
Goodbye, Passwords. You Aren’t a Good Defense - nickb
http://www.nytimes.com/2008/08/10/technology/10digi.html?_r=1&oref=slogin
======
maxklein
Passwords are dead, and what really needs to happen is that we all have some
type of software we can download and put on our USB sticks. We stick the USB
stick into a drive, type in a 4 digit pin code and on that PC we are now
securely logged in till we pull that USB stick out. Whenever a site is opened
that requires even more level of security (like a bank page), we have an
additional level 2 security code.

Thank God someone finally sees that OpenID is a waste of time and resources. I
really don't understand why so many tech kids are jumping on this OpenID
bandwagon when it is:

1\. Difficult to use

2\. Confusing

3\. Has no obvious advantages for most end users

4\. Insecure by design

~~~
kingkongrevenge
Get rid of ATM pin codes, too. All you should need is the card. And the same
card for all your bank accounts!

Anything that requires physical access to a card or usb stick or a specific
computer to do things on the web is a non-starter.

Given this constraint, passwords work fine. The problem boils down to the
completely unavoidable security vs. ease of use trade-off. I say just get rid
of the complexity requirements. If someone wants to enter a blank password for
all their needs, let them. I personally will keep track of my varied and
complex passwords.

~~~
maxklein
I don't really need to have a USB stick to use this system, as it is just
software. In emergency situations, I can ask another site to act as the USB
stick, and then type in my pin code there. So it's still secure, as people do
not know my pin code.

Sure, keep using your passwords, my grandpa also loves using his walkie
talkie.

~~~
kingkongrevenge
> I can ask another site to act as the USB stick

That's OpenID. I assume you're going to use a password for your StickKey host
provider.

~~~
maxklein
That's not OpenID, because this is just a backup solution, and is not the
main authentication scheme.

------
smanek
I'm a huge fan of 'three factor authentication.'

In my mind, ideally, secure auth. should test:

1\. "something you know" (password)

2\. "something you are" (biometric)

3\. "something you have" (cryptokey, dongle, etc)

I'd heard this idea probably 5 years back, and it's stuck with me.

~~~
ars
Of the 3 only the first is actually secure.

All current 'something you are' systems can be fooled - and they can be copied
without you even knowing it (fingerprints are very insecure, for example, since
you leave them everywhere; same for DNA. Iris systems can be copied with a
telescope.)

'Something you have' systems are flawed because it's too easy to lose the
item, or have it stolen. Or the item can be duplicated (often very easily,
sometimes not so easily).

Only 'something you know' is secure because it can never be taken from you or
copied without your knowledge.

Hence we have passwords.

~~~
emmett
The point is that the combination of the three is the most powerful and
secure. To copy something-you-are, they have to have access to you or things
you've touched. To copy something-you-have, they have to steal the object
itself. To copy something-you-know, they have to trick you into revealing it
(phishing) or guess it. Requiring all three makes things that much more
secure.

------
Hoff
Passwords and social engineering go back millennia, and both will continue
forward into the foreseeable future.

What might lead anyone to believe there is a technical solution to this?

Even if the most fearful involved here manage to mass-deploy what they're told
is uncrackable personal remote identification -- and undoubtedly at great
financial cost to all parties involved, and quite probably at great social
cost, too -- it'll (still) get cracked.

Security needs to be "good enough", "affordable" and "usable." Security that is
unaffordable or unusable will be bypassed.

~~~
sysop073
Public key is a solution, or at least a huge detriment, to social engineering.
The problem with passwords is they're fixed; once an attacker gets it they're
in forever. If we used asymmetric crypto to login to websites people wouldn't
even have to know how it works. Instead of a password text field on a website
there would just be a button, and the site would do a check with your browser
to make sure you have the private key corresponding to the public key they
have for your account. People wouldn't even have to know what a private key
is, let alone where it's stored on the disk to give to somebody asking for it.

~~~
sfg
The problem is the lack of convenience when you are away from your primary
computer. Having to take a memory stick everywhere to login to websites is
going to annoy a lot of people an awful lot.

~~~
Hexstream
Also, if you plug that memory stick in a computer you don't own then that
computer can read all the private keys you have on it... and possibly forward
it to an attacker.

------
sysop073
I really thought passwords would be dead by now, I'm amazed they're still the
primary authentication mechanism. Public key is trivial to do these days, it's
done by browsers all the time to secure communications but not to authenticate
who you are. The article focused on the client side hardware, the cards that
hold your private key, but the big issue is websites themselves. Sites need to
switch from "enter a password:" to "upload your public key:"

~~~
maxklein
That's pretty silly! Upload your public key? Most people do not know how to
find stuff to upload, how will they find their public key?

This stuff needs to be built into the browser, and it needs to be on your
keychain. Hence my USB stick idea.

------
gaika
Bad logic: author correctly notices that passwords are not the biggest problem
in computer security right now, and yet somehow they should be eliminated. The
weakest link is the software running on the computer. Spyware, trojans,
XSS, XSRF, all make your super secure authentication system irrelevant.

~~~
mark-t
The logic is sound if you take the stance that phishing is the biggest threat
to security. I don't know whether it is or not, but XSS and CSRF at least are
under the website developer's control. Malware and phishing are the
head-scratchers for people who know how to build secure websites, and the
information card system does partially address the phishing problem. It
prevents the attacker from being able to log into your accounts, but it
doesn't prevent you from telling him lots of other things.

~~~
stcredzero
If the information card also contained your public profile information, then a
lot of phishing would be curtailed. The problem is that we are constantly
asked for information. If this was largely automated, guarded by
cryptographically secure means of identification, and attached to a physical
device of some sort, then the number of times we're asked for information
would be reduced tremendously.

