NNSquad - Network Neutrality Squad


[ NNSquad ] Die Passwords! Die!



                            Die Passwords! Die!

              http://lauren.vortex.com/archive/001035.html


In one form or another -- verbal, written, typed, semaphored, grunted,
and more -- passwords broadly defined have been part of our cultures
pretty much since the dawn of humans at least.  Whether an 18
character mixed-case password replete with unusual symbols, or the
limb-twisting motions of a secret handshake, we've always needed means
for authentication and identity verification, and we've long used the
concept of a communicable "secret" of some kind to fill this need.

As we plow our way ever deeper into the 21st century, it is notable
that most of our Internet and other computer-based systems still
depend on the basic password motif for access control.  And despite
sometimes herculean efforts to keep password-based environments
viable, it's all too clear that we're rapidly reaching the end of the
road for this venerable mechanism.

That this was eventually inevitable has long been clear, but recent
events seem to be piling up and pointing at a more rapid degeneration
of password security than many observers had anticipated, and this is
taking us quickly into the most complex realms of identity and
privacy.

Advances in mathematical techniques, parallel processing, and
particularly in the computational power available to password crackers
(now often using very high speed graphics processing units to do the
number crunching) are undermining long held assumptions about the
safety of passwords of any given length or complexity, and rendering
even hashed password files increasingly vulnerable to successful
attacks.  If a single configuration error allows such files to fall
into the wrong hands, even the use of more advanced password hashing
algorithms is no guarantee of protection against the march of
computational power and techniques that may decimate them in the
future.
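As an added illustration (not part of Lauren's post), the following Python compares the per-guess cost of an unsalted SHA-256 password file with a salted, deliberately slow PBKDF2 derivation from the standard library, and turns that cost into a worst-case time to exhaust a keyspace. The iteration count and the keyspace sizes are assumed values chosen for the demonstration.

```python
"""Added example: why a leaked hash file's safety is a function of the hash's
work factor and of the password itself, not of hashing as such."""
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for illustration)


def fast_hash(password: bytes) -> bytes:
    """Unsalted single SHA-256: the kind of 'hashed password file' the post warns about."""
    return hashlib.sha256(password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated derivation; each guess costs the attacker ITERATIONS HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_record(password: bytes):
    """Store (salt, digest); a fresh salt per user defeats shared precomputation."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


def verify(record, candidate: bytes) -> bool:
    """Constant-time comparison so the check itself leaks no timing signal."""
    salt, digest = record
    return hmac.compare_digest(digest, slow_hash(candidate, salt))


def seconds_per_guess(fn, *args, rounds: int = 20) -> float:
    """Measure the cost of one guess on this machine (a single CPU core)."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


def seconds_to_exhaust(alphabet: int, length: int, cost: float) -> float:
    """Worst case for one core trying every string of `length` symbols."""
    return (alphabet ** length) * cost


if __name__ == "__main__":
    salt = os.urandom(16)
    fast, slow = seconds_per_guess(fast_hash, b"12345"), seconds_per_guess(slow_hash, b"12345", salt)
    print(f"SHA-256 {fast:.2e} s/guess; PBKDF2x{ITERATIONS} {slow:.2e} s/guess; ratio {slow / fast:.0f}x")
    for name, cost in (("SHA-256", fast), ("PBKDF2 ", slow)):
        pin, long_pw = seconds_to_exhaust(10, 5, cost), seconds_to_exhaust(72, 12, cost) / 3.15e7
        print(f"{name}: 5-digit PIN {pin:.2e} s, 12-char mixed {long_pw:.2e} years (one core)")
```

The ratio shows what a work factor buys (linear cost per guess, so a GPU farm still divides it), while the "12345" row shows that no hash rescues a five-digit keyspace.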

What seems like an almost daily series of high profile password
breaches has triggered something of a stampede to finally implement
multiple-factor authentication systems of various kinds, which are
usually a notch below even more secure systems that use a new password
for every login attempt (that is, OTP - One-Time Password systems,
which usually depend on a hardware device or smartphone app to
generate disposable passwords).

As you'd imagine, the ultimate security of what we might call these
"enhanced password" environments depends greatly on the quality of
their implementations and maintenance.  A well designed multiple
factor system can do a lot of good, but a poorly built and vulnerable
one can give users a false sense of security that is actually even
more dangerous than a basic password system alone.

Given all this, it's understandable that attention has now turned
toward more advanced methodologies that -- we hope -- will be less
vulnerable than any typical password-based regimes.

There are numerous issues.  Ideally, you don't want folks routinely
using passwords at all in the conventional sense.  Even relatively
strong passwords become especially problematic when they're used on
multiple systems -- a very common practice.  The old adage of the
weakest link in the chain holds true here as well.  And the less said
about weak passwords the better (such as "12345" -- the kind of
password, as noted in Mel Brooks' film "Spaceballs" -- that "an idiot
would have on his luggage") -- or worse.

So, much focus now is on "federated" authentication systems, such as
OAuth and others.

At first glance, the concept appears simple enough.  Rather than
logging in separately to every site, you authenticate to a single site
that then (with your permission) shares your credentials via "tokens"
that represent your desired and permitted access levels.  Those other
sites never learn your password per se, they only see your tokens,
which can be revoked on demand.  For example, if you use Google+, you
can choose to use your Google+ credentials to access various other
cooperating sites.  An expanding variety of other similar environments
are also in various stages of availability.

This is a significant advance.  But if you're still using simple
passwords for access to a federated authentication system, many of the
same old vulnerabilities may still be in play.  Someone gaining illicit
access to your federated identity may then have access to all
associated systems.  This strongly suggests that when using federated
login environments you should always use the strongest currently
available practical protections -- like multiple-factor
authentication.

All that being said, it's clear that the foreseeable future of
authentication will appropriately depend heavily on federated
environments of one form or another, so a strong focus there is
utterly reasonable.

Given that the point of access to a federated authentication system is
so crucial, much work is in progress to eliminate passwords entirely
at this level, or to at least associate them with additional physical
means of verification.

An obvious approach to this is biometrics -- fingerprints, iris scans,
and an array of other bodily metrics.  However, since biometric
identifiers are so associated with law enforcement, cannot be
transferred to another individual in cases of emergency, and are
unable to be changed if compromised, the biometric approach alone may
not be widely acceptable for mass adoption outside of specialized,
relatively high-security environments.

Wearable devices may represent a much more acceptable compromise for
many more persons.  They could be transferred to another individual
when necessary (and stolen as well, but means to render them impotent
in that circumstance are fairly straightforward).

A plethora of possibilities exist in this realm -- electronically
enabled watches, bracelets, rings, temporary tattoos, even swallowable
pills -- to name but a few.  Sound like science-fiction?  Nope, all of
these already exist or are in active development.

Naturally, such methods are useless unless the specific hardware
capabilities to receive their authentication signals are also present,
when and where you need it, so these devices probably will not be in
particularly widespread use for the very short term at least.  But
it's certainly possible to visualize them being sold along with a
receiver unit that could be plugged into existing equipment.  As
always, price will be a crucial factor in adoption rates.

Yet while the wearable side of the authentication equation has the
coolness factor, the truth is that it's behind the scenes where the
really tough challenges and the most seriously important related
policy and engineering questions reside.

No matter the chosen methods of authentication -- typed, worn, or
swallowed -- one of the most challenging areas is how to appropriately
design, deploy, and operate the underlying systems.  It is incumbent
on us to create powerful federated authentication environments in ways
that give users trustworthy control over how their identity
credentials are managed and shared, what capabilities they wish to
provide in specific environments, how these factors interact with
complex privacy parameters, and a whole host of associated questions,
including how to provide for pseudonymous and anonymous activities
where appropriate.

Not only do we need to understand the basic topology of these
questions and develop policies that represent reasonable answers, we
must actually build and deploy such systems in secure and reliable
ways, often at enormous scale by historical standards.  It's a
fascinating area, and there is a tremendous amount of thinking and
work ongoing toward these goals -- but in many ways we're only just at
the beginning.  Interesting times.

One thing is pretty much certain, however.  Passwords as we've
traditionally known them are on the way out.  They are doomed.  The
sooner we're rid of them, the better off we're all going to be.

Especially if your password is "12345" ...

--Lauren--
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren 
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
Founder:
 - Network Neutrality Squad: http://www.nnsquad.org 
 - PRIVACY Forum: http://www.vortex.com/privacy-info
 - Data Wisdom Explorers League: http://www.dwel.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren 
Tel: +1 (818) 225-2800 / Skype: vortex.com
_______________________________________________
nnsquad mailing list
http://lists.nnsquad.org/mailman/listinfo/nnsquad