

Forget passwords - rajarcsp
http://www.scientificamerican.com/article.cfm?id=computer-game-for-security

======
david_shaw
Okay, let's get the first part out of the way really quickly: this would be an
amazing piece of technology, if it were to be implemented successfully. Having
a password that even _you_ don't consciously know would be a huge leap in
security, and would presumably make password guessing all but impossible--
after all, if you don't need to _remember_ your password in the traditional
sense, it could be significantly more complex than traditional
"Pa55w0rd1!"-style passphrases.

I, personally, don't know enough about the science behind this to comment on
its feasibility.

I do, however, know a lot about security in general. Every time there is a
leap in "password technology," meaning public key authentication, or password-
keepers, or xkcd's "let's use several words instead of random characters,"
people seem to think that it would protect all their online assets. That if
the password is secure, so is their data that's stored somewhere on the
Internet.

On one hand, yes, this technology would easily protect you from brute-force
and dictionary-based attacks. After all, if there's no dictionary (because no
words are used in the secret "pattern,"), how could a dictionary be used to
attack the protected account?

What isn't factored into this example is the service you're protecting
_itself_. If you look at high profile breaches over the last year, you'll
notice that few, if any of them are straightforward password-guess breaches.
Sure, some (like the Wired journalist) could have been prevented with strong
and unique passphrases. Most of the attacks could not.

If there is, for example, a buffer overflow in a service that is listening on
the Internet, remote code execution may be possible. If you can execute
arbitrary code on a remote service, you are able to effectively take over that
machine. Combine this with privilege escalation, and it's pretty much game
over for most data stored there. Proper database security like unique salts
per user account can minimize the damage, but the fact is that the compromise
still happened and the data--like your personal photos, or documents uploaded
to cloud storage--are probably in the hands of an attacker.

It's always great to see cutting edge research in any field related to
computer security, but don't think that "passwords even _you_ don't know!" are
going to protect anything behind them. Passwords are just the front door to
the mansion, and there's a whole lot of other ways to break in.

The short version is that there will always be a difference between _account_
security and _application_ security.

~~~
B-Con
> On one hand, yes, this technology would easily protect you from brute-force
> and dictionary-based attacks.

I highly doubt that.

There will be a finite number of possible patterns. So brute force will be
possible. There will likely be some types of patterns or some pattern
components that do not follow an even distribution, so dictionary attacks will
still exist. (Really, a dictionary attack is simply a brute force attack that
takes advantage of the non-uniform choices of passwords.)

My guess is that such games would be chosen based on techniques that produce
the best (aka, most uniform) distributions of responses from users, but I
doubt that it will be perfect. A brute-force attacker would probably be able
to do noticeably better than blind brute-force.

------
B-Con
This would be awesome, but I feel skeptical of how practical it would be.

First, the biggest problem today isn't password quality, it's protecting them.

1) Hack the password verification/storage database. If you can do that and
recover the user-provided input, who cares what type of data it was?

2) Be the man in the middle. Convince the user to give you their password. No
password is immune from being entered into, for example, a false bank website.

That said, this type of password input opens up a new set of side-channel
password attacks:

* What about people who can record the audio of you pressing keys? If you share an office with a co-worker, could he set his cell-phone to record when you enter your "password" a few different times and learn to copy your rhythm?

* What about extenuating circumstances? Stress, unfamiliar "password entry" layouts, or personal injuries may cause your "password" entry rhythm to get goofed up (I don't know in detail how resilient these schemes are, but I'm assuming that something as drastic as switching hands would mess it up), so you need a fall-back. If you have a traditional password backup authentication, this scheme simply offers an alternative to passwords and not a replacement of them, so what else do you do? More potential "I can't input my password" problems means that it will be easier for an attacker to con his way through the password work-around process. It's already a weak-point of security infrastructures.

It sounds awesome, but might be better suited for covert agents who need to be
able to not be capable of giving up a password. Not sure how well it would
work as a replacement for passwords in an enterprise or for GMail.

(Also, for the curious, at least one of the authors of the original paper is a
high-profile cryptography researcher from Stanford. So this paper isn't just
another "hey, this might have security uses" after-thought from researchers
outside the field.)

