DARPA Wants To Kill the Password 383
jfruh writes Many security experts agree that our current authentication system, in which end users are forced to remember (or, more often, write down) a dizzying array of passwords is broken. DARPA, the U.S. Defense Department research arm that developed the Internet, is trying to work past the problem by eliminating passwords altogether, replacing them with biometric and other cues, using off-the-shelf technology available today.
There we go again (Score:5, Funny)
Kill and eliminate passwords? Violence is not the answer.
Re: (Score:2, Funny)
You say that now, but wait until you watch a password facehug and implant an embroy in your friend. He might seem fine then, but you'll be convinced when a password bursts out of his chest and start running around.
Take off and nuke the entire website from orbit. It's the only way to be sure.
Re: (Score:3)
There's no need to nuke the website from orbit. The server is running IIS, it will implode on itself sooner or later.
Re: There we go again (Score:4, Insightful)
We don't need to kill and eliminate passwords, we just need to modify them. The problem with passwords for the average user is the dizzying array of requirements from various websites (between 8 and 20 characters long, required to have upper/lower case and numbers, must have punctuation except "|~, etc.). I've never understood why passwords can't be sentences, like "I'm going to take my dog, Spot, to the park today." It's much easier to remember for the layperson and pretty quick to type once you've done it a few times. IANAC (I Am Not A Cryptologist), but I thought password strength was a function of length and potential characterset. It seems like everyday sentences would be the way to go since guessing it exactly right would be exceedingly difficult.
Re: (Score:3)
The kicker (for me) is that many websites DON'T allow certain character sets.
I've had websites tell me that I'm not allowed to use special characters. One of which was a financial institution.
Re: There we go again (Score:4)
Re: (Score:3, Insightful)
Only if you're dumb enough to let authentication program be suspceptible to such an attack. Dictionary attacks can be trivially defeated by rating limiting tries and after, say, 5 tries not allowing any more attempts for some cooldown period. No attacker is going to bother if they can only have 5 tries every 15 to 20 minutes.
Re: There we go again (Score:4, Informative)
Dictionary attacks can be trivially defeated by rating limiting tries and after, say, 5 tries
Unless they have a copy of the password hash
Re: There we go again (Score:4, Insightful)
You seem to have no clue what a password hash actually is. The whole point of a cryptographic hash [wikipedia.org] is it's one way operation; You can turn a password into a hash easily, but you can't turn a hash into a password without brute forcing it.
Having a hash of a sufficiently string password is perfectly safe, in fact here's one now, bet you can't find the password from it. It's a basic SHA1 hash, not even salted: b6faa93a9e6ca445875c6b5511e2153bb51ef43a
However if a chosen password appears in a password dictionary than you can cut down your brute force search space by so much it goes from taking years (even centuries) to crack a password to taking a few hours (sometimes minutes).
Re: (Score:2)
Only if the passwords haven't been salted properly. Even then, a rainbow tables attack can also be thwarted by the same techniques I mentioned above. Allowing any attacker the ability to do 10s of millions if not a couple of billion (with powerful enough hardware) tries a second to brute force a password is just the height of idiocy. Using constant time password checking, rate limiting, cooldown periods and as a last resort IP bans makes you such an unattractive target that they usually just move on to some
Re: There we go again (Score:5, Informative)
Hey Desler I really don't get you, you (appear to) know what a salt is yet you don't understand that an attacker would be performing the attack on the hash offline, with their own hardware. Rate limiting their own hardware would be, as you put it, the height of idiocy.
Re: (Score:3)
The point he was making is that with proper procedure, a hash could never be attacked offline. As soon as the hash database were compromised, all hashes contained therein would be invalidated. The attacker could brute force that database to their heart's content, and no valid passwords would ever result from it.
This of course assumes the administrators are paying close enough attention to notice in short order when the database has been compromised, and that all users define a secondary means of contact t
Re: (Score:3)
Re: There we go again (Score:5, Informative)
You probably shouldn't try to write about things you don't know about or understand.
1. The industry accepted way to store passwords securely in a database is with a one-way, salted cryptographic hash (using as CPU intensive algorithm as possible).
2. Many organisations have had database intrusions where these password hashes have been stolen (eg. eBay [threatpost.com], Linkedin [sophos.com], LivingSocial [arstechnica.com] etc.)
3. When this happens (i.e. "they have a copy of the password hash") passwords can be cracked offline. Strong passwords are safe (too hard to brute force), but weak passwords can be found using a dictionary attack.
4. Once the password is found offline a hacker can log straight in to the victim's online account with a single password attempt.
Re: There we go again (Score:4, Insightful)
Duh. Being Captain Obvious again?
By your previous posts it seemed you needed things put in simple terms, especially since you claimed that 1) knowing the hash is the same as knowing the password (it's not) and 2) rate limiting could defeat offline password cracking (it can't). Do you stand by those claims?
Of course, this is why you lock the accounts until the user resets the password. Poof that attack vector is now gone.
That's no solution: 1) Relies on the attack being detected in the first place. 2) If the user has reused their password elsewhere this doesn't reset those too. It's also completely irrelevant to the question of being able to dictionary attack a password.
Re: (Score:3)
Nope, because I never claimed that. You misunderstood my point and started falsely assuming things
Yes you did:
"But if the attacker knows the password hash that is not a dictionary attack. In fact, there would be no need for any attack at all." - No, you still need to attack (brute force) the hash to extract the password.
"Yes, that's why you stop such attacks by rate limiting and cooldowns and then eventually just ban their IP if they are just obviously an attacker. If they can only have 5 tries every 15-20 minutes the attacker is going to give up unless the user's password just happens to be near the ve
Re: (Score:3)
Few attacks actually try to login repeatedly.
If they do, there are botnets that help you try lots in a short period of time.
Most attacks involve dumping the password hash database.
And e
Re: (Score:2)
Depends on the hash used, if its a external attack, or if someone has a copy of the db and is trying to figure out what the passwords are.
If you can see everyone hashed password, patterns will emerge.
Re: (Score:2, Insightful)
Dictionary attack on a >50 character password that includes capitals and punctuation in seconds? I want some of what you are smoking.
Even if the attacker somehow knew that it was using sentances made entirely of valid words and not just random characters/words (how would he know this?) thats still one hell of a lot of words to attack.
Re: (Score:2)
I think sentences would be OK. Because of proper case and punctuation, a dictionary hack would take some time.
Also, a brilliant idea I came up with is to use web sites that relate, in some way, to the app or web page I'm trying to get into.
For instance for Facebook, a sentence ... "I love Facebook but it takes up a lot of my time."
or
http://www.timesuck.com/ [timesuck.com]
The sentence would take about 40 tresvigintillion years to crack on a PC. The web site, as password, would take about 837 quintillion years (both estimat
Re: There we go again (Score:4, Informative)
Are you sure about that? [xkcd.com]
Re: (Score:3)
"They can be, but it would be incredibly stupid to use something like that. A dictionary attack would crack that password in seconds"
Really? How?
First off, I would expect that a password cracking script's dictionary would include variations of single words and maybe combinations of 2. There are 11 words in that sentence. Anyone with such a password is such an outlier I can't believe any reasonable script today would be written to even try that!
So, what if everyone used passwords like that? No doubt cracking
Re: (Score:3)
The real bad part about a grammatically correct sentence is memory mutation.
"I'm going to take my dog, Spot, to the park."
"I'm going to take my dog to the park today."
"I'm taking my dog, Spot, to the park today."
"#&@*!!! What was that passphrase?"
Re: There we go again (Score:4, Interesting)
I'm surprised more black-hats don't set up "free" services with that intention.
Re: (Score:2)
Why do they want to kill my password? What's wrong with "@13 unicorn #DARPA gangbang!"? It's secure isn't it?
Re: (Score:3)
Why do they want to kill my password? What's wrong with "@13 unicorn #DARPA gangbang!"? It's secure isn't it?
Damnit, time to change the combination on my luggage again...
All good until someone simulates biometrics... (Score:5, Insightful)
You can change a password, you can't change your retina print. What do you do when your account is compromised? Get new eyes?
Re:All good until someone simulates biometrics... (Score:4, Insightful)
New eyes , new finger prints, and new DNA.
What happens if you get sick or injured? Can you imagine pink eye with retinal scanners? Finger print scanners are fooled by gummy bears.
Re: (Score:3)
Re:All good until someone simulates biometrics... (Score:5, Funny)
Finger print scanners are fooled by gummy bears.
Where I work, the scanners are quite high. Way beyond the reach of even the tallest gummy bears.
Re:All good until someone simulates biometrics... (Score:4, Funny)
They may be short, but don't be fooled - they can actually reach quite high if they have their juice with them.
Re: (Score:3, Funny)
For those of you that don't get the joke: there was a cartoon about bouncing gummi bears in the 80s. It has an amazing theme song:
https://www.youtube.com/watch?... [youtube.com]
Re:All good until someone simulates biometrics... (Score:4, Funny)
>> Finger print scanners are fooled by gummy bears.
> Where I work, the scanners are quite high.
Aww, come on, now, no need to point fingers. If you had to sit there and check people's fingerprints all day you might spark up a bowl and get tempted by gummi bears once in a while too.
The problem is false negative (Score:4, Insightful)
What happens if you get sick or injured? Can you imagine pink eye with retinal scanners?
Yes, this is the serious problem-- just as serious as the problem of people fooling the password-alternative is the problem of the false negatives: getting locked out.
Notice that most of these weren't fingerprint scanners or retinal scanners-- they were stuff like gait monitors, or even more bizarre stuff, like listening to your heartbeat. So, if you twist your ankle--or even buy a new pair of shoes-- you're out of luck. Taking pseudoephedrine for a cold? Ooops, your heartrate is different. You're locked out.
--instead of using these instead of password, however, what about if you use alternate ID as a second check. It doesn't lock you out, but it does trigger a watchdog alert that pays attention to what you're doing.
You can change a password, you can't change your retina print. What do you do when your account is compromised? Get new eyes?
Yes, we've all seen dozens of those science fiction stories where they steal people's eyes, or cut off their fingers, or take swabs of their DNA.
Re:The problem is false negative (Score:5, Insightful)
"Yes, we've all seen dozens of those science fiction stories where they steal people's eyes, or cut off their fingers, or take swabs of their DNA."
cute, but not what the poster is talking about.
Your info, weather its a password, or the bio-metric info will get turned into a string and stored in a database.
Once that database in compromised, your bio-metric info on EVERY system you log into needs to be change to a different bio metric. They don't actually need to physical eye.
Re: (Score:3)
I had a cancerous tumor on my retina.
After treatment, which included radiation (Chip sewn on the lower back part of my eyeball for a week) and lasers, along with the ongoing process of the optic nerve dying from the radiation exposure, I suspect my retina is quite different, and still changing, from 4 years ago when the tumor was treated.
Retinal patterns DO change some times. It's rare, but it happens.
Re: (Score:2)
You hit the nail on the head.
Biometrics are useful, but what about just going with a tried and true PIV/CAC token?
I have always used authentication tokens. (Preferably, multiple tokens for redundancy.) For example, I have several Aladdin eTokens. They are set with a fairly short (16 character) user passphrase, and an obnoxiously long (but memorable) admin passphrase. Both passphrases will permanently lock if more than a certain number of bad attempts are done.
These days, I wish there were a way to make
Re: (Score:2)
Do not verify password with remaining eye.
Joking aside, I suspect DARPA is aware of those issues and taking them into account.
" Finger print scanners are fooled by gummy bears."
Some.
Re:All good until someone simulates biometrics... (Score:5, Insightful)
Exactly right. Biometric passwords are much easier to fake, because you can't change them. They also provide a nice means of identifying surveillance targets. It's almost as if these guys are getting direction from the NSA or something.
Re: (Score:2)
You can change a password, you can't change your retina print. What do you do when your account is compromised? Get new eyes?
Instead of all this BS, just make an app that stores all the sub-passwords from a master password.
You can link your biometrics to the master password and even if you sub-passowrds are compromised, you can change them.
If you master password is compromised, then used a different finger or a different combination of biometric plus another password.
The biggest problem I have faced is the arbitrary password rules. Some sites require you have to choose from .\$[] character set whereas others cannot have it
Re: (Score:2)
You can change a password, you can't change your retina print. What do you do when your account is compromised? Get new eyes?
Instead of all this BS, just make an app that stores all the sub-passwords from a master password.
There are plenty of apps that allow you to store your passwords in a database. Do a lookup on "password manager" and you should get over 250,000,000 hits. The problem is that you need to make sure that the passwords you use are not trivial and should be preferably over 8 alpha-numeric characters in length as well as having at least one special character (ie. !,@$# ... etc). A password generator is actually very good for this however the more complex a password the more you need to rely on a password databas
Re: (Score:3)
With physical keys, a lot of people forget about securing their keys. They leave them out where they can be photographed, for example, or quickly imprinted, or even just compared to another key with all the bite codes on it so the numbers can be noted.
Same goes for locks. A lot of people don't secure their locks, either, which leaves an attacker plenty of opportunity to bypass. Even an area with security which will detect an attempt to pick a lock or force it open, is still vulnerable. You see a guy go up t
Ultimately... (Score:5, Insightful)
Ultimately whatever password replacement you come up with gets turned into TCPIP packets over the intertubes. Whether you are measuring my height, fingerprint, penis size or whatever metric you come up with, it gets turned into 0's and 1's that I can grab and duplicate. It is still information on a remote server than can be hacked and used by third parties.
And worse... once hacked, I can't do much to change my biometrics... so I'm totally screwed once the host server is hacked and a million biometric accounts are compromised.
Re: (Score:2)
Re: (Score:2)
excuse me, I need to go take a red pill...
Re:Ultimately... (Score:5, Funny)
Whether you are measuring my height, fingerprint, penis size or whatever metric you come up with
Penis size is pretty useless as a biometric. It changes depending on the site being accessed.
Re: (Score:3)
Whether you are measuring my height, fingerprint, penis size or whatever metric you come up with
Penis size is pretty useless as a biometric. It changes depending on the site being accessed.
So, that's perfect, password per site, and hard to fake.
Re: (Score:2)
But easy to lose as you become jaded.
Re: (Score:2)
Penis size is pretty useless as a biometric. It changes depending on the site being accessed.
Doubly so on this one, where everyone claims theirs is a foot long.
Re: (Score:2)
Or you use some common sense, and use transport encryption.
presumably so... (Score:5, Insightful)
...when the NSA wants to tap into various accounts, they can track exactly who they belong to and who accesses them because it will be linked to your personally identifiable biometrics
Re: (Score:2)
Also, the various government agencies are increasingly working on gathering and archiving the biometric data of everyone they can. Right now they can collect fingerprints or DNA if you are arrested (and often this information is not purged if you are not convicted); I wouldn't be too surprised if they soon start gathering retina patterns as well. If devices start requiring biometric data over passwords, then the government (and any of their partners, or their employees or anyone who has hacked the database)
I can't change my fingerprint (Score:5, Insightful)
I can change my password anytime if I think somebody copied it. I cannot change my fingerprint or retina. There is no way I'm giving random webshops or google my biometric data.
So...revoke the certificate (Score:5, Informative)
Any biometric password should be based on a certificate, not a direct digital representation of the biometric.
Re: (Score:2)
getnymi.com [getnymi.com]
They aren't sending your biometric data all over the internet. They verify your identity on device and then send a token around.
Re: (Score:3)
As a professional engineer, I have to certify the designs I send out were created by me. In the past, a rubber stamp and an ink signature were used (still are in many places), but I sign everything digitally. I've created and posted a public key hosted on my web server which has been sufficient for 99.9% of clients to date - all but 2. One client required a know authority to hold the certificate, but wasn't willing to pay for it, so we "compromised" and I hand signed the sheets. The other client simply woul
Re: (Score:2)
Can I have a glass of formaldehyde and eyeballs next to my computer i can use if i want to change my password?
Re: (Score:2)
I can change my password anytime if I think somebody copied it. I cannot change my fingerprint or retina. There is no way I'm giving random webshops or google my biometric data.
You'll probably end up giving it to the US government if you go through customs. If not now then whenever Patriot Act III passes.
Re: (Score:3)
Re: (Score:2)
Note that I am not a security researcher and have no idea if what I just said is pure BS or not. However I would hope that people who ARE security researchers have already thought about these aspects.
No, it is not possible to "hash a retina scan", because just like fingerprint scans, the matching process for retina scans is based on feature comparisons. One can say that a retinal feature table is "a kind of a hash", but I disagree: it is quite easy to generate an artificial retina "clone" image from a list of features, just like it is easy to create a fake fingerprint from a list of fingerprint minutiae.
But database hackings are not the big issue here. If fingerprint or retina readers ever go maistream,
Re: (Score:2)
Hashing may prevent Yahoo from breaking into your Google account, but it doesn't help if someone acquires the pre-hash data (e.g. by lifting your fingerprint). The problem noted by the GP still stands.
Granted, random websites are less likely to be able to lift your fingerprint, but coworkers, roommates, and cashiers could do that pretty easily. When Mythbusters tested fingerprint scanners, even though Grant was on alert that they would try to steal his fingerprint, Kari got them by asking him to copy a sta
As long as certain rules are kept (Score:5, Interesting)
I'm ready to switch passwords for anything else as long as:
1 - It can't be extracted from me by an easier method than torture or blackmail.
2 - It stops working forever if I'm dead.
Otherwise, some blood will have to wash away the naivete. Again.
Re:As long as certain rules are kept (Score:4, Insightful)
"2 - It stops working forever if I'm dead."
That is what I am worried about. I would like my wife to have access to my online accounts if for no other reason than to say good bye for me.
Re: (Score:2)
Re:As long as certain rules are kept (Score:4, Insightful)
"Oh, they should have prepared for that in advance, as soon as they knew they were going to die". Yeah, well, perhaps in some fantasy world. No, the survivors clean up in real life.
Re: (Score:2)
I'm ready to switch passwords for anything else as long as:
1 - It can't be extracted from me by an easier method than torture or blackmail.
2 - It stops working forever if I'm dead.
Agreed. Other authentication factors can be taken from you without much difficulty, but password access requires actual conscious cooperation.
On the other hand, I know where they're coming from. For the last five years I've been working on getting as many network services as possible to work with Kerberos authentication. So far, I've got OpenLDAP, OpenAFS, Netatalk (AFP), NFS, OpenSSH, Exim (SMTP), Dovecot (IMAP) and Apache (HTTP) to work with it, which has eliminated a lot of password use, as well as im
Re: (Score:2)
well if you're looking for a biometric that stops working when you're dead, then a penis size based reader would be the perfect choice.
Passwords don't need to be killed (Score:5, Insightful)
Passwords don't need to be killed. If you're thinking about replacing it with biometrics, I think that's thinking about the problem the wrong way too. The fact is, we already have all the technology we need to solve this problem much better than we do today. It's simple: instead of passwords, you should have a password protected private key, with a single password, and then use public keys for authentication. That way, you only need to know one password, and you've also eliminated a lot of the danger of snooping on connections because the private key isn't being sent.
Of course, it would require that everyone pretty much agree on one set of standards for how it's supposed to be implemented, and than developers have to build their products with those standards. Then you probably also want some trustworthy and inexpensive/free Certificate Authorities. Ideally you'd want to be able, though not required, to use the same private key for everything-- email encryption, ssh logins, maybe even credit card purchases-- so you'd need mechanisms for managing your keys, keeping them safe but also making them available when needed. Throw in some dual-factor authentication where you want a high level of security, and you've basically solved the issue.
Re: (Score:3)
DARPA wants for fail at this also? (Score:2)
As many, may other have before, because this problem is not really solvable without AU that can recognize a person? Well, it is a waste of taxpayer money, and fail they will. Biometrics is basically unusable unless you have a security guard monitor the taking of the measurement.
Won't work (Score:3)
Leave the choice to the user (Score:2)
Now thats something innovative DARPA could do: I don't want biometrics, but perhaps someone else might like it, as they don't care much for computers, and would have used a 12345qwert like password.
Come on, most of these authentication methods are inferior, I just don't have the abilities I have with passwords: evil people have to beat me with a stick until they know my password instead of just having to cut off my finger, I can change it whenever I want, a password doesn't identify me (I can stay anon), I
Standards Conflict (Score:2)
There's no way I can see this happening, if only because no one would be willing to settle on a single standard for biometric verification. For instance, I can imagine that some places will want a simple fingerprint.. but others will demand that the fingerprint scanner used by the user to submit their prints detect warmth so that they can be sure that there's no artificial prints, dead bodies, or severed extremities being used to bypass the scan.
Other places will want retinal scans (One eye? Both eyes? Proo
PKI SSL (Score:3)
Not as hard to implement as some of the pipe dreams out there. Of course, it does require a degree of tech savvy on the part of users - and more importantly, enforcing it's use, to avoid laziness bypassing.
Then your challenge becomes certificate transport - you'll need a way to carry around your cert, or somehow get hold of it when you need it, which is easier said than done. The real advantage of passwords is their portability. Biometrics have a similar advantage, but as already noted - are a bit harder to revoke/change.
Re: (Score:2)
I suppose the major mess would be all the phones and tablets that either don't have card readers or USB, or have USB but will never receive driver support outside of third party hacks. Smartcards and their USB attached analogs can handle the job but having accounts that you can't access from almost any mobile device will probably play poorly.
FIDO / U2F - open Yubikey-like standard protocol (Score:2)
How about a standard protocol around devices like Yubikey hardware tokens for integration in the browser (or use with other applications):
https://air.mozilla.org/fido-u... [mozilla.org]
Google, Microsoft are already involved, Mozilla is looking into it.
666 (Score:2, Interesting)
Re: (Score:2)
Re: (Score:2)
Damn you! That's the combination to my briefcase.
Re: (Score:2)
Yeah. But in this case, they have a good point. Whoever controls your access token controls your life (soul).
Even if you don't believe in God, the Bible was used to teach practical knowledge to the people back in its day. There is some common sense wisdom in there if you can get around the concept of an invisible guy in the sky.
Noone has to remember passwords any more (Score:2)
Re: (Score:2)
Biometrics? Over Internet? (Score:2)
So whereas biometrics mig
They should watch "Archer"... (Score:5, Funny)
Pam: Oh, OK, then good luck with all the biometric scanners. Unless you wanna cut off my fingers and scoop out my retinas.
Kidnappers look at each other.
Pam: Oh, don't be dicks!
What other tech gives a choice? (Score:2)
Bad idea (Score:2)
Because accidents happen. No matter how improbable... no matter what kind of artificial barriers we might try and design to prevent them, over time even the unthinkable can and often will happen.
And when it does, some kind of mitigatory system needs to be in place, or else once the system has been compromised, nobody will ever want to use it again. In the case of biometrics, if a database of people's biometric "passwords" has been compromised, potentially allowing somebody to access whatever that dat
Hoping for better solution (Score:2)
Interesting enough, email is the only program we no longer have to sign in to each time, and it also does not time out after inactivity like every other program. That is the place where most sensitive business information would be located. All
of course they do (Score:2)
If DARPA doesn't like passwords, they shouldn't use them. But that shouldn't have any bearing on us puny civilians.
What about remote control? (Score:2)
Biometrics is a great idea to ensure that people are in direct proximity of the device, but what about all the remote control I do?
No, sorry ... (Score:2)
The last thing we need is for our biometric information to be in the hands of every web site which requires a login.
It will kill anonymity, because you will be universally identified.
Sorry, DARPA, but we trust neither you nor private corporations with this kind of stuff.
A standardized interface for changing passwords (Score:5, Insightful)
Every single site has a different way of giving you a way to change your password. This makes it impossible to write programs to write programs to change your password....like a password manager for instance. Imagine if you could just type in your new password into your password manager program, and it changes all the passwords it manages with one click. They could all be randomly generated and different for every site. Hints, recovery, email addresses, could all be updated with one click. With a history as to the previous versions in case something went south.
Instead of struggling with writing all the captcha's, and strength meters, and interfaces, and all the CRAP that the every site on the planet does differently. Just standardize the interface and maintenance of passwords. And then standardize the strength of the generator programs. And voila, permanent security that is controlled where it should be: in your hands.
SQRL (Score:2)
DARPA: send beer
nntp://news.grc.com/grc.sqrl/ [grc.com]
Methods (Score:2)
1) Something you know
2) Something you have
3) Something you are
Any security system is made up of some combination of the above.
Vote fraud, Medicaid fraud, etc (Score:2)
Biometric identification is needed to reduce fraud. We all know how easy it is for one person to vote as many times as they want [dailycaller.com]. There is no way to even estimate how much Medicaid recipient fraud costs. Biometrics certainly won't eliminate fraud in these and other places but it's a step in the right direction.
Unfortunately we're very unlikely to see any progress on this anytime soon. Even suggesting that a person should present identification when voting is met with howls of protest.
Comment removed (Score:3)
Re: (Score:2)
Re: (Score:2)
Who do you think you are, a civilian? A citizen accepts personal responsibility for the safety of the body politic, defending it with his life, a civilian does not. What's a few extremities in the war against computer bugs?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
They can take my biometrics from my cold, dead hands. Passwords/passphrases are a different story.