
antdude
Matrix Ant
Premium Member
join:2001-03-25
US

antdude

Premium Member

Google Declares War on the Password

»www.wired.com/wiredenter ··· assword/

"... Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?

This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future — and it’s about time..."

Joey1973
@verizon.net

Joey1973

Anon

The "problem" being primarily one of companies not protecting passwords and accounts of customers (from hackers) every bit as much as users not picking good, long passwords that are hard to crack (because they're long--oh, you mean the system only allows 12 characters max? [oops]) and easy to remember. (Sure hope no one steals my ring... or my ring finger... with the ring still on it... )

Lagz
Premium Member
join:2000-09-03
The Rock

1 recommendation

Lagz to antdude

Premium Member

to antdude
The biggest single problem with a log on/password was when online companies shifted to requiring or using your Email address as a log on. Once a big company is compromised the thieves can then just try that email/password combination at all the other major sites. I, like many other people I know, use the same password and a different log on depending on what site we are using. I have a different user name for gaming and a different user name for banking and yet another different user name for online shopping. That extra layer of protection of being able to use a different user name at different sites was nullified when companies moved to using/requiring email addresses as a log on.

chrisretusn
Retired
Premium Member
join:2007-08-13
Philippines

chrisretusn to antdude

Premium Member

to antdude
Strange. I read about this elsewhere and came away with a different aspect of it. The biggest was Google is not declaring war on the password, just looking at other methods.

I don't think the password is going away anytime soon.

goalieskates
Premium Member
join:2004-09-12
land of big

4 recommendations

goalieskates to antdude

Premium Member

to antdude
said by antdude:

"... Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?

This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication ..."

How lazy are people these days?

And what makes Google think I wear rings? or would wear their ring instead of mine? Rings can be a hazard in some occupations ...

Google's security team needs to get out in the real world more.

chrisretusn
Retired
Premium Member
join:2007-08-13
Philippines

chrisretusn

Premium Member

LOL. You made my day.

carpetshark3
Premium Member
join:2004-02-12
Idledale, CO

2 recommendations

carpetshark3

Premium Member

"One ring to rule them all"

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

1 recommendation

antdude

Premium Member

said by carpetshark3:

"One ring to rule them all"

Preeeeeeeeeeeeecious!

dick white
Premium Member
join:2000-03-24
Springfield, VA

2 recommendations

dick white to antdude

Premium Member

to antdude
What's old becomes new again...

»www.youtube.com/watch?v= ··· lqMjfk1Y


dw

dave
Premium Member
join:2000-05-04
not in ohio

dave to goalieskates

Premium Member

to goalieskates
said by goalieskates:

And what makes Google think I wear rings?

You didn't read the article, did you? The actual article is about using hardware tokens for authentication, and just used 'a finger ring' as an example of how one might conveniently carry such a thing - more conveniently than, I suppose, today's key-ring-sized RSA tokens.

Snakeoil
Ignore Button. The coward's feature.
Premium Member
join:2000-08-05
united state

1 recommendation

Snakeoil to antdude

Premium Member

to antdude
said by antdude:

»www.wired.com/wiredenter ··· assword/

"... Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?

This may be closer than you think. Google’s security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future — and it’s about time..."

Interesting. I was watching Once Upon a Time last night. They needed to access a cell phone, but didn't have a password. So they used the guy's key fob and put it near the phone to unlock it.

The only problem I have with such a method, is what happens if you leave it on the shelf by the sink, or it falls off the key ring, etc?

You'd think a thumb print, retina scan would be the way to go, as you can't leave them behind.

TheMG
Premium Member
join:2007-09-04
Canada
MikroTik RB450G
Cisco DPC3008
Cisco SPA112

TheMG

Premium Member

said by Snakeoil:

You'd think a thumb print, retina scan would be the way to go, as you can't leave them behind.

Next to come in the world of malware, after keyloggers: fingerprint loggers and retina image loggers.

Snakeoil
Ignore Button. The coward's feature.
Premium Member
join:2000-08-05
united state

Snakeoil

Premium Member

Couldn't a fob device be copied as well?

There really is no such thing as secure when you are surfing the web/have your computer connected to a network.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 recommendation

NetFixer to Snakeoil

Premium Member

to Snakeoil
said by Snakeoil:

You'd think a thumb print, retina scan would be the way to go, as you can't leave them behind.

Actually, you leave thumb prints behind you every time you touch anything with your thumb (and anyone with access to the "protected" device has access to your thumb print too). I recently demonstrated that principle to someone who was in love with the finger print scanner on their notebook.

I won't go into the gory details of how a retina scanner can be compromised.

dave
Premium Member
join:2000-05-04
not in ohio

dave to Snakeoil

Premium Member

to Snakeoil
said by Snakeoil:

You'd think a thumb print, retina scan would be the way to go, as you can't leave them behind.

Thumb prints can be copied.

As far as retina scans go, call me suspicious, but I'm not about to allow some Dell Lowest-Bidder Laser Eyeballomatic to point at mine.

dave

dave to Snakeoil

Premium Member

to Snakeoil
said by Snakeoil:

Couldn't a fob device be copied as well?

Not if it's properly constructed to be tamper resistant.

OZO
Premium Member
join:2003-01-17

1 recommendation

OZO to antdude

Premium Member

to antdude
Why stop with a ring on your finger? As some have already mentioned here, you can lose it or forget to wear it when you need it. Why not put it under the skin as an RFID tag? Then all of those problems are gone... (for a guy who thinks the glass is half full in this case). Or maybe that's the plan behind this Google project?

Lagz
Premium Member
join:2000-09-03
The Rock

1 recommendation

Lagz

Premium Member

said by OZO:

Why not put it under the skin as an RFID tag? Then all of those problems are gone... (for a guy who thinks the glass is half full in this case). Or maybe that's the plan behind this Google project?

I think this day is soon approaching where everything will require an RFID reading. Just look at this Texas school district.

OZO
Premium Member
join:2003-01-17

1 recommendation

OZO

Premium Member

I think there are many control freaks who would be happy to see that happen

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

jaykaykay to Lagz

MVM

to Lagz
said by Lagz:

said by OZO:

Why not put it under the skin as an RFID tag? Then all of those problems are gone... (for a guy who thinks the glass is half full in this case). Or maybe that's the plan behind this Google project?

I think this day is soon approaching where everything will require an RFID reading. Just look at this Texas school district.

I hope to be long gone by then. The idea of all things read by chips makes me ill.

dave
Premium Member
join:2000-05-04
not in ohio

dave to antdude

Premium Member

to antdude
Does no-one in the security forum except me actually use a hardware logon token for anything? There seems to be a lot of resistance to having any physical thing that helps logon security.

For the record, the problems with the current hardware logon-token approaches are:

1. As far as I know, it's site-specific [my RSA token has to be known to the web site in question], so isn't going to scale

2. I have to copy the digits from the token to the password-entry form: but this is fixable by having a token with a USB interface

3. It doesn't eliminate passwords, and nor should it (for the same reasons that having an ATM card doesn't eliminate PINs). But it does reduce required password complexity.

I don't see that the Wired article is suggesting much more than using the same sort of approach but making it more ubiquitous. And smaller.

Since it's actual money involved with the web site in question, I'm glad of the incremental protection of the token on top of the password.

For the record, I've never lost it, forgotten it, or suffered more inconvenience than having left the token in my coat downstairs when I'm upstairs.

The technology question we perhaps ought to consider here is: how secure is it to rely on a single authentication service?

unavailable
@tds.net

unavailable to OZO

Anon

to OZO
You know, I proposed just this to my best friend, because I think privacy is all but gone anyway and I told her I was willing to give up my last shred of it for convenience. I'm only half kidding. I might actually sign up for it. No more passwords, so intriguing to me.

Of course it makes her insanely angry at me, and she tells me what an idiot I am. She's not really kidding either. She thinks the idea is awful.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to dave

Premium Member

to dave
I have a paypal fob.

I barely use it anymore as I rarely log into paypal.

OZO
Premium Member
join:2003-01-17

OZO to unavailable

Premium Member

to unavailable
said by unavailable:

You know, I proposed just this to my best friend, because I think privacy is all but gone anyway and I told her I was willing to give up my last shred of it for convenience. I'm only half kidding. I might actually sign up for it. No more passwords, so intriguing to me.

Of course it makes her insanely angry at me, and she tells me what an idiot I am. She's not really kidding either. She thinks the idea is awful.

Good to hear from a guy who thinks about it as the glass half full. Now, look from the glass is half empty perspective. I may have hundreds of those tags and none of those are under my skin. Moreover all of them could be easily reprogrammed to copy your ID, as well as anyone I want... How does that sound now? Is it secure? Is it convenient? Or is it worth doing at all???

Listen to your g/f. You may learn something from her

BTW, the more often you repeat to yourself "I think privacy is all but gone anyway", the more it becomes true. That's why I do not do that.

lorennerol
Premium Member
join:2003-10-29
Seattle, WA

2 recommendations

lorennerol to antdude

Premium Member

to antdude
The title should be "Google declares war on web anonymity"

I don't think they give a rat's @ss about security; it's all about knowing every move everyone makes on the web in order to monetize it.

OZO
Premium Member
join:2003-01-17

1 recommendation

OZO

Premium Member

And that's exactly what they're doing...

goalieskates
Premium Member
join:2004-09-12
land of big

goalieskates to dave

Premium Member

to dave
said by dave:

said by goalieskates:

And what makes Google think I wear rings?

You didn't read the article, did you? The actual article is about using hardware tokens for authentication, and just used 'a finger ring' as an example of how one might conveniently carry such a thing - more conveniently than, I suppose, today's key-ring-sized RSA tokens.

I read the article, all right. But since you don't appreciate (lame but pointed) humor, I'm not about to start carrying around hardware tokens for specific sites "for security" or anything else. It's clutter, it's junk, and it's not automatically secure. That's just the sales pitch.

NoHereNoMo
join:2012-12-06

NoHereNoMo to OZO

Member

to OZO
Well, the best security systems involve a challenge based on (1) something you have (or are) and (2) something you know. The first could be a device or something else to--supposedly--"prove" who you are (retina scan, fingerprint reader ..."ring"?). Of course, the second could still be a password (or PIN). (However, would this actually make your accounts et al "hack-proof"?)

(At least, if the first were in use here, then one might not jump to the conclusion that someone "unavailable" is a "guy"? )

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

AVD

Premium Member

Microsoft can lock a computer if a Bluetooth enabled phone goes out of range.

Lagz
Premium Member
join:2000-09-03
The Rock

Lagz to goalieskates

Premium Member

to goalieskates
said by goalieskates:

I'm not about to start carrying around hardware tokens for specific sites "for security" or anything else. It's clutter, it's junk, and it's not automatically secure. That's just the sales pitch.

Next thing you know you will be wearing 50 rings.