Rejoice! The End of ‘User Name and Password’ May Be Nigh by Niki2

REAL WORLD EVENT DISCUSSIONS

Rejoice! The End of ‘User Name and Password’ May Be Nigh

POSTED BY: NIKI2
UPDATED: Sunday, May 19, 2013 09:28
SHORT URL:
VIEWED: 1624
PAGE 1 of 1

Thursday, May 16, 2013 6:49 AM

Gettin' old, but still a hippie at heart...

Hey, I can dig it!

Quote:
What’s the absolute worst part of the Internet? Reasonable folks may disagree, but most would say keeping track of an endless string passwords ranks somewhere at the top.

Nobody, of course, can remember a unique password for the dozens of sites we each sign into each day, so we end up using the same one over and over again. But as recent breaches of high-profile websites like LinkedIn and Gawker show, this practice makes us increasingly vulnerable to hackers who can find valuable passwords for our bank accounts and email by breaking into other, less secure sites.

This is why a consortium of tech companies, including PayPal and Google, have joined together to dream up the future of passwords. And the future, according to this FIDO Alliance (which stands for Fast Identity Online) is to have no passwords at all. “Passwords are just not working terribly well anymore,” says Michael Barrett, Chief Information Security Officer of PayPal and President of FIDO. “And they’re starting to impede the development of the Internet ecosystem.”

A recent study released by Nok Nok shows just how bad many of us are at protecting our online identities. On average, it says, an Internet user has 6.5 passwords, and they share one password between 3.9 websites.
.....
So what is FIDO’s solution? As a consortium of companies, FIDO isn’t interested in coming up with a single alternative to passwords, but rather wants to create a technological framework through which different companies can offer various solutions. While FIDO is agnostic about what method or methods of “authentication” ultimately replace the password, Barrett explained that the technology exists for devices like computers and smartphones to recognize who you are through your unique physical qualities.

For instance, camera resolution on computers and phones is advanced enough that your computer could verify who you are by scanning your face or eyes. And Barrett expects that within a year smartphones with fingerprint scanners will hit the market. Other examples of authentication methods include touch screens that can read your signature, and voice-recognition software. Lots more at http://business.time.com/2013/05/16/rejoice-the-end-of-the-user-name-a
nd-password-is-nigh/

Aowwww...wouldn't it be loverly??! I HATE passwords; every friggin' time I buy something on line they want me to register and create a damned password...it drives me NUTS. I'm at the point where I don't even bother keeping track of most of them, if/when I ever go back there, I just hit "forgot password"... and "6.5"?!?! Is he kidding? I do all my bills, banking, etc., on line; I've got a whole PAGE of "user names" and "passwords", drives me nuts...

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, May 18, 2013 12:57 AM

KWICKO

"We'll know our disinformation program is complete when everything the American public believes is false." -- William Casey, Reagan's presidential campaign manager & CIA Director (from first staff meeting in 1981)

I wish I only had a page of passwords; I have a freaking BOOK. Not kidding. I had to break down and buy a binder to keep my passwords in. I tend to use variations on a few different ones as my "default" passwords - one set for important stuff (banking, credit cards, paying bills, etc.) and another for unimportant stuff (facebook, online chats, etc.), and a third set for online shopping, linked to a low-limit credit card so I can't ever be taken for very much. So hacking the password to my facebook account doesn't get you my bank info or allow you to go on a shopping spree on my dime.

I've had two instances of credit card fraud, and both were places where I used my credit card - but neither of them were places where I ordered online. In both instances, I had gone to eat and paid at the restaurant, and then THEIR system had been hacked. Or should I say "hacked" in quotation marks? Ironically, or coincidentally (or maybe not so coincidentally), both instances were from two different Greek restaurants in town, leading me to never use a credit card for Greek food again out of fear of what I came to refer to as "The Greek Scam."

"I supported Bush in 2000 and 2004 and intellegence [sic] had very little to do with that decision." - Hero

"I was wrong" - Hero, 2012

Mitt Romney, introducing his running mate: "Join me in welcoming the next President of the United States, Paul Ryan!"

Rappy's response? "You're lying, gullible ( believing in some BS you heard on msnbc ) or hard of hearing."

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, May 18, 2013 4:24 AM

NEWOLDBROWNCOAT

Not sure I approve of whatever they're proposing to replace name & password. They don't seem to be too specific.

Your computer ( or CPU, I'm not sure exactly which.) already has a serial number or identifier built in. So does your cell phone. So does almost every hardware device connected to the internet. You already have one on the internet, the numeric url by which the internet directs the stuff you try to access to you. It doesn't send data to "NOBC @fff.net", but to some theoretically unique hex number "H$99FFF314159...something." This ID CAN get stamped into everything you send. It can be used to track you. Enough stuff gets stamped into every picture you take with your digital camera to identify the brand and model number of the camera that took it, and often ownership for copyright purposes. I've seen that used.It wouldn'yt be hard to add the serial number of that exact camera, the time and date, and the GPS position, if that's not done routinely already. It CAN be used to fingerprint what you post. Which means that it can be traced by the government. It doesn't get pasted to EVERY POST you make, but it COULD. The Government DOESN'T use it to trace EVERYTHING YOU DO, but it COULD if it wanted to work hard enough. ( OK, I suppose maybe the NSA already does, the more paranoid among us will tell me. They aren't terribly successful at it, and they don't spend a LOT of money and POLICE time following up. Otherwise we'd catch even MORE terrorists as potential threats.)

Hell, your copy of Windows has a unique identifier- MICROSOFT checks it every time you go there for an update to make sure you paid for and didn't pirate your copy, It helps tell them what updates you need. So probably does your copy of whatever anti-virus you use, or any other software you update frequently. If the manufacturers wanted to track you by that, wanted to bother to record and store any of those numbers, you could be tracked by it.

Anyway, there are plenty of numbers out there that could already be used to validate at least what machine something came from. Issues like using your spouses' laptop instead of your desktop machine, or which user at your workplace was actually using which terminal MAY not YET be verifiable by those numbers.

But just deciding on one of those numbers, mandating the protocol by which it's attached and to exactly how much of everything you send, and legislating who may legally track and use it, and how transparently or invisible that is to the user, would be a simple legislative matter.

Of course, this would open the door to FURTHER really EASY government snooping and tyranny.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, May 18, 2013 4:34 AM

6IXSTRINGJACK

Wow.... really?

Four words for you guys....

I

Love

Big

Brother

Had it ever even occurred to you that the reason computer tech is so cheap and easy for old people to use now is that they wanted to get to this point?

Hell... it shocks me how much Best Buy can still charge all the retards for sub-par hardware with a limited OS after all of these years. Building your own superior PC for the same price today is as easy as following rudimentary LEGO designs compared to when my friend and I were doing it for people back in the late 90s.

I used to have a sheet of notebook paper with all of my logon and password info. From that, I divised a simple cypher that would change those actual "words" into something that didn't make sense, but was really only one place removed from the truth... which was also, still on paper.

Today, I have at least 30 websites, bills and other places I go to, each with unique passwords, and each which nobody would be able to guess. Best of all, none of it is written down.

Jesus Christ...

It isn't Jedi Mind Tricks I'm talking about here. It's nothing more than basic math applied intelligently.

You go right ahead Niki and use your thumbprint or get a barcode on your forehead for authentication.

Call me an old dog, but that shit is uber-scary.

Have fun with the Jackboot Thugs in the midst...

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, May 18, 2013 4:57 AM

SIGNYM

I believe in solving problems, not sharing them.

Quote:
I've seen that used.It wouldn'yt be hard to add the serial number of that exact camera, the time and date, and the GPS position

Word to the wise: never post smart-phone pictures online. All smart-phone metadata (The stuff attached to the picture file that you don't see) contains GPS data. (That's what you get for wanting GPS with your phone!)

Quote:
if that's not done routinely already. It CAN be used to fingerprint what you post. Which means that it can be traced by the government. It doesn't get pasted to EVERY POST you make, but it COULD. The Government DOESN'T use it to trace EVERYTHING YOU DO, but it COULD if it wanted to work hard enough. ( OK, I suppose maybe the NSA already does, the more paranoid among us will tell me. They aren't terribly successful at it, and they don't spend a LOT of money and POLICE time following up. Otherwise we'd catch even MORE terrorists as potential threats.)

But they're working on it. Give them time. Total surveillance, all the time. http://www.whistleblower.org/program-areas/homeland-security-a-human-r
ights/surveillance/nsa-whistleblowers-bill-binney-a-j-kirk-wiebe

Seriously, NIKI. Write down your passwords if you have such a hard time with them. Convenience is the bait in the trap. Look CAREFULLY at what you're giving up for just a little bit more convenience.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, May 18, 2013 6:46 AM

NEWOLDBROWNCOAT

Quote:
Originally posted by SIGNYM:
Quote:
I've seen that used.It wouldn'yt be hard to add the serial number of that exact camera, the time and date, and the GPS position
Word to the wise: never post smart-phone pictures online. All smart-phone metadata (The stuff attached to the picture file that you don't see) contains GPS data. (That's what you get for wanting GPS with your phone!)
Quote:
if that's not done routinely already. It CAN be used to fingerprint what you post. Which means that it can be traced by the government. It doesn't get pasted to EVERY POST you make, but it COULD. The Government DOESN'T use it to trace EVERYTHING YOU DO, but it COULD if it wanted to work hard enough. ( OK, I suppose maybe the NSA already does, the more paranoid among us will tell me. They aren't terribly successful at it, and they don't spend a LOT of money and POLICE time following up. Otherwise we'd catch even MORE terrorists as potential threats.)
But they're working on it. Give them time. Total surveillance, all the time. http://www.whistleblower.org/program-areas/homeland-security-a-human-r
ights/surveillance/nsa-whistleblowers-bill-binney-a-j-kirk-wiebe

Seriously, NIKI. Write down your passwords if you have such a hard time with them. Convenience is the bait in the trap. Look CAREFULLY at what you're giving up for just a little bit more convenience.

I knew that smart phones all had a GPS chip inside. I assumed that most dumb cell phones do. I don't KNOW if regular digital cameras do or not, but I know it can be put on a single chip, and I'm sure it could be stuck in there without anybody noticing, if it isn't already done routinely.

As to passwords, one workplace where I was a user changed them every 90 days and tracked them so you couldn't just alternate one this cycle and the other next time. Took six before the oldest one dropped off their list. I use one of those 6 most everywhere I go. I've added 2 new ones in the last year, after my e-mail account was nearly hacked after I used a public computer. One of those is the only one that is realy secure, 11 alphabetic characters and 2 digits, and a word unlikely to be in any dictionary. My other passwords are so obscure that you'd have to know my personal (weird) interests pretty well to guess them , even with the password hints. ( Would you believe one hint is "Washburne", and the password Hoban? Well, would you believe--? They're on that level) My wife and daughter couldn't get 'em from the hints, and they know me of course pretty well. My PIN numbers are from my obscure special interests, somebody with those in common might get 'em by logic. And of course they could all be beaten by random or sequential crackers,

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, May 18, 2013 7:31 AM

NIKI2

Gettin' old, but still a hippie at heart...

Mike, the only reason I ONLY have a "page" of passwords is that I stopped keeping track of them. The important ones, yes, but the rest, I just create whatever's easy and, if I ever go there again, do "forgot password". This is for stupid stuff, not stuff I buy or where it's important; I don't give a fuck if someone "gets" my password here and posts under my name That sort of thing.

I'd rather NOT have passwords for the vast majority of stuff I do on line, I'd rather just be as anonymous (as much as we "usually" are anyway); I may never go back there and if it's not tagged to me personally, fewer can hurt me that way. But virtually everything wants you to "create an account" nowadays, which often means I can't get an entire article because I don't WANT to create an account, thank you. Shees.

I'm not going to get all paranoid about this shit; it's the world we live in, we've been living in it for quite some time, c'est la vie.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, May 18, 2013 9:39 AM

JONGSSTRAW

Most of the sites I go to on the web like FFF or Amazon remember me, and I never have to sign in. It's my job that's the problem. I probably have 8 or 10 different reports and forms, as well as different levels of database access that are user and password protected. It's totally ridiculous, but you can't do anything without them.

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, May 18, 2013 4:11 PM

NEWOLDBROWNCOAT

NOBC strikes again, I read the headline and about 1/2 the post. Farther down, it says face, voice or fingerprint recognition.
Not sure those couldn't be hacked in some way, once they got out of your machine and onto The Cortex, but they could be used to prove that the YOU operating your hardware is actually you. Not sure how much that degree of security would actually be worth if you actually have to pay for it in dollars.

In fact, here's a scenario: You start up your hardware. It confirms you're you. You make a secure transaction, Your computer attaches either an " I'm Me" code to the transaction message, or sends your recognition data to the second party, who already had a copy of your data. The second party's machine checks your data and agrees " You're you."
No problem.
SO somebody taps your connection, and rips off your " I'M ME" code or your data, or steals it at one of the many transfer points your message passes thru. They they attach it to a message to that says to your Second party, " I'M ME, or " See, here's my data , you can check and tell me, "You're you." Except the message says ," Charge this transaction to ME, you Remember You even told me I'm ME, but transfer all my money to JOhn Dillinger . I wanta give it to him." That's how it already happens NOW.

Or it gets attached to a " Give all my money to the San Francisco Tea Party and NRA group, the one the IRS is investigating as a 504(c) 4 violator ." But this time your data is encoded with the standard encription that is synched to the date and time, so it looks more secure, but that's the one the NSA can break if they want to, or the one they have the back door into, and Bob's yer uncle.

ALL of that can Already happen under the systems in use now. But everybody who's looked into it knows that, and knows that it really isn't secure. Under the new systems, more folks will Think they're secure, and might be more careless.

Meanwhile, Niki, you're right- You're not really using it for much that you REALLY want or need to keep really secure. As, Kwick ( I think it was, above) suggests, keep your online business it linked to one credit card with a low limit, to limit the damage.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, May 18, 2013 9:49 PM

SIGNYM

I believe in solving problems, not sharing them.

Oh, in any case Myth Busters showed how easy it is to hack someone's fingerprint. In that episode, they handed a friend a really clean DVD, and when they got it back it had a nice fat juicy fingerprint on it. All they had to do was photocopy the print, blow it up and clean it up with a marker, and re-copy it smaller. The scanner never knew the difference.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, May 19, 2013 1:17 AM

NEWOLDBROWNCOAT

Quote:
Originally posted by SIGNYM:
Oh, in any case Myth Busters showed how easy it is to hack someone's fingerprint. In that episode, they handed a friend a really clean DVD, and when they got it back it had a nice fat juicy fingerprint on it. All they had to do was photocopy the print, blow it up and clean it up with a marker, and re-copy it smaller. The scanner never knew the difference.

I remember that. They beat the finger-print lock on Grant's door, didn't they? Several ways.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, May 19, 2013 3:27 AM

ANONYMOUSE

Bear in mind that there was at least one stage in the process which they, quite sensibly, didn't show. It's not as simple as shown, though it is simpler than it should be.

Any alternative to the username/password system would doubtless involve a central repository for users' account data...exactly what we don't want. I don't trust any government with my personal data; given their track record, any such repository would be hacked within less than a day of being set up.

The UK government has given up on the idea of ID cards, but not because they've realised it isn't workable and is an infringement of civil liberties - they've given up on it because the biometric technology still isn't up to it and it's not secure enough.

About the only way I can think of to do away with usernames & passwords is a somehow-unhackable AI capable of individual identity recognition, an entity which can either be mobile on the Internet (as opposed to residing on a given server), distributed through it so widely that no-one but itself could keep track of it, or more likely both. That, certainly, is beyond the current state of the art.

So don't throw your password books away yet, peeps! :)

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, May 19, 2013 6:58 AM

NEWOLDBROWNCOAT

DNA testing for everybody, then attach and post the results. Yeah, that's REAL practical... Still subject to online piracy, and it won't protect you if your identical twin is soap opera EVIL.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, May 19, 2013 8:01 AM

6IXSTRINGJACK

Quote:
Originally posted by Niki2:
I don't give a fuck if someone "gets" my password here and posts under my name That sort of thing.

Yep.. I get you here Niki! Afterall, anyone who posted as me could not possibly be 1/2 as obnoxious as I am.... right?

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, May 19, 2013 9:10 AM

1KIKI

Goodbye, kind world (George Monbiot) - In common with all those generations which have contemplated catastrophe, we appear to be incapable of understanding what confronts us.

I read a really long article a few months ago about how the username/password combination was obsolete. http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/al
l/

Then it went on to disprove it's own premise by going on at length to consider all the failings of that combo and how it COULD be fixed or gotten around if both ends of the transactions took proper care. But that they (proper security measures) were considered to be speedbumps in the process of parting the user from their money - ie purchasing. It argued that the internet could be secure, but that would make it inconvenient for purchasers, which would slow up its utility to vendors. So, as they saw it, it comes down to money in the pocket of business. And I think that’s true. No vendor wants to make it onerous for people to login and spend, so they put up with weak passwords and weak security systems that put people at risk.

But I think there is just a little bit more to it than that.

Losing your password to phishing or an individualized attack on you is a big problem for YOU, but it's penny-ante stuff.

Systems aren't secure. When millions of people at a time have their username/ passwords hacked b/c someone got into a system, when the banks are subject to a DOS attack that's a smokescreen for malware being inserted into their code (putting hundreds of millions, perhaps billions, of accounts at risk at the same time; as well as bank-to-bank transactions), when email servers that filter spam are subject to a MASSIVE DOS attack, it argues to me that they systems themselves aren't secure.

And the answer people seem to be gravitating for is less privacy to irretrievably link a physical person and system to an ID, making their movements online far more traceable.

I'd think that the answer would be to make everything more secure, delocalized, harder to trace, and private, instead.

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, May 19, 2013 9:19 AM

SIGNYM

I believe in solving problems, not sharing them.

Heh! The funny thing is, NOBC, I AM an identical twin! So my DNA has a copy out there, but my fingerpints and retinal patterns are my own (but hackable, presumably).

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Sunday, May 19, 2013 9:28 AM

SIGNYM

I believe in solving problems, not sharing them.

You CAN make systems much more secure than they are now. The problem is, most businesses and utilities are running on Windows (For god's sake, WHY??? Don't they have money to pay for real programmers??? ) and there are two problems with Windows, as I understand it:

1) The way it is written, it is impossible to secure. Hubby has analyzed Windows to be similar to the Great Barrier Reef... it was never rewritten from the ground up, but still relies on old DOS code and other crap from the past with patches on patches. Worse, it isn't modularized... it's one giant program. It's impossible to isolate the function of one part of the software from another, so viruses can go from an application like Adobe all the way into the operating system kernel.

2) It has built-in backdoors for government intrusion, most famously found as the "NSAKEY". The government REALLY doesn't want fully secure software, because otherwise how could THEY get in? For example, if a bank's software was really secure from intrusion, then all of those transactions that the government might have an interest in would be inaccessable. I mean, it would be like the Silk Road everywhere! That is why (I think) the US government blocked access to a BitCoin server.* (* Irrespective of whether or not BitCoin is a good idea or not, the government has an abiding interest in knowing who is exchanging money for what.)

ETA... In addition, I don't trust business any more than I trust government. Government may be prohibited from snooping into your business... not that they pay attention to those prohibitions all that well... but nothing prohibits the government from paying someone else to gather the information for them! So, do you really want an universal database with an ID linked to your physical presence?

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

YOUR OPTIONS

SHARE THREAD

NEW POSTS TODAY

USER	POST DATE

USER

POST DATE