DARPA Wants To Kill the Password
jfruh writes Many security experts agree that our current authentication system, in which end users are forced to remember (or, more often, write down) a dizzying array of passwords is broken. DARPA, the U.S. Defense Department research arm that developed the Internet, is trying to work past the problem by eliminating passwords altogether, replacing them with biometric and other cues, using off-the-shelf technology available today.
All good until someone simulates biometrics... (Score:5, Insightful)
You can change a password, you can't change your retina print. What do you do when your account is compromised? Get new eyes?
Ultimately... (Score:5, Insightful)
Ultimately whatever password replacement you come up with gets turned into TCP/IP packets over the intertubes. Whether you are measuring my height, fingerprint, penis size or whatever metric you come up with, it gets turned into 0's and 1's that I can grab and duplicate. It is still information on a remote server that can be hacked and used by third parties.
And worse... once hacked, I can't do much to change my biometrics... so I'm totally screwed once the host server is hacked and a million biometric accounts are compromised.
presumably so... (Score:5, Insightful)
...when the NSA wants to tap into various accounts, they can track exactly who they belong to and who accesses them because it will be linked to your personally identifiable biometrics
I can't change my fingerprint (Score:5, Insightful)
I can change my password anytime if I think somebody copied it. I cannot change my fingerprint or retina. There is no way I'm giving random webshops or google my biometric data.
Re:All good until someone simulates biometrics... (Score:4, Insightful)
New eyes, new fingerprints, and new DNA.
What happens if you get sick or injured? Can you imagine pink eye with retinal scanners? Fingerprint scanners are fooled by gummy bears.
Re:As long as certain rules are kept (Score:4, Insightful)
"2 - It stops working forever if I'm dead."
That is what I am worried about. I would like my wife to have access to my online accounts if for no other reason than to say good bye for me.
Passwords don't need to be killed (Score:5, Insightful)
Passwords don't need to be killed. If you're thinking about replacing it with biometrics, I think that's thinking about the problem the wrong way too. The fact is, we already have all the technology we need to solve this problem much better than we do today. It's simple: instead of passwords, you should have a password-protected private key, with a single password, and then use public keys for authentication. That way, you only need to know one password, and you've also eliminated a lot of the danger of snooping on connections because the private key isn't being sent.
Of course, it would require that everyone pretty much agree on one set of standards for how it's supposed to be implemented, and then developers have to build their products with those standards. Then you probably also want some trustworthy and inexpensive/free Certificate Authorities. Ideally you'd want to be able, though not required, to use the same private key for everything (email encryption, ssh logins, maybe even credit card purchases), so you'd need mechanisms for managing your keys, keeping them safe but also making them available when needed. Throw in some dual-factor authentication where you want a high level of security, and you've basically solved the issue.
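The challenge-response exchange this post describes, written out as an added example in Go (not code from the post, from DARPA, or from any existing product; the Server type, the account name "alice" and the server name "example.org" are made up for illustration). The server stores only the user's Ed25519 public key; the client proves possession of the private key by signing a fresh nonce, so nothing reusable ever crosses the wire and a server database dump contains nothing an attacker can log in with. The local password that unlocks the private key at rest is left out; it never leaves the client either.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds only public keys and the challenges it has handed out. There is
// no password and no private key here to steal. (Hypothetical names.)
type Server struct {
	name    string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // account -> outstanding nonce
}

func NewServer(name string) *Server {
	return &Server{name: name, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(account string, pub ed25519.PublicKey) { s.users[account] = pub }

// Challenge hands out a fresh random nonce; each nonce is accepted at most once.
func (s *Server) Challenge(account string) ([]byte, error) {
	if _, ok := s.users[account]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[account] = nonce
	return nonce, nil
}

// AuthMessage binds the signature to this server and this purpose, so a
// signature the user produced for some other service cannot be relayed here.
func AuthMessage(server string, nonce []byte) []byte {
	return append([]byte("login:"+server+":"), nonce...)
}

// Respond runs on the client. The private key (unlocked locally with the one
// password the post talks about) never leaves the machine; only a signature
// over the server's nonce is sent back.
func Respond(priv ed25519.PrivateKey, server string, nonce []byte) []byte {
	return ed25519.Sign(priv, AuthMessage(server, nonce))
}

// Verify checks the response against the outstanding nonce and consumes it,
// which is what makes a captured response useless for replay.
func (s *Server) Verify(account string, nonce, sig []byte) bool {
	pub, known := s.users[account]
	want, issued := s.pending[account]
	if !known || !issued || !bytes.Equal(want, nonce) {
		return false
	}
	delete(s.pending, account)
	return ed25519.Verify(pub, AuthMessage(s.name, nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer("example.org")
	srv.Register("alice", pub)

	nonce, _ := srv.Challenge("alice")
	sig := Respond(priv, "example.org", nonce)
	fmt.Println("genuine login:", srv.Verify("alice", nonce, sig)) // true

	// An eavesdropper who captured (nonce, sig) gains nothing: the next
	// challenge is different and the old one has already been consumed.
	nonce2, _ := srv.Challenge("alice")
	fmt.Println("replayed response:", srv.Verify("alice", nonce2, sig)) // false
}
```

The domain-separating prefix in AuthMessage is the detail most home-grown versions of this scheme omit: without it, a phishing site that relays the real server's nonce to the user gets back a signature the real server will accept.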
Re: There we go again (Score:4, Insightful)
We don't need to kill and eliminate passwords, we just need to modify them. The problem with passwords for the average user is the dizzying array of requirements from various websites (between 8 and 20 characters long, required to have upper/lower case and numbers, must have punctuation except "|~, etc.). I've never understood why passwords can't be sentences, like "I'm going to take my dog, Spot, to the park today." It's much easier to remember for the layperson and pretty quick to type once you've done it a few times. IANAC (I Am Not A Cryptologist), but I thought password strength was a function of length and potential character set. It seems like everyday sentences would be the way to go since guessing it exactly right would be exceedingly difficult.
Re:All good until someone simulates biometrics... (Score:5, Insightful)
Exactly right. Biometric passwords are much easier to fake, because you can't change them. They also provide a nice means of identifying surveillance targets. It's almost as if these guys are getting direction from the NSA or something.
The problem is false negative (Score:4, Insightful)
What happens if you get sick or injured? Can you imagine pink eye with retinal scanners?
Yes, this is the serious problem-- just as serious as the problem of people fooling the password-alternative is the problem of the false negatives: getting locked out.
Notice that most of these weren't fingerprint scanners or retinal scanners; they were stuff like gait monitors, or even more bizarre stuff, like listening to your heartbeat. So, if you twist your ankle, or even buy a new pair of shoes, you're out of luck. Taking pseudoephedrine for a cold? Oops, your heart rate is different. You're locked out.
Instead of using these instead of a password, however, what about using the alternate ID as a second check? It doesn't lock you out, but it does trigger a watchdog alert that pays attention to what you're doing.
You can change a password, you can't change your retina print. What do you do when your account is compromised? Get new eyes?
Yes, we've all seen dozens of those science fiction stories where they steal people's eyes, or cut off their fingers, or take swabs of their DNA.
Re: There we go again (Score:3, Insightful)
Only if you're dumb enough to let the authentication program be susceptible to such an attack. Dictionary attacks can be trivially defeated by rate limiting tries and, after, say, 5 tries, not allowing any more attempts for some cooldown period. No attacker is going to bother if they can only have 5 tries every 15 to 20 minutes.
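The lockout policy this comment proposes, as an added example in Go (not code from the commenter or from any real login system; the Limiter type, its method names and the account name "victim" are made up here). It is keyed per account rather than per source IP, so spreading guesses across many hosts buys nothing, and the simulation at the end counts how many guesses a persistent online attacker gets per day under "5 tries, then 15 minutes off". As a later reply in the thread points out, this bounds online guessing only: an attacker who already holds a copy of the password hash never calls this code.

```go
package main

import (
	"fmt"
	"time"
)

// Limiter refuses attempts on an account once maxTries consecutive failures
// have been recorded, until cooldown has elapsed. (Hypothetical names.)
type Limiter struct {
	maxTries int
	cooldown time.Duration
	now      func() time.Time // injectable clock so the policy can be tested
	failures map[string]int
	lockedAt map[string]time.Time
}

func NewLimiter(maxTries int, cooldown time.Duration, now func() time.Time) *Limiter {
	return &Limiter{
		maxTries: maxTries, cooldown: cooldown, now: now,
		failures: map[string]int{}, lockedAt: map[string]time.Time{},
	}
}

// RetryAfter is zero when an attempt may proceed, otherwise the time left on
// the lock (the value you would put in an HTTP Retry-After header).
func (l *Limiter) RetryAfter(account string) time.Duration {
	t, locked := l.lockedAt[account]
	if !locked {
		return 0
	}
	if left := l.cooldown - l.now().Sub(t); left > 0 {
		return left
	}
	delete(l.lockedAt, account) // lock expired: start a fresh window
	l.failures[account] = 0
	return 0
}

// Record feeds back the outcome of an attempt. Success clears the counter;
// the maxTries-th consecutive failure starts the cooldown.
func (l *Limiter) Record(account string, success bool) {
	if success {
		l.failures[account] = 0
		return
	}
	l.failures[account]++
	if l.failures[account] >= l.maxTries {
		l.lockedAt[account] = l.now()
	}
}

// SimulateOnlineGuessing counts how many guesses an attacker who is always
// wrong can submit against one account within window under this policy.
func SimulateOnlineGuessing(maxTries int, cooldown, window time.Duration) int {
	clock := time.Unix(0, 0) // constructed fake clock
	l := NewLimiter(maxTries, cooldown, func() time.Time { return clock })
	end := clock.Add(window)
	guesses := 0
	for clock.Before(end) {
		if wait := l.RetryAfter("victim"); wait > 0 {
			clock = clock.Add(wait) // attacker waits out the lock
			continue
		}
		guesses++
		l.Record("victim", false)
	}
	return guesses
}

func main() {
	n := SimulateOnlineGuessing(5, 15*time.Minute, 24*time.Hour)
	fmt.Printf("online attacker gets %d guesses per account per day\n", n) // 480
}
```

480 guesses a day is hopeless against anything but the most common passwords, which is the commenter's point; the flip side is that the same counter lets anyone who knows a username lock its owner out, so deployments usually pair the lock with a CAPTCHA or a second factor rather than a hard refusal.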
Re: There we go again (Score:2, Insightful)
Dictionary attack on a >50 character password that includes capitals and punctuation in seconds? I want some of what you are smoking.
Even if the attacker somehow knew that it was using sentences made entirely of valid words and not just random characters/words (how would he know this?), that's still one hell of a lot of words to attack.
Re: There we go again (Score:1, Insightful)
Yeah, and I can unlock your phone without being locked out by the authentication program if I know your PIN. Were you going for a Captain Obvious award or did you think a tautological statement was somehow insightful? But if the attacker knows the password hash that is not a dictionary attack. In fact, there would be no need for any attack at all.
Re: There we go again (Score:4, Insightful)
You seem to have no clue what a password hash actually is. The whole point of a cryptographic hash is that it's a one-way operation; you can turn a password into a hash easily, but you can't turn a hash into a password without brute forcing it.
Having a hash of a sufficiently strong password is perfectly safe, in fact here's one now, bet you can't find the password from it. It's a basic SHA1 hash, not even salted: b6faa93a9e6ca445875c6b5511e2153bb51ef43a
However if a chosen password appears in a password dictionary then you can cut down your brute force search space by so much it goes from taking years (even centuries) to crack a password to taking a few hours (sometimes minutes).
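To make the last paragraph concrete, an added example in Go (not the commenter's code). It runs a dictionary attack with a few mangling rules against an unsalted SHA-1 digest and compares the number of hashes it needed with the size of the space a blind brute force over the same length would have to cover. The "leaked" digest is constructed here from a made-up password, "Monkey42", so the cracker's target is not the digest quoted in the comment above; the five-word wordlist is likewise constructed.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
)

// sha1Hex is the storage format the comment describes: unsalted SHA-1, hex.
func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Candidates expands a wordlist with cheap mangling rules: the word as-is,
// capitalised, and each of those with a 0-99 suffix. Real crackers ship
// thousands of such rules; the idea is the same.
func Candidates(words []string) []string {
	var out []string
	for _, w := range words {
		for _, form := range []string{w, strings.ToUpper(w[:1]) + w[1:]} {
			out = append(out, form)
			for n := 0; n < 100; n++ {
				out = append(out, fmt.Sprintf("%s%d", form, n))
			}
		}
	}
	return out
}

// DictionaryAttack hashes each candidate and compares it with the leaked
// digest. It returns the recovered password (or "") and the number of hashes
// computed; no salt means one hash per candidate covers every user at once.
func DictionaryAttack(target string, words []string) (string, int) {
	tries := 0
	for _, c := range Candidates(words) {
		tries++
		if sha1Hex(c) == target {
			return c, tries
		}
	}
	return "", tries
}

// BruteForceCandidates is the size of the space a blind search must cover for
// a password of the given length over a charset of the given size: the
// "length and character set" measure from earlier in the thread.
func BruteForceCandidates(charsetSize, length int) float64 {
	return math.Pow(float64(charsetSize), float64(length))
}

func main() {
	// Constructed inputs: a tiny wordlist and a digest of a typical weak password.
	words := []string{"letmein", "dragon", "monkey", "password", "sunshine"}
	leaked := sha1Hex("Monkey42") // the attacker only ever sees this hex string

	pw, tries := DictionaryAttack(leaked, words)
	fmt.Printf("recovered %q after %d hashes\n", pw, tries) // "Monkey42" after 549
	fmt.Printf("blind brute force of 8 mixed-case+digit chars: %.0f candidates\n",
		BruteForceCandidates(62, 8))

	// Something not built from dictionary words survives the same attack.
	pw, tries = DictionaryAttack(sha1Hex("correct horse battery staple"), words)
	fmt.Printf("recovered %q after exhausting %d candidates\n", pw, tries)
}
```

The ratio is the whole argument: a few hundred hashes against roughly 2e14 for the blind search, and a single unsalted digest table can be checked against every leaked account simultaneously. Salting and a slow hash (bcrypt, scrypt, Argon2) do not change the candidate count, but they make each candidate cost far more and force the work to be redone per user.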
A standardized interface for changing passwords (Score:5, Insightful)
Every single site has a different way of giving you a way to change your password. This makes it impossible to write programs to change your password... like a password manager for instance. Imagine if you could just type in your new password into your password manager program, and it changes all the passwords it manages with one click. They could all be randomly generated and different for every site. Hints, recovery, email addresses, could all be updated with one click. With a history as to the previous versions in case something went south.
Instead of struggling with writing all the CAPTCHAs, and strength meters, and interfaces, and all the CRAP that every site on the planet does differently. Just standardize the interface and maintenance of passwords. And then standardize the strength of the generator programs. And voila, permanent security that is controlled where it should be: in your hands.
Re:As long as certain rules are kept (Score:4, Insightful)
"Oh, they should have prepared for that in advance, as soon as they knew they were going to die". Yeah, well, perhaps in some fantasy world. No, the survivors clean up in real life.
Re:The problem is false negative (Score:5, Insightful)
"Yes, we've all seen dozens of those science fiction stories where they steal people's eyes, or cut off their fingers, or take swabs of their DNA."
cute, but not what the poster is talking about.
Your info, whether it's a password or the biometric info, will get turned into a string and stored in a database.
Once that database is compromised, your biometric info on EVERY system you log into needs to be changed to a different biometric. They don't actually need the physical eye.
Re: There we go again (Score:4, Insightful)
Duh. Being Captain Obvious again?
By your previous posts it seemed you needed things put in simple terms, especially since you claimed that 1) knowing the hash is the same as knowing the password (it's not) and 2) rate limiting could defeat offline password cracking (it can't). Do you stand by those claims?
Of course, this is why you lock the accounts until the user resets the password. Poof that attack vector is now gone.
That's no solution: 1) Relies on the attack being detected in the first place. 2) If the user has reused their password elsewhere this doesn't reset those too. It's also completely irrelevant to the question of being able to dictionary attack a password.