People should drop passwords altogether

[David Hess]

Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is doing to memorize their private key and do the math by hand.

[rsjsouza]

From what I understood from the press release, FIDO seems to be a "login once" system that creates one or more tokens for the various websites that require authentication - something functionally similar to what browsers do with cookies and "password wallets", but perhaps across several apps.

Given the severe overreach of the last years and eagerness to track anyone's movements on the digital highway, I can't say that exchanging the insecurity of passwords with this digital footprint is a fair exchange.

[Simon]

Your survey is a waste of time as it does not include keeping passwords or enforcing secure passwords. I use 16 character passwords individually generated for each site. If your stupid enough to use insecure ones then more fool you. I believe there are 64 characters available but lets say it's 32, 32^16 = 1.2 E24..... I rest my case.

[MrMobodies]

Your survey is a waste of time as it does not include keeping passwords or enforcing secure passwords. I use 16 character passwords individually generated for each site.

Added to survey.

I can now see now that I poorly though out the survey.

[tooki]

Omg, the stupid, it hurts…

I'm not the one suggesting a free service from an advertising company (which makes you the product) makes for a better login method than a good password or other 2FA method.

Nor am I, which you’d understand if you actually looked at the information I posted.

[tooki]

So we should replace passwords which *may* be insecure, with something that *is* insecure.

An individual password may or may not be secure. A secure password, used in an insecure system, still means an insecure system. But a truly secure password from the point of view of a password cracking system is a password a human is categorically incapable of remembering. That is, every password a human can remember is trivial for a modern computer to break, if given half a chance.

The whole point of non-password logins is to take a weak security system and replace it with a less weak one.

Biometrics spam a wide range of technologies and security levels, but for the umpteenth time, they’re not the only option!

[tooki]

Your survey is a waste of time as it does not include keeping passwords or enforcing secure passwords. I use 16 character passwords individually generated for each site.

Added to survey.

I can now see now that I poorly though out the survey.

You still are lacking a “keep the status quo” option, as you’ve only added the option to use stricter passwords.

But paradoxically, requiring stricter passwords results in overall worse security, because as soon as passwords become too difficult to memorize (including too-frequent changes), people start writing them down or storing them in a Word file. (Most people won’t use password wallets, even if told to do so.)

This is why things are moving towards biometrics (which are imperfect but better than passwords on the whole), or 2FA, often using a simple PIN instead of a complex password.

[magic]

But a truly secure password from the point of view of a password cracking system is a password a human is categorically incapable of remembering. That is, every password a human can remember is trivial for a modern computer to break, if given half a chance.

Could you elaborate what do you even mean by "being able to crack a password" and why should it be so trivial and what would make a password not susceptible to that?

Not hoping for much, but...

[Simon]

But a truly secure password from the point of view of a password cracking system is a password a human is categorically incapable of remembering. That is, every password a human can remember is trivial for a modern computer to break, if given half a chance.

Could you elaborate what do you even mean by "being able to crack a password" and why should it be so trivial and what would make a password not susceptible to that?

Not hoping for much, but...

A memorable password means words, there are only so many words around so the first thing a hacker tries is a "dictionary" attack. That has less combinations than the 1200000000000000000000000 combinations available in a 16 character random string. Also humans have habits when they use words so that reduces the pool further.

Yes I have my passwords written down, but they are on encrypted media. There are no unsecure copies, you have to have access to my computers to get them.

[tooki]

Precisely that. Anything even remotely human-memorable is what the dictionary attacks go for first. (And yes, they’re smart enough to substitute “!” for 1 and all the other common substitutions. They know we append sequential numbers or years to words. They know all the tricks we use to meet “strong” password criteria while still remaining even vaguely memorable.)

If you care, you can Google for explanations by security researchers as to why password security is so much lower than people think it is. Even most supposedly tech-savvy people who think they’re using “strong” passwords don’t realize they’re weak passwords in reality. (The password strength indicators on some websites are absolutely dumb, and think adding some punctuation and numbers makes it “strong”. It doesn’t.) I’m not a mathematician, security expert, or computer scientist, but I have read up enough to understand that passwords are like standard 5-tumbler domestic door locks: enough to stop a typical passerby, and to tell your insurance “I wasn’t negligent, I locked my doors”, but completely useless against even a moderately skilled attack.

[madires]

There are some very useful tools called password managers. They even generate complex and long passwords.

[Marco]

In principle I like the concept of a dongle, but the actual implementation of FIDO not so much. Not exposing private keys even to the user rubs me the wrong way, I want to make a paper backup. I know it compromises their idea of security, but their idea is not mine.

Generate all the keypairs (or passwords for non webauthn sites) from a combination of rootkey/domain (and login for non webauthn sites) and on a special keypress combo on the dongle let me read out the private key so I can make a paper backup. Then I'll consider using it.

[magic]

Dictionary attacks are not viable against a remotely competently designed system which rate limits login attempts.
Even offline attacks against leaked hashes can be effectively rate limited by making the hash hard to verify.
Search space grows exponentially with the number of words, like it does with the number of letters.

So yeah, do elaborate how you envision "cracking" someone's bank account password or stuff like that.

Competent hackers use phishing.

[magic]

In principle I like the concept of a dongle, but the actual implementation of FIDO not so much. Not exposing private keys even to the user rubs me the wrong way, I want to make a paper backup. I know it compromises their idea of security, but their idea is not mine.

Generate all the keypairs (or passwords for non webauthn sites) from a combination of rootkey/domain (and login for non webauthn sites) and on a special keypress combo on the dongle let me read out the private key so I can make a paper backup. Then I'll consider using it.

These aren't systems to protect you. They are systems to reduce your service provider's customer support and insurance costs.
Your service provider will not consider a dongle which lets you take the keys out of it because they consider you an idiot (and, statistically, in 90% of cases they aren't even wrong).

[golden_labels]

Breaking most human-generated passwords is feasible. But not every human-memorizable. A 5-word password chosen randomly from a 8k word list is over 64 bits. Currently there aren’t many actors capable of even iterating over that, much less calculating a KDF for even local attacks. Remote attacks have even higher price tag attached.

64-bit keys become an issue when a threat can be considered at a mass scale. That is: when the question turns from “can one attack a pre-selected target” to “can we be successful at attacking at least one of targets”. That is a valid concern then. But it is not just for any attack scenario.

And now, the continuation of the story I delivered earlier! Mother failed to enter the password (reasons unknown) and asked me for help. But I was lazy, so instead of searching for her PESEL number in documents I just pdfcracked it. Seriously: if entering a valid password by a person that has legal access to it takes more effort than actually breaking it, someone has failed hard at security.

[Simon]

If you are paranoid just use a "password" as a username where it does not have to be publicly visible or your email address or use an email address that has a random string as the username. Most systems will stop you attempting more than a certain amount of logins at a time, this make guessing a proper password not even worth the effort which as mentioned above is why phishing and other email related attacks are common, instead of trying to attack the system, they go for the weakest link - you - the human.

[tszaboo]

Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is doing to memorize their private key and do the math by hand.

You need a crypto wallet, write down the 12 word mnemonic, and when logging in on a website, the website verifies the wallet.
This is like 100% solved when it comes to cryptocurrency. There is only one person who can sign transactions to it.

[madires]

A news article with some hints about potential issues:
Your Phone May Soon Replace Many of Your Passwords: https://krebsonsecurity.com/2022/05/your-phone-may-soon-replace-many-of-your-passwords/#more-59727

Your life will depend on a smartphone!

[cdev]

Statement on three nuclear accidents

All three of those accidents were caused by loss of the ultimate heatsink.. which in those cases was provided by water in those fission reactors.. So they need continuous cold water to be provided, and then power for cooling. Or they "melt down" Thats what caused the big problems. It hasnt been fixed in any other technology. Fusion, not fission, may be cleaner when its developed. But right now I don't trust them. I'd rather pay less for gas generated electricity. And get rid of nuclear fission plants. Until they have better ways to store waste.I don't want them to lie to us any more. Stop the corporate bait and switch.

[cdev]

A news article with some hints about potential issues:
Your Phone May Soon Replace Many of Your Passwords: https://krebsonsecurity.com/2022/05/your-phone-may-soon-replace-many-of-your-passwords/#more-59727

Your life will depend on a smartphone!

They can only do that if they make the phone free or where is democracy, its gone.. But then they will track your every move.

Considering how Uruguay Round effectively ended democracy one can see why they are accusing everybody else of malfeasance.. Its actually them who are taking over the world.
  -- This should be a crime.
"Trust us we're experts!"  Ha!  Experts at ripping humanity off!

Read Shoshanna Zuboffs new book on "surveillance capitalism"
 Eliminate cash for total surveillance over everybody for their coup. (Their test demonetization/test project in India stripped poor people of billions..).

[cdev]

The chance of somebody randomly guessing an assword should be trillions to one. Simon had he right idea. Make your password very long and utterly random. Learn about and use real cryptography all the time. A lot. Not just on importnt messages.

This is why I am perpetually interested in random number generation. All passwords should come from random sources for example, RF noise. You can use it to generate your keys. Make them insanely long. They will be virtually impossible to guess.

You're not a criminal for wanting privacy. They are for trying to end it.

Not hoping for much, but...

Come on tooki, you are smarter than that.

You should download and learn to use GnuPG on whatever platform you use. I do and in fact Ive used it since literally when it first came out. I think that everybody should. Could you imagine only sending post cards for everything?  Thats what most email is today.

[TimFox]

Normal software random number generators start from a "seed".
In order to test the overall software, it is common to freeze this seed to allow verification of the computation, and then use something sort-of-random, such as time of day, to generate a seed for the pseuco-random process.
Many years ago, I saw someone use a Lava Lamp^TM as a physical random process to generate the seed, but I don't remember how it was encoded.

[cdev]

Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is doing to memorize their private key and do the math by hand.

You need a crypto wallet, write down the 12 word mnemonic, and when logging in on a website, the website verifies the wallet.
This is like 100% solved when it comes to cryptocurrency. There is only one person who can sign transactions to it.

You can make a wallet card , and use a simple cipher to encode the keys you write on that card. Put the key somewhere safe, elsewhere, so if you lose the card, some finder wont be able to use them. Or you can use gnuk. And an STlink 2 clone dongle
https://nx3d.org/gnuk-st-link-v2/
People should drop some Internet companies altogether.

The company you mentioned was the late and great SGI company, of Mountain View, CA.
 Indeed they did use lava lamps. Because they are random. Lets see you try to predict the motion of them? The photo is not of SGI, its years later at a cloudflare vendor. What a great publicity stunt.

What would be a better VID and similar when you build the gnuk software!?

[tooki]

You should not eliminate passwords, nor should you use a browser to manage passwords. Search engines and Internet companies make their money from selling information on you. Its called surveillance capitalism. Keep that in mind. Its not a good deal for humanity. Be aware corporations are only in it for themselves, (who else would they be in it for?) so now they often give bad advice.

To anyone else reading this, please note that the bold text above is absolutely TERRIBLE advice. A password manager is arguably the best thing you can do to get the most out of password security. (And if you’re paranoid/delusional like cdev, you can still get a password manager from a third party that’s not your browser developer. I’m pretty sure there are open source ones, too.)

cdev, you need to take off the tinfoil hat, seriously.
1. If browsers sent our passwords to the browser developers, security researchers would have noticed long ago.
2. What would they even want with your passwords? They’re not useful for tracking and advertising. Furthermore, only one of the major browser developers (Google) has a significant interest in advertising. For the others (Microsoft, Apple, and Mozilla), advertising is either an insignificant business area, or not one at all, while privacy absolutely is. So there’s no incentive for any of them to gather your passwords.

[tooki]

Your survey is a waste of time as it does not include keeping passwords or enforcing secure passwords. I use 16 character passwords individually generated for each site.

Added to survey.

I can now see now that I poorly though out the survey.

You still are lacking a “keep the status quo” option, as you’ve only added the option to use stricter passwords.

But paradoxically, requiring stricter passwords results in overall worse security, because as soon as passwords become too difficult to memorize (including too-frequent changes), people start writing them down or storing them in a Word file. (Most people won’t use password wallets, even if told to do so.)

This is why things are moving towards biometrics (which are imperfect but better than passwords on the whole), or 2FA, often using a simple PIN instead of a complex password.

Companies want to data mine everything, to separate the rich from the poor.
thats what it is. They cant be trusted.

Please, get professional help. Paranoia is not healthy.