
Google Declares War on the Password - tonfa
http://www.wired.com/wiredenterprise/2013/01/google-password/
======
belorn
There is an old RFC that explains the problem in very simple terms. Security
need to be transparent, or it fails. If the user need to see and use security
in order to be secure, the user will eventually do something to render the
security ineffective.

If you got passwords, users either pick easy ones or write them down next to
the device that needs them. If you require physical "key" items, user leaves
the key next to the computer that needs it.

When designing a security system you need to acknowledge this limitation, and
design the system with it in mind. Running between "something you know"
(passwords) to to "something you know and has" (Two-factor authentication like
password and phone), and now back to only "something you have" (an USB key)
won't solve the problem.

~~~
mattmanser
I have known a fair few people over the years who have had security tokens to
be able to login at work.

They all keep them on their key chain so I don't agree with your premise.

The only thing I never understand is why, like the device pictured, they're
designed with strings and thin plastic instead of chains and a beefy case.

~~~
archangel_one
Because they're expected to be kept on a keychain which is commonly kept in
one's pocket and which you'd rather not have filled up with chains and bulky
cases?

------
meaty
Used one of these before (YubiKey) - they are an utter pain in the arse.

The contacts get dirty, they dont fit some USB ports properly, they die
regularly, are absolutely no good if you don't have a USB port handy (my
desktop for example doesn't have a USB hole in the front or on the keyboard or
monitor, resulting in crawling around under my desk to authenticate) and to be
honest quite fragile.

All it does is act as a USB HID keyboard and pump some text down when you
press the button on it. It's basically about as secure as an RSA key but
requires physical electrical contact with the machine.

No thank you.

(For reference <http://bigv.io/> uses these).

~~~
archangel_one
FWIW, I've had one at work for a year now and I've had nearly none of the
problems you've mentioned. It's fit into all USB ports I've tried, the
contacts are still fine, it hasn't died, it doesn't seem fragile (or at least
hasn't broken yet) and I haven't had to crawl anywhere to plug it in. The most
annoying thing (apart from the general annoyance of a second authentication
step) is that I can't use it via my phone; a screen on it would be handy for
that.

~~~
meaty
I'm glad you've had success. You must look after yours better than our clients
did!

~~~
DannoHung
Man, I've just got it on my keys and shove them in my pockets... I wonder what
your clients were doing with the things...

~~~
meaty
They're in the financial services industry so they are the manifestation of
the infinite monkeys theorem.

------
reidrac
This reminds me to RSA SecurID:

"In a 21 March 2011 email to customers, RSA essentially admitted that the
information stolen from their internal network could allow an attacker to
compromise a SecurID-protected system without having physical possession of
the token."

[http://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_c...](http://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise)

So passwords are a bad idea, but I'm not sure if I want to replace a problem
with a different one.

~~~
majelix
This is actually why two factor authentication is great. In this instance,
users were still protected (at the least) by their PIN.

This is somewhat equivalent to losing your ssh private key. Yes, it's bad, but
your passphrase should ("should" -- at least it's not an immediate breach like
losing a password or clear text private key) buy you enough time to revoke and
replace the key.

~~~
TheCapn
Exactly. Until we can come up with a better system the rule of thumb is:

1) Know something

2) Have something

Its somewhat easy for a potential cracker to gain access to either one of the
two, but extremely difficult to have both.

Hell, when I used SecurID at one of my first jobs you had a PIN to go with the
token number, almost like a salt to your password. Even if they had the key
they wouldn't be able to access my accounts.

------
ComputerGuru
Google already has the two-factor authentication with Google Authenticator for
iPhone and Android. I use it for my Google account and (this is the awesome
part) other websites that use their API to add their auth keys to the Google
Authenticator app on my phone.

~~~
mattmanser
I'm actually not a fan at all of the OAuth craze.

What happens when you want to leave Google services?

You will be locked in. I remember the days when everyone had hotmail. At some
point you will want to leave gmail or google apps. Genius move on their part
though.

~~~
bitdestroyer
I understand your point, but I do think Google may be a bad choice of
examples. If I'm not mistaken (correct me if I am), they have or are
implementing some data liberation functionality to download your data from
their systems.

My work blocks Google Account access so I can't quite verify this for you, but
I believe it's there. I'm not sure how far it spreads across their product
offerings though at this point.

~~~
takluyver
Their information site on exporting your data:
<http://www.dataliberation.org/>

The tool to export data from some of their services:
<https://www.google.com/takeout/>

You can set up an IMAP/POP connection to GMail and copy your emails out.
gmvault (a third party tool) uses that to make backups.

------
gbog
Many "middle-brow" dismissals here.

I think if a mammoth like Google pushes forward strongly enough, it might
achieve some results. And it probably takes all its mass to push this
particular piece - the almighty and alstupid password, away.

I'll bet that human beings in 20 years, looking back at our times, will point
fingers and say "How we have been so silly! Passwords are the worst
authentication mechanism, and so obviously flawed! How come did we not use x
or y?"

I see another thing that they will point fingers at: the human driven cars:
this is so frightening, when you think about it. You have this thousands
kilogs wheeled machine, driven by almost anyone including drunkyards,
grannies, people who just married and people who just divorced, and a sec of
inattention and you send families to the grave.

~~~
kijin
Actually, I think passwords are a brilliant authentication mechanism that will
continue to have a place in computer security for many years to come. When
used correctly, a password implies the presence of the correct _brain_. Not a
device that can be lost or stolen, not even a fingerprint that can be lifted.
Authentication based on information stored in your neural network might not be
suitable for everyone, but at least among competent professionals, I don't see
mobile phones or USB dongles replacing the passphrase on my PGP key anytime
soon.

~~~
3JPLW
I agree with your statement with one minor change: _a_ password (or better,
passphrase) is a brilliant authentication...

Passwords (plural) are just about the worst authentication mechanism. While
brains are good at remembering one such token, needing to remember many for
many different sites (and which ones go to which) is simply untenable.
Additionally, the ability to easily compromise them through phishing makes
them awful.

I wonder if there'd be a way to cleverly move the hashing (that all servers
_should_ be doing) to the client side such that all of the above problems
could be solved. It would confound password changes, however...

~~~
Groxx
There is. Or, a variety of ways, really. Two major ones:

Option 1: your passphrase as a salt + the domain name + bcrypt = password.
Lots of detailed schemes exist for this, including ones you can do on a piece
of paper with a little math so you don't have to trust your computer.
Inventing them seems to be a hobby for crypto people, or something - I've seen
many dozens.

Option 2: you use random passwords, and store them behind your passphrase
somewhere. Password managers.

At no point does your _single_ , secure password enter anyone else's hands, so
you don't need to trust them to hash it. If one is compromised, none of the
others are.

~~~
3JPLW
Yup, exactly option 1. But browsers need to support this intrinsically and
universally. By salting with the domain name, you remove phishing.

Password managers (especially in terms of built-in browser support) are
generally a one-machine solution. Yes, there are ways to sync them to mobile
devices and the cloud and such, but there's a lot to be desired in terms of
portability. I currently use 1password, and it works great for me. I set my
mother up on it, too, but it's only a 90% solution for her as she's not quite
technically proficient enough to ensure it works all the time.

My question was more if there'd be a smart way you could add one more level of
indirection such that: 1) individually compromised passwords could be changed
and 2) the master password could be changed without affecting every single
site.

Ideally neither situation would be necessary, but servers will be compromised.

~~~
Groxx
I'm personally not a fan of 1, and I don't know that it can ever work to
complete satisfaction. Two reasons:

1) domain names change sometimes. especially with the current trend of weird
ending domains, and "www.getx.com" which later becomes 'x.com' when they
finally pay the squatters. Or a rebranding, or subdomains, etc. How do you
handle changes, without recording them? Proactively you can change your
password when such a thing occurs, but that's not a reliable assumption.

2) versioning. If you have to change a password every X time periods, how do
you track which version you're on? without a database? you could salt it with
the time the last password was created, but what about time zones? different
calendar systems (did I set that password in china, or jerusalem, or
canada...?)?

All of which leaves you with a database of some kind in some (fairly likely to
occur) situations, which means you essentially have a password manager. As you
point out, a 90% solution simply isn't good enough.

------
sergiotapia
I wish for a future in which I can just sit down and my computer uses all
sorts of heuristics to determine whether it's me or not, and authenticate.

* Checks my posture.

* Checks the sounds I make while sitting neutrally.

* Checks the positions of my hands.

* Checks my overall frame.

* Checks my eye and shape of face.

\---

Hopefully, all of these little things add up and in the end it can determine
quite easily whether it's "me" or not.

I hate typing in passwords, it's a pain in the ass.

~~~
meaty
That's ok until you fuck your back up one day or hurt yourself in some other
way.

"What do you mean access denied - I've just got a back ache!"

~~~
sergiotapia
I don't see way I can't update this hypothetical heuristic collection. :)

~~~
krapp
If you can update it, trivially, presumably without using the heuristics
themselves, someone can update it for you. Now you have a new problem
(securing the method for updating the heuristics.)

Although a counterpoint to this would be using more unique points of reference
like the iris, fingerprints, etc, things not likely to change.

~~~
sergiotapia
We can secure that using the current heuristics.

~~~
tedunangst
Your solution to not being able to login is to login and change settings?

~~~
biot
Think of it like Paxos. As long as a majority of unique data points agree,
allow access. That way if your back is out which results in your posture being
unrecognized, the other factors can still form a quorum and grant you access.
There could be 20 such factors weighted by "difficulty to forge", so that a
fingerprint counts 15x as much as posture for example. Then if you
successfully authenticate with, say, 80% on all data points then the system
can allow you to train a new factor.

~~~
b_emery
Exactly! It becomes a machine learning problem. There was a post about this a
while back ..

------
zawaideh
How about collaborating with Mozilla on BrowserID?

~~~
andybak
Isn't that solving an orthogonal problem

------
kijin
> _They see a future where you authenticate one device — your smartphone or
> something like a YubiKey — and then use that almost like a car key, to fire
> up your web mail and online accounts._

> _That means that if someone steals your card or your smart-ring, you’d
> better report it stolen pretty quickly._

I won't be surprised if thieves devised a method to extract online credentials
from a stolen device in a matter of minutes, if not seconds. Since any
password you have on your mobile device is unlikely to be strong (the article
specifically mentions that you won't need a strong password on your device),
it will also be a piece of cake to brute-force it. Meanwhile, you're without a
phone, desperately looking for a payphone or Internet cafe where you can
contact Google. Too slow.

~~~
brennenHN
This isn't necessarily true.

At Clef(clef.io) we're storing keys on your smartphone and they're protected
by a PIN wall. We used PIN-based encryption to keep a rooted device from being
vulnerable to attackers. Generating the keys from the PINs take long enough to
make a brute force attack time consuming. Since users can deactivate their
devices remotely if they're stolen (so the public side of the key pair is
deleted and the private side is worthless), even in cases of device theft,
their identity is protected.

------
chayesfss
They don't currently provide ways to force password age rules for corporate
google users. So corporate clients that want to use google apps are currently
forced to use an IdP that does this for them. They have the tools to allow for
it, we even give corporate customers a way to use Google Apps accounts and
force 2-Factor auth and password aging without things like Active Directory.
Also not providing the ability to change session information is, well, a
little off putting for some. It's not that it's a war on the password it's
just that they don't want their services to be something you actually have to
log into (chromebook experience).

------
harshaw
Part of this discussion should be how a very large organization called the US
Military solved this problem with smart cards. see
<http://en.wikipedia.org/wiki/Common_Access_Card>.

Those of you how own Dell or HP Computers - you may notice that most of the
professional grade laptops have smart card readers built in. My guess is this
is due to DoD purchasing requirements. Of course, the MacBook doesn't have a
smart card reader and thus you start to look for solutions like the YubiKey.

~~~
dpark
The military didn't solve the problem. They solved an easy variation. The
problem is not just "How do I make it easy and secure to access the systems I
control?" but "How do I make it easy and secure to access all systems?" The
military implemented 2-factor auth and unified their systems to support it.
This is very nice, but doesn't solve the broader problem. Military employees
are still struggling with the same "million not-very-secure passwords I can't
remember" problems as civilians, because they military does not control all or
even most of the systems they interact with.

------
stevenameyer
This seems like an interesting solution to me. Obviously we have gotten to a
point where our computing power has rendered the kind of passwords that most
people can easily remember and use fairly trivial for many password cracking
methods, and so there is a clear need to develop a convenient method of using
more complex methods of authentication.

The idea of using a smartphone as a central area for things such as
identification and payment(Google Wallet) has been something i've been
interested in for a while, and something I think could be amazing if we manage
to work out a few kinks that are in the way of making it a viable option.

For this to become a reality i think there are 3 main things that would need
to happen: 1) Battery life on smartphones would have to become a lot better, I
don't want to have to worry about if I'm going to have enough battery at the
end of the day to pay for dinner, get into my car, etc. 2)The ability to
remotely clear data on a device that may have been stolen need to become a
standard. 3)There need to be some sort of authentication between the user and
the device in order to approve the use of stored authentication.

------
rficcaglia
In 1998 Bill Gates (American Banker article, and elsewhere) said that the
future of ecommerce was based on replacing passwords with smart cards....hmmm
how did that work out :)

Remember AMEX Blue? they stopped sending out card readers almost immediately,
but continued sending the smart cards out and running TV ads with all sorts of
Terminator like special effects to promote how secure its smart cards were.

It was a huge marketing success, but the smart card part was never used.

Security is an illusion.

Actual conversation.... Naive dev: Hey Big Bank, we invented this
revolutionary perfect authentication technology! no more hacks! Big bank: why
would we want to redirect the hackers to a new attack that we don't
understand, cannot model, cannot assign a stable cost to, and would almost
certainly expose even worse flaws in other parts of our systems? as long as
fraud is between X and Y %, we WANT the attacks to use the current vector.
Naive dev: ooooooooooooooohhhhh (world view changes)

~~~
martinced
_...said that the future of ecommerce was based on replacing passwords with
smart cards....hmmm how did that work out :)_

You're totally wrong. Probably because you're living in the U.S., where it's
still the stone age from that standpoint.

<http://en.wikipedia.org/wiki/Smart_card>

Here in several european countries people are doing just that:

\- using a Java SmartCard (your identity card) + a card reader (not hooked to
the computer) + a PIN to connect to your online bank but _ALSO_ to
challenge/response any VISA/credit card transaction.

If I'm not mistaken there are about 200 millions citizen in Brazil who have a
Java SmartCard as their identity card (as a medical care card I'm sure,
identity I don't know for sure).

I think it's a bit early to decide that it failed and that it's an illusion.
There are probably hundreds of millions of people who are carrying daily a
Java SmartCard and using it to perform kinda safer online transactions.

MITM attacks over unsuspecting users are still possible using "mocking birds",
but it's becoming harder and harder to game the system.

~~~
rficcaglia
Well since it was an article in American Banker, yeah, I'd say that he was
referring to the US.

Also, thanks for the down vote based on hard facts: "probably hundreds of
millions", "kinda safer". [http://www.techspot.com/news/51037-trojan-bypasses-
two-facto...](http://www.techspot.com/news/51037-trojan-bypasses-two-factor-
authentication-steals-465-million.html)

An identity card is not a commerce solution -- there is no cost/benefit
analysis for governments, they just decide which vendors should get lots of
money (I know, I was one of them! Thanks governments!) We did this in the US
and now there are no fake passports here in the US, we win! Ooops...
[http://www.schneier.com/blog/archives/2006/08/hackers_clone_...](http://www.schneier.com/blog/archives/2006/08/hackers_clone_r.html)

A card reader not hooked to the computer --- nah ,that can't be hacked:
[http://media.blackhat.com/bh-
us-12/Briefings/C_Miller/BH_US_...](http://media.blackhat.com/bh-
us-12/Briefings/C_Miller/BH_US_12_Miller_NFC_attack_surface_WP.pdf)

smart card PINs, those can't be hacked: [http://blogs.gartner.com/mark-
diodati/2012/01/15/deja-vu-%E2...](http://blogs.gartner.com/mark-
diodati/2012/01/15/deja-vu-%E2%80%93-the-sykipot-attack-on-smart-cards/)

For a thoughtful presentation of both sides, try:
[http://www.kansascityfed.org/PUBLICAT/econrev/pdf/3q08sulliv...](http://www.kansascityfed.org/PUBLICAT/econrev/pdf/3q08sullivan.pdf)

I think you'll see that it concludes much the same thing as I mentioned the
banks (here in the US anyway) conclude: the costs are not worth the
theoretical "kinda safer" gains in security.

Security is a nuanced, no-one-solution-fits-all, dynamic, evolving systems
engineering problem. The adversaries are smart, but more importantly have
common sense (unlike governments and consumers) - they will exploit weaknesses
in the weakest link. Replace passwords with smart cards, no problem - they
will go after the next link. The (US and EU) banks know this -- they all
employ layered fraud and security measures --- despite consumers who may have
unquestioning faith in the perfect security of smart cards.

And when you come back in 5 years and payment cards are still NOT being used
in the mainstream (US anyway where cost vs. benefit is important), please have
the courtesy to up vote.

------
primitur
Why can't we just all get along, and say, for example - instead - that
"rsa_key.pub" is all we need, and if we ever get a logon prompt, look for that
file on USB media instead ..

I mean, that would work, wouldn't it? I suppose for it to work, though, we'd
have to have an actual .. you know .. OS Company .. again.

------
zobzu
Note that <http://www.mozilla.org/en-US/persona/> uses public/private keys for
authentication.

The password is used to access those keys at the identity provider.

Replace the identify provider (idp) by a token. Bang. Much easier than rolling
out yet another standard.

------
antihero
The Yubikey would only work if there was an absolute guarantee that a hacked
kernel/drivers would not be able to access the memory.

The way I can see it working is if there is a private key on the device,
inaccessible to the host hardware, and the crypto stuff is done _on the
device_ \- so the Yubikey was effectively the client. Auth service sends
challenge to the browser which sends it to the driver which asks the yubikey
wtf, the yubikey responds to the challenge, and the response is sent to the
browser and back to the host.

But this would all fall down if there was even the slightest chink and your
host hardware could be modified to access/save the keys on all of the Yubikeys
when they are plugged in.

~~~
wmf
I think it already works that way.

------
aluhut
As long as it is not implanted somewhere into my body, I will lose it at some
point.

I would love to have some other solution but I don't see this as one. I grew
up remembering passwords and I'm pretty good at it now.

But if you have something for under my skin, we can talk again.

------
mistercow
The biggest problem I see with all of these proposed ideas is that people
often need to be able to share access to accounts with others. Yes, sharing a
password is the wrong solution to that, but usually it's the _only_ solution,
and it will be until there's an accepted standard procedure for providing
limited access to your account via somebody else's key.

------
moondowner
I hope that this will not be only Chrome-ready, and will work on all Desktop
operating systems.

~~~
FourthProtocol
Whatever shape it takes on, it's a Google-only thing. Being a Google-only
thing means that it will ( _maybe_ ) solve the password problem... _for
Google_.

So which desktop is runs on, or even phone, tablet or any other form factor,
is irrelevant.

~~~
tonfa
From the article, it seems google-agnostic:

So they’ve developed a (as yet unnamed) protocol for device-based
authentication that they say is independent of Google, requires no special
software to work — aside from a web browser that supports the login standard —
and which prevents web sites from using this technology to track users.

~~~
FourthProtocol
So... change "Google" to "web browser". That is still a scope constraint.

------
DanBC2
> _That means that if someone steals your card or your smart-ring, you’d
> better report it stolen pretty quickly._

Well, yes. But you'd hopefully have a master passphrase to open the "smart-
ring" device, making theft less of a problem.

------
zobzu
"passwords dont work"

then...

"we'd use the token, but for important operations, a password would be asked"

people just don't understand what they write ;)

------
allbombs
the blog comments by 'TopicalSquirrel' are pretty awesome

------
OGinparadise
On top of my head I can think of it being stolen. Unless you need a password
on top it (ironic, no?)

and then ... _" Under threat of a boycott, Intel Corp. backed down slightly
yesterday from a controversial plan to add a security feature to its computer
chips, but privacy advocates said the change doesn't go far enough to ease
their concerns.

Privacy groups fear that the new feature, sort of a Social Security number
hard-wired into computers, would be used to monitor Internet users' activities
online, allowing companies to collect marketing data on them. "_
[http://news.cnet.com/8301-27080_3-20126770-245/intel-
chips-l...](http://news.cnet.com/8301-27080_3-20126770-245/intel-chips-let-
web-sites-check-your-computers-id/)

Personally I'll stick to passwords, little by little they will add code and
"features" to that usb stick. Call me paranoid but Google has more than enough
info on me and what I search /ed for.

------
martinced
Before everyone just on my throat saying I'm a naysayer I'll state that I love
the idea.

However why oh why on earth is the YubiKey challenge/response optional?

Why can that thing work in a mode where it simply "dumps text"?

It's terrible that it's optional because it means that I cannot be sure in
which mode that thing is operating right!?

But I love the idea: we need more physical tokens doing challenge/response and
less "let me store this in my phone's 'master app of all the passwords'" snake
oils.

------
LatvjuAvs
ID person by his bio-field/magnetic field who should be pretty unique. Any
other password management and external devices will come and go.

