DARPA Wants To Kill the Password
jfruh writes: Many security experts agree that our current authentication system, in which end users are forced to remember (or, more often, write down) a dizzying array of passwords, is broken. DARPA, the U.S. Defense Department research arm that developed the Internet, is trying to work past the problem by eliminating passwords altogether, replacing them with biometric and other cues, using off-the-shelf technology available today.
So...revoke the certificate (Score:5, Informative)
Any biometric password should be based on a certificate, not a direct digital representation of the biometric.
Re: There we go again (Score:4, Informative)
Dictionary attacks can be trivially defeated by rate limiting tries and after, say, 5 tries
Unless they have a copy of the password hash
Re: There we go again (Score:4, Informative)
Are you sure about that? [xkcd.com]
Re: There we go again (Score:5, Informative)
You probably shouldn't try to write about things you don't know about or understand.
1. The industry-accepted way to store passwords securely in a database is with a one-way, salted cryptographic hash (using as CPU-intensive an algorithm as possible).
2. Many organisations have had database intrusions where these password hashes have been stolen (e.g. eBay [threatpost.com], LinkedIn [sophos.com], LivingSocial [arstechnica.com], etc.)
3. When this happens (i.e. "they have a copy of the password hash") passwords can be cracked offline. Strong passwords are safe (too hard to brute force), but weak passwords can be found using a dictionary attack.
4. Once the password is found offline a hacker can log straight in to the victim's online account with a single password attempt.
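The four points above, as an added illustration (not code from the thread): a salted PBKDF2 store with a server-side try limit, and a function modelling what a leaked copy of the record exposes. The wordlist, passwords, salt and `OnlineLoginGate` class are all constructed for this example.

```python
import hashlib
import hmac
import os

# Cost parameter: raise it as hardware gets faster (PBKDF2-HMAC-SHA256 rounds).
ITERATIONS = 200_000


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> dict:
    """Store a one-way, salted, CPU-intensive hash, never the password itself."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


class OnlineLoginGate:
    """Server-side rate limit: the account locks after max_tries failures."""

    def __init__(self, record: dict, max_tries: int = 5):
        self.record, self.max_tries, self.failures = record, max_tries, 0

    def attempt(self, candidate: str) -> str:
        if self.failures >= self.max_tries:
            return "locked"  # even a correct guess is refused now
        if verify_password(self.record, candidate):
            return "ok"
        self.failures += 1
        return "denied"


def leaked_hash_exposure(record: dict, wordlist: list) -> "int | None":
    """Guesses needed to match the hash when someone holds a copy of `record`
    (None if the wordlist never matches). No OnlineLoginGate is consulted:
    offline guessing is bounded only by KDF cost and password strength."""
    for guesses, word in enumerate(wordlist, start=1):
        if verify_password(record, word):
            return guesses
    return None


if __name__ == "__main__":
    WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey"]  # constructed
    print(leaked_hash_exposure(hash_password("letmein"), WORDLIST))              # 3
    print(leaked_hash_exposure(hash_password("T4kes-Corr3ct-Horse!"), WORDLIST))  # None
```

With the default cost each guess takes a noticeable fraction of a second even in C-backed hashlib, which is the whole point of step 1; the lockout in `OnlineLoginGate` only ever applies to step 4, the single online attempt.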
Re: There we go again (Score:5, Informative)
Hey Desler, I really don't get you: you (appear to) know what a salt is, yet you don't understand that an attacker would be performing the attack on the hash offline, with their own hardware. Rate limiting their own hardware would be, as you put it, the height of idiocy.