dave Premium,MVM join:2000-05-04 not in ohio kudos:8 | reply to antdude
Re: Google Declares War on the Password
Does no-one in the security forum except me actually use a hardware logon token for anything? There seems to be a lot of resistance to having any physical thing that helps logon security.
For the record, the problems with the current hardware logon-token approaches are:
1. As far as I know, it's site-specific [my RSA token has to be known to the web site in question], so isn't going to scale
2. I have to copy the digits from the token to the password-entry form: but this is fixable by having a token with a USB interface
3. It doesn't eliminate passwords, and nor should it (for the same reasons that having an ATM card doesn't eliminate PINs). But it does reduce required password complexity.
I don't see that the Wired article is suggesting much more than using the same sort of approach but making it more ubiquitous. And smaller.
Since it's actual money involved with the web site in question, I'm glad of the incremental protection of the token on top of the password.
For the record, I've never lost it, forgotten it, or suffered more inconvenience than having left the token in my coat downstairs when I'm upstairs.
The technology question we perhaps ought to consider here is: how secure is it to rely on a single authentication service? |
|
 | reply to OZO You know, I proposed just this to my best friend, because I think privacy is all but gone anyway and I told her I was willing to give up my last shred of it for convenience. I'm only half kidding. I might actually sign up for it. No more passwords, so intriguing to me.
Of course it makes her insanely angry at me, and she tells me what an idiot I am. She's not really kidding either. She thinks the idea is awful.  |
|
sivran Opera convert Premium join:2003-09-15 Arlington, TX kudos:1 | reply to dave I have a paypal fob.
I barely use it anymore as I rarely log into paypal. |
|
OZO Premium join:2003-01-17 kudos:2 | reply to unavailable
said by unavailable: You know, I proposed just this to my best friend, because I think privacy is all but gone anyway and I told her I was willing to give up my last shred of it for convenience. I'm only half kidding. I might actually sign up for it. No more passwords, so intriguing to me.
Of course it makes her insanely angry at me, and she tells me what an idiot I am. She's not really kidding either. She thinks the idea is awful.

Good to hear from a guy, who thinks about it as the glass half full. Now, look from the glass is half empty perspective. I may have hundreds of those tags and none of those are under my skin. Moreover all of them could be easily reprogrammed to copy your ID, as well as anyone I want... How does that sound now? Is it secure? Is it convenient? Or is it worth to do at all???
Listen to your g/f. You may learn something from her 
BTW, the more often you repeat to yourself "I think privacy is all but gone anyway", the more it becomes true. That's why I do not do that. -- Keep it simple, it'll become complex by itself... |
|
 | reply to antdude The title should be "Google declares war on web anonymity"
I don't think they give a rat's @ss about security; it's all about knowing every move everyone makes on the web in order to monetize it. |
|
OZO Premium join:2003-01-17 kudos:2 | And that's exactly what they're doing... |
|
| reply to dave
said by dave:
said by goalieskates: And what makes Google think I wear rings?
You didn't read the article, did you? The actual article is about using hardware tokens for authentication, and just used 'a finger ring' as an example of how one might conveniently carry such a thing - more conveniently than, I suppose, today's key-ring-sized RSA tokens.

I read the article, all right. But since you don't appreciate (lame but pointed) humor, I'm not about to start carrying around hardware tokens for specific sites "for security" or anything else. It's clutter, it's junk, and it's not automatically secure. That's just the sales pitch. |
|
 | reply to OZO Well, the best security systems involve a challenge based on (1) something you have (or are) and (2) something you know. The first could be a device or something else to--supposedly--"prove" who you are (retina scan, fingerprint reader ..."ring"?). Of course, the second could still be a password (or PIN). (However, would this actually make your accounts et al "hack-proof"?)
(At least, if the first were in use here, then one might not jump to the conclusion that someone "unavailable" is a "guy"? ) -- "...but ya doesn't hasta call me Johnson!" |
|
AVD Respice, Adspice, Prospice Premium join:2003-02-06 Onion, NJ kudos:1 | Microsoft can lock a computer if a bluetooth enabled phone goes out of range. -- * seek help if having trouble coping --Standard disclaimers apply.-- |
|
Lagz Premium join:2000-09-03 The Rock
| reply to goalieskates
said by goalieskates: I'm not about to start carrying around hardware tokens for specific sites "for security" or anything else. It's clutter, it's junk, and it's not automatically secure. That's just the sales pitch.

Next thing you know you will be wearing 50 rings.

-- When somebody tells you nothing is impossible, ask him to dribble a football. |
|
antdude A Ninja Ant Premium,VIP join:2001-03-25 United State kudos:4
| said by Lagz:
said by goalieskates: I'm not about to start carrying around hardware tokens for specific sites "for security" or anything else. It's clutter, it's junk, and it's not automatically secure. That's just the sales pitch.
Next thing you know you will be wearing 50 rings.

Bling, bling! -- Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer. |
|
Kearnstd Elf Wizard Premium join:2002-01-22 Mullica Hill, NJ | reply to NotTheMama
said by NotTheMama: Well, the best security systems involve a challenge based on (1) something you have (or are) and (2) something you know. The first could be a device or something else to--supposedly--"prove" who you are (retina scan, fingerprint reader ..."ring"?). Of course, the second could still be a password (or PIN). (However, would this actually make your accounts et al "hack-proof"?)
(At least, if the first were in use here, then one might not jump to the conclusion that someone "unavailable" is a "guy"? )

I guess the hard part is how does a biometric device report its scan to the related security package. And could that be man-in-the-middled, aka someone records a legit input and then fools it into taking a directly fed data stream.
While the password grows ever weaker as computing grows ever stronger and most people do not use complex passwords because they have to be remembered.
social engineering will likely grow in popularity as a form of hacking. Why brute it when you can gain access right through the side doors. |
|
Sukunai Premium join:2008-05-07 kudos:1
| reply to antdude It doesn't matter how the data is transmitted, in the end, it has to arrive as digital data and the nasties will always be able to steal it once it is just digital data.
I'd rather just stick with a password, because chips, rings, cards with things in them, I don't see it being worth the added effort.
Every defense eventually has a counter. |
|
milnoc join:2001-03-05 H3B kudos:1 | reply to goalieskates
said by goalieskates: And what makes Google think I wear rings?

And not always on our fingers.
That would make "ringing in" at public terminals rather delicate.  -- Watch my future television channel's public test broadcast! »thecanadianpublic.com/live |
|
TheMG Premium join:2007-09-04 Canada kudos:1 | reply to Kearnstd
said by Kearnstd: social engineering will likely grow in popularity as a form of hacking. Why brute it when you can gain access right through the side doors.

Social engineering already is the most popular way to obtain passwords and also the easiest.
It's scary how effective a little social engineering can be and how easily people fall into the trap.
For instance, the classic method of sending emails pretending to be legitimate ones, with a link to a fake website for the user to log in. As long as you can get past the spam filters, you're guaranteed to get quite a few hits. |
|