Passwords & alternatives?

Unlikely to ever happen - smartcards had their chance and missed it. Their role has been replaced by mobile devices.

Here’s the standard where I work:

  1. Long random passwords, unique for each site, generated by a password manager like 1Password or Lastpass.

  2. Two-factor authentication on sites that support it (Google in particular).

  3. Physical security on computers and mobile devices - login passwords and encryption enabled. I’m told Facebook requires its engineers to power down laptops and never use sleep/hibernate.

Two-factor auth basically means that to log in you need both your password, and a 6-digit code generated by an app on your phone that changes every minute. The apps Google Authenticator and Authy are supported by a number of large sites now.

Simpler than that. Biometric devices scan your fingerprint (palm, retina, etc.) and convert the scan to a string of data, which is your “password.” Someone who gets a copy of your data string can bypass the biometric scanner and feed the data directly to the password-checking software. Your security is broken, and you can’t set a new “password.”

I use (free) Password Corral for this. Works great.

I believe the US Government, especially military, CIA, NSA, etc. use smartcards. They are more secure and do not require a smartphone. On the other hand it may well be that for civilians, who are assumed to have a smartphone and do not require the same level of security, a smartphone application is enough.

Do you have a cite for that? I’m not disputing, just interested.

My impression comes from several clues. I remember some poster here who was in the military, maybe in Iraq, mentioning the smartcard needed to access his laptop computer. I would have a hard time finding it but I remember it was here. I recall several anecdotal instances like this.

Also, I have bought several used Dell laptops on eBay over the years and for several reasons had a feeling they came from government surplus. They all had smartcard readers but it was impossible for me to find the smartcards because they seemed to be specific and proprietary. I never could use the reader.

Good one :slight_smile:

nm

I found this:

Interesting, thanks.

Probably not all that relevant to the OP, since it has no traction in the civilian world. 2FA via phone apps is available today on many major sites.

In Spain the national ID card is a contact Smartcard and can be used for legal identification online but, in fact, it has been slow to spread and, in fact, many people, like myself, use a digital certificate I got before the smartcard ID and I just continue to use that one. I think the main use of the Smartcard ID is for filing taxes and voting. When you vote they take your card and put it in a slot and it registers that you voted. I almost felt like arguing whether that was necessary or could be required to vote but I thought better of it. For online stuff I just use the digital certificate I got and I never use the smartcard even though I have several USB readers.

I’ve used ROBOFORM for a long time now. I also have it on my phone. The security seems high, plus it’s easy to use.

For making unique passwords across multiple sites that are still easy to remember, the trick is to use a formula that includes the url in some (preferably unrecognizable) form.

You start with a word that’s special to you, add in a number (so you can vary your password for places that expire passwords every so often), include some letters from the url (along with some sort of substitution algorithm, e.g. replace vowels with c, uncommon letters (x, z, w) with e, etc., to make it non-obvious), and figure out a pattern to shuffle the order.

I’ll also throw LastPass into the ring of contenders for multi-platform password managers. I’ve used it for years, and it has a very hardy random password generator.

I go low tech. I have a simple file that contains mnemonics that help me remember what passwords I have used for which locations.
I can write, “John Ford 2nd”. No one except me knows that I am referring to the middle name of a friend I haven’t seen since primary school, the number plate of the car we had when I was 10 and the stuffed zebra I gave my niece on her second birthday.

Elements of the passwords can be repeated if necessary while still maintaining unique passwords for each purpose. I could write, “blue car stripes harpoon” and be referring to two of the same elements by a different memory device.

I could print off this file and leave it lying around because no one can get into my head to interpret its contents.

And of course all of my high security passwords such as for banking contain a sequence that is memorised and never even referred to. Mercifully there are few of these to recall.
If the truth be known, I actually have a harder time remembering usernames than passwords. Most sites require both to be entered and I have a difficult time remembering which variant I used.

The other ones that are difficult are four-digit PINs. Between bank cards, loyalty cards, photocopier access codes, building alarm codes, frequent flyer cards and whatever else comes up there isn’t a lot of scope. It is not that I have difficulty recalling a four-digit sequence. The problem is remembering which one was used where. And of course I do not want to double up if I can help it.

J.

Here’s a group of folks that broke the new iPhone fingerprint ID system quite quickly.

Also, some people are warning about the increased privacy risks associated with biometric ID systems.

One of the core problems with biometric ID is that the algorithms have to be fuzzy. Not everything lines up perfectly each time, not all features are going to be clear, etc. You can’t go very far in reducing false positives without significantly increasing false negatives. This makes them exploitable. Fuzzy and security don’t go together.
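The trade-off in the post above is usually quantified as the false acceptance rate (FAR, an impostor gets in) against the false rejection rate (FRR, the real user is locked out) as a function of the match-score threshold. The following is an added illustration, not code from the poster or from any biometric vendor: it builds two constructed score distributions (genuine comparisons cluster high, impostor comparisons cluster low, with overlap because two scans of the same finger are never identical), sweeps the threshold, and finds the equal-error point. The distributions, seed and parameters are invented for the demonstration; real systems publish FAR/FRR figures measured on test corpora.

```python
import random
from typing import List, Tuple


def sample_scores(seed: int = 1234, n: int = 2000) -> Tuple[List[float], List[float]]:
    """Constructed match scores in [0, 1]. Genuine = same person, different scans;
    impostor = different people. The overlap is the 'fuzziness' the post talks about."""
    rng = random.Random(seed)
    clip = lambda x: min(1.0, max(0.0, x))
    genuine = [clip(rng.gauss(0.75, 0.12)) for _ in range(n)]
    impostor = [clip(rng.gauss(0.35, 0.12)) for _ in range(n)]
    return genuine, impostor


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """A scan is accepted when its score >= threshold.
    FAR: fraction of impostor attempts accepted. FRR: fraction of genuine attempts rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(genuine: List[float], impostor: List[float], steps: int = 20):
    """Table of (threshold, FAR, FRR). Raising the threshold can only lower FAR and raise FRR."""
    return [(i / steps, *error_rates(genuine, impostor, i / steps)) for i in range(steps + 1)]


def equal_error_threshold(genuine: List[float], impostor: List[float], steps: int = 200) -> float:
    """Threshold where FAR and FRR are closest; a common single-number summary of a biometric."""
    best_t, best_gap = 0.0, float("inf")
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        if abs(far - frr) < best_gap:
            best_t, best_gap = t, abs(far - frr)
    return best_t


if __name__ == "__main__":
    g, i = sample_scores()
    for t, far, frr in sweep(g, i, 10):
        print(f"threshold {t:.2f}  FAR {far:6.3f}  FRR {frr:6.3f}")
    print("equal-error threshold:", equal_error_threshold(g, i))
```

Run it and watch the two columns move in opposite directions: the only way to push FAR toward zero is to accept a rising share of lockouts, and the point chosen in practice is a usability decision, not a security one. Unlike a password check, there is no threshold at which both errors are zero.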

The Co I work for just put in timeclocks w/ finger scanners.
Users had to scan 2 fingers - the second is a backup in case the first finger becomes unreadable by dirt, band-aid or the unthinkable.

I don’t mean to pick on bob++ but here is one of the reasons you don’t want to use the same password: hackers release Adobe encrypted passwords.

Here’s the appropriate xkcd comic that tipped me off to this story.
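The Adobe leak the post links to is the textbook case for how passwords should be stored on the server side. Adobe had encrypted passwords with a single key in a deterministic, block-at-a-time mode (3DES in ECB), so every account with the same password had the same stored value, and accounts whose passwords shared a first block shared the first ciphertext block; that is the pattern the xkcd comic plays on. The following is an added example, not code from the poster, from Adobe or from xkcd: it contrasts a stand-in for that deterministic storage with salted PBKDF2 hashing from Python's standard library. The user table is constructed for the demonstration, and the "encryption" is a keyed PRF per 8-byte block rather than a real cipher (it reproduces the equal-input-equal-output leak, which is the point, without being reversible).

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional

# Constructed sample accounts (not breach data). Note the shared and the related passwords.
SAMPLE_USERS = [
    ("alice", "Password1"),
    ("bob", "hunter2"),
    ("carol", "Password1"),
    ("dave", "Password123"),
    ("erin", "hunter2"),
]

SITE_KEY = b"one-static-key-for-the-whole-table"  # the single key a reversible scheme relies on


def deterministic_encrypt_stand_in(password: bytes, key: bytes, block: int = 8) -> bytes:
    """Stand-in for ECB-style encryption: same key for everyone, no salt, each 8-byte block
    transformed independently. Equal blocks therefore give equal output blocks, exactly the
    leak the real breach exposed. (Keyed HMAC per block, so this is NOT a real or reversible cipher.)"""
    padded = password + b"\x00" * (-len(password) % block)
    out = b""
    for i in range(0, len(padded), block):
        out += hmac.new(key, padded[i:i + block], hashlib.sha256).digest()[:block]
    return out


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, slow, one-way: a fresh random salt per account makes equal passwords look different,
    and the iteration count makes each guess expensive. Stored form: algo$iters$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_groups(stored_values: List[object]) -> List[int]:
    """Sizes of groups of accounts whose stored values are identical. Under deterministic storage
    this reveals which accounts share a password; under salted hashing every value is unique."""
    counts = Counter(stored_values)
    return sorted(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    enc = [deterministic_encrypt_stand_in(p.encode(), SITE_KEY) for _, p in SAMPLE_USERS]
    print("duplicate groups with deterministic encryption:", duplicate_groups(enc))
    hashed = [hash_password(p) for _, p in SAMPLE_USERS]
    print("duplicate groups with salted hashing:", duplicate_groups(hashed))
    print("login check:", verify_password("hunter2", hashed[1]), verify_password("hunter3", hashed[1]))
```

Two things to take from it: first, an attacker holding the table cannot recover a PBKDF2 hash by stealing a key, because there is no key; second, the same password shows up as unrelated strings for alice and carol, so the table itself leaks nothing about who shares a password. The 600,000 iteration default follows current OWASP guidance for PBKDF2-HMAC-SHA256; memory-hard alternatives such as scrypt (also in hashlib) or Argon2 are preferred where available.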

But, but, but I don’t have any Adobe passwords do I?
I don’t use any encryption.

??? What should I fear?

A password vault does seem like the best, if not ideal, approach. I’ve used KeePass for quite a while now. It has versions on several platforms, including mobile devices, and the vault is a simple file that you can copy to anywhere you want to use it, making it easy to sync. For a lot of things, I let it generate a random password. If it’s not a site I’m going to use frequently, I don’t mind having to open the password vault to get my password. If I am going to use it frequently, I’ll actually look at the password rather than just pasting it from the vault, and eventually memorize it.