[OPLIN 4cast] OPLIN 4Cast #322: Giving passwords a pass
Editor
editor at oplin.org
Wed Feb 20 10:31:22 EST 2013
<http://www.oplin.org/4cast/>
February 20th, 2013
How many passwords do you have? How many do you have trouble
remembering? How many of your co-workers tape their passwords on the
underside of their keyboard? Isn't there a better way to handle user
authentication? Last week, we looked at "social login" authentication,
one alternative to passwords that is popular for its ease of use, but
may not be particularly secure. But social login is only one entry in
the effort to replace passwords. Regardless of how it gets done, it
seems that the end of the password may be coming soon.
* P@$$1234: the end of strong password-only security
<http://www.deloitte.com/view/en_GX/global/industries/technology-media-telecommunications/tmt-predictions-2013/tmt-predictions-2013-technology/9eb6f4efcbccb310VgnVCM1000003256f70aRCRD.htm>
(Deloitte TMT Predictions 2013) "However, a number of factors,
related to human behavior and changes in technology, have combined
to render the 'strong' password vulnerable. First, humans struggle
to remember more than seven numbers in our short-term memory. Over a
longer time span, the average person can remember only five. Adding
letters, cases, and odd symbols to the mix makes remembering
multiple characters even more challenging. As a result, people use a
variety of tricks to make recalling passwords easier. For example,
users often create passwords that reference words and names in our
language and experience. Users typically put the upper case symbol
at the beginning of the password and place the numbers at the end of
the password, repeating the numbers or putting them in ascending
order. Although a keyboard has 32 different symbols, humans
generally only use half-a-dozen in passwords because they have
trouble distinguishing between many of them. These tricks and
tendencies combine to make passwords less random, and therefore weaker."
* Google declares war on the password
<http://www.wired.com/wiredenterprise/2013/01/google-password/all/>
(Wired/Robert McMillan) "Passwords are a cheap and easy way to
authenticate web surfers, but they're not secure enough for today's
internet, and they never will be
<http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/>.
Google agrees. 'Along with many in the industry, we feel passwords
and simple bearer tokens such as cookies are no longer sufficient to
keep users safe,' Grosse and Upadhyay write in their paper. Thus,
they're experimenting with new ways to replace the password,
including a tiny Yubico <http://www.yubico.com/> cryptographic card
that - when slid into a USB (Universal Serial Bus) reader - can
automatically log a web surfer into Google."
* DARPA, FIDO Alliance join race to replace passwords
<http://threatpost.com/en_us/blogs/darpa-fido-alliance-join-race-replace-passwords-021213>
(Threatpost/Brian Donohue) "For years, industry thinkers have
somewhat vaguely referenced the need for Internet fingerprints
capable of reliably verifying identities online. Yet here we are,
it's 2013 and passwords remain the primary means of authenticating
users onto networks and workstations. Two groups today announced
projects bent on taking passwords to the curb. The first is an
industry group calling itself the FIDO (Fast IDentity Online)
Alliance. ... The second is the Defense Advanced Research Project
Agency (DARPA), a research and development arm of the Defense
Department."
* Internet giants launch new system to fix the password problem
<http://www.securityweek.com/paypal-lenovo-alliance-launches-new-system-fix-password-problem>
(SecurityWeek/Fahmida Y. Rashid) "Under the FIDO specification,
businesses would be able to authenticate and authorize users using
existing hardware devices, such as smartphones and tablets,
fingerprint readers, microphones, cameras, TPM chips, near-field
communications, and one-time password tokens. Instead of traditional
username and password combinations, the device the user happens to
be holding would play a more central role in authentication,
according to the FIDO Alliance. This would make it much more
difficult for attackers to steal login credentials and compromise
user accounts, Barrett said."
*/Overused fact:/*
Last year, the Trustwave security services firm found that the most
commonly used password on business systems - and thus the least secure -
was /Password1/.
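The Deloitte item above describes the habits that make "strong" passwords predictable: a capital letter at the front, digits at the end (repeated or ascending), a handful of favourite symbols, and a dictionary word underneath. The following checker is an added example for this newsletter, not code from Deloitte, Trustwave or any of the articles quoted; it flags those tells in a password and estimates how much smaller the attacker's search becomes once a word-plus-digits structure is known. The wordlist, the set of "common" symbols and the 100,000-word dictionary size are assumptions chosen for illustration.

```python
import re
import string

# Constructed stand-in for a real cracking dictionary (assumption, not from
# the article, which only says users lean on familiar words and names).
WORDLIST = {"password", "pass", "welcome", "summer", "letmein", "admin", "library"}
ASSUMED_DICTIONARY_SIZE = 100_000  # size of the real dictionary an attacker would use

# The article says people use about half a dozen symbols but does not list
# them; this set is an assumption.
COMMON_SYMBOLS = set("!@#$*.")

# Leet substitutions undone before the dictionary lookup, so that P@$$ -> pass.
LEET = str.maketrans({"@": "a", "$": "s", "1": "i", "!": "i",
                      "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})

# 52 letters + 10 digits + 32 symbols: the keyspace a truly random password draws from.
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94


def split_password(pw):
    """Split a password into (core, trailing digit block); either part may be empty."""
    m = re.fullmatch(r"(.*?)(\d*)", pw)
    return m.group(1), m.group(2)


def tells(pw):
    """Return the list of predictable-construction patterns found in pw."""
    found = []
    core, digits = split_password(pw)

    # Capital only at the start (the "Password" habit).
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        found.append("uppercase only at start")

    # Digits pushed to the end, and whether they are repeated or a run.
    if digits:
        found.append("digits at end")
        if len(digits) > 1 and len(set(digits)) == 1:
            found.append("repeated digits")
        elif len(digits) > 1 and all(ord(b) - ord(a) == 1 for a, b in zip(digits, digits[1:])):
            found.append("ascending digits")

    # Only the handful of symbols people reach for, out of the 32 available.
    used = {c for c in pw if c in string.punctuation}
    if used and used <= COMMON_SYMBOLS:
        found.append("only common symbols")

    # De-leet and lower-case the core, then look it up as a word.
    if core.translate(LEET).lower() in WORDLIST:
        found.append("dictionary word")

    return found


def guess_space(pw):
    """Rough number of candidates an attacker must try.

    A password built from a dictionary word plus trailing digits is enumerated
    as (word) x (capitalised or not) x (digit block); anything else is charged
    the full printable-ASCII keyspace of its length.
    """
    core, digits = split_password(pw)
    if "dictionary word" in tells(pw):
        return ASSUMED_DICTIONARY_SIZE * 2 * 10 ** len(digits)
    return PRINTABLE ** len(pw)


if __name__ == "__main__":
    # Constructed samples: the Trustwave favourite, the Deloitte headline, and a random string.
    for sample in ("Password1", "P@$$1234", "Welcome11", "xq7%Lm2^vZ"):
        print(f"{sample!r}: tells={tells(sample)}, search space ~ {guess_space(sample):,}")
```

The point of `guess_space` is the ratio: nine random printable characters give roughly 5.7 x 10^17 candidates, while a capitalised dictionary word with one trailing digit gives about two million under the assumed dictionary size, which is why the quoted article calls such passwords "less random, and therefore weaker".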
------------------------------------------------------------------------
The */OPLIN 4cast/* is a weekly compilation of recent headlines, topics,
and trends that could impact public libraries. You can subscribe to it
in a variety of ways, such as:
* *RSS feed.* You can receive the OPLIN 4cast via RSS feed by
subscribing to the following URL:
http://www.oplin.org/4cast/index.php/?feed=rss2.
* *Live Bookmark.* If you're using the Firefox web browser, you can go
to the 4cast website (http://www.oplin.org/4cast/) and click on the
orange "radio wave" icon on the right side of the address bar. In
Internet Explorer 7, click on the same icon to view or subscribe to
the 4cast RSS feed.
* *E-mail.* You can have the OPLIN 4cast delivered via e-mail (à la
OPLINlist and OPLINtech) by subscribing to the 4cast mailing list at
http://mail.oplin.org/mailman/listinfo/OPLIN4cast.