Poll

Should they

Drop all passwords?
3 (7.9%)
Use it in multi factor authentication?
11 (28.9%)
Require everybody to use biometric authentication?
2 (5.3%)
Signed challenge (certificate based)
4 (10.5%)
Refuse to answer
4 (10.5%)
Regulate Biometric authentication from being used to restrict access to services and jobs
2 (5.3%)
Keep passwords for those who want it but enforce/make them more stricter
2 (5.3%)
Keep it the same and make no changes
10 (26.3%)

Total Members Voted: 36

Author Topic: People should drop passwords altogether  (Read 12297 times)

0 Members and 1 Guest are viewing this topic.

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17814
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #75 on: May 09, 2022, 06:10:24 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is doing to memorize their private key and do the math by hand.


I thought this was a rather old concept that a government employee in the mostly secret section came up with one night and had to memorize as he was forbidden to write any of it down outside of work. It now forms the basis of most encryption. I send you a key and encrypted key, you unencrypt it and send it back re-encrypted and I verify,  or something like that. The principle is that the math is reversable and at no time is the actual key transmitted.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
 

Online David Hess

  • Super Contributor
  • ***
  • Posts: 16607
  • Country: us
  • DavidH
Re: People should drop passwords altogether
« Reply #77 on: May 09, 2022, 06:51:14 pm »
Actually, in cryptocurrencies, there is a concept, called "zero knowledge proof" which you can use to provide proof that you know the solution to a problem, without giving away the solution.
This problem can be used to verify your identity.

In practice that means a public key encryption exchange or similar which at best becomes "something that you have", because nobody is doing to memorize their private key and do the math by hand.

I thought this was a rather old concept that a government employee in the mostly secret section came up with one night and had to memorize as he was forbidden to write any of it down outside of work. It now forms the basis of most encryption. I send you a key and encrypted key, you unencrypt it and send it back re-encrypted and I verify,  or something like that. The principle is that the math is reversable and at no time is the actual key transmitted.

There is nothing inherently wrong with it for authentication, but relying on using a phone for it which has its own security vulnerabilities can compromise it.  At least it would be better than using a phone as a side channel which is so easily compromised.  I would have no complaints about a USB security key fob but for instance Google's recent requirements exclude them.  I wonder why Google would exclude something more secure, but I know the answer; Google is not interested in security for others.

A security key fob has all of the disadvantages of a physical key.  It can be lost, stolen, or broken.  At least it should be much more difficult to copy.
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17814
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #78 on: May 09, 2022, 08:51:58 pm »
Companies will only be interested in their own security and making it your fault. People who are not actual expects will probably make such policy decisions based on their own biased misunderstandings rather than trust experts who advise them.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14440
  • Country: fr
Re: People should drop passwords altogether
« Reply #79 on: May 09, 2022, 09:22:31 pm »
Companies will only be interested in their own security and making it your fault. People who are not actual expects will probably make such policy decisions based on their own biased misunderstandings rather than trust experts who advise them.

Yes.
And "experts" is a vague term. If said "experts" are paid by those companies only interested in themselves, their biased expertise has little value.
Independent experts are few and far between.
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11473
  • Country: ch
Re: People should drop passwords altogether
« Reply #80 on: May 10, 2022, 08:38:31 am »
I think the point most people here are missing is this: nobody is claiming these alternatives provide flawless security. The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable. That’s the bar we’re seeking to exceed.
 
The following users thanked this post: gmb42

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17814
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: People should drop passwords altogether
« Reply #81 on: May 10, 2022, 12:04:28 pm »
Yes, things like 2FA are just to solve poor password and human error problems. Often it is forced on users unnecessarily. My university forced 2FA, I mean reaslly, what does a hacker want to do? upload my assignments for me?
 

Online David Hess

  • Super Contributor
  • ***
  • Posts: 16607
  • Country: us
  • DavidH
Re: People should drop passwords altogether
« Reply #82 on: May 10, 2022, 12:32:24 pm »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised, but never because a password was compromised.  I can make any effort to secure my own passwords, but can do nothing to secure 2FA which relies on third parties for security.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #83 on: May 10, 2022, 01:56:21 pm »
2FA can be easily messed up with stupid things like sending codes via SMS to a cell phone. SIM swapping has become a mass sport in the US.
 

Offline PKTKS

  • Super Contributor
  • ***
  • Posts: 1766
  • Country: br
Re: People should drop passwords altogether
« Reply #84 on: May 10, 2022, 02:19:53 pm »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised, but never because a password was compromised.  I can make any effort to secure my own passwords, but can do nothing to secure 2FA which relies on third parties for security.

2x Me too.

To say the least ... I could not authorize email clients like Claws and Mutt..

The interface (CLOUD)  is obviously meant as enforcement to sign in every user and force the use of own API and applets..

Never saw such a waste of time and effort to just set a email polling..

"THE" worst   piece of shit I ve seen  last 30y  to access POP/IMAP services...

They have brain damaged people on this..

Paul
« Last Edit: May 10, 2022, 02:21:50 pm by PKTKS »
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11473
  • Country: ch
Re: People should drop passwords altogether
« Reply #85 on: May 10, 2022, 07:15:20 pm »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised…
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.
 
The following users thanked this post: gmb42

Offline gmb42

  • Frequent Contributor
  • **
  • Posts: 294
  • Country: gb
Re: People should drop passwords altogether
« Reply #86 on: May 11, 2022, 05:12:47 am »
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.

Time to give up beating this dead horse, some folks just don't get it.  :horse:
 
The following users thanked this post: tooki

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 19467
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #87 on: May 11, 2022, 08:48:15 am »
The point is that they do provide better security than passwords do in practice. Passwords aren’t bad when everything is done perfectly, from back end to end user. But it rarely is, so the real-world security of them is miserable.

My experience is that existing 2FA is less secure than passwords.  I have lost access to several accounts because of 2FA which was compromised…
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.

... thus creating a single point of failure for all malefactors to attack :)

It is all shades of grey; choose your poison :(
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6758
  • Country: pl
Re: People should drop passwords altogether
« Reply #88 on: May 11, 2022, 10:48:09 am »
Trust experts to choose your poison - that's the 21st century version :D
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 19467
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #89 on: May 11, 2022, 10:56:46 am »
Trust experts to choose your poison - that's the 21st century version :D

Not quite :(

Trust self-proclaimed experts to choose your poison - that's the 21st century version.

Alternatively, trust Dunning-Kruger sufferers to choose your poision, while they decry experts.
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #90 on: May 11, 2022, 12:49:05 pm »
…which is precisely the point of creating industry-wide standards for it, so people stop rolling their own, which is far more likely to be shit.

Time to give up beating this dead horse, some folks just don't get it.  :horse:

Good standards are great! But who wants to establish a specific standard? And for which purpose (the 2FA could be just the shiny wrapping paper)?
 

Online xrunner

  • Super Contributor
  • ***
  • Posts: 7513
  • Country: us
  • hp>Agilent>Keysight>???
Re: People should drop passwords altogether
« Reply #91 on: May 11, 2022, 12:54:33 pm »
From The Register

Quote

Yahoo Japan strives for universal passwordless authentication


Wed 11 May 2022 // 08:19 UTC

Yahoo Japan has revealed that it plans to go passwordless, and that 30 million of its 50 million monthly active users have already stopped using passwords in favor of a combination of FIDO and TXT messages.

A case study penned by staff from Yahoo Japan and Google's developer team, explains that the company started work on passwordless initiatives in 2015 but now plans to go all-in because half of its users employ the same password on six or more sites.

The web giant also sees phishing as a significant threat, and has found that a third of customer inquiries relate to lost credentials.

“From a security perspective, eliminating passwords from the user authentication process reduces the damage from list-based attacks, and from a usability perspective, providing an authentication method that does not rely on remembering passwords prevents situations where a user is unable to login because they forgot their password,” the case study states.

Yahoo Japan's replacement is either authentication by one-time codes sent by SMS, or the Fast Identity Online (FIDO) standard.

When using SMS, the company is fond of using techniques that allow Apple’s iOS and Google’s Chrome browser to read and enter incoming one-time passwords so that users have nothing to do to arrange authentication.

Users are encouraged to use authenticator apps that work with FIDO and WebAuthn, with one-time codes generated on the device used to access Yahoo Japan.

“The greatest difficulty for offering passwordless accounts is not the addition of authentication methods, but popularizing the use of authenticators,” the case study states. User experience is therefore paramount.

Yahoo Japan has therefore used tricky moments to promote adoption – when users sign up for services like e-commerce that have high fraud potential, or reset forgotten passwords, they receive suggestions to adopt authentication methods that are more secure and easier to use.

Users are encouraged to use the same authentication method on all their devices, but Yahoo ! Japan recognizes that’s not easy or possible for all, and so will tolerate mixed methods. The company also envisages operating multiple methods for the foreseeable future.

The company’s efforts have worked, in two dimensions.

“The percentage of inquiries involving forgotten login IDs or passwords has decreased by 25 percent compared to the period when the number of such inquiries was at its highest,” the case study explains. Yahoo Japan has also seen a decline in unauthorized access as its number of passwordless accounts rises.

https://www.theregister.com/2022/05/11/yahoo_japan_goes_passwordless/
I told my friends I could teach them to be funny, but they all just laughed at me.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #92 on: May 11, 2022, 01:25:24 pm »
When you go for hardware tokens or apps (or have to) make sure that you have spares and that they are registered with all the websites. If you have just one and something goes wrong, you'll have a nasty surprise. It's like losing the only key for your front door.
 
The following users thanked this post: Someone, MrMobodies

Offline Bassman59

  • Super Contributor
  • ***
  • Posts: 2501
  • Country: us
  • Yes, I do this for a living
Re: People should drop passwords altogether
« Reply #93 on: June 10, 2022, 05:37:51 am »
Password managers, anyone?

Let the password manager create and store the different random passwords used for each website and be done with it.

Oh, yeah, web sites that ask the usual "easily guessed personal information" like "name of first dog" really need to die in a fire.
 
The following users thanked this post: tooki

Offline BradC

  • Super Contributor
  • ***
  • Posts: 2106
  • Country: au
Re: People should drop passwords altogether
« Reply #94 on: June 10, 2022, 08:31:00 am »
Oh, yeah, web sites that ask the usual "easily guessed personal information" like "name of first dog" really need to die in a fire.

Yes, they do. The notes field in the password manager is a great place to store the questions and respective random keyboard mashing that you put in for an answer to each question.
It's also a great place to note down your "date of birth" and other fictional information you use to complete the mandatory sign-up questions.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #95 on: June 10, 2022, 10:10:06 am »
Password managers, anyone?

Of course! How could you manage all the passwords without one?
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11473
  • Country: ch
Re: People should drop passwords altogether
« Reply #96 on: June 10, 2022, 01:59:16 pm »
Password managers, anyone?

Of course! How could you manage all the passwords without one?
Most people’s solution is a combination of reusing the same 2 or 3 passwords all over the place, often combined with a sheet of paper, notebook, or Word document listing them all. They adamantly refuse to use password managers even if told to do so. Which of course is precisely why the industry is trying to get away from passwords: humanity has proven that truly strong security using passwords is impossible at population scale. Secure, non-reused passwords are impossible to remember, and most people simply won’t use a password manager, which is the only good way to store secure passwords.
 
The following users thanked this post: gmb42

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: People should drop passwords altogether
« Reply #97 on: June 10, 2022, 03:11:56 pm »
And you can't fix stupidy by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 19467
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: People should drop passwords altogether
« Reply #98 on: June 10, 2022, 04:19:28 pm »
And you can't fix stupidy by replacing passwords with something else. Neither should you force users with a password manager to use a different method, just because you think it's idiot-proof.

And you shouldn't use biometric certificates, because when (not if) they become compromised, the user has zero alternatives and becomes disenfranchised!

It is worth noting that the retailers and card settlement industries don't attempt to authorise based on identity and entitlement, because it it so damn difficult to get right. They do authorise individual transactions.
« Last Edit: June 10, 2022, 04:22:21 pm by tggzzz »
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1208
  • Country: pl
Re: People should drop passwords altogether
« Reply #99 on: June 10, 2022, 10:28:31 pm »
It should also be noted that card payment authorization is a bit different than authentication, as it serves somewhat opposite purpose. Authentication protect a person against other parties. Payment authorization protects other parties (merchants, acquirers, issuers) against the person authorizating the transaction. Of course the security mechanism employed may stay similar, but finer details differ.
People imagine AI as T1000. What we got so far is glorified T9.
 
The following users thanked this post: tooki


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf