Poll

Should they

Drop all passwords?
3 (7.9%)
Use it in multi factor authentication?
11 (28.9%)
Require everybody to use biometric authentication?
2 (5.3%)
Signed challenge (certificate based)
4 (10.5%)
Refuse to answer
4 (10.5%)
Regulate Biometric authentication from being used to restrict access to services and jobs
2 (5.3%)
Keep passwords for those who want it but enforce/make them more stricter
2 (5.3%)
Keep it the same and make no changes
10 (26.3%)

Total Members Voted: 36

Author Topic: People should drop passwords altogether  (Read 12229 times)

0 Members and 1 Guest are viewing this topic.

Offline DiTBho

  • Super Contributor
  • ***
  • Posts: 3898
  • Country: gb
Re: People should drop passwords altogether
« Reply #25 on: May 07, 2022, 07:21:36 am »
rfid glass capsules with crypto channel implanted under your skin
Basically this kind of capsules provides a password of 196 byte.

is it good? let's check it out

It can uniquely identify a human around the world.
It's time stable, doesn't react with the immune system, and doesn't cause cancer.
It is chemically inert for humans, plants and animals
Doesn't need any battery, it's a true rfid low power system.
It is not based on the physical characteristics of a human being.
It can be easily applied with a pressure gun without anesthesia.
Cannot be spoofed and cannot be cloned (not easily).
You cannot forget it at home, it's always with you.
It is more secure than fingerprint, facial recognition.
It cannot be exploited to track your position.
It's a contact-less device but antennas need to be at mm of distance rather than meters.


But, where to implant?  :o :o :o
And ...
... can it be damaged by XRAY or by computed axial tomography?
mumble  :o :o :o

Implanting sounds easy, but for sure replacing such a device requires mini-surgery.
Nothing more serious than what a dentist does, anyway.

(
Ummmm, no, implanting such a rfid-capsule inside one in a dental capsule is probably not a good idea, even for how you would later authenticate, unless you like swallowing your smartphone and push it to the last molar tooth  :-//
)
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

Offline hans

  • Super Contributor
  • ***
  • Posts: 1636
  • Country: nl
Re: People should drop passwords altogether
« Reply #26 on: May 07, 2022, 07:47:19 am »
... and I can steal your digital identity/passwords on the next handshake we give.

Also, I think we should investigate how reliable do we want our locks to be. Some people put a photograph online of their physical keychain with housekeys etc. not realizing that those tooths are measurable, and someone skilled can replicate that key. What would you do if think someone then has access to one of your keys, but you can't reasonably ask them to hand them over? Obviously, you change out all the locks.

Good luck changing out bio-metric scans or RFID tags under skin. Or sometimes even phone numbers for 2FA verification (if you first need that number to login).
Even though you physically need to "scan" you finger.. in the end that scan is all a bunch of 1s and 0s. You must then presume the platform is properly secured for some hacker not to just make a raw dump of your scan data, which he could use as a dummy to repeatedly keep using your biometrics. Good luck changing it.

I honestly think virtually all the downsides to authentication nowadays are down to the users. Imagine if we lived in a world where everyone had a keypad doorlock with a 5 digit code to get in. What if half of the users had chosen "12345" or "00000" as their entry code? Or perhaps even "15951". Though luck you got hacked, but   also don't choose a simple to guess code. I think no insurance company would pay out to any of those codes.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6751
  • Country: pl
Re: People should drop passwords altogether
« Reply #27 on: May 07, 2022, 09:02:34 am »
Passwords must go. But the main reason is not their inherent weakness. It’s because of the users.
The users must go.

Everybody who thinks otherwise is setting oneself up for a neverending game of whack-a-mole.
Some of them are paid money for playing it, hence articles like the one found in the OP.
« Last Edit: May 07, 2022, 09:05:51 am by magic »
 

Offline DiTBho

  • Super Contributor
  • ***
  • Posts: 3898
  • Country: gb
Re: People should drop passwords altogether
« Reply #28 on: May 07, 2022, 10:34:22 am »
... and I can steal your digital identity/passwords on the next handshake we give.

the human wrist is not the best place to implant rfid capsule, not only because you could try to steal the digital identity on the next handshake, but also because the wrist itself is anatomically the worst place, especially in the metacamus area.

I think the best place where to implant is the skull, under the ear, there is a dimple of adequate size, and the gesture you would make is of adequate size, and the gesture you make to identify yourself is the same as you do to answer the phone.

Science fiction for now, but it makes sense for me.
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

Offline Gyro

  • Super Contributor
  • ***
  • Posts: 9474
  • Country: gb
Re: People should drop passwords altogether
« Reply #29 on: May 07, 2022, 11:00:58 am »
I have regular MRIs. I can't see them being happy about an RFID capsule being implanted in my head - I can't think of a an area of the body that somebody isn't going to need an MRI on at some point.
Best Regards, Chris
 
The following users thanked this post: hans

Offline Brumby

  • Supporter
  • ****
  • Posts: 12297
  • Country: au
Re: People should drop passwords altogether
« Reply #30 on: May 07, 2022, 11:51:46 am »
  • what happens when you cut your fingertip and it is covered with a plaster, or permanently scarred?
Some years ago I procured a HP laptop for someone - and it had a fingerprint reader.  If I remember correctly, the user could record 3 different fingerprints.  So I said they should do two fingers on one hand and one on the other, to cover this exact scenario.

The concern I have is not so much the fingerprinting - but how reliably sensors can differentiate between the genuine input and fakes.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11457
  • Country: ch
Re: People should drop passwords altogether
« Reply #31 on: May 07, 2022, 01:08:53 pm »
I wish people would actually investigate what’s being done before descending into outrage and hyperbole like so many posts in this thread.


That password authentication (as a system) offers poor security is a fact. Why is both complex and irrelevant. But if it were possible to make passwords into a reliably secure authentication method, you’d think we’d have figured that out over the last few decades. It’s reasonable to conclude that it can’t be done.


So the alternative is to look to other ways of authenticating. But this doesn’t mean it has to be biometrics. (Not that biometrics have proven to be particularly vulnerable. They seem to be proving themselves as superior to passwords. Not perfect, merely superior.) Those are but one option. Mobile phone codes, authenticator apps, and hardware devices are all widespread now. Don’t want to rely on a phone? Get a hardware key.


Anyhow, the actual thing all the big tech companies are getting behind is something called FIDO (which isn’t new, it was established a decade ago). Here’s the big press release about it:

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

All the big tech companies and all the big security companies are members. So it’s not as though Big Tech is doing something dumb in a bubble, this is something created with the involvement and support of serious security like RSA. The financial industry, which famously uses very tight security (and thus hasn’t relied on password logins for decades for employee logins!) is also involved.
 
The following users thanked this post: gmb42

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #32 on: May 07, 2022, 01:25:32 pm »
You can't get the password out of a dead man.
As to fingerprints or other parts of tge dead body .... :-X

Agreed on that..

You can use fingers eyes and even DNAs of someone else..

Not with good old passwords..

These changes are just excuses to implement a PATENTED BASED API nad security gizmos and chips.

They will come of course..    and very very VERY overpriced we will be forced to have them

Paul
 

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #33 on: May 07, 2022, 01:27:32 pm »
My answer is PUBLIC.

I REFUSE to answer as my option of keeping passwords alive and well is not there..

Reason being is that I will not feel more or less secure having 3 or 4 mega Corporations controlling my life.. my DNA my FACE my fingers..

Just FUCK OFF with these "more secure" methods...  bullshit

Paul
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11457
  • Country: ch
Re: People should drop passwords altogether
« Reply #34 on: May 07, 2022, 01:32:24 pm »
My answer is PUBLIC.

I REFUSE to answer as my option of keeping passwords alive and well is not there..

Reason being is that I will not feel more or less secure having 3 or 4 mega Corporations controlling my life.. my DNA my FACE my fingers..

Just FUCK OFF with these "more secure" methods...  bullshit

Paul
They are more secure, and as I said, they are not all biometric. Perfect example of the uninformed hysteria I’m talking about.
 
The following users thanked this post: gmb42

Online ConKbot

  • Super Contributor
  • ***
  • Posts: 1382
Re: People should drop passwords altogether
« Reply #35 on: May 07, 2022, 01:32:46 pm »

Anyhow, the actual thing all the big tech companies are getting behind is something called FIDO (which isn’t new, it was established a decade ago). Here’s the big press release about it:

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

All the big tech companies and all the big security companies are members. So it’s not as though Big Tech is doing something dumb in a bubble, this is something created with the involvement and support of serious security like RSA. The financial industry, which famously uses very tight security (and thus hasn’t relied on password logins for decades for employee logins!) is also involved.
Ahh yes, the "sign in with Google/Microsoft/etc" buttons.  Aka "sign in and give us even better profile information to sell to advertisers"
Those can fuck right off too.
Email being in one place is bad enough, we don't need the whole logon to be handled by one company, so when the sweet hack goes off, they get the keys to the kingdom.

« Last Edit: May 07, 2022, 01:35:57 pm by ConKbot »
 
The following users thanked this post: Karel

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11457
  • Country: ch
Re: People should drop passwords altogether
« Reply #36 on: May 07, 2022, 01:34:39 pm »

Anyhow, the actual thing all the big tech companies are getting behind is something called FIDO (which isn’t new, it was established a decade ago). Here’s the big press release about it:

https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

All the big tech companies and all the big security companies are members. So it’s not as though Big Tech is doing something dumb in a bubble, this is something created with the involvement and support of serious security like RSA. The financial industry, which famously uses very tight security (and thus hasn’t relied on password logins for decades for employee logins!) is also involved.
Ahh yes, the "sign in with Google/Microsoft/etc" buttons.  Aka "sign in and give us even better profile information to sell to advertisers"
Those can fuck right off too.
Email being in one place is bad enough, we don't need the whole logon to be handled by one company, so when they sweet hack goes off, they get the keys to the kingdom.
And even more uninformed hysteria.

Proving my point more: reacting without looking at what it is and isn’t. FIDO isn’t one company, and it’s not one standard.
 
The following users thanked this post: gmb42

Online ConKbot

  • Super Contributor
  • ***
  • Posts: 1382
Re: People should drop passwords altogether
« Reply #37 on: May 07, 2022, 01:40:53 pm »
Yes, huge companies that sell advertisements also offering a SSO service, definitely won't track users, I'm totally being totally hysterical and unreasonable here. And it definitely doesn't provide a much nicer target for hacking.
 
The following users thanked this post: Karel, PKTKS

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #38 on: May 07, 2022, 01:46:34 pm »
That boils down...

These are just enforcement methods to SIGN IN  everyone..

Privatized API of  services..  and the so called browser..
is now just 80%  a JS engine to track users and sell ADVERTS...

expecting to have 95% of browsing  just to advert buz..

Users forced to render their privacy to these APIs.

Paul
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11457
  • Country: ch
Re: People should drop passwords altogether
« Reply #39 on: May 07, 2022, 02:51:45 pm »
 :palm:
Omg, the stupid, it hurts…
 
The following users thanked this post: hans, Bassman59, gmb42, golden_labels

Offline madires

  • Super Contributor
  • ***
  • Posts: 7752
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #40 on: May 07, 2022, 03:14:41 pm »
Passwords have their place. It's hard to change biometrics when compromised. Relying on hardware tokens or apps (worse security than hardware tokens) isn't a good idea either, because they can be lost, be taken by someone (with force?), have a dead battery or simply break. So you need backup tokens/apps and a way to quickly disable lost/stolen tokens/apps (similar to debit/credit cards). MFA is good for critical stuff like home banking, still a bit cumbersome.
 
The following users thanked this post: Karel

Offline BravoV

  • Super Contributor
  • ***
  • Posts: 7547
  • Country: 00
  • +++ ATH1
Re: People should drop passwords altogether
« Reply #41 on: May 07, 2022, 03:49:20 pm »
What they're going after is for you to give up what in the 2FA ... particularly at "what you know/memorize (inside your brain)" as the 2nd part of 2FA on what you have physically (e. phone for OTP ... including your body parts like finger/retina (eye balls) etc) are "easily retrieval-able".  >:D

This idea only makes sense or valid, once "they" have discovered how to retrieve your password from your brain that probably they managed to yank out of your head.  :-DD

Online ConKbot

  • Super Contributor
  • ***
  • Posts: 1382
Re: People should drop passwords altogether
« Reply #42 on: May 07, 2022, 04:46:19 pm »
:palm:
Omg, the stupid, it hurts…
I'm not the one suggesting a free service from an advertising company (which makes you the product) makes for a better login method than a good password or other 2FA method.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14438
  • Country: fr
Re: People should drop passwords altogether
« Reply #43 on: May 07, 2022, 04:54:37 pm »
That boils down...

These are just enforcement methods to SIGN IN  everyone..

Indeed. =)
 

Online TimFox

  • Super Contributor
  • ***
  • Posts: 7938
  • Country: us
  • Retired, now restoring antique test equipment
Re: People should drop passwords altogether
« Reply #44 on: May 07, 2022, 05:22:44 pm »
Of course, this was all foretold by St John the Theologian, as revealed to him on the island of Patmos.
Revelation, chapter 13: verses 16 and 17.
[16] And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:
[17] And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.
 

Online David Hess

  • Super Contributor
  • ***
  • Posts: 16603
  • Country: us
  • DavidH
Re: People should drop passwords altogether
« Reply #45 on: May 07, 2022, 05:31:20 pm »
So we should replace passwords which *may* be insecure, with something that *is* insecure.
 
The following users thanked this post: Karel, james_s

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14438
  • Country: fr
Re: People should drop passwords altogether
« Reply #46 on: May 07, 2022, 05:54:03 pm »
So we should replace passwords which *may* be insecure, with something that *is* insecure.

Is it really for security reasons anyway? Or, at least, individual security?

Makes me think of the expression: "se jeter à l'eau de peur d'être mouillé". (Roughly meaning: to jump right into the water for fear of getting wet."

 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: People should drop passwords altogether
« Reply #47 on: May 07, 2022, 05:55:49 pm »
I like passwords, they're just fine if you put some effort into coming up with one that is easy to remember but difficult to guess. Unfortunately many sites have stupid (and often conflicting between sites) requirements that are not conducive to this, and a lot of people are idiots and use the same password for everything.
 

Online tszaboo

  • Super Contributor
  • ***
  • Posts: 7364
  • Country: nl
  • Current job: ATEX product design
Re: People should drop passwords altogether
« Reply #48 on: May 07, 2022, 06:18:20 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6716
  • Country: nl
Re: People should drop passwords altogether
« Reply #49 on: May 07, 2022, 07:37:43 pm »
This problem can be used to verify your identity.

PKI works fine for that. There's some tangential problems where zero knowledge proofs are useful, Cloudflare uses it for attestation that a token is certified for instance, but that's a separate matter (attestation is not essential, webauthn allows self attestation for instance).
« Last Edit: May 07, 2022, 07:39:52 pm by Marco »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf