DailyDirt: Passwords Suck, But What's Better?

from the urls-we-dig-up dept

Every service wants you to create a username and password... and it all begins to pile up after a while. Users try to make things easier for themselves by re-using passwords, but you're really not supposed to do that. What are you supposed to do? Well, password management software exists, but only the truly paranoid folks spend the time to figure out which one of those is the one that works best for particular use cases and then actually set it up. (And then shit happens anyway.) Some companies are trying to figure out other solutions -- here are a few of them. After you've finished checking out those links, take a look at our Daily Deals for cool gadgets and other awesome stuff.

Filed Under: authentication, biometrics, brainwaves, brute force attacks, dongles, eeg, ingestibles, pass-thoughts, passwords, pin, security
Companies: apple, google, paypal


Reader Comments

  • Lane D, 15 Jun 2015 @ 5:28pm

    This is just my opinion

    But I wish people would stop thinking of biometrics as a replacement for passwords. Think of them as a replacement for your username, but not as a replacement for a password.

    • Anonymous Coward, 15 Jun 2015 @ 6:11pm

      Re: This is just my opinion

      You should think of biometrics as a replacement for privacy and liberty.

    • Anonymous Anonymous Coward, 15 Jun 2015 @ 6:14pm

      Re: This is just my opinion

      Agreed. Once something is digitized, it becomes something that can be passed around on the interwebs.

      It sure sounds like it might be more like personal recognition, but what if the identifying engine is only looking at a file, that might include some code to fudge a body temperature at the same time?

      To that extent, with SSNs and other data becoming so public, even with my passport and state-issued photo driver's license, just how does one prove they are who they say they are?

    • Ninja, 16 Jun 2015 @ 8:56am

      Re: This is just my opinion

      I think biometrics may be a good multi-factor authentication mechanism. I.e.: you got the user, pass and biometrics, then you can move in. I like those keys like Yubi or things like grid authentication or Google auth. I think in the end you should just have several somewhat easy keys/steps that together will allow access.

    • dddimwrong, 23 Jun 2015 @ 8:31pm

      Re: This is just my opinion

      Well, we have been using biometrics for the password for the last 6 years with no problems. To enter secure areas or access certain services from the servers you enter your user-id and then your biometric scan must match for that user-id. For further security we have additional questions such as what was the color of the wallpaper of your first apartment or other really obscure questions.

      We feel strongly about the biometric we use because it has no law enforcement value and would be extremely hard to forge because the biometric is the vein pattern of a fingertip. The pattern is different finger to finger so you can use one finger for work and another for personal. Cutting off someone's finger will not work as blood must be coursing through the veins. We even read blood pressure and oxygen content, letting our employees know if they may need to see a doctor.

      The point is that to eliminate fraud and to protect certain assets I need to be sure you are who you say you are and finger-vein technology is one of the best biometric passwords you can use. So I totally disagree with you and I say you are very wrong!!!!!!

  • Christenson, 15 Jun 2015 @ 6:12pm

    Big changes in typing patterns...

    I *usually* touch type with all ten fingers...until...I am eating with my other hand...or it is all wrapped up in a mitten with hot wax on it so as to apply deep heat...

    I sort the passwords into the really valuable ones and the lesser valued ones, memorize just a few, and keep the rest in my little black book.

  • Anonymous Anonymous Coward, 15 Jun 2015 @ 7:27pm

    PayPal

    PayPal wants me to ingest something of theirs? They are going to have to do a whole lot of work to get me to use their system for ANYTHING, let alone ingest something they condone, whether they built it or not. Just look at their track record.

    Then after 10 or 15 years of watching their behavior I might think about the possibility of considering ingesting something they might suggest assuming FDA approval and 20 years of other people using it without ill effect.

    So, not in my lifetime.

    • JoeCool, 15 Jun 2015 @ 8:14pm

      Re: PayPal

      The biggest problem with any kind of ingestible or injectable ID is you're telling crooks "I've got the key to my bank hidden in my stomach! Come get it!!" And many will not hesitate to do so. I would NEVER agree to any such ID, no matter what.

      It's a similar issue with biometrics - if your finger is the key to your stuff, crooks won't hesitate to lop it off to get the goodies.

      • dddimwrong, 23 Jun 2015 @ 8:35pm

        Re: Re: PayPal

        Obviously you are not aware of finger-vein technology used in biometrics. If you lop off the finger it will no longer work as blood must be coursing through the veins for a reading. Finger vein technology is a great biometric we've used for years.

    • Mason Wheeler, 16 Jun 2015 @ 7:33am

      Re: PayPal

      "Just look at their track record."

      What? Making it so easy to pay for stuff and send money around that they've become the default payment system for the Internet? Having a tech support system where it's easy to reach a real human being? Running a mature, stable platform that's been around since the 90s, so you can be confident it will still be there tomorrow?

      Why would that track record make you want to not have anything to do with them?

  • Anonymous Coward, 15 Jun 2015 @ 7:47pm

    Steve Gibson, the creator of SpinRite, is just about to release a secure password replacement based on open key cryptography called SQRL. This link attempts to explain it for normal humans:

    http://sqrl.pl/guide/

    and this link is Gibson's explanation which is fairly information dense.
    https://www.grc.com/sqrl/sqrl.htm

    • Shadow Firebird, 15 Jun 2015 @ 11:05pm

      Re:

      "and then on our website we store…"
      NO.

      • Klaus, 16 Jun 2015 @ 5:13am

        Re: Re:

        ""and then on our website we store…""

        I'm not seeing where they say this on the link above, nor on the link posted below...

    • John Fenderson, 16 Jun 2015 @ 7:47am

      Re:

      This seems solid. It's simply using PKE in one of the ways it was intended. But it's unlikely I would use it, as it requires a privileged computing device in order to function. It eliminates the ability to log into stuff if you don't have your smartphone/tablet/laptop/whatever with you.

  • Anonymous Coward, 15 Jun 2015 @ 11:06pm

    Keypairs

    In server-space public and private keys work pretty well. A server that accepts passwords to SSH in is basically inevitably a malware hive. A keyring works pretty well there. A dongle or similar to hold a bunch of keys, using changing keys could work. The biggest downside there I can see is 5th amendment protection doesn't apply to objects but it does to your brain.

  • Shadow Firebird, 15 Jun 2015 @ 11:14pm

    I'm with Phil

    Phil Zimmermann solved this *20 years ago*: if I send you a message signed with my private key, you know it's from me.

    We use asymmetric crypto for 2FA, but apparently not for one-factor authentication. Damned if I can work out why.

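The signed-message login that this comment and the "Keypairs" comment above describe, written out as an added example (not code from the post, the commenters, or any product named in the thread). The `Server` type, the user name `alice` and the site name `example.test` are constructed for illustration; the point is that the server holds only a public key and that each challenge is single-use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server keeps only public keys plus the one challenge outstanding per user.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll stores the user's public key; no shared secret ever reaches the server.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge returns a fresh random nonce prefixed with the (constructed) site name.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	c := append([]byte("login:example.test:"), nonce...)
	s.pending[user] = c
	return c
}

// Verify checks the signature over the outstanding challenge and consumes it,
// so a captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	c, issued := s.pending[user]
	pub, known := s.pubKeys[user]
	delete(s.pending, user)
	return issued && known && ed25519.Verify(pub, c, sig)
}

func main() {
	srv := NewServer()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv.Enroll("alice", pub) // constructed user name
	sig := ed25519.Sign(priv, srv.Challenge("alice"))
	fmt.Println("first login:", srv.Verify("alice", sig))
	fmt.Println("replayed response:", srv.Verify("alice", sig))
}
```

A breach of this server's user table exposes public keys only, which is the property that separates this scheme from a stored password hash.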

  • ahnkle, 16 Jun 2015 @ 1:56am

    SQRL

    The ultimate password solution is the open, free Steve Gibson solution. See https://www.grc.com/sqrl/sqrl.htm.

    It's so easy, it looks like it shouldn't work. But it does.

  • Emelio Lizardo, 16 Jun 2015 @ 7:54am

    I really don't see the point of 'biometric' or any other form of physical identity as they can be easily duplicated.

    Well, there is convenience, but such a device needs be universal.

    Only something entirely in the user's memory can't be stolen.

    Also, from a legal perspective, the courts could order the surrender of such a device, they can't compel you to testify your password.

    But let's say we did have some universal biometric, such as a fingerprint reader, then governments could demand it as standard equipment and then know who you are with reasonable certainty all the time. You could be blocked from all internet connected devices. Tracked.

    • John Fenderson, 16 Jun 2015 @ 8:30am

      Re:

      "I really don't see the point of 'biometric' or any other form of physical identity as they can be easily duplicated."

      Not all forms are easily duplicated, but the vast majority are. The bigger problem, though, is this: If your physical identity is stolen, there's no way for you to change your "credentials". You're simply screwed.

  • Amorphous Blob, 16 Jun 2015 @ 9:41am

    No way!

    Ain't nobody gonna inject anything in MY dongle!!!
