal responsibility for the safety of the body politic, defending it with his life, a civilian does not. What's a few extremities in the war against computer bugs?

Re:Biometrics are great until... (1)

king neckbeard (1801738) | about 4 months ago | (#47646537)

Be careful what you wish for, or they'll use internal organs (which are by definition not extremities), and you don't want anybody cutting those out.

Re:Biometrics are great until... (1)

ketomax (2859503) | about 4 months ago | (#47646569)

Are you okay with your barber charging you for the time spent fighting your spam?

I can't change my fingerprint (5, Insightful)

Ubi_NL (313657) | about 4 months ago | (#47646321)

I can change my password anytime if I think somebody copied it. I cannot change my fingerprint or retina. There is no way I'm giving random webshops or google my biometric data.

Re:I can't change my fingerprint (1)

Anonymous Coward | about 4 months ago | (#47646405)

I cannot change my fingerprint or retina.

Sounds like a DRM issue. You should complain to somebody!

So...revoke the certificate (4, Informative)

Overzeetop (214511) | about 4 months ago | (#47646453)

Any biometric password should be based on a certificate, not a direct digital representation of the biometric.

Re:So...revoke the certificate (1)

Anonymous Coward | about 4 months ago | (#47646555)

Yep, certificates are the answer. Heck, you could generate your own self-signed certificate; as long as the server stores the public key or the fingerprint, it's as good as any other login/password combination for proving you are whoever created that combination in the first place. Now if you needed absolute identity (which for the majority of websites you don't want), you'd need a central authority to verify it. Large banks could provide this service possibly.

Re:So...revoke the certificate (2)

Graydyn Young (2835695) | about 4 months ago | (#47646605)

This is correct. Take a look at what these guys are doing with biometrics:

getnymi.com [getnymi.com]

They aren't sending your biometric data all over the internet. They verify your identity on device and then send a token around.

Re:I can't change my fingerprint (0)

OzPeter (195038) | about 4 months ago | (#47646469)

I can change my password anytime if I think somebody copied it. I cannot change my fingerprint or retina. There is no way I'm giving random webshops or google my biometric data.

Given that your current password is not stored in plain text (hard to keep a straight face when typing that), I'd assume that your retinal password would not be stored as a plain image file as well.

Instead I can imagine that a hash of your retinal image is stored as your password, and that you can update your retinal password by rescanning your eyes and generating a new hash, which you can authoritatively tell the server is now your new password. Thus when the server is hacked and your retinal password compromised, you can generate a new one.

Note that I am not a security researcher and have no idea if what I just said is pure BS or not. However I would hope that people who ARE security researchers have already thought about these aspects.

Re:I can't change my fingerprint (2)

Another, completely (812244) | about 4 months ago | (#47646535)

It's more likely that your biometric would just unlock a stick that you carry around with you. The stick would then use an internally-generated key to authenticate you to the remote site.

Re:I can't change my fingerprint (1)

gregorio (520049) | about 4 months ago | (#47646593)

Note that I am not a security researcher and have no idea if what I just said is pure BS or not. However I would hope that people who ARE security researchers have already thought about these aspects.

No, it is not possible to "hash a retina scan", because just like fingerprint scans, the matching process for retina scans is based on feature comparisons. One can say that a retinal feature table is "a kind of a hash", but I disagree: it is quite easy to generate an artificial retina "clone" image from a list of features, just like it is easy to create a fake fingerprint from a list of fingerprint minutiae.

But database hackings are not the big issue here. If fingerprint or retina readers ever go mainstream, you'll be simply sharing your password everywhere, from the gym to your job's access system.

Re:I can't change my fingerprint (1)

mdmkolbe (944892) | about 4 months ago | (#47646701)

Hashing may prevent Yahoo from breaking into your Google account, but it doesn't help if someone acquires the pre-hash data (e.g. by lifting your fingerprint). The problem noted by the GP still stands.

Granted, random websites are less likely to be able to lift your fingerprint, but coworkers, roommates, and cashiers could do that pretty easily. When Mythbusters tested fingerprint scanners, even though Grant was on alert that they would try to steal his fingerprint, Kari got them by asking him to copy a stack of CDs.

Re:I can't change my fingerprint (0)

Anonymous Coward | about 4 months ago | (#47646609)

You have 21 members to choose from, choose wisely.

Re:I can't change my fingerprint (2)

bombman (87339) | about 4 months ago | (#47646615)

Can I have a glass of formaldehyde and eyeballs next to my computer I can use if I want to change my password?

Re:I can't change my fingerprint (1)

sociocapitalist (2471722) | about 4 months ago | (#47646875)

I can change my password anytime if I think somebody copied it. I cannot change my fingerprint or retina. There is no way I'm giving random webshops or google my biometric data.

You'll probably end up giving it to the US government if you go through customs. If not now then whenever Patriot Act III passes.

developed the Internet... (0)

Anonymous Coward | about 4 months ago | (#47646325)

DARPA, the U.S. Defense Department research arm that developed the Internet. I thought that I alone developed the internet.

A new type of hacker (0)

Anonymous Coward | about 4 months ago | (#47646329)

Hacker will take on a new meaning as they take the biometrics needed from someone.

As long as certain rules are kept (5, Interesting)

Thanshin (1188877) | about 4 months ago | (#47646331)

I'm ready to switch passwords for anything else as long as:
1 - It can't be extracted from me by an easier method than torture or blackmail.
2 - It stops working forever if I'm dead.

Otherwise, some blood will have to wash away the naivete. Again.

Re:As long as certain rules are kept (3, Insightful)

LWATCDR (28044) | about 4 months ago | (#47646411)

"2 - It stops working forever if I'm dead."
That is what I am worried about. I would like my wife to have access to my online accounts if for no other reason than to say goodbye for me.

Re:As long as certain rules are kept (1)

Sobrique (543255) | about 4 months ago | (#47646513)

Most biometrics do stop working when you die. Retinal prints change if there's no blood flow - the 'eyeball-on-a-pencil' just doesn't work. Other methods ... well, generally you can detect a pulse, and the change in pattern from the blood pressure is more secure anyway. (Even before you decide you don't want to let zombies^Wresidual human resources in.)

Re:As long as certain rules are kept (1)

FridayBob (619244) | about 4 months ago | (#47646905)

I'm ready to switch passwords for anything else as long as:
1 - It can't be extracted from me by an easier method than torture or blackmail.
2 - It stops working forever if I'm dead.

Agreed. Other authentication factors can be taken from you without much difficulty, but password access requires actual conscious cooperation.

On the other hand, I know where they're coming from. For the last five years I've been working on getting as many network services as possible to work with Kerberos authentication. So far, I've got OpenLDAP, OpenAFS, Netatalk (AFP), NFS, OpenSSH, Exim (SMTP), Dovecot (IMAP) and Apache (HTTP) to work with it, which has eliminated a lot of password use, as well as improved security. It would be fun to add MFA to the equation, but I'd still prefer to somehow remain consciously involved in the authentication process. Finally, people may hate having to remember new passwords all the time, although they get used to it, but the fact that they are so easy to change is also an advantage.

Mind signature (0)

Anonymous Coward | about 4 months ago | (#47646351)

They're going to make signature of your mind since there is nothing else that couldn't be cut or duplicated.

Smart Cards with PINs (0)

Anonymous Coward | about 4 months ago | (#47646407)

We've been using them for 30 plus years for ATM machines and they're easy to carry around. And nobody will be kidnapped to make them work.

Re:Smart Cards with PINs (0)

Anonymous Coward | about 4 months ago | (#47646577)

Using what?

Passwords don't need to be killed (4, Insightful)

nine-times (778537) | about 4 months ago | (#47646417)

Passwords don't need to be killed. If you're thinking about replacing it with biometrics, I think that's thinking about the problem the wrong way too. The fact is, we already have all the technology we need to solve this problem much better than we do today. It's simple: instead of passwords, you should have a password-protected private key, with a single password, and then use public keys for authentication. That way, you only need to know one password, and you've also eliminated a lot of the danger of snooping on connections because the private key isn't being sent.

Of course, it would require that everyone pretty much agree on one set of standards for how it's supposed to be implemented, and then developers have to build their products with those standards. Then you probably also want some trustworthy and inexpensive/free Certificate Authorities. Ideally you'd want to be able, though not required, to use the same private key for everything-- email encryption, ssh logins, maybe even credit card purchases-- so you'd need mechanisms for managing your keys, keeping them safe but also making them available when needed. Throw in some dual-factor authentication where you want a high level of security, and you've basically solved the issue.
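The key-based login this post describes, which is also what the earlier "verify on device and send a token" and "biometric unlocks a stick with an internal key" replies amount to, as an added example that is not any poster's code. It assumes Ed25519 for the key pair and a random server nonce as the challenge; the origin, user name and local unlock check are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device holds a private key that never leaves it; the biometric or passphrase
// only unlocks that key locally, and the unlock result is never transmitted.
type Device struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

// NewDevice generates the device key; only the public half is ever registered.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Unlock stands in for the local check (fingerprint, PIN, passphrase).
func (d *Device) Unlock(localCheckPassed bool) { d.unlocked = localCheckPassed }

// Sign answers a challenge. The signature also covers the origin, so an answer
// produced for one site cannot be presented to another.
func (d *Device) Sign(origin string, nonce []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("device locked")
	}
	return ed25519.Sign(d.priv, challengeBytes(origin, nonce)), nil
}

func challengeBytes(origin string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator between origin and nonce
	h.Write(nonce)
	return h.Sum(nil)
}

// Server stores public keys only; a lost or cloned device is handled by Revoke.
type Server struct {
	origin  string
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding nonce per user
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }
func (s *Server) Revoke(user string)                         { delete(s.keys, user); delete(s.pending, user) }

// Challenge issues a fresh random nonce that Verify will accept at most once.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signed challenge and consumes the nonce, so a captured
// answer cannot be replayed; the private key itself was never on the wire.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("unknown or revoked user")
	}
	expected, ok := s.pending[user]
	delete(s.pending, user) // consume first, whatever the outcome
	if !ok || string(expected) != string(nonce) {
		return errors.New("no matching outstanding challenge")
	}
	if !ed25519.Verify(pub, challengeBytes(s.origin, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	dev, pub, err := NewDevice()
	if err != nil { panic(err) }
	srv := NewServer("https://example.test") // constructed origin
	srv.Register("alice", pub)
	nonce, _ := srv.Challenge("alice")
	dev.Unlock(true)
	sig, _ := dev.Sign("https://example.test", nonce)
	fmt.Println("login:", srv.Verify("alice", nonce, sig), "replay:", srv.Verify("alice", nonce, sig))
}
```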

Re: Passwords don't need to be killed (1)

Anonymous Coward | about 4 months ago | (#47646655)

I personally think this is the best idea on here. Especially with two step.

DARPA wants to fail at this also? (1)

gweihir (88907) | about 4 months ago | (#47646419)

As many, many others have before, because this problem is not really solvable without AU that can recognize a person? Well, it is a waste of taxpayer money, and fail they will. Biometrics is basically unusable unless you have a security guard monitor the taking of the measurement.

Won't work (2)

DaMattster (977781) | about 4 months ago | (#47646421)

You can kill the password in favor of strong security tokens but if the underlying code is poorly written and full of security holes, then it won't be any more secure than what we have now. If you can steal a few retinal images through an exploit, you could, in theory, make a model with the retinal pattern.

Leave the choice to the user (1)

NotInHere (3654617) | about 4 months ago | (#47646427)

Now that's something innovative DARPA could do: I don't want biometrics, but perhaps someone else might like it, as they don't care much for computers, and would have used a 12345qwert like password.

Come on, most of these authentication methods are inferior, I just don't have the abilities I have with passwords: evil people have to beat me with a stick until they know my password instead of just having to cut off my finger, I can change it whenever I want, a password doesn't identify me (I can stay anon), I can give it to someone else, and when I am eating (drinking, got my finger cut off because someone wanted to break into another computer of mine) something I can enter the password with my other hand, without changing the way my hand tremors.

Re:Leave the choice to the user (0)

Anonymous Coward | about 4 months ago | (#47646559)

+1. Also, by using biometrics that means the gov't can hack into your account on any website because they have biometrics of all citizens (or eventually will). Of course the NSA would want to push biometrics.

Standards Conflict (1)

Joe Gillian (3683399) | about 4 months ago | (#47646443)

There's no way I can see this happening, if only because no one would be willing to settle on a single standard for biometric verification. For instance, I can imagine that some places will want a simple fingerprint, but others will demand that the fingerprint scanner used by the user to submit their prints detect warmth so that they can be sure that there are no artificial prints, dead bodies, or severed extremities being used to bypass the scan.

Other places will want retinal scans (One eye? Both eyes? Proof of life verification?), voiceprints, voiceprints backed by facial recognition, or any number of other things. In the end, it would lead to the end-user being forced to buy lots of expensive hardware, some of which they may never wind up using. The other thing they don't consider - what about mobile devices that don't have multiple USB ports, or can't support the drivers for biometric scanners?

Passwords can work, but human-readable ones do not. What we need are more secure passwords that aren't human-readable, not Minority Report.

PKI SSL (2)

Sobrique (543255) | about 4 months ago | (#47646447)

We're used to using SSL from client to server. But it works both ways around. You can use client side SSL certificates to authenticate. Client side SSL certificates that you can lock down with a decent passphrase, SSLVerifyClient [modssl.org]

Not as hard to implement as some of the pipe dreams out there. Of course, it does require a degree of tech savvy on the part of users - and more importantly, enforcing its use, to avoid laziness bypassing.

Then your challenge becomes certificate transport - you'll need a way to carry around your cert, or somehow get hold of it when you need it, which is easier said than done. The real advantage of passwords is their portability. Biometrics have a similar advantage, but as already noted - are a bit harder to revoke/change.

Re:PKI SSL (1)

fuzzyfuzzyfungus (1223518) | about 4 months ago | (#47646653)

It's pretty tricky to avoid the 'carry something around' requirement; but people seem to be good enough at that when they need to be.

I suppose the major mess would be all the phones and tablets that either don't have card readers or USB, or have USB but will never receive driver support outside of third party hacks. Smartcards and their USB attached analogs can handle the job but having accounts that you can't access from almost any mobile device will probably play poorly.

FIDO / U2F - open Yubikey-like standard protocol (1)

Lennie (16154) | about 4 months ago | (#47646479)

How about a standard protocol around devices like Yubikey hardware tokens for integration in the browser (or use with other applications):

https://air.mozilla.org/fido-u... [mozilla.org]

Google, Microsoft are already involved, Mozilla is looking into it.

666 (2, Interesting)

musmax (1029830) | about 4 months ago | (#47646485)

And he causes all, the small and the great, and the rich and the poor, and the free men and the slaves, to be given a mark on their right hand or on their forehead, and he provides that no one will be able to buy or to sell, except the one who has the mark, either the name of the beast or the number of his name. Rev 13:17

Re:666 (-1)

Anonymous Coward | about 4 months ago | (#47646667)

Ugh, why does every story have to turn religious, or should I say the Christian religion. Of course to Christians there are no other religions out there and Jesus was a white guy...... Wake up. Not everything out there is about Religion all the time......

Re:666 (1)

PPH (736903) | about 4 months ago | (#47646919)

Yeah. But in this case, they have a good point. Whoever controls your access token controls your life (soul).

Even if you don't believe in God, the Bible was used to teach practical knowledge to the people back in its day. There is some common sense wisdom in there if you can get around the concept of an invisible guy in the sky.

Re:666 (1)

fuzzyfuzzyfungus (1223518) | about 4 months ago | (#47646675)

You crazy end-times nutjobs... Everyone knows that Verichip(tm) brand subdermal RFID solutions are supposed to be implanted in the arm, not the hand or forehead!

Re:666 (1)

PPH (736903) | about 4 months ago | (#47646843)

Damn you! That's the combination to my briefcase.

Re:666 (0)

Anonymous Coward | about 4 months ago | (#47646893)

Pfft, I use the much more secure 12345

No one has to remember passwords any more (1)

biodata (1981610) | about 4 months ago | (#47646491)

Don't people just click on the 'Forgot Password' button every time their browser forgets their password?

hello friends (0)

Anonymous Coward | about 4 months ago | (#47646519)

Hello friends, I'm joining here from Turkey. I'd welcome you on my site too: www.islamisohbete.org

Biometrics? Over Internet? (1)

bradgoodman (964302) | about 4 months ago | (#47646579)

I concur with the previous post saying you "can't change" biometric stuff if your password is "compromised" - but my further point is that biometrics are "secure" in an "embedded" world when you have a physical scanner attached to a physical device. When you're on the "open internet" - and such biometric data has to be collected and shuttled across "the 'net" - you now have the same sort of issue as with "traditional" passwords - i.e. someone snarfing and/or "replaying" that data.

So whereas biometrics might replace a traditional "password" - we need more systems which aren't vulnerable to the type of 1.8-billion-password-stealing-Russian-problems we see all over the place. I have been a big fan of much of the two-factor stuff, and some of the hashing schemes out there. It will be interesting to see what kind of other solutions could exist - though I don't think anything "static" like biometrics gets us anywhere.
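The two comments above (Lennie's pointer to FIDO/U2F-style hardware tokens, and the replay concern with shipping a static biometric over the network) fit together in one small model. The following is an added example, not code from any commenter or from the FIDO project: it contrasts a server that accepts a static credential (a biometric template sent as-is, so whatever an eavesdropper records can be sent again) with a challenge-response server that issues a fresh random nonce per login and accepts each one only once. Real U2F tokens answer the challenge with a public-key signature under a per-site private key; this sketch substitutes an HMAC over a shared secret so it runs on the Python standard library alone. All class and function names, and the "fingerprint template" bytes, are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


class StaticCredentialServer:
    """Server that compares a presented credential byte-for-byte.

    This models sending a biometric template (or a plain password) across
    the wire: the bytes that authenticate are the bytes an eavesdropper sees.
    """

    def __init__(self, enrolled_template: bytes) -> None:
        self.enrolled = enrolled_template

    def verify(self, presented: bytes) -> bool:
        # Constant-time compare, but nothing ties the value to this session.
        return hmac.compare_digest(self.enrolled, presented)


class ChallengeResponseServer:
    """Simplified U2F-style verifier: random single-use challenge, keyed response.

    Assumption: HMAC-SHA256 over a shared secret stands in for the ECDSA
    signature a real FIDO/U2F token would produce with its private key.
    """

    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key
        self.outstanding: set[bytes] = set()  # challenges issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False  # never issued, or already consumed: reject replays outright
        self.outstanding.discard(challenge)  # each challenge is good for exactly one attempt
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Token:
    """The client-side authenticator holding the shared secret."""

    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def demo_static_credential() -> dict:
    """Static credential: a recorded login works again verbatim."""
    template = b"constructed-fingerprint-template-bytes"  # constructed sample, not real data
    server = StaticCredentialServer(template)
    captured_on_wire = template  # what a network observer would have recorded
    return {
        "legit_login": server.verify(template),
        "replay_of_capture": server.verify(captured_on_wire),
    }


def demo_challenge_response() -> dict:
    """Challenge-response: a recorded (challenge, response) pair is useless later."""
    key = secrets.token_bytes(32)
    server = ChallengeResponseServer(key)
    token = Token(key)

    c1 = server.new_challenge()
    r1 = token.respond(c1)
    legit = server.verify(c1, r1)

    # Observer recorded (c1, r1). Replaying against the consumed challenge fails,
    # and the old response does not match the next, freshly issued challenge.
    replay_same = server.verify(c1, r1)
    c2 = server.new_challenge()
    replay_against_new = server.verify(c2, r1)
    return {
        "legit_login": legit,
        "replay_same_challenge": replay_same,
        "replay_new_challenge": replay_against_new,
    }


if __name__ == "__main__":
    print("static credential:", demo_static_credential())
    print("challenge-response:", demo_challenge_response())
```

The point the code makes is the one bradgoodman raises: a biometric is a static value, so once it travels over an untrusted network it is no better than a password that is never changed. A hardware token never transmits its secret; it transmits a fresh function of the secret and the server's nonce, which is why the captured exchange does nothing a second time.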

informativE CockCock (-1)

Anonymous Coward | about 4 months ago | (#47646607)

Something you know... (1)

Doub (784854) | about 4 months ago | (#47646621)

If instead of switching from one factor to another they promoted multi-factor authentication, they'd relax constraints on each factor (ie. passwords easier to remember, biometrics cheap to implement).

Kill the Password Rules Firstly! (0)

Anonymous Coward | about 4 months ago | (#47646625)

I know this doesn't apply to all of you, but our company wants us to change passwords every three months.
I know this is pointless, but hopefully, after I complain enough times in various places, this stupid rule can be removed.

A precursor for chip implants? (0)

Anonymous Coward | about 4 months ago | (#47646641)

I suppose that having to remember multiple passwords could be quite a burden for some.

An identity chip implant would fix that.

Personally, I'd take a little ginseng and work on sharpening my memory instead.

If man can make it, then man can break it. (1)

zenlessyank (748553) | about 4 months ago | (#47646649)

End of discussion. There isn't a lock anywhere that can't be broken.

Eyeball Frying Fun (1)

userw014 (707413) | about 4 months ago | (#47646657)

Using biometrics as an authentication factor (with or without passwords or token generators) brings me to:

[1] Can the biometric be consistent across different vendors or models of readers - or will people be locked-in to individual vendors (or worse, models) of readers?

[2] Is the interface between the biometric reader and the computer secure?

[3] How stable are biometrics over time - both long term and short term?

[4] What happens when the same biometric is used in different security contexts - from banking to dating sites?

I doubt that these are new questions, but other than the stability of biometrics over time, I don't recall seeing them asked before.

Re:Eyeball Frying Fun (1)

dbIII (701233) | about 4 months ago | (#47646723)

As for 3, maybe it's an early warning of high blood pressure when your retina scan doesn't work any more, or prostate trouble when fingerprints go.
They can take my biometrics from my cold, dead hands. Passwords/passphrases are a different story.

Re:Eyeball Frying Fun (0)

Anonymous Coward | about 4 months ago | (#47646863)

If your fingerprints are being destroyed by your prostate condition, I'd suggest pulling your thumb out of your ass.

DARPA to reduce aggravation and wasted time (0)

Anonymous Coward | about 4 months ago | (#47646665)

Because they can't locate exactly where in your brain that testy password is stored so they could remove it, they will be very excited with your fingerprint, drop of blood, or eyeball... thank you very much.

They should watch "Archer"... (5, Funny)

QilessQi (2044624) | about 4 months ago | (#47646761)

Pam: Oh, OK, then good luck with all the biometric scanners. Unless you wanna cut off my fingers and scoop out my retinas.

Kidnappers look at each other.

Pam: Oh, don't be dicks!

Safety (0)

Anonymous Coward | about 4 months ago | (#47646801)

"Stick your hands up, and hand over your eye".

And just before someone brings up the usual "but the scanner won't accept a dead eye"... That line of thinking is a sign of a cold-blooded bureaucrat (or BOFH) who cares only about the system. When your eye is refused by the scanner, I'm going to think you tricked me into cutting out the wrong eye. Guess what, now you're losing the other eye also.

An important safety aspect of a password is that it can safely be handed over to the guy with the gun. Then you can change the password once you're safe.

Oh great (0)

Anonymous Coward | about 4 months ago | (#47646807)

Now instead of using a $5 hammer to coerce the password out of me, the bad guys will use a $5 saw to cut off my fingerprint.

What other tech gives a choice? (1)

RhettLivingston (544140) | about 4 months ago | (#47646853)

Passwords don't simply show your identity. Making the choice to enter them also shows your permission. Sure they can be snooped, but they can't be easily extracted against your will. All biometric based keys are available with a warrant. The password is the only one that I know of that I have any chance of hiding. By carefully employing different passwords for every site with the aid of KeePass or a similar tool and changing them all periodically (would be nice if KeePass automated this) and guarding KeePass with the strongest encryption, a very strong password, and another key, I've got a better chance of controlling access to my data (which I consider little different from my mind) than with any other approach I've heard of.

Bad idea (1)

mark-t (151149) | about 4 months ago | (#47646859)

Because accidents happen. No matter how improbable... no matter what kind of artificial barriers we might try and design to prevent them, over time even the unthinkable can and often will happen.

And when it does, some kind of mitigatory system needs to be in place, or else once the system has been compromised, nobody will ever want to use it again. In the case of biometrics, if a database of people's biometric "passwords" has been compromised, potentially allowing somebody to access whatever that database might be linked to, that mitigatory system is going to end up being the password until a different biometric system can be put in place.

Biometrics can make sense as an alternative to passwords in some contexts... such as on an internal and private network, where certain people who work there need regular access to particular information, while they do not want just anyone using the computers, and biometrics can be measured by a computer much more quickly than a password can be entered, so it serves as a convenient shortcut. They don't, however, make sense as a general replacement for passwords. Honestly, I can't help but feel that the people who keep suggesting this are terminally lazy and don't want to have to remember passwords in the first place.

I'm all for killing passwords (0)

Anonymous Coward | about 4 months ago | (#47646873)

As long as the new method is not based on biometrics

Hoping for better solution (1)

Ogive17 (691899) | about 4 months ago | (#47646897)

At work I have so many passwords with different requirements and different reset schedules that I had to turn to the low tech approach of writing every one down on a post it note and hiding it under my calculator on my desk. I do take my laptop home every evening.

Interestingly enough, email is the only program we no longer have to sign in to each time, and it also does not time out after inactivity like every other program. That is the place where most sensitive business information would be located. All they would need to do is crack my Windows password (while also knowing my login name).

I wish I could log in to Windows and do one authentication to unlock every other program I use routinely.

of course they do (1)

jsepeta (412566) | about 4 months ago | (#47646901)

If DARPA doesn't like passwords, they shouldn't use them. But that shouldn't have any bearing on us puny civilians.
