
Google Declares War On the Password 480

Posted by Soulskill
from the united-nations-powerless-to-intervene dept.
An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. 'We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity.' Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"
  • Brilliant idea (Score:5, Insightful)

    by 0123456 (636235) on Friday January 18, 2013 @02:04PM (#42627031)

    Because I totally want anyone who steals my phone to be able to access every other site I use.

  • Re:Brilliant idea (Score:5, Insightful)

    by Andrio (2580551) on Friday January 18, 2013 @02:06PM (#42627069)
    The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you.

    This proposed plan just makes cellphones that much more attractive to steal.
  • Tracking (Score:5, Insightful)

    by QuietLagoon (813062) on Friday January 18, 2013 @02:07PM (#42627083)

    ... Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. ...

    That certainly makes it much, much easier for google to track you as you go around the web.

  • Anonymity (Score:4, Insightful)

    by Anonymous Coward on Friday January 18, 2013 @02:09PM (#42627125)

    Passwords are bad because they allow any individual to create as many distinct accounts as he or she wants. Require a hardware device per account and you now need an investment for every distinct account. Google wants every user to be identifiable across all sites/services using the same ID.

  • Re:Brilliant idea (Score:5, Insightful)

    by Dexter Herbivore (1322345) on Friday January 18, 2013 @02:12PM (#42627151) Journal

    The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you. This proposed plan just makes cellphones that much more attractive to steal.

    The WORST feature of the password is that it's in your head. I have 20+ login passwords between work and home, my security is lower because you have to simplify them to remember them. If we can find a way to escape the tyranny of passwords that can generally be cracked by anyone who's determined anyway it can only be progress. Not that I have any faith in any organisation to do it after many failed or barely passable attempts (biometrics, smart cards etc).

  • by Sydin (2598829) on Friday January 18, 2013 @02:19PM (#42627241)
    I really mean it: I don't want to have to login to the internet. You keep trying to get me to do it with Chrome, so I switched from that, but now you're going to badger me about this for my phone, too? Sometimes I want to surf anonymously. Sometimes I don't want Site X and Site Y knowing that I'm the same person logging into both. And I can say for certain that all the time, I don't want to be tracked by you so you can present me with more "targeted ads" to give me a better user experience. Let's not even get into what happens if my phone gets stolen, and suddenly all my consolidated information is at some stranger's fingertips. There are far, FAR too many problems with centralized authentication, and I'm really getting sick of Google trying to force it down my throat.
  • Re:Brilliant idea (Score:4, Insightful)

    by Anonymous Coward on Friday January 18, 2013 @02:21PM (#42627293)

    Please explain how I can log into whatever service provides the remote kill if I can't log into my computer, my email account, or anything else. Keep in mind that I don't know my phone's MAC or SIM identification off the top of my head.

  • by Umuri (897961) on Friday January 18, 2013 @02:29PM (#42627395)

    Relevant xkcd [xkcd.com]
    But seriously, how many times have you seen minimum (ok, can see a point here) or maximum (WTF) limits on a password length? Or requirements of what it can or cannot contain.

    Is there any reasonable excuse for why a password must not contain certain characters, besides breaking poorly made scripts? I mean password security 101 says they'll hash it anyway, so why should it matter?

  • Re:Brilliant idea (Score:3, Insightful)

    by Anonymous Coward on Friday January 18, 2013 @02:30PM (#42627407)

    That doesn't work. If someone compromises your slashdot password (e.g., hacks slashdot or phishes you for it) and sees it's "12345slashdot", it's a fair guess that "12345email" is your email password.

  • Re:Brilliant idea (Score:5, Insightful)

    by kaiser423 (828989) on Friday January 18, 2013 @02:36PM (#42627489)

    True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time to individually change each one.

    Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.

  • by nuggz (69912) on Friday January 18, 2013 @02:41PM (#42627553) Homepage

    Yeah those bastards should work on implementing some sort of incognito mode when you're on the internet.

  • Re:Brilliant idea (Score:5, Insightful)

    by Anonymous Coward on Friday January 18, 2013 @02:48PM (#42627633)

    There sure are a lot of people responding to you to explain the convoluted acrobatics they do to manage their passwords.

    If nerds have to do a bunch of tricks just to give themselves a little faith in their passwords, what hope does everyone else have?

  • Re:Brilliant idea (Score:4, Insightful)

    by blueg3 (192743) on Friday January 18, 2013 @02:55PM (#42627735)

    I think his point was that if your phone or other device gives you access to all of your sites, then the single password on your phone is the same as using the same password on all your sites.

    Right, except that it's not, because now a successful attack requires both the password and also the phone.

  • by Hunter Shoptaw (2655515) on Friday January 18, 2013 @02:56PM (#42627739)
    So stop using Google Products. Seriously, if you don't like it change or stop complaining. You don't have to use Google, Chrome, Android or any other Google Product. You choose it.
  • Re:Brilliant idea (Score:5, Insightful)

    by Cinder6 (894572) on Friday January 18, 2013 @02:58PM (#42627769)

    What's particularly disturbing to me is that my bank has the most draconian password requirements, which make my bank password one of the weakest that I use. Joy.

  • Re:Brilliant idea (Score:4, Insightful)

    by Applekid (993327) on Friday January 18, 2013 @03:22PM (#42628011)

    If there is installed software with enough low-level permissions to read your keystrokes, they're going to have rights to monitor which files are being read at the moment you're attempting to log in / mount the drive / operation X, and then steal that file.

  • Re:Brilliant idea (Score:5, Insightful)

    by blueg3 (192743) on Friday January 18, 2013 @03:32PM (#42628123)

    No, it requires both the password and A phone, but not necessarily THE phone.

    Specifically, it requires the secret stored on the phone. The phone is not simply an algorithm for turning a password into a security token. It stores its own secret, independent of the password, that you would need to acquire.

    However, even if it does require THE phone, how often do people lose their phone?

    You mean how often do they lose their phone to someone who is interested and able to guess their password? A lot less often than how often people choose trivially-guessable passwords or have their passwords disclosed by a hacked website.

    Security should include a password, a device and a biometric check. Without all three, you are just as vulnerable as using only a password.

    Strictly untrue. A password plus one of those two things is more secure than a password alone.
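
The point in the comment above, that a login needs the secret stored on the phone as well as the password, shown as an added example (not part of the thread and not the protocol from the Google paper). It uses TOTP (RFC 6238), the scheme Google Authenticator implements, as a stand-in device factor; the account, password, salt and key are constructed sample values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    return hotp(secret, max(unix_time, 0) // step)


def hash_password(password: str, salt: bytes) -> bytes:
    # Any characters and any length hash to the same fixed-size output.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed sample account: every value here is made up for the example.
DEVICE_SECRET = b"12345678901234567890"  # RFC 6238 test key; lives only on the phone
SALT = b"constructed-salt"
PW_HASH = hash_password("correct horse battery staple", SALT)


def login(password: str, code: str, now: int) -> bool:
    """Succeeds only when BOTH the password and the device code are right."""
    pw_ok = hmac.compare_digest(hash_password(password, SALT), PW_HASH)
    # Accept the current step and the previous one to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(totp(DEVICE_SECRET, now - drift).encode(), code.encode())
        for drift in (0, 30)
    )
    return pw_ok and code_ok


if __name__ == "__main__":
    now = 59  # constructed timestamp (RFC 6238 test time)
    code = totp(DEVICE_SECRET, now)
    print("password + device code:", login("correct horse battery staple", code, now))
    print("device code only      :", login("guess", code, now))
    print("password only         :", login("correct horse battery staple", "000000", now))
    print("code replayed later   :", login("correct horse battery staple", code, now + 90))
```
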

  • Re:retina? (Score:4, Insightful)

    by jones_supa (887896) on Friday January 18, 2013 @04:11PM (#42628599)

    I'm not sure if the quality of many cameras is high enough for retina authentication*. Someone might also show a picture of your eye in front of the camera and thus gain access. I still find your idea interesting and would like to subscribe to your newsletter.

    *) Unless Apple comes up with Retina Camera ;)
