Google Declares War On the Password 480
An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity." Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"
Yeah yeah, we have seen this before (Score:5, Interesting)
Every big company at some point has declared war on the password. We have smart cards, biometrics, RSA tokens, and finger paintings to prove it. None of those things work any better than a password when used alone. In conjunction with a password, we can achieve "better" security.
The logic of a password-less world is what's broken. Period, end of statement. If the logic is broken, no matter who implements the password-less solution we still end up with a broken solution.
Re:That doesn't make sense.... (Score:2, Interesting)
Think of OpenID. You have one method of authentication, and you pay lots of attention to it to keep it safe! (Don't spread your eggs around different baskets, keep them all in one, and look after that basket!)
Personally I already have a single device for all my passwords. It's called my computer. Most of my often used passwords are stored by Firefox (and protected by a master password), others are in a TrueCrypt file, less worthy of concern passwords are just stored in a note or two and saved.
Re:Brilliant idea (Score:2, Interesting)
You would still have a screen lock on your phone to prevent someone from using it to authenticate into all of your other accounts.
Re:Biometrics (Score:5, Interesting)
You should always use 2 factor authentication, with biometrics and with what is being suggested here. You know, both something you can lose, and something you can forget.
Has Google become EVIL? (Score:2, Interesting)
Or, is the idea just some out-of-control childish thinkers at Google?
Re:Brilliant idea (Score:5, Interesting)
As you hint, passwords are both necessary and insufficient for real security. For anything important, you really ought to have 2/3 of the ID triangle: something you know (like a password), something you have (like an RSA token), or something you are (like fingerprints).
Re:Brilliant idea (Score:4, Interesting)
You have to simplify them?
Use sentences. Easy to remember and very strong due to length.
Re:Brilliant idea (Score:5, Interesting)
Re:Brilliant idea (Score:3, Interesting)
True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time individually change each one,.
Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.
Actually, keepass can defeat most keyloggers as it uses a different function to put the password into a webform. Yes, you can copy the password to the clipboard, but allowing keepass to log you in is safer. Is it proof against all keyloggers? Hard to say, but it can defeat most at present.
Now if you are speaking specifically about the keypass database, the keylogger would have to have physical access to that file and as with anything physical access trumps all.
Re:how about REMOVING ARBITRARY PASSWORD LIMITS! (Score:5, Interesting)
Yes there is a reasonable excuse why it must contain certain minimum lengths and characters. It has to do with exponents. For fun I've written several types of password hash crackers in the past. The best way to defeat a brute-force password cracker is to expand the keyspace.
A good password today at a minimum 8 characters, and can consist of any one of 95 keypresses on the keyboard. 95^8 = 6.6e15 combinations.
If you don't use special characters, that 8 character password is only 62^8 = 2.2^14 combinations.
If you don't use numbers, that 8 character password is only 52^8 = 5.3^13 combinations.
And If you don't even bother to change cases, that 8 character password is 26^8 = 2.1e11 combinations.
Those numbers don't tell the real story. Old Windows XP passwords could be cracked on average 2011 hardware at about 10 million (1e7) combinations / second. The "good" password above would be cracked in 21 years (max). No special characters would be cracked in 8 months. No numbers in 2 months. And single-case only in 6 hours.
But today we have GPU password cracking, and much better hardware. A Radeon 5770 could crack the "good password", 8 characters long in a mere 28 hours. That was hardware from 2 years ago.
Why not include *where* we are? (Score:4, Interesting)
I'm certainly no expert in the security of GPS/spoofing, but since so many of our devices have location services built in, couldn't we add *where* we are trying to gain access as a relevant factor? Perhaps the security system could ask for a mere simple password if it sees that you are currently at home, and requires secondary authentication (RSA fob, Goggle Auth, etc.) someplace you haven't been before. Most people who have stolen your credentials aren't going to log in from your house (short of your own kids, but if that happens, you have bigger problems).
1998 called... (Score:4, Interesting)
Dallas Semiconductor once had a product called the "Crypto iButton", a small Java CPU + a hardware RSA engine and tamper-resistant memory. With appropriate plugins you could set it up as a security device in your browser and then authenticate remotely using SSL client certificates (with the private key never leaving the iButton).
http://people.cs.uchicago.edu/~dinoj/smartcard/javaring.html [uchicago.edu]
Re:Brilliant idea (Score:4, Interesting)
The idea is that KeePass uses a combination of mouse and keyboard input injection to type the password - most loggers only look at keyboard input, which defeats "trivial" cases - after all, if your system is keylogger compromised you have a much bigger problem anyway.