Google Security Exec: 'Passwords Are Dead'

HardOCP News

I like how this person says "passwords are dead" but didn't offer a single alternative or solution. :rolleyes:

New startups looking for ways to keep their users secure should know one thing, a top Google security executive said Tuesday: "Passwords are dead." Speaking on a TechCrunch Disrupt panel called "Spies Like Us," Heather Adkins, Google's manager of information security, told moderator Greg Ferenstein that in the future, the "game is over for" any startup that relies on passwords as its chief method to secure users and their data.
 
I think we will see a continued switch to biometric type requirements or hard connection physical keys this decade ... I don't know if passwords will ever go completely away but they will definitely become the more provincial security option
 
I've never found passwords to be insecure for me. I use a different password for every service and my passwords vary in length from your standard 8-12 character random nonsense to 30+ character passphrases.

A better solution would be to start holding people liable for security breaches. If you don't know how to secure a computer, either hire someone who knows how or get off the internet. If your computer is compromised and used to facilitate attacks on other people, you should be held liable for those attacks. It is no different than a car; most people don't know how to fix them and yet they are liable if they neglect their maintenance and someone is harmed as a result, which is why they take them to mechanics.
 
Biometrics and DNA can be stolen also. What happens when crooks get a copy of your fingerprints? Or a digital copy of your DNA? I can change my passwords; once your biometrics are compromised, you're screwed. And don't tell me that your biometrics won't ever be released. Companies can't protect passwords as it is; you sure don't want to trust them with your biometric data.
 
I think the biggest issue is how long a password is practical to use, or can you remember? Algorithms for cracking encrypted communications are evolving quickly, and DNA and biometrics only increase the size of the key; they don't address the fundamental problem. I have to agree that passwords are on their way out as a useful tool.
 
I think the biggest issue is how long a password is practical to use, or can you remember? Algorithms for cracking encrypted communications are evolving quickly, and DNA and biometrics only increase the size of the key; they don't address the fundamental problem. I have to agree that passwords are on their way out as a useful tool.

The statement from this Google exec and the above are indicative of the true problem when it comes to passwords. Simply put, the people in charge of the password policies don't know what a good password is. What is a good password? Is it 8-10 random characters with symbols and crap? No, because most humans can't remember that garbage, so they write it down or store it online. A good password is a 20-40 character "Phrase". This is something that can easily be remembered by any human, but due to the length it is something near impossible to crack. The problem with this, of course, is that because security "Admins", as mentioned above, really are still clueless, they do not allow passwords of that length. So they shoehorn people into making passwords they have little chance of remembering, but modern PCs have little difficulty cracking. Then they turn around and make braindead statements like this decrying the password as dead, when in fact password "Policy" is bad.
 
The reason why passwords are a weak method for security is because of two reasons.

#1 When someone gets hacked, the passwords they grab are likely to be used for other websites.
#2 Everyone for some reason allows you to log in using your email as a username?

A lot of people like to reuse passwords, and give no second thought about it. This isn't a problem, until Sony or some website gets hacked, and gets your password. I love it when they announce that your credit card information is still fine, cause that's what they were going for right? There's a very good chance that those passwords are used for your email and bank account info, cause people are very lazy.

For whatever reason lots of places use your email as a username. That's the stupidest thing ever, cause finding your email is a relatively easy thing to do. So as soon as they get your password, it's a simple matter to log in. I get why they do it, cause at some point snoopdog22 or nirvana17 starts to frustrate people that someone else took their username. But at the same time those websites that use email as a username require uppercase letters and strange characters, and it has to be a minimum of 12 characters long. I guess they figure that if they force you to use a stronger password it will overpower the email as a username?

Of course as an end user you can get around this by not using the same password for everything. Ultimately though it's the website or whatever that needs to be 100% secure. Cause nobody can just keep pumping passwords into your account until it works, as you would know, cause if you get it wrong 5 times your account is locked. So really it takes the website being hacked or compromised to gain access to those passwords. Look at Sony with PSN, where they stored the passwords in a text document.

The only way a weak password could allow someone to get into your account is if you used a stupid password like "password" or "12345".
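The post above puts the weight on the service side: lock the account after five wrong guesses, and keep a credential store that, unlike the Sony text file it mentions, does not hand an attacker the passwords when the database is taken. The Python below is an added example, not code from the thread or from any of the sites discussed. It stores salted PBKDF2-HMAC-SHA256 records, verifies them in constant time, and applies a per-account lockout after five failures. The iteration count, the 15-minute lockout window, the in-memory account table and the injectable clock are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

# Illustrative parameters (assumptions, not values taken from the thread).
PBKDF2_ITERATIONS = 100_000   # makes every guess cost 100k HMAC rounds; raise as hardware speeds up
MAX_FAILED_ATTEMPTS = 5       # the "wrong 5 times and your account is locked" behaviour from the post
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing, salted PBKDF2-HMAC-SHA256 record for storage.

    A leaked table of these is far less useful than a plaintext file: each
    entry carries its own random salt, so every account has to be attacked
    separately, and every guess costs `iterations` HMAC computations.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    """In-memory account table with a per-account lockout after repeated failures."""

    def __init__(self, now: Callable[[], float] = time.monotonic) -> None:
        self._now = now  # injectable clock so the lockout logic is testable deterministically
        self._records: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = {"hash": hash_password(password),
                                   "failed": 0, "locked_until": 0.0}

    def login(self, username: str, password: str) -> str:
        """Return "ok", "denied" or "locked"; the response never reveals whether the user exists."""
        record = self._records.get(username)
        if record is None:
            hash_password(password)  # burn the same work for unknown users so timing does not leak
            return "denied"
        now = self._now()
        if now < record["locked_until"]:
            return "locked"
        if verify_password(password, record["hash"]):
            record["failed"] = 0
            return "ok"
        record["failed"] += 1
        if record["failed"] >= MAX_FAILED_ATTEMPTS:
            record["failed"] = 0
            record["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "hunter2"))                       # denied
    print(store.login("alice", "correct horse battery staple"))  # ok
```

The lockout is what makes the online guessing the post describes impractical; the salted, iterated hash is what limits the damage once the database itself is stolen, which the later posts in the thread point out is where the big breaches actually happen.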

 
Serious hackers don't care about this or that user's password. They try to infiltrate the system and get the whole database.

The biggest breaches have been directly on the DB, like what happened with Sony and Steam. If we use a vault analogy, your locking mechanism can be as sophisticated as you want, if you have a human sized ventilation duct leading into the vault, people will get in.

Now let's rant about how stupid long password requirements are. "You must have 1 upper case, 1 lower case, 1 unicode char, 1 dick and 2 balls.".....so stupid
 
Passwords simply need to change. Eight random characters does not a good password make. However, four random words makes an excellent password.

The other end of the equation is that service owners need to secure user information better. Unencrypted data that has been stolen is unacceptable.
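Two posts above make the same argument from different ends: the earlier one that a 20-40 character phrase is both memorable and hard to crack but gets rejected by length caps, and this one that four random words beat eight random characters. The Python below is an added example, not the thread's or any site's code; it puts numbers on that argument (guess-space bits for random characters versus randomly chosen words), generates a word passphrase with a CSPRNG, and checks both kinds of password against two hypothetical site policies. The 16-word list, the two policies and the 1e10 guesses-per-second rate are assumptions; that rate stands for an offline attack on a leaked fast-hash table, not for online guessing against a site that locks accounts after five attempts.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Constructed stand-in word list for the demo. A real Diceware list has 7776 words;
# only the pool size matters for the entropy estimate, so DICEWARE_POOL is used there.
DEMO_WORDS = ["anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
              "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper"]
DICEWARE_POOL = 7776
PRINTABLE_ASCII = 95   # symbols available to an "8 random characters" password


@dataclass(frozen=True)
class Policy:
    """A site's password rules (hypothetical examples, not any real site's policy)."""
    name: str
    min_length: int
    max_length: int
    require_mixed_classes: bool


def entropy_bits(pool_size: int, picks: int) -> float:
    """Guess-space size in bits for `picks` independent uniform choices from `pool_size`."""
    return picks * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the space is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def has_mixed_classes(password: str) -> bool:
    """The classic 'one upper, one lower, one digit, one symbol' rule."""
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def accepts(policy: Policy, password: str) -> bool:
    """Would this policy let the user choose this password at all?"""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    if policy.require_mixed_classes and not has_mixed_classes(password):
        return False
    return True


def generate_passphrase(words=DEMO_WORDS, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words uniformly with a CSPRNG; the entropy is in the choice, not the words."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_options(guesses_per_second: float = 1e10) -> dict:
    """Bits and expected crack time for the options argued about in the thread."""
    options = {
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "4 diceware words": entropy_bits(DICEWARE_POOL, 4),
        "5 diceware words": entropy_bits(DICEWARE_POOL, 5),
        "6 diceware words": entropy_bits(DICEWARE_POOL, 6),
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits, guesses_per_second))
            for name, bits in options.items()}


if __name__ == "__main__":
    legacy = Policy("legacy", 8, 16, True)      # hypothetical: short cap plus class rules
    modern = Policy("modern", 12, 128, False)   # hypothetical: length only
    phrase = generate_passphrase(count=5)
    print(phrase, "| legacy accepts:", accepts(legacy, phrase),
          "| modern accepts:", accepts(modern, phrase))
    for name, (bits, secs) in compare_options().items():
        print(f"{name:26s} {bits:5.1f} bits  ~{secs / 86400:14.1f} days at 1e10 guesses/s")
```

The numbers are the honest version of the claim: four words from a 7776-word list (about 51.7 bits) land roughly level with eight random printable characters (about 52.6 bits), and each added word buys another 12.9 bits while staying memorable. A policy with a 16-character cap cannot accept the phrase at all, which is exactly the complaint about "security Admins" above.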
 
I have always liked the idea of a 2 phrase system

You basically have pw1 and pw2 and neither validates unless the other does, would make cracking orders of magnitude harder...but also makes it harder for users, since it make recovery and remembering which pw was used where harder.

However, the issue isn't so much passwords anymore; with phishing attacks and full database compromises, there are so many attacks where the password isn't really the issue.

Imagine you have a 3 digit safe, (1-10) so 1000 combinations to try, and we make a robot that can go through all the combos..making the combo 5 digit or 10 digit helps, but the robot will still do it (a bad analogy for these super cracking GPU and ASIC machines) but it is ultimately trivial when the bad guy can just take the safe with them and beat on it with a hammer at their leisure (like these full DB dump attacks)
 
Passwords are dead in the same way Jason Voorhees is dead.

And this woman is basically some buzzword-spouting marketing type, rather than a technician.

She makes a stupid, blanket statement, and then doesn't tell us what EXACTLY to replace it with.

Also, she goes on to tout Google's "two factor" authentication. This is where you can hear the wind whistling between the ears loudest.


Why? Ask yourself. "TWO FACTOR" authentication. Sure. One of them is a code sent to your phone or something.


What's the other one? Oh yeah. A Username/PASSWORD combination!

And the whole near-field communication thing? Waving a dongle at an object? Or having it embedded on or in you? Take a look at the issues with RFID and credit cards. A couple hundred bucks in equipment, and thieves can steal your credentials just walking past you.

Google's management and technicians need to slap people like this down. It makes them look bad, and it makes Google look bad.
 
I like how this person says "passwords are dead" but didn't offer a single alternative or solution. :rolleyes:

I think you aren't putting this into the correct context. He was referring to his pet gerbil who was named "Passwords". He died on the weekend, and the exec was lamenting the loss of life. ;)

Your next question may be about using "are" rather than "is". He did this just to give people the nod from All your base are belong to us
 
Passwords are dead, long live the passwords.

I have enough trouble trying to get my order right at the drive thru

Me:"Root beer"
Server:"Orange Juice?"
Me:"no, a root beer"
Server:"Ten Orange Juices!???"
Me:"Fuck it, just a Coke"
Server:"Okay a Coke".

I dread to think what will happen with different hardware trying to interpret my pass phrase, gestures, or retina scan.
 
Biometrics and DNA can be stolen also. What happens when crooks get a copy of your fingerprints? Or a digital copy of your DNA? I can change my passwords; once your biometrics are compromised, you're screwed. And don't tell me that your biometrics won't ever be released. Companies can't protect passwords as it is; you sure don't want to trust them with your biometric data.

You beat me to it. At least with passwords, when they inevitably get disclosed/stolen or thought to be compromised, I can just change them. Biometrics information is going to be stored in the same places, and prone to the same issues.

And I can't change them after. Biometrics is a good idea on a small scale, but once you start talking large sites/apps or widespread use, the idea becomes a very bad one.
 
I've never found passwords to be insecure for me. I use a different password for every service and my passwords vary in length from your standard 8-12 character random nonsense to 30+ character passphrases.

A better solution would be to start holding people liable for security breaches. If you don't know how to secure a computer, either hire someone who knows how or get off the internet. If your computer is compromised and used to facilitate attacks on other people, you should be held liable for those attacks. It is no different than a car; most people don't know how to fix them and yet they are liable if they neglect their maintenance and someone is harmed as a result, which is why they take them to mechanics.

The big problem here is defining what is "enough" as far as security. You ask 20 random people who have some measure of technical knowledge, and they're going to have 20 different answers. Especially so if they're also users of the "stuff" being secured. Everyone has a different idea of what is acceptable risk, acceptable availability, etc.
 
Biometric security, IMO, is a long way off from being ready for prime time (in the retail world). Just like hacked debit machines, biometric readers can be hacked to store your fingerprint, voiceprint, retina scan or even DNA after use. Thieves can then use these copies to gain repeated access to your account(s). The cost of implementing biometrics is another challenge. A cashier debit machine runs for about $300. A sophisticated biometric reader would cost thousands or more. I just don't see BM taking off anytime soon.
 
Gee. Google says passwords are dead weeks after it's exposed that Google and most every other tech company worked with the government to feed everything you do on the internet to NSA servers.

Pure coincidence.
 
Passwords are dead, long live the passwords.

I have enough trouble trying to get my order right at the drive thru

Me:"Root beer"
Server:"Orange Juice?"
Me:"no, a root beer"
Server:"Ten Orange Juices!???"
Me:"Fuck it, just a Coke"
Server:"Okay a Coke".

I dread to think what will happen with different hardware trying to interpret my pass phrase, gestures, or retina scan.

That might have something to do with you mumbling.
 
Why? Ask yourself. "TWO FACTOR" authentication. Sure. One of them is a code sent to your phone or something.

Something you have, something you know: a pass code sent to your phone is the same as a second password and wouldn't actually equate to two-factor authentication. A modified derivative of a hardware MAC, similar to what MS started using while authenticating their OS, is close, but it becomes useless when your network security is compromised, and we have all been learning just how compromised the internet is as a network system.
 
I have an idea, marketing and intelligence/cop types have something in common, they like to see what you are doing so they know what you like or are planning to do. Buying a car, planning a vacation, attacking a church, whatever, it's the same process.

So what if we tell them we are doing everything, everywhere, all the time?

If everyone is everywhere doing everything all the time, then nobody is anywhere doing anything ever right?
 
If passwords are dead, why would anybody want to use a cloud service?

Everybody would prefer to store information locally and offline.
 
Passwords are dead in the same way Jason Voorhees is dead.

And this woman is basically some buzzword-spouting marketing type, rather than a technician.

She makes a stupid, blanket statement, and then doesn't tell us what EXACTLY to replace it with.

Also, she goes on to tout Google's "two factor" authentication. This is where you can hear the wind whistling between the ears loudest.


Why? Ask yourself. "TWO FACTOR" authentication. Sure. One of them is a code sent to your phone or something.


What's the other one? Oh yeah. A Username/PASSWORD combination!

And the whole near-field communication thing? Waving a dongle at an object? Or having it embedded on or in you? Take a look at the issues with RFID and credit cards. A couple hundred bucks in equipment, and thieves can steal your credentials just walking past you.

Google's management and technicians need to slap people like this down. It makes them look bad, and it makes Google look bad.

The conductor says it's Tsjaikovski, but it's just another Miley Cyrus.
 
If you want to see Two-Factor Identification, just look at Google.

Wait, no. Please don't.
 