A lot of security myths have acquired lives of their own and been taken as facts. Dr. Andy Farnell, over at the Cyber Show's blog, has posted an item on where passwords still fit in as part of general authentication, despite what the fleets of salesmen selling authentication gimmicks tell us.
Security models: password or tracker?
Indeed, people do not discriminate between two vastly different security models that should really be obvious with a moment's thought. The question is, "who is the security for?"
Security schemes that ask you to carry around a device which is permanently connected to a network and uses a mechanism that is entirely opaque to you are a different kind of security. It is more than mere access control. It is not security for you.
It may pass for "something you have", but it also functions as a location or close-proximity biometric remote sensor for an observer elsewhere. It's a tracking device.
[...] Partly it's because we've been using passwords wrong for about the past 40 years. The new NIST document partially puts that right. It's also because there's a massive "security industry" that sells things - and you can't sell people the ability to think up a new password in their own head. Where's the profit in that?
Instead they'll tell you that you need a fangled security system of gadgets and retina scans, and that you're too stupid to be trusted with your own security. They are wrong. In most cases passwords are just fine if not better than alternatives, and in this post we're going to explain why.
Thus another theme of this essay is personal responsibility and the crux of the argument is that all security solutions which are not passwords solve problems that are not yours.
Like self-service checkouts at the supermarket that make customers into employees, they are a way of passing blame, liability, and work onto you in order to solve someone else's security problem. As Prof. Ross Anderson bluntly puts it:
"If Alice guards a system but Bob pays the cost of failure, you can expect trouble."
Cybersecurity has become more harmful than helpful in many cases, and biometrics are more of a user name than a password, despite constantly being misused as the latter.
Previously:
(2024) NIST Proposes Barring Some of the Most Nonsensical Password Rules
(2024) VISA and Biometric Authentication
(2023) A Fifth of Passwords Used by Federal Agency Cracked in Security Audit
(2020) Here's Yet Another Reason Why You Really Should Start Using Better Passwords
(Score: 5, Insightful) by Rosco P. Coltrane on Tuesday October 08, @10:46AM (3 children)
the time it takes to devise a safe and convenient way to dream up and remember secure passwords. It's not that complicated and it avoids the following solutions and their pitfalls:
- Password managers: do you trust the software / software vendor? I don't. And even if you do, one technical screw-up and all your passwords are gone.
- Hardware-based primary FA: lose the device, lose access.
- Hardware-based 1FA or 2FA when the hardware is some proprietary app: you're at the mercy of the app's vendor. If your cellphone is too old, the app might fail to work and you need a new cellphone. If you run a deGoogled OS, the app may bitch and moan and you're SOL.
- Tracker- or location-based: I don't want to be tracked. Fuck you.
Also, any form of authentication that lives outside your head can be subpoenaed / cracked by the authorities. Something that lives in your head can never be prised out of it - at least not if you live in a country where torture is illegal, and last I checked, nominally it still is in the US.
And passwords are trivial to change and if you care to remember them, they can be reliably used for a lifetime without fear of technical failure.
Don't be lazy and take the time to dream up a secure password creation "recipe" in your head, and you'll never need to remember any password - just the recipe - and your passwords will be perfectly secure.
(Score: 4, Touché) by Rich on Tuesday October 08, @12:57PM (2 children)
Don't underestimate the power of statistics. One compromised password and some background info (domain names etc.) fed into an LLM trained for the purpose will likely break the scheme, two compromised passwords will break it for sure, unless your head does salted hashing or something close to it.
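The two comments above (a password "recipe" kept in your head, and the reply that one or two leaked passwords break it unless the recipe amounts to salted hashing) can be made concrete. The following is an added example, not code from either commenter or from the article; the master phrase, the site list, the short list of candidate site-name transforms an attacker would try, and the password alphabet are all constructed for the demo. Part 1 is a typical structural recipe (fixed secret + a fragment of the site name + fixed tail) and the attacker-side inference that recovers the recipe from two leaks and predicts a third site's password. Part 2 is what "salted hashing in your head" would actually be: a keyed derivation (PBKDF2-HMAC-SHA256 with the master phrase as key and the domain as salt), which leaks no structure from one site to the next.

```python
from __future__ import annotations

import hashlib
import string
from typing import Callable, Optional

# Constructed demo data. Nothing here is a real credential (assumption: the user memorises MASTER).
MASTER = "correct horse battery staple"
SITES = ["github.com", "example.org", "mybank.net"]

PW_ALPHABET = string.ascii_letters + string.digits + "!#%+-="


def site_label(domain: str) -> str:
    """The fragment a head recipe typically keys on: 'github' from 'github.com'."""
    return domain.split(".")[0].lower()


# --- 1. A typical head recipe, and how an attacker recovers it from two leaks --------------------

def naive_recipe(master: str, domain: str) -> str:
    """Fixed secret + first three letters of the site, capitalised + fixed tail."""
    return f"{master}{site_label(domain)[:3].capitalize()}1!"


# Site-name transforms an attacker tries for the varying part (a short, plausible list; constructed).
CANDIDATE_TRANSFORMS: dict[str, Callable[[str], str]] = {
    "first3_cap": lambda lbl: lbl[:3].capitalize(),
    "first3_lower": lambda lbl: lbl[:3],
    "first2_upper": lambda lbl: lbl[:2].upper(),
    "full_cap": lambda lbl: lbl.capitalize(),
    "full_lower": lambda lbl: lbl,
}


def infer_recipe(leaks: dict[str, str]) -> Optional[tuple[str, str, str]]:
    """
    Attacker side: given two leaked (domain -> password) pairs from one user, find a
    (prefix, transform, suffix) that explains both. Returns the triple, or None if nothing fits.
    """
    (d1, p1), (d2, p2) = list(leaks.items())[:2]
    for name, f in CANDIDATE_TRANSFORMS.items():
        s1, s2 = f(site_label(d1)), f(site_label(d2))
        start = p1.find(s1)
        while start != -1:  # try every position the site fragment could occupy in p1
            prefix, suffix = p1[:start], p1[start + len(s1):]
            if p2 == prefix + s2 + suffix:
                return prefix, name, suffix
            start = p1.find(s1, start + 1)
    return None


def predict_password(recipe: tuple[str, str, str], domain: str) -> str:
    """Apply a recovered recipe to a site the attacker has no leak for."""
    prefix, name, suffix = recipe
    return prefix + CANDIDATE_TRANSFORMS[name](site_label(domain)) + suffix


# --- 2. What "salted hashing in your head" would be: a keyed, per-site derivation ----------------

def derived_password(master: str, domain: str, length: int = 20, iterations: int = 600_000) -> str:
    """
    Per-site password = PBKDF2-HMAC-SHA256(key=master, salt='pw:'+domain). The site name is the
    salt, the master phrase is the key, so one leaked password carries no structure usable against
    another site. The iteration count still matters: a leaked password is an offline oracle for
    guessing the master, so the master must be strong and the derivation slow.
    """
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), f"pw:{domain}".encode(), iterations, dklen=32)
    n = int.from_bytes(dk, "big")
    # The lowest `length` base-|alphabet| digits of a uniform 256-bit value are uniform to ~2^-120.
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(PW_ALPHABET))
        chars.append(PW_ALPHABET[r])
    return "".join(chars)


def demo() -> dict:
    naive = {d: naive_recipe("Tr0ub4dor", d) for d in SITES}
    recipe = infer_recipe({d: naive[d] for d in SITES[:2]})          # two leaks of the head recipe
    guess = predict_password(recipe, SITES[2]) if recipe else None
    strong = {d: derived_password(MASTER, d) for d in SITES}
    return {
        "naive_recipe_recovered": recipe,
        "naive_third_site_guess_correct": guess == naive[SITES[2]],
        "derived_recipe_recovered": infer_recipe({d: strong[d] for d in SITES[:2]}),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker in part 1 needs nothing but two leaked passwords and the domains they came from; a more realistic attacker extends `CANDIDATE_TRANSFORMS` from a breach corpus, which is the "statistics" point. Part 2 is, functionally, a deterministic password manager with no stored vault, which is why the last comment in this thread is not wrong either: the recipe is still a master secret, and everything rests on how strong it is.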
(Score: 0) by Anonymous Coward on Tuesday October 08, @11:17PM
> unless your head does salted hashing or something close to it.
Like this?
https://www.youtube.com/watch?v=WTLsNRpxcuk [youtube.com]
(wait for the end for the lyrics)
(Score: 1) by shrewdsheep on Wednesday October 09, @06:55AM
The recipe is the (simple) password for a password manager.