DailyDirt: Passwords Suck, But What's Better?

from the urls-we-dig-up dept

Every service wants you to create a username and password... and it all begins to pile up after a while. Users try to make things easier for themselves by re-using passwords, but you're really not supposed to do that. What are you supposed to do? Well, password management software exists, but only the truly paranoid folks spend the time to figure out which one of those is the one that works best for particular use cases and then actually set it up. (And then shit happens anyway.) Some companies are trying to figure out other solutions -- here are a few of them.

Filed Under: authentication, biometrics, brainwaves, brute force attacks, dongles, eeg, ingestibles, pass-thoughts, passwords, pin, security
Companies: apple, google, paypal


Reader Comments

  • Lane D, 15 Jun 2015 @ 5:28pm

    This is just my opinion

    But I wish people would stop thinking of biometrics as a replacement for passwords. Think of them as a replacement for your username, but not as a replacement for a password.

    • Anonymous Coward, 15 Jun 2015 @ 6:11pm

      Re: This is just my opinion

      You should think of biometrics as a replacement for privacy and liberty.

    • Anonymous Anonymous Coward, 15 Jun 2015 @ 6:14pm

      Re: This is just my opinion

      Agreed. Once something is digitized, it becomes something that can be passed around on the interwebs.

      It sure sounds like it might be more like personal recognition, but what if the identifying engine is only looking at a file, that might include some code to fudge a body temperature at the same time?

      To that extent, with SSNs and other data becoming so public, even with my passport and state-issued photo driver's license, just how does one prove they are who they say they are?

    • Ninja, 16 Jun 2015 @ 8:56am

      Re: This is just my opinion

      I think biometrics may be a good multi-factor authentication mechanism. I.e.: you got the user, pass and biometrics, then you can move in. I like those keys like Yubi or things like grid authentication or Google auth. I think in the end you should just have several somewhat easy keys/steps that together will allow access.

    • dddimwrong, 23 Jun 2015 @ 8:31pm

      Re: This is just my opinion

      Well, we have been using biometrics for the password for the last 6 years with no problems. To enter secure areas or access certain services from the servers you enter your user-id and then your biometric scan must match for that user-id. For further security we have additional questions such as what was the color of the wallpaper of your first apartment or other really obscure questions.

      We feel strongly about the biometric we use because it has no law enforcement value and would be extremely hard to forge because the biometric is the vein pattern of a fingertip. The pattern is different finger to finger so you can use one finger for work and another for personal. Cutting off someone's finger will not work as blood must be coursing through the veins. We even read blood pressure and oxygen content, letting our employees know if they may need to see a doctor.

      The point is that to eliminate fraud and to protect certain assets I need to be sure you are who you say you are and finger-vein technology is one of the best biometric passwords you can use. So I totally disagree with you and I say you are very wrong!!!!!!

  • Christenson, 15 Jun 2015 @ 6:12pm

    Big changes in typing patterns...

    I *usually* touch type with all ten fingers...until...I am eating with my other hand...or it is all wrapped up in a mitten with hot wax on it so as to apply deep heat...

    I sort the passwords into the really valuable ones and the lesser valued ones, memorize just a few, and keep the rest in my little black book.

  • Anonymous Anonymous Coward, 15 Jun 2015 @ 7:27pm

    PayPal

    PayPal wants me to ingest something of theirs? They are going to have to do a whole lot of work to get me to use their system for ANYTHING, let alone ingest something they condone, whether they built it or not. Just look at their track record.

    Then after 10 or 15 years of watching their behavior I might think about the possibility of considering ingesting something they might suggest assuming FDA approval and 20 years of other people using it without ill effect.

    So, not in my lifetime.

    • JoeCool, 15 Jun 2015 @ 8:14pm

      Re: PayPal

      The biggest problem with any kind of ingestible or injectable ID is you're telling crooks "I've got the key to my bank hidden in my stomach! Come get it!!" And many will not hesitate to do so. I would NEVER agree to any such ID, no matter what.

      It's a similar issue with biometrics - if your finger is the key to your stuff, crooks won't hesitate to lop it off to get the goodies.

      • dddimwrong, 23 Jun 2015 @ 8:35pm

        Re: Re: PayPal

        Obviously you are not aware of finger-vein technology used in biometrics. If you lop off the finger it will no longer work as blood must be coursing through the veins for a reading. Finger vein technology is a great biometric we've used for years.

    • Mason Wheeler, 16 Jun 2015 @ 7:33am

      Re: PayPal

      "Just look at their track record."

      What? Making it so easy to pay for stuff and send money around that they've become the default payment system for the Internet? Having a tech support system where it's easy to reach a real human being? Running a mature, stable platform that's been around since the 90s, so you can be confident it will still be there tomorrow?

      Why would that track record make you want to not have anything to do with them?

      • John Fenderson, 16 Jun 2015 @ 7:41am

        Re: Re: PayPal

        There are so many instances of PayPal screwing people over (and out of money) that I avoid them to the greatest extent possible. How much you trust them depends on your own comfort level, but "not at all" is a reasonable stance.

        • Mason Wheeler, 16 Jun 2015 @ 11:31am

          Re: Re: Re: PayPal

          [citation needed]

          A few times I've heard innuendos about how "everyone knows" that PayPal is evil and loves to screw its customers over. It's a lot of the same stuff you hear about Google, except with even less in the way of actual examples of customers getting screwed over.

          All I know personally is, I've been using PayPal pretty much forever and never once had a bad experience with their service.

  • Anonymous Coward, 15 Jun 2015 @ 7:47pm

    Steve Gibson, the creator of SpinRite, is just about to release a secure password replacement based on open key cryptography called SQRL. This link attempts to explain it for normal humans:

    http://sqrl.pl/guide/

    and this link is Gibson's explanation which is fairly information dense.
    https://www.grc.com/sqrl/sqrl.htm

    • Shadow Firebird, 15 Jun 2015 @ 11:05pm

      Re:

      "and then on our website we store…"
      NO.

      • Klaus, 16 Jun 2015 @ 5:13am

        Re: Re:

        "and then on our website we store…"

        I'm not seeing where they say this on the link above, nor on the link posted below...

    • John Fenderson, 16 Jun 2015 @ 7:47am

      Re:

      This seems solid. It's simply using PKE in one of the ways it was intended. But it's unlikely I would use it, as it requires a privileged computing device in order to function. It eliminates the ability to log into stuff if you don't have your smartphone/tablet/laptop/whatever with you.

  • Anonymous Coward, 15 Jun 2015 @ 11:06pm

    Keypairs

    In server-space public and private keys work pretty well. A server that accepts passwords to SSH in is basically inevitably a malware hive. A keyring works pretty well there. A dongle or similar to hold a bunch of keys, using changing keys could work. The biggest downside there I can see is 5th amendment protection doesn't apply to objects but it does to your brain.

  • Shadow Firebird, 15 Jun 2015 @ 11:14pm

    I'm with Phil

    Phil Zimmermann solved this *20 years ago*: if I send you a message signed with my private key, you know it's from me.

    We use asymmetric crypto for 2FA, but apparently not for one-factor authentication. Damned if I can work out why.

  • ahnkle, 16 Jun 2015 @ 1:56am

    SQRL

    The ultimate password solution is the open free Steve Gibson solution. See https://www.grc.com/sqrl/sqrl.htm.

    It's so easy, it looks like it shouldn't work. But it does.

  • Emelio Lizardo, 16 Jun 2015 @ 7:54am

    I really don't see the point of 'biometric' or any other form of physical identity as they can be easily duplicated.

    Well, there is convenience, but such a device needs be universal.

    Only something entirely in the user's memory can't be stolen.

    Also, from a legal perspective, the courts could order the surrender of such a device, they can't compel you to testify your password.

    But let's say we did have some universal biometric, such as a fingerprint reader, then governments could demand it as standard equipment and then know who you are with reasonable certainty all the time. You could be blocked from all internet connected devices. Tracked.

    • John Fenderson, 16 Jun 2015 @ 8:30am

      Re:

      "I really don't see the point of 'biometric' or any other form of physical identity as they can be easily duplicated."

      Not all forms are easily duplicated, but the vast majority are. The bigger problem, though, is this: If your physical identity is stolen, there's no way for you to change your "credentials". You're simply screwed.

  • Amorphous Blob, 16 Jun 2015 @ 9:41am

    No way!

    Ain't nobody gonna inject anything in MY dongle!!!
