I was thinking about password alternatives recently because I was designing a website just for friends and family. I wanted enough security to keep out strangers on the Web, but I didn't want to make people I know memorize a lengthy password.<p>So I came up with a photo that fills up the screen. A small, invisible grid covers the photo, and the user has to click the image in a special sequence in order to unlock the next image. After a few quick rounds, they open up the content.<p>I realize that it isn't the most secure approach, but it's much easier to memorize and use than a traditional password (not to mention more fun). If anyone has any advice or interesting anecdotes about visual login systems, I'd be interested in learning more about them.
Something you know, something you have, something you are. Google may be trying to prefer something you have, but that's hardly going to kill "something you know" forever and ever.<p>I also look forward to the silly "two-factor authentication" that involves having two "something you have"s. It'll complement my bank's silly use of two "something you know"s nicely. (Perhaps they can get together for the true security ultimate, <i>four factor authentication</i>, security so secure that it uses four out of three possible authentication techniques!)
It's funny, but Blizzard's been playing this game for <i>years</i> with their two-factor auth, particularly the part where people's accounts without two-factor would get compromised and the thief would then turn on the two-factor auth, thus making it that much more difficult to recover the account.<p>Blizzard's been doing this for longer than Google has, maybe Google could learn something.
This thread seems like a valid place to ask a long-standing question of mine.<p>Are there any projects aiming for a hardware security token with the following properties?<p>1) Open hardware running open software.<p>2) Support for many and long keys.<p>3) Relatively fast signing on-board - i.e. keys are inaccessible to the host computer. (Obviously, I'm not expecting it to be feasible to sign gigabytes using a USB dongle).<p>4) Some PIN-entry-like low-grade security obstacle to delay an attacker that physically steals the dongle.<p>I am aware of CryptoStick [1], but the current version is sold out and also does not satisfy 3 and 4 (and only partially 2, since it only takes three RSA keys and there's no support for EC, as far as I can tell).<p>I really want to move away from passwords, but it seems very hard to do without a device satisfying 1-4 above.<p>[1] <a href="https://www.crypto-stick.com/" rel="nofollow">https://www.crypto-stick.com/</a>
This is not about passwords per se - it's about identity verification providers (as-a-service).<p>There is a fight coming. A few global providers will have the single-sign-on password/biometric/blah of <i>everyone</i> (the UK government is starting to mandate the use of seven such providers.)<p>This is big not just because of the commercial advantages of being the sign-in point of 1 billion people. But because right now my major identity verifier is my own government (passports, NHS number, Social Security, arrest record etc). But it will not be in 20 years - I expect I will visit the hospital and need to verify who I am through GoogleID.<p>The thing is, I expect GoogleID will be a heavily regulated industry by then too.
To be fair, isn't Google a bit disreputable for security problems right now? I mean, the last two Google-related security discussions (Google email-change spoof/phish and plaintext-visible passwords in Chrome) have been kind of embarrassing.
"... she did say the company is experimenting with hardware-based tokens as well as a Motorola-created system that authenticates users by having them touch a device to something embedded, or held, in their own clothing. 'A hacker can't steal that from you,' she said."<p>Something embedded in their clothes? Users have to wear the same jacket or dress every day? Anyone, not just a "hacker" can steal your jacket if you take it off. If it relies on something physical, it's easier for anyone to steal. You still need a password/passphrase.
Passwords are not dead. Simple single factor authentication using short passwords is dead. That's not a new thing either and they're not going away either. Biometric implants are cool but it's a long ways away (<i>and I'm pretty sure I don't want anything inserted into my arm...</i>). Ditto for security rings and other gadgets. Yes they work but the general populace is not going to be using them for a long while.<p>I'd love to see some stats on two-factor usage at large installations like Gmail, preferably plotted against whether the user works in tech (or uses a VPN with two-factor token for work). I'm guessing the market penetration for it is pretty low for the average person. If that's the case then expecting lots of people to use something new/else (which involves getting a new physical device) is unreasonable.<p>Even with the "something you have" category (two-factor TOTP device, key ring, etc) it still makes sense to have a "something you know" category too. It covers the case of losing my phone/keyringer (<i>or having my bio-implanted arm chopped off though I'd assume at that point they could just use a $5 rubber hose to get the in-memory one</i>).<p>Since passwords (or more accurately <i>passphrases</i>) aren't going away we at least should use them properly.
My suggestions for how folks should handle them vary based on the tech literacy of the person.<p>For tech savvy folks:<p>- Use a password manager (ex: KeePassX)<p>- Long passphrase to unlock the password manager[1]<p>- Individual random passwords per site using the max length the site allows<p>- Use multiple email accounts for different functions (friends, shopping, finance, etc)<p>- Use two-factor auth everywhere that allows it<p>For the rest of folks:<p>- Use a passphrase for your email passwords<p>- Use a site that lets you use long passwords (Google does, Outlook doesn't[2])<p>- Use a separate email account for "important" accounts (ex: finance and everything else)<p>- Don't login to <i>anything</i> from other people's computers (net cafe, shared computer in a hotel, etc)<p>- For the really important ones (ex: your bank) use a very long complicated password and <i>write it down</i>[3]<p>- Learn more about security!<p>I make it a point to educate friends/family about tech security whenever I can. Two-factor auth is a good example of something that is a lot easier to grasp when you've got someone you know explaining its virtues to you ("So a bad guy needs your phone in his hand to login? That's cool!").<p>In the end, like all security, a lot of it comes down to personal responsibility and hyper vigilance.<p>[1]: <a href="https://xkcd.com/936/" rel="nofollow">https://xkcd.com/936/</a><p>[2]: <a href="http://nakedsecurity.sophos.com/2012/08/02/maximum-password-length-outlook-yahoo-gmail-compared/" rel="nofollow">http://nakedsecurity.sophos.com/2012/08/02/maximum-password-...</a><p>[3]: Yes <i>write it down</i>. People are bad at remembering long random strings but pretty good at not losing small bits of paper. It's the same thing as keeping a key in your pocket (or a spare key in your wallet). Plus it's much easier to explain to them that the paper is the key to unlock the account.
NFC rings for everyone! An NFC Internet-less ring with open source firmware would mean it should be quite protected against NSA backdoors, too.<p><a href="http://www.kickstarter.com/projects/mclear/nfc-ring" rel="nofollow">http://www.kickstarter.com/projects/mclear/nfc-ring</a><p><a href="http://www.technologyreview.com/news/512051/google-wants-to-replace-all-your-passwords-with-a-ring/" rel="nofollow">http://www.technologyreview.com/news/512051/google-wants-to-...</a>
There is an article in NYT on this subject: <a href="http://bits.blogs.nytimes.com/2013/09/10/beyond-passwords-new-tools-to-identify-humans/?_r=1&" rel="nofollow">http://bits.blogs.nytimes.com/2013/09/10/beyond-passwords-ne...</a> , although it is mostly about hardware authentication.
I think Google is being less than transparent here, but I couldn't tell you why. The NSA scandal seems to be the straw that broke the camel's back.<p>How many passwords does Google hold? Maybe a billion? Google has decided it's more cost effective to completely overhaul the password system.<p>How can passwords be the only system available?
Arguably there is a lot of social/technical space for making passwords better and more secure for the average user. But dropping the knowledge factor isn't a clear improvement.
Passwords have been dead for a long time, so no news. That's exactly why we're using something called a shared secret. That's what I'm using with most sites currently.
And still there are "modern" games and services telling me that my password "May only contain letters and numbers". Really? Are you stupid or something?
I'd like to learn more from these spam-bots about how they are making money off my passwords. Perhaps I can quit my (wonderful) day-job and sell v1agra.