from the isn't-it-about-time-to-move-on dept.
Submitted via IRC for TheMightyBuzzard
A global study from IBM Security examining consumer perspectives around digital identity and authentication today found that people now prioritize security over convenience when logging into applications and devices.
Generational differences also emerged showing that younger adults are putting less care into traditional password hygiene, yet are more likely to use biometrics, multifactor authentication and password managers to improve their personal security.
With millennials quickly becoming the largest generation in today's workforce, these trends may impact how employers and technology companies provide access to devices and applications in the near future. Overall, respondents recognized the benefits of biometric technologies like fingerprint readers, facial scans and voice recognition, as threats to their digital identity continue to mount.
Source: https://www.helpnetsecurity.com/2018/01/29/authentication-today/
(Score: 4, Informative) by Apparition on Tuesday January 30, @05:16AM
As someone who has been the victim of credit card fraud five times, and victim of the Chinese government helping itself to my name, address, telephone number, Social Security number, fingerprints, and God only knows what else [wired.com], I have to say no thanks to biometrics. Biometrics may make a passable identifier to replace logins with, but passwords? No.
(Score: 0) by Anonymous Coward on Tuesday January 30, @05:20AM (3 children)
But they don't get better security. The state just gets better tracking, of everything you do, everywhere you go, everything you buy. "Security" is bullshit. It certainly isn't for yours. And in fact, all this does is make fraud more convenient than trying to be honest. If my real credentials don't work, I just get some fake ones that will work better, and easier.
We have every right to demand convenience, and security. There is no reason to sacrifice one for the other. With sufficient demand we will get what we want. Unfortunately we have to do it together.
(Score: 5, Insightful) by maxwell demon on Tuesday January 30, @06:12AM (2 children)
"We have every right to demand both eating our cake and having it. There is no reason to sacrifice one for the other."
Security is inconvenience. Even a simple password prompt is an inconvenience. You cannot get security without inconvenience.
Biometrics is convenience (no need to remember passwords), but at the cost of security (biometrics are not unbreakable, as has been frequently proved, and if your biometrics have been cracked, you cannot simply replace them).
Two-factor authentication is security, but at the cost of inconvenience (you have to carry around that second factor; if you use the phone as second factor, you get more convenience because you carry it around anyway, but at the same time less security because phones are greatly more hackable than dedicated authentication devices).
Password managers are a mixed bag. In principle, they don't give more security, as they just store passwords; theoretically you'd be more secure by storing those passwords in your head. In practice, they actually can increase security because our brain's ability to hold strong passwords is not very good (OTOH, a weak password on your password manager effectively weakens all passwords stored in it). The password managers on one hand increase convenience because you have to remember fewer passwords (just the one for your password manager), on the other hand decrease it because you always have to have your password manager around, and if you happen to forget your password manager's password, the shit really hits the fan.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by anubi on Tuesday January 30, @06:47AM (1 child)
My main beef with password managers is monoculture.
Once the encryption algorithm of *that* manager has been compromised, all the others are apt to be compromised as well.
Once the word is out how a "bump key" works, nearly all mechanical locks of that design are degraded as far as security goes.
Personally, I consider the lock as nothing more than evidence that I intended no access, and violation of my lock is only evidence that entry was gained without permission. I have other methods (covert cameras) to document the act so I can seek redress in a court of law.
Everybody has known for years that locking your car is no defense against a Slim Jim. I have even had to use that way myself a couple of times when I locked my keys in the car.
The thing that concerns me these days is how impersonal identity theft has become. All done by scripts. I never will know who is dinging me, and nearly every business demands my info with the quite legitimate reason that they need to vet me... problem is they keep sharing that information, willingly or accidentally, so that slowly but surely, everyone's private affairs get cross-referenced and indexed onto darkweb databases. Nothing is private anymore. I don't have anything that can't be replicated sufficiently to deceive a sensor so as to perform actions in my name.
The number one reason for my failure to accept even "micropayments" on the web is because in order to pay, even one cent, I have to reveal my payment credentials. I can trust NOBODY. Not even Equifax! They all *say* they can be trusted, but their fine print all says "if you actually believe what we told you in large print, you are a big trusting fool!".
I can't shut down everything, but I will avoid any kind of payment / identification for certain things, well known to be highly risky, such as porn, warez, pirated stuff, anything illegal, gambling, and games. I don't even have a google account yet. I use an anonymous email account, which I would pay for, if I knew beyond a shadow of a doubt, that they would not share my real info. I have researched through Spokeo and already there is far more stuff out there on me than I feel comfortable with. As a result of the Equifax breach, I know that there is enough out there to confuse the entire population of the world as to who is really who.
It's no longer a function of being careful.
It's now a function of pure statistics as to when my identity is going to be misused.
My best attempt to cope with this was to adopt a much lower lifestyle, so little is at risk. Own your stuff outright and pay cash when possible, using credit cards if necessary for telepurchases. Pay your debts off. If you have money laying around, keep it in some sort of investment which requires you to interface with your banker/broker. Personally. Something fishy comes over the wire, and they will question it.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by c0lo on Tuesday January 30, @07:46AM
Yes, but recall that joke with the guy donning his runners and telling his companion: 'I don't need to run faster than the lion, I only need to run faster than you'.
If a hacker targets you, it's only a matter of time before he gets your identity. If you are only one of the many, you only need to be a bit 'more secure' than most of the others.
True, given how many companies store data about you, you have little control over what/when the things go south. Minimising your profile indeed involves minimising the number of companies you share your data with.
Also, which devices you use to interact with them.
I'm using a single payment processor and that is linked with a debit card account which is loaded only minutes before making a purchase. If a webshop doesn't accept that payment processor, I don't buy from that shop.
And I do my online shopping and ebanking only from a laptop at home, a laptop that runs Linux (thanks deity the era of IE-only support is dead), a laptop that never leaves my home and is powered off most of the time.
(Score: 4, Insightful) by Anonymous Coward on Tuesday January 30, @05:32AM
Biometrics are a really really bad idea. I think we're all kind of influenced by the old sci-fi and thriller media where people log in to things using retinal scans, voice checks, and other things. It seemed really cool and futuristic so naturally we want to go that way. In reality biometrics are like using the exact same password on every site you go to. Technology to spoof biometrics already exists and at that point literally every single device you've "secured" with it becomes broken. And unlike passwords, you can't simply change your biometrics.
(Score: 2) by The Mighty Buzzard on Tuesday January 30, @05:50AM (2 children)
Bytes are bytes are bytes. It doesn't matter if you derive them from keystrokes or points on someone's finger or retina. The only things that matter are making the key as large as is practical and not using methods that make the bytes that make up the key be easy to brute force.
As for fingerprints, you leave them all over the place every single day. Follow anyone around for an hour and I can pretty much guarantee they'll leave ten clear prints for you to lift from the multitude of things they touch without thinking about it.
Now with #freearistarchus! Not 10% off. Not 50% off. Not even 90% off. Free!
(Score: 3, Insightful) by c0lo on Tuesday January 30, @07:52AM (1 child)
Oh, but it does.
If your retinal pattern is captured/duplicated in a way which can be used to fool a retinal scanner, good luck in performing a retinal reset.
Replace that value with any biometrics-derived bytes.
(Score: 0) by Anonymous Coward on Tuesday January 30, @10:59AM
Does anyone know how reliable retina scans are in the case of a cataract or similar disease where the image of the retina gets less clear?
(Score: 3, Insightful) by Rosco P. Coltrane on Tuesday January 30, @05:53AM
They're stored in your head - meaning:
1/ They're the only thing nobody can pry from you if you don't want to.
2/ They can be changed at will, unlike biometrics. If your biometric data are out in the open, it's game over. When your password is lost, you change it.
I'll keep my passwords thank you very much. All they require is a little bit of effort to remember them.
(Score: 2) by MichaelDavidCrawford on Tuesday January 30, @06:29AM (3 children)
I once saw a movie in which the bad guy wanted to get into a restricted area so he removed one of the good guy's eyeballs then held it up to the camera on the end of a pencil.
127.0.0.1 www.hosted-pixel.com # I Am Absolutely Serious
(Score: 1, Informative) by Anonymous Coward on Tuesday January 30, @10:51AM
Demolition man: http://www.imdb.com/title/tt0106697/ [imdb.com]
You're welcome.
(Score: 2) by The Mighty Buzzard on Tuesday January 30, @11:27AM
Outstanding movie. One of the best action flicks of all time.
Now with #freearistarchus! Not 10% off. Not 50% off. Not even 90% off. Free!
(Score: 0) by Anonymous Coward on Tuesday January 30, @03:02PM
Plenty of other occurrences in fiction as well:
http://tvtropes.org/pmwiki/pmwiki.php/Main/BorrowedBiometricBypass [tvtropes.org]
(Score: 3, Insightful) by MichaelDavidCrawford on Tuesday January 30, @06:31AM (11 children)
There is a certain class of website for which I've been using the very same password for twenty years.
If they require only what I regard as a sensible password I use the exact same one.
If they want what I regard as a paranoid password, I pull something out of my ass, then request the change password link every time I log in.
I once had a spreadsheet with all my passwords on it but then I forgot the password to the encrypted disk image it was on.
127.0.0.1 www.hosted-pixel.com # I Am Absolutely Serious
(Score: 1, Insightful) by Anonymous Coward on Tuesday January 30, @06:43AM (10 children)
"elephant" here! I'm pretty much the same. The biggest problem is site A wants a six to eight character password while site B wants a ten to twelve character password. I have a "sensible" password, plus a paranoid one that adds a few bells and whistles (symbols). Then you get workplaces that make you change your password and keep a history so you can't use a previous one! fun...
(Score: 1) by anubi on Tuesday January 30, @07:02AM (8 children)
Personally, I wish they would hash the password strings... so I could enter literally anything of anything, maybe up to 4K bytes if I thought it prudent. By running an MD5 or similar hash on what I presented, they will be returned a fixed-length binary string that will be easy to store in their database. If anyone cracked their database... good luck. I know MD5 is broken... maybe another algorithm? I still use MD5 a lot in my stuff (file integrity verification), but it probably would not be prudent for mass market stuff.
Now, for me, on my side, I want to log into my bank... I might call up a local text file (such as a copy of the Bible), cut a piece of it, then paste it into the password window. My "password" is knowing where to go, and what to cut. Likely it's a Bible verse meaningful to me, as I can go to any Bible site and get the exact same text for that particular version of the Bible should I find myself lacking my local copy. I might choose an entire chapter sans the first three words. That's a helluva lotta entropy.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by acid andy on Tuesday January 30, @08:07AM (3 children)
The MD5 string is a fixed length, say, 16 bytes, so why would it be more "prudent" to use a 4K password? Surely beyond a certain point, adding length won't give you more security unless your password is using dictionary words making it more brute-forcible? I mean, you paste in your 4K string, it's hashed down to 16 bytes, but there must be other much shorter strings that would theoretically evaluate to the same hash. Or did I miss something somewhere?
Ah though if it's Bible verses (or other English text) you're pasting in I can see that the entropy would be limited if it was just 3 or 4 words compared to a whole chapter. You'd still have to paste it though unless you have a photographic memory and want to type away for ages, so why not a shorter, random string?
Make hay whilst the intervening mass is insufficient to inhibit the perceived intensity of incoming solar radiation.
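An added example, not code from anubi or acid andy, showing what the server-side hashing proposed two posts up looks like when done with a salted, iterated KDF from the Python standard library (PBKDF2-HMAC-SHA256) instead of bare MD5. It demonstrates the point acid andy raises: a one-word password and a pasted 4 KB passphrase both store as the same fixed-length record; it also shows why a plain digest is a poor stored value (two users with the same password get identical hashes) and how verification works without the password ever being stored. The iteration count, salt and digest lengths and the sample passwords are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this demonstration; production values should
# follow current guidance for the chosen KDF.
ITERATIONS = 200_000   # PBKDF2 work factor
SALT_LEN = 16          # random salt per stored password, in bytes
DIGEST_LEN = 32        # length of the derived key, in bytes


def unsalted_md5(password: str) -> str:
    """The scheme described in the post: plain MD5 of whatever was typed.
    Fixed length, but every user with the same password gets the same value,
    and MD5 is fast enough to make guessing cheap."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password, salt).

    The stored record is always SALT_LEN + DIGEST_LEN bytes, whether the
    input is one character or a pasted 4 KB passphrase."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return hmac.compare_digest(candidate, digest)


def stored_length(password: str) -> int:
    """Size of the record a database would hold for this password."""
    return len(hash_password(password))


if __name__ == "__main__":
    # Constructed sample inputs: a short password and a 4096-character passphrase.
    short = "hunter2"
    long_text = ("Prove all things; hold fast that which is good. " * 100)[:4096]

    print("stored bytes for short password:", stored_length(short))
    print("stored bytes for 4096-char passphrase:", stored_length(long_text))

    # Same password, two users: plain MD5 repeats, salted records do not.
    print("md5 identical:", unsalted_md5(short) == unsalted_md5(short))
    print("salted identical:", hash_password(short) == hash_password(short))

    record = hash_password(long_text)
    print("verify correct:", verify_password(long_text, record))
    print("verify wrong:", verify_password(short, record))
```

The fixed output length is a property of every hash, so length alone is not what makes the scheme safe; the per-user salt and the deliberately slow KDF are what turn a leaked table into an expensive problem for whoever holds it.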
(Score: 1) by anubi on Tuesday January 30, @09:00AM (2 children)
I was thinking of something that was easy for ME to remember... I may remember a lengthy Bible verse much easier than even 16 bytes of something meaningless to me. And, to save typing, cut and paste. And longer, if I deliberately wanted to obfuscate, or it could be just one character.
If I wanted, I could make a "password generator" that predigests a "master password" into the MD5, and base all my "stored passwords" off of that, so even if my password generator was compromised, it has no idea of the "master password" that was digested first - still rendering someone with a lot of work to do. Nothing saying I can't send them my MD5, and they MD5 that again for their database.
I am trying to think of basing my encryption off of little things I know or can recreate.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by xorsyst on Tuesday January 30, @09:44AM (1 child)
I think what you're after is basically supergenpass - it's a javascript applet / phone app that combines the site's domain name and a master password you specify, MD5s them, and generates a 10 character password for the site.
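An added example, not SuperGenPass's own code and not anubi's generator, of the idea xorsyst describes: derive a per-site password deterministically from a master password and the site's domain, so only the master has to be remembered and the generator itself holds no secret. Where SuperGenPass uses MD5 and a 10-character output, this version swaps in PBKDF2-HMAC-SHA256, lets the caller set the length and alphabet, and retries until the result contains every character class the alphabet offers (sites that demand "one digit, one symbol"). The domain normalisation rule, iteration count and default alphabet are assumptions.

```python
import hashlib
import math
import string

# Assumed defaults for the demonstration.
SYMBOLS = "!@#$%^&*"
DEFAULT_ALPHABET = string.ascii_letters + string.digits + SYMBOLS
ITERATIONS = 100_000   # PBKDF2 work factor


def normalize_domain(domain: str) -> str:
    """Fold case and strip whitespace and a trailing dot so 'WWW.Example.com'
    and 'www.example.com' yield the same password. (Assumed rule; SuperGenPass
    applies its own subdomain handling.)"""
    return domain.strip().lower().rstrip(".")


def _meets_policy(pw: str, alphabet: str) -> bool:
    """Require at least one character from each class present in the alphabet."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    for cls in classes:
        class_in_alphabet = any(c in alphabet for c in cls)
        if class_in_alphabet and not any(c in cls for c in pw):
            return False
    return True


def _encode(digest: bytes, length: int, alphabet: str) -> str:
    """Map the digest onto `length` symbols by repeated division. The digest
    carries far more bits than the output needs, so modulo bias is negligible."""
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def derive_site_password(master: str, domain: str, length: int = 16,
                         alphabet: str = DEFAULT_ALPHABET) -> str:
    """Deterministic per-site password from (master, domain).

    The domain goes into the PBKDF2 salt slot: it is not secret, it simply
    makes every site's derivation distinct. The counter is bumped only when
    a candidate fails the character-class policy, so the result stays
    reproducible."""
    site = normalize_domain(domain)
    # Enough derived bytes to cover `length` symbols, with slack for encoding.
    dklen = max(32, math.ceil(length * math.log2(len(alphabet)) / 8) + 8)
    for counter in range(256):
        salt = f"{site}:{counter}".encode("utf-8")
        digest = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                     salt, ITERATIONS, dklen=dklen)
        candidate = _encode(digest, length, alphabet)
        if _meets_policy(candidate, alphabet):
            return candidate
    raise RuntimeError("no candidate satisfied the character-class policy")


if __name__ == "__main__":
    # Constructed sample: one master, two sites, one site restricted to alphanumerics.
    master = "correct horse battery staple"
    print(derive_site_password(master, "www.example.com"))
    print(derive_site_password(master, "example.org"))
    print(derive_site_password(master, "bank.example", length=12,
                               alphabet=string.ascii_letters + string.digits))
```

Two caveats follow from the design rather than the code. Any one derived password reveals the length and alphabet in use, as janrinok notes further down, so set both to the maximum the site accepts. And because every site password is a pure function of the master, a leaked master is a leaked everything; the master therefore needs the strength the post's "paranoid" tier implies, and there is no way to rotate a single site's password except by changing the domain string or adding a per-site counter to the input.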
(Score: 1) by anubi on Tuesday January 30, @10:00AM
Yes... that's the ticket!
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by janrinok on Tuesday January 30, @09:18AM (3 children)
I've taken this to the next stage. I have a file containing many megabytes of random data. I also have a python script that accepts my relatively simple passphrase, processes it to provide values for 'START' and 'LENGTH' and it returns the random string from the data based on the 2 values provided. It all lives on an encrypted drive, and I can use it for any number of different passphrases - even the name of the site that wants it e.g. 'www.amazon.fr'. If the site only accepts alphanumerics it can simply convert the random string by hashing or base64 encoding. CopyPasta and the job is done. Took me 15 minutes to write and works perfectly. The whole thing lives on my internal server and is accessible from anywhere on my cabled network - not a wifi connection in sight! If somebody hacks into that I have bigger problems than just losing my passwords.
The script is also accessible from other machines on the network, and so can get the keys for encrypted drives etc, even at boot time.
Now such a program might be beyond the abilities of many, but anyone could have a copy of the program and provide their own source of 'random data' and the 'processing rules'. I wouldn't want everyone to know each others' processing rules.
Just make sure that you keep a copy of the program and the random data securely in several places. You don't want a single point of failure to negate all your passwords now, do you?
It's always my fault...
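An added reconstruction of the scheme janrinok outlines, written for this page rather than taken from the poster's script: a pool of random bytes, a passphrase that is hashed to pick START and LENGTH, the slice at that window returned as the secret, and base64 or hex encoding for sites that only accept printable characters. The specific processing rule, the length bounds and the pool are assumptions; the pool here is generated from a fixed seed so the example is reproducible, whereas a real pool would be written once from `os.urandom`, kept on the encrypted drive, and backed up in several places as the post advises.

```python
import base64
import hashlib
import random

# Constructed demonstration pool. Deterministic ONLY so the example reproduces;
# a real pool would be os.urandom(POOL_SIZE) saved to a file and backed up.
POOL_SIZE = 64 * 1024
POOL = bytes(random.Random(20180130).getrandbits(8) for _ in range(POOL_SIZE))

MIN_LEN, MAX_LEN = 24, 48   # assumed bounds on the extracted secret, in bytes


def derive_window(passphrase: str, pool_len: int) -> tuple:
    """The 'processing rule': hash the passphrase and read START and LENGTH
    out of the digest. Any deterministic rule works; the posts' point is that
    each person keeps their own rule private."""
    digest = hashlib.sha256(passphrase.encode("utf-8")).digest()
    length = MIN_LEN + int.from_bytes(digest[:2], "big") % (MAX_LEN - MIN_LEN + 1)
    start = int.from_bytes(digest[2:10], "big") % (pool_len - length)
    return start, length


def lookup_secret(passphrase: str, pool: bytes = POOL) -> bytes:
    """Return the raw random bytes the passphrase points at."""
    start, length = derive_window(passphrase, len(pool))
    return pool[start:start + length]


def site_password(passphrase: str, pool: bytes = POOL,
                  alphanumeric_only: bool = False) -> str:
    """Render the secret in a form a password field will accept: hex for
    sites that reject symbols, unpadded base64 otherwise."""
    secret = lookup_secret(passphrase, pool)
    if alphanumeric_only:
        return secret.hex()
    return base64.b64encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    # Constructed sample passphrases, including the site-name style from the post.
    for phrase in ("www.amazon.fr", "bank", "soylent"):
        start, length = derive_window(phrase, len(POOL))
        print(f"{phrase!r}: start={start} length={length}")
        print("  ", site_password(phrase))
        print("  ", site_password(phrase, alphanumeric_only=True))
```

Two properties worth noticing. The security of each password rests on the pool, not on the passphrase: the passphrase only selects a window, so a weak or guessable passphrase costs nothing as long as the pool stays private, which is exactly why the post treats the pool and the rules as the thing to protect and back up. Conversely, the window rule is a single point of failure: anyone holding both the pool and the rule can reproduce every password from the short passphrases, which is the trade janrinok discusses in the memory-stick reply below.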
(Score: 1) by anubi on Tuesday January 30, @09:58AM (2 children)
Cool!
My "file" is a copy of a particular version of the Bible, which I can access from nearly anywhere on the internet. Like you say, the main thing is keeping my "processing rules" to myself. With the same goal in mind you just stated... about having a single point of failure negate all my passwords, rendering them unrecoverable, even to me.
Ideally, I would like any password window to be able to accept the output of my MD5 digester. That way I can have different high-entropy passwords for everywhere. But to me, the password for, say here, would simply be "soylent". And the bank is simply "bank". Just something different so that the hashes I generate will be different. The real core of the thing is like you say, the processing rules "ruleset" is the heart of the security mechanism, which everyone makes for themselves.
One would have to code the thing themselves so that no automated script can be made to ferret out the critical heart and send it home.
Scripts correlate code easily to known patterns. Every instance of this thing has got to be unique.
Otherwise, the whole shebang becomes as fragile as monogenomic corn is to a deliberately engineered corn virus.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2) by janrinok on Tuesday January 30, @02:28PM
I deliberately do not do this although I can understand the convenience that it would provide. I would rather cut and paste; the web page only has access to whatever I paste in the window. I could add a few more lines of code so that it is already in the buffer and a Ctrl-V is all that is required. It cannot discover where I get that data from or how it was generated, indeed I can change the location of the program freely as long as I know how to run it. At home, it isn't even running on the same machine that I use to access the internet.
For example, I have the same program, data and processing rules on a memory stick so that I can travel with it or use another computer other than my own. After I have removed the stick there is nothing on the host machine to compromise it. If the memory stick is lost, stolen or seized by LE it might compromise my random data and processing rules, but without knowing what 'key' I type in to access a specific password it is unlikely to produce the correct data for anyone else. And that is assuming that whoever finds it recognises what it is or what it might be used for.
If you use the output of MD5SUM someone already knows the length of your password and the valid character set, although that is certainly much more secure than a simple passphrase. However, I realise that many websites only accept a very limited character set anyway. I have also found a few sites that only look at the first n characters so any more than that is ignored. Any additional effort on our part will achieve nothing in terms of additional security. I don't tend to use those sites often as I seriously doubt their commitment to keeping my data safe.
It's always my fault...
(Score: 2) by janrinok on Tuesday January 30, @02:55PM
Giving it a bit more thought, the rule set is nothing more than a sequence of numeric values in my program - how they are generated is the key - and the program knows how to interpret them. However, it would be easy for me to add an 'installation key' facility so that any key specified would automatically generate the rule set and a large random data file. The installation key would only be used once (it would be repeatable given the same key on subsequent installations) but would mean that anyone could install the program, choose an installation key, and be good to go with a unique set of random data and rules. Hiding the rules somewhere in the random data set would make them unrecoverable unless one knew where to look for them.
I might kick this idea around a bit but, for my current needs, it is not necessary.
It's always my fault...
(Score: 2) by c0lo on Tuesday January 30, @01:47PM
1. Have a password that you trust is good enough and has all the symbols/digits/caps etc.
2. Each time you are required to change the password, form the new password from your trusted password, to which you prepend/append the month-year of the change.
Like 'welcome-2018jan' then 'june-welcome2018'.
(Score: 4, Insightful) by stretch611 on Tuesday January 30, @08:06AM (1 child)
Biometrics are a good replacement for userids. They are horrible for passwords; they are too easy to fake, and impossible to alter even when compromised.
Multifactor sadly is questionable in most cases and more often than not used to get more personal information about you that companies do not need to know. Companies don't give a damn about your private information... they only want the cheapest "security theater [wikipedia.org]"
-- many ask for personal questions for authentication or password resets. However, many of these questions can be answered by anyone who can read your facebook or other social media. This makes them like a second password only worse because they are much easier to guess. Why try to crack a password when you can figure out the name of the person's hometown and reset their password for them?
-- (non)Random number generators, like SecurID and others are a good thought... However, a few years ago they were hacked making their devices useless. And that will always be the case... once the company providing it has the authentication for a good number of users, it becomes a prime target and it becomes a question of when, not if they will be hacked.
-- Steam and Gmail want to text you via your cell phone a "random" auth code. Personally, my game library is not worth the effort, and I would rather not give my cell phone out to every f-ing company in the world that I do business with. They have my home email... they can send the code there... just as valid and I can cut and paste the code which makes it easier for me than to type it. Especially if it is small type or uses 0/O, 1/l, S/5 or many of the other combinations that are hard to determine on a small screen or small font.
Password Managers are the best option... but only if you don't do it half-assed. LastPass (and others)... hell no... Any online password manager is only one hack away from you losing everything. And trust me, any server with that number of users and that many passwords is constantly under attack. Browser based storage is just as bad if not worse. Every modern browser is updated monthly with security fixes... Good that they are working on it, but it just proves how insecure they are.
I use KeePassX [keepassx.org]. Stored on a local drive. Requiring a 4096 byte key file AND a password. (Mine is over 15 chars, with numbers, upper, lower, and symbols.) No chance in hell of me using any type of plugin to automate the process. A backup is stored on a flash drive and the key file separately.
(Score: 0) by Anonymous Coward on Tuesday January 30, @01:20PM
Not even remotely, or at least not if you care about privacy. I like the ability to enter random, different userids on sites that I register on.
(Score: 0) by Anonymous Coward on Tuesday January 30, @10:53AM (1 child)
Never really understood why OpenID didn't catch on... even for us techies you could set up your own service at home. Identify on your own system (with your own methods) and have access to any site that supports it.
(Score: 2) by janrinok on Tuesday January 30, @03:03PM
I wonder if this is back to the 'convenience' problem again?
You and I might not have a problem with using OpenID but the average user doesn't seem to care too much about security, especially if one looks at how they use social media! Unless everything is set up when they purchase the device they don't seem interested.
It's always my fault...