So I was reading this thread (and actually read the original article out of professional curiosity before knowing the thread existed).
It occurred to me that I have something like 10 work passwords and 20-30 personal passwords to try and keep track of, with each site having their own quirks on what’s allowed for the passwords.
I want to be secure, but I’m not a Mentat, and I don’t really like the idea of letting a 3rd party manage my passwords either.
What’s on the horizon in terms of authentication and/or passwords that will allow me not to have to try and keep track of 30-40 separate passwords, or worse, variants of the same few passwords?
Biometrics coupled with some sort of OS password manager? Something really novel?
For some years I’ve used a password manager called PassWard, which stores passwords, logins, and things like credit card info and addresses in an encrypted file. It’s simple to “use” – logins just require clicking the proper link in PassWard. Credit card purchases and address info are equally simple to “populate” onto a form. I have at least scores, if not more than a hundred, logins and bookmarks (location without password) and other stuff in there. All I have to remember is one “master” password/phrase/alphanumeric. So I can create really strong random-alphanumeric user names AND passwords, individually with no repeats, for every login I need, because I don’t have to remember them, catalog them, or type them. PassWard has a password generator that performs that work for you, you merely choose the length (from a couple to 25 characters or so). Log in once to an existing site or new registration and the software pops up and asks if you want to store the information, including URLs, username, and password. You may edit these things at any time too. There’s a note field for storing those silly added security features like “city of birth” or “first pet”.
Sadly (to me) PassWard seems to have disappeared – no support, no web site – POOF! gone. Anybody out there know what happened? My software still works, and via USB thumb drive is easy to keep backed up, and transferable to any other computer, anywhere. But it had/has no facility for mobile devices. For that reason, after quite a lot of research and trial of available alternatives, I’m converting to RoboForm. Their “anywhere” plan is closest to my ingrained work flow from PassWard, and has similar capabilities plus a mobile app.
Whether or not this is futuristic enough to answer your question, I cannot know. It seems to at least be state of the present, and I suspect their marketing people believe it should also retain some share of the future too.
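The two pieces the post above relies on, a generator that produces a fresh random password fitted to each site's own rules and a single master secret that unlocks everything else, as an added example. This is not the post's or PassWard's code; the site names, their policies and the PBKDF2 iteration count are constructed placeholders.

```python
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One site's password rules (constructed examples below; real sites differ)."""
    length: int
    alphabet: str
    required_classes: tuple = ()   # character classes that must each appear at least once


SYMBOLS = "!@#$%^&*"

# Constructed per-site "quirks": a plain forum, a bank demanding mixed classes,
# and a legacy site that only accepts a numeric PIN.
SITE_POLICIES = {
    "forum.example": Policy(length=16, alphabet=string.ascii_letters + string.digits),
    "bank.example": Policy(
        length=12,
        alphabet=string.ascii_letters + string.digits + SYMBOLS,
        required_classes=(string.ascii_uppercase, string.digits, SYMBOLS),
    ),
    "legacy.example": Policy(length=8, alphabet=string.digits),
}


def meets_policy(policy, password):
    """True when the password has the right length, alphabet and required classes."""
    if len(password) != policy.length or any(c not in policy.alphabet for c in password):
        return False
    return all(any(c in cls for c in password) for cls in policy.required_classes)


def generate_password(policy, rng=secrets.SystemRandom()):
    """Draw a policy-conforming password uniformly at random.

    Rejection sampling: pick each character uniformly from the alphabet with an
    OS-backed CSPRNG, and retry until every required class is present. That keeps
    the result uniform over the set of conforming strings instead of biasing
    fixed positions toward a digit or a symbol.
    """
    while True:
        candidate = "".join(rng.choice(policy.alphabet) for _ in range(policy.length))
        if meets_policy(policy, candidate):
            return candidate


def entropy_bits(policy):
    """Upper bound on the entropy of a generated password, in bits."""
    # log2 of the number of strings over the alphabet; the class requirements
    # remove only a small fraction of them at the lengths used here.
    return policy.length * math.log2(len(policy.alphabet))


# Assumed work factor for the master password; tune upward for real use.
PBKDF2_ITERATIONS = 200_000


def make_verifier(master, salt=None):
    """Derive a salted verifier for the one master password the user remembers.

    A real vault would use this derived key (or one derived from it) to encrypt
    the password file; here it only lets the program confirm the master password
    was typed correctly without storing the password itself.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_master(master, salt, digest):
    """Constant-time comparison of a typed master password against the verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for site, policy in SITE_POLICIES.items():
        print(f"{site:16} {generate_password(policy)}  (~{entropy_bits(policy):.0f} bits)")
```

The numeric-only legacy site shows why a generator alone is not enough: eight digits is under 27 bits however random they are, so the strength of that login rests on the site's lockout and the vault, not on the password.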
I’m still using an older version (because I cling to a dinosaur of a smartphone - a Palm Centro), so what I’m used to may lack some features that the most current version has. But the main point is that I can keep the info on my desktop synchronized with my phone, and I can always get to my login information.
I once heard about an alternative login system that sounded good to me, but it doesn’t seem to have caught on. In this system, your password is something simple, like “yellow” or “hat” or “jump.” When you enter your user name, a grid of images appears on the screen, and you have to click on the three images that include whatever your password is. The images are different every time you log in.
This system has three advantages that I can think of. (1) Passwords are easy to remember. (2) Even if someone is watching over your shoulder, they can’t tell what your password is. (3) If someone is using a keystroke-capturing program to gather passwords, it won’t help them, because you’re not using the keyboard. Even if they capture the screen positions of your mouse clicks, they don’t know what images were on the screen when you clicked.
The big disadvantage is having to go through a library of hundreds of images to tag the ones that fit your password.
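A simulation of the image-grid login described above, added here as an example rather than code from any real product. The image library, its tags and the grid size are constructed; the server holds one simple word per user, builds a fresh grid with exactly three matching images in random positions, and checks only the positions the user clicked. A replay function measures how much a captured set of click positions is worth on the next login.

```python
import secrets
from dataclasses import dataclass

# Constructed image library: image id -> the simple words it depicts.
IMAGE_LIBRARY = {
    "img01": {"yellow", "hat"},  "img02": {"yellow", "car"},  "img03": {"yellow", "boat"},
    "img04": {"yellow", "dog"},  "img05": {"hat", "dog"},     "img06": {"hat", "tree"},
    "img07": {"hat", "boat"},    "img08": {"jump", "dog"},    "img09": {"jump", "tree"},
    "img10": {"jump", "car"},    "img11": {"jump", "boat"},   "img12": {"tree", "boat"},
    "img13": {"car", "tree"},    "img14": {"dog", "tree"},    "img15": {"car", "boat"},
}

GRID_SIZE = 9          # images shown per login (assumed)
MATCHES_PER_GRID = 3   # the three images the user must click, as the post describes

# Server-side secret per user: a single easy word (constructed accounts).
USER_SECRETS = {"alice": "yellow", "bob": "jump"}


@dataclass
class Challenge:
    user: str
    grid: list   # image ids in display order; the client reports positions into this list


def make_challenge(user, rng=secrets.SystemRandom()):
    """Build a fresh grid: exactly MATCHES_PER_GRID images carry the user's word."""
    word = USER_SECRETS[user]
    matching = [i for i, tags in IMAGE_LIBRARY.items() if word in tags]
    decoys = [i for i, tags in IMAGE_LIBRARY.items() if word not in tags]
    chosen = rng.sample(matching, MATCHES_PER_GRID) + rng.sample(decoys, GRID_SIZE - MATCHES_PER_GRID)
    rng.shuffle(chosen)   # positions of the matching images differ on every login
    return Challenge(user, chosen)


def correct_positions(challenge):
    """Positions in this grid whose image carries the user's secret word."""
    word = USER_SECRETS[challenge.user]
    return {pos for pos, img in enumerate(challenge.grid) if word in IMAGE_LIBRARY[img]}


def verify(challenge, clicked_positions):
    """Accept only the exact set of matching positions for this challenge."""
    clicked = set(clicked_positions)
    if len(clicked) != MATCHES_PER_GRID:
        return False
    return clicked == correct_positions(challenge)


def replay_success_rate(user, trials):
    """How often positions captured from one login are accepted on a later one.

    Models the post's keylogger scenario: the observer learns click positions
    but not which images sat there. Because the grid is reshuffled, the replayed
    positions succeed only when the new grid happens to place its three matching
    images in exactly the same spots.
    """
    captured = correct_positions(make_challenge(user))
    hits = sum(verify(make_challenge(user), captured) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    ch = make_challenge("alice")
    print("grid:", ch.grid)
    print("accepted with correct clicks:", verify(ch, correct_positions(ch)))
    print("replay success rate:", replay_success_rate("alice", 2000))
```

The replay rate is not zero: with three matches in a nine-image grid there are 84 possible position sets, so a blindly replayed capture still succeeds about once in 84 attempts. The scheme therefore needs the usual attempt limiting on the server, and an observer who also records the screen learns the word outright, which is the limit of the shoulder-surfing argument above.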
PassWard synced everything via a USB thumb drive. And that drive could serve as a standalone, without transferring anything to the computer, for occasions when you might be traveling and have access to someone else’s, or a library’s, computer. You could have all your passwords, logins, extra info, and all the same functionality, just by plugging it into that ‘foreign’ machine. But if you plugged it into one of your machines (as many as you want) it would synchronize the data.
The only thing it lacked (for my desires, anyway) was that mobile app. So I was researching alternatives even before PassWard disappeared from the internet. I don’t remember why I picked RoboForm over 1password. Something idiosyncratic to me, I suspect.
We use Common Access Cards - redundantly called CAC Cards - at work. It’s the size of a credit card and must be plugged into the computer usually through a USB device or as part of the keyboard. It contains all kinds of information about the user and has public/private key data.
It still requires a PIN which is 6 to 8 numerical characters so just stealing the card doesn’t help.
More and more of our work systems are enabling CACs, so the number of passwords needed is dropping.
I recommend KeePass (keepass.info) coupled with Dropbox or Google cloud. It’s free, open source, and doesn’t rely on someone else managing your PW file. I’ve set up KeePass to save a local copy every time I save. There are ports for all the OSes you might have (although I’ve found the OS X version isn’t really smooth). It’s a bit of a pain to set up (e.g. you’ll want to install some plug-ins for Firefox/Chrome/etc.) but once you get it running you’ll wonder how you did without it.
Biometrics is frowned upon by cryptographers. The problem is once you use biometrics it becomes difficult to change your “password”.
I suppose it depends on how much confidential stuff you do, and how paranoid you are.
I have a fairly complex pass phrase which I use for all sites that I consider unimportant, mostly forums like this one. Then I have another one that I use for more important stuff like Facebook and games. The confidential stuff like my bank and credit cards have multi-layered security anyway. For example, to get into my bank, I have a 9 digit number memorised, a pass phrase with a number of nonsense keystrokes in it, and then four digits from a further password.
Now, I do recognize that there are several ways that my security can be breached. On the other hand, I use this stuff every day and I don’t see myself as an obvious target for anyone. It is a bit like my car: it is not very valuable so not an obvious target. I still lock it up and assume that anyone who has the skill to get past the physical lock (pretty easy) and then the electronic immobiliser (not easy at all) will not waste time on my car.
I simply do not see the need for 30 passwords, and it seems to me that keeping them all in a safe with a single lock rather defeats the object.
I don’t know why cryptographers would have anything to say because biometrics as a security key is only tangentially related with cryptography.
At any rate, I have seen news that a fingerprint reader can be fooled by a sort of photocopy of the fingerprint, so I wouldn’t put much confidence in that. Or you need to use gloves all the time so no one can copy your fingerprints.
It seems to me smartcard and password is the way to go but I think smartcard protocols are not really standardized yet so each vendor has their own thing. I suppose with time it will become easier and cheaper.
There are a few reasons for doing this:
1. I use a long password for my single lock which makes it more secure but would be a PITA to type in all the time. With KeePass I only need to type it in when I first open it.
2. Nobody owns the single lock except me. I’m not required to change it every 3 months (like my work PWs).
3. Likewise, I can occasionally change the PWs for important sites (like my banking) and I don’t have to remember them all.
4. Depending on how one sets up their password vault, nobody* can get access to the password file to try and crack the single PW. When a single PW is used in multiple places there are multiple vectors for getting access to your PW.
Well, almost nobody.
One thing people need to keep in mind is that if a large entity (like the NSA) wants to get access to your files they will eventually do so, no matter what system you use for keeping PWs safe; even some leaders of Anonymous got caught. However, this is negligibly small unless you’re involved in serious crime; for most hackers, going after a single person isn’t worth the effort. Instead, they try to hack a system that contains millions of passwords with the hope that they’ll crack 100 of them and then use those 100 to gain access somewhere else.
Using a vault like KeePass makes it much less likely that a hacker can gain access to something important.
Yeah, I knew someone would point this out when I typed it up. =P It’s just easier to write “cryptographer” (who do have some expertise in password sources) than the alternative. I think people get the idea.
The problem with passwords is that people have to know them for them to be useful. People are the biggest security issue that any company faces. No matter how much training you give them (and most companies spend a lot of time and effort ensuring that their staff are trained to recognize attempts to breach their networks), people are trained more strenuously to trust those who establish either an emotional connection or an authoritative one.
This is an awesome example. The video is 9 mins long but the key is from 5 min to 8:30. In under 3 mins the guy on the phone convinces an employee to click a link that grants them, through a technical hack, complete access to their network. Now this was a penetration test that the company had sanctioned (they covered that in the first 4 mins) but it demonstrates where the key failure of security lies, and it’s not the ability of hackers to use programs to crack long complex passwords. The key failure of modern security is people, the same key failure of most ancient security (see horse, Trojan).
You must have missed upthread that I mentioned seeing in the news recently that they had managed to reproduce someone’s fingerprint in some kind of plastic and fool the fingerprint reader. A password you can keep in your head but you go around leaving fingerprints everywhere and what they have shown is that it is possible to fool the reader while you get to keep all your fingers.