

antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

Google Declares War on the Password

»www.wired.com/wiredenterprise/20···assword/

"... Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?

This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future — and it’s about time..."
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.



Joey1973

@verizon.net

The "problem" being primarily one of companies not protecting passwords and accounts of customers (from hackers) every bit as much as users not picking good, long passwords that are hard to crack (because they're long--oh, you mean the system only allows 12 characters max? [oops]) and easy to remember. (Sure hope no one steals my ring... or my ring finger... with the ring still on it... )



Lagz
Premium
join:2000-09-03
The Rock

1 recommendation

reply to antdude

The biggest single problem with a log on/password was when online companies shifted to requiring or using your email address as a log on. Once a big company is compromised, the thieves can then just try that email/password combination at all the other major sites. I, like many other people I know, use the same password and a different log on depending on what site we are using. I have a different user name for gaming and a different user name for banking and yet another different user name for online shopping. That extra layer of protection of being able to use a different user name at different sites was nullified when companies moved to using/requiring email addresses as a log on.
--
When somebody tells you nothing is impossible, ask him to dribble a football.



chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast
reply to antdude

Strange. I read about this elsewhere and came away with a different aspect of it. The biggest was Google is not declaring war on the password, just looking at other methods.

I don't think the password is going away anytime soon.
--
Chris
Living in Paradise!!



goalieskates
Premium
join:2004-09-12
land of big

4 recommendations

reply to antdude

said by antdude:

"... Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?

This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication ..."

How lazy are people these days?

And what makes Google think I wear rings? or would wear their ring instead of mine? Rings can be a hazard in some occupations ...

Google's security team needs to get out in the real world more.


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1

LOL. You made my day.



carpetshark3
Premium
join:2004-02-12
Idledale, CO

2 recommendations

"One ring to rule them all"



antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4

1 recommendation

said by carpetshark3:

"One ring to rule them all"

Preeeeeeeeeeeeecious!

dick white
Premium
join:2000-03-24
Annandale, VA

2 recommendations

reply to antdude

What's old becomes new again...

»www.youtube.com/watch?v=WvKlqMjfk1Y


dw

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to goalieskates

said by goalieskates:

And what makes Google think I wear rings?

You didn't read the article, did you? The actual article is about using hardware tokens for authentication, and just used 'a figure ring' as an example of how one might conveniently carry such a thing - more conveniently than, I suppose, today's key-ring-sized RSA tokens.


Snakeoil
Ignore Button. The coward's feature.
Premium
join:2000-08-05
Mentor, OH
kudos:1

1 recommendation

reply to antdude

said by antdude:

»www.wired.com/wiredenterprise/20···assword/

"... Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?

This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future — and it’s about time..."

Interesting. I was watching Once Upon a Time last night. They needed to access a cell phone, but didn't have a password. So they used the guy's key fob and put it near the phone to unlock it.

The only problem I have with such a method is what happens if you leave it on the shelf by the sink, or it falls off the key ring, etc.?

You'd think a thumb print, retina scan would be the way to go, as you can't leave them behind.
--
Is a person a failure for doing nothing? Or is he a failure for trying, and not succeeding at what he is attempting to do? What did you fail at today?.

TheMG
Premium
join:2007-09-04
Canada
kudos:3
Reviews:
·NorthWest Tel

said by Snakeoil:

You'd think a thumb print, retina scan would be the way to go, as you can't leave them behind.

Next to come in the world of malware, after keyloggers: fingerprint loggers and retina image loggers.


Snakeoil
Ignore Button. The coward's feature.
Premium
join:2000-08-05
Mentor, OH
kudos:1

Couldn't a fob device be copied as well?

There really is no such thing as secure when you are surfing the web/have your computer connected to a network.
--
Is a person a failure for doing nothing? Or is he a failure for trying, and not succeeding at what he is attempting to do? What did you fail at today?.



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 recommendation

reply to Snakeoil

said by Snakeoil:

You'd think a thumb print, retina scan would be the way to go, as you can't leave them behind.

Actually, you leave thumb prints behind you every time you touch anything with your thumb (and anyone with access to the "protected" device has access to your thumb print too). I recently demonstrated that principle to someone who was in love with the finger print scanner on their notebook.

I won't go into the gory details of how a retina scanner can be compromised.
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to Snakeoil

said by Snakeoil:

You'd think a thumb print, retina scan would be the way to go, as you can't leave them behind.

Thumb prints can be copied.

As far as retina scans go, call me suspicious, but I'm not about to allow some Dell Lowest-Bidder Laser Eyeballomatic to point at mine.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to Snakeoil

said by Snakeoil:

Couldn't a fob device be copied as well?

Not if it's properly constructed to be tamper resistant.

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

reply to antdude

Why stop with a ring on your finger? As some have already mentioned here, you can lose it or forget to wear it when you need it. Why not put it under the skin as an RFID tag? Then all of those problems are gone... (for a guy who thinks the glass is half full in this case). Or maybe that's the plan behind this Google project?
--
Keep it simple, it'll become complex by itself...



Lagz
Premium
join:2000-09-03
The Rock

1 recommendation

said by OZO:

Why not put it under the skin as an RFID tag? Then all of those problems are gone... (for a guy who thinks the glass is half full in this case). Or maybe that's the plan behind this Google project?

I think this day is soon approaching where everything will require an RFID reading. Just look at this Texas school district.
--
When somebody tells you nothing is impossible, ask him to dribble a football.

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

I think there are many control-freaks who would be happy to see that happen.
--
Keep it simple, it'll become complex by itself...



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy
reply to Lagz

said by Lagz:

said by OZO:

Why not put it under the skin as an RFID tag? Then all of those problems are gone... (for a guy who thinks the glass is half full in this case). Or maybe that's the plan behind this Google project?

I think this day is soon approaching where everything will require an RFID reading. Just look at this Texas school district.

I hope to be long gone by then. The idea of all things read by chips makes me ill.
--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to antdude

Does no-one in the security forum except me actually use a hardware logon token for anything? There seems to be a lot of resistance to having any physical thing that helps logon security.

For the record, the problems with the current hardware logon-token approaches are:

1. As far as I know, it's site-specific [my RSA token has to be known to the web site in question], so isn't going to scale

2. I have to copy the digits from the token to the password-entry form: but this is fixable by having a token with a USB interface

3. It doesn't eliminate passwords, and nor should it (for the same reasons that having an ATM card doesn't eliminate PINs). But it does reduce required password complexity.

I don't see that the Wired article is suggesting much more than using the same sort of approach but making it more ubiquitous. And smaller.

Since it's actual money involved with the web site in question, I'm glad of the incremental protection of the token on top of the password.

For the record, I've never lost it, forgotten it, or suffered more inconvenience than having left the token in my coat downstairs when I'm upstairs.

The technology question we perhaps ought to consider here is: how secure is it to rely on a single authentication service?



unavailable

@tds.net
reply to OZO

You know, I proposed just this to my best friend, because I think privacy is all but gone anyway and I told her I was willing to give up my last shred of it for convenience. I'm only half kidding. I might actually sign up for it. No more passwords, so intriguing to me.

Of course it makes her insanely angry at me, and she tells me what an idiot I am. She's not really kidding either. She thinks the idea is awful.



sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to dave

I have a PayPal fob.

I barely use it anymore as I rarely log into PayPal.


OZO
Premium
join:2003-01-17
kudos:2
reply to unavailable

said by unavailable :

You know, I proposed just this to my best friend, because I think privacy is all but gone anyway and I told her I was willing to give up my last shred of it for convenience. I'm only half kidding. I might actually sign up for it. No more passwords, so intriguing to me.

Of course it makes her insanely angry at me, and she tells me what an idiot I am. She's not really kidding either. She thinks the idea is awful.

Good to hear from a guy who thinks about it as the glass half full. Now, look at it from the glass-is-half-empty perspective. I may have hundreds of those tags and none of those are under my skin. Moreover, all of them could be easily reprogrammed to copy your ID, as well as anyone I want... How does that sound now? Is it secure? Is it convenient? Or is it worth doing at all???

Listen to your g/f. You may learn something from her.

BTW, the more often you repeat to yourself "I think privacy is all but gone anyway", the more it becomes true. That's why I do not do that.
--
Keep it simple, it'll become complex by itself...

lorennerol
Premium
join:2003-10-29
Seattle, WA

2 recommendations

reply to antdude

The title should be "Google declares war on web anonymity"

I don't think they give a rat's @ss about security; it's all about knowing every move everyone makes on the web in order to monetize it.


OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

And that's exactly what they're doing...



goalieskates
Premium
join:2004-09-12
land of big
reply to dave

said by dave:

said by goalieskates:

And what makes Google think I wear rings?

You didn't read the article, did you? The actual article is about using hardware tokens for authentication, and just used 'a figure ring' as an example of how one might conveniently carry such a thing - more conveniently than, I suppose, today's key-ring-sized RSA tokens.

I read the article, all right. But since you don't appreciate (lame but pointed) humor, I'm not about to start carrying around hardware tokens for specific sites "for security" or anything else. It's clutter, it's junk, and it's not automatically secure. That's just the sales pitch.


NotTheMama
What Would Earl Do?

join:2012-12-06
reply to OZO

Well, the best security systems involve a challenge based on (1) something you have (or are) and (2) something you know. The first could be a device or something else to--supposedly--"prove" who you are (retina scan, fingerprint reader ..."ring"?). Of course, the second could still be a password (or PIN). (However, would this actually make your accounts et al "hack-proof"?)

(At least, if the first were in use here, then one might not jump to the conclusion that someone "unavailable" is a "guy"? )
--
"...but ya doesn't hasta call me Johnson!"



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

Microsoft can lock a computer if a Bluetooth-enabled phone goes out of range.
--
* seek help if having trouble coping
--Standard disclaimers apply.--



Lagz
Premium
join:2000-09-03
The Rock
reply to goalieskates

said by goalieskates:

I'm not about to start carrying around hardware tokens for specific sites "for security" or anything else. It's clutter, it's junk, and it's not automatically secure. That's just the sales pitch.

Next thing you know you will be wearing 50 rings.



--
When somebody tells you nothing is impossible, ask him to dribble a football.