Microsoft Says It’s Time to Kill Off the Password

Discussion in 'HardForum Tech News' started by Megalith, Dec 31, 2017.

  1. Megalith

    Megalith 24-bit/48kHz Staff Member

    Messages:
    13,004
    Joined:
    Aug 20, 2006
    Microsoft’s solution to the password? You. In what is probably a veiled attempt at drumming up interest for Windows Hello, its facial, fingerprint, and iris-scanning system, the company is touting the superiority of biometrics over strings of typed text for security.

    But Windows Hello isn’t infallible, at least on older versions of the OS. Last week, German security firm SYSS discovered they could trick its facial recognition tech using a printed headshot. The other big company pushing the virtues of biometric authentication is, of course, Apple. Despite several examples of its Face ID system being tricked by photos and users' relatives, the system is still expected to arrive in the company’s other devices next year.
     
  2. cyberguyz

    cyberguyz Gawd

    Messages:
    694
    Joined:
    Aug 28, 2014
    Yes it is superior.... Until it doesn't work.

    It sux hard to get locked out of your precious because you scruffed your fingertips somewhere. And face recognition has been beaten time & again.
     
    Armenius, Revdarian and Delicieuxz like this.
  3. Merc1138

    Merc1138 2[H]4U

    Messages:
    2,092
    Joined:
    Sep 25, 2010
    Pretty much.

    Need to change my password? Yup, I can do that.

    Change my face? Uhh... not so much.
     
    Jovian, Hop-Scotch, Tweak42 and 10 others like this.
  4. Scottw

    Scottw Limp Gawd

    Messages:
    170
    Joined:
    May 8, 2001
    The main issue is that we have one set of biometric data each. Once that data is acquired by someone who should not have it, we are probably screwed. Multiple types and ways to obscure authentication could help, but in the end it seems like it could be a huge issue.
     
    Last edited: Jan 1, 2018
    Armenius and Bloodystumps like this.
  5. gxp500

    gxp500 Gawd

    Messages:
    865
    Joined:
    Mar 4, 2015

    Who wants to give all that to Microsoft?
     
    mynamehere, Tweak42, Armenius and 8 others like this.
  6. noko

    noko [H]ardness Supreme

    Messages:
    4,354
    Joined:
    Apr 14, 2010
    DNA match test is next.

    Lol of photographs working - that really sounds secure :D

    Voice recognition if you read off of the screen something random? Kinda hard to record something like that but sounds rather time consuming. Maybe a gesture type facial expression you do in real time where you can't use a picture for. A double wink wink.
     
  7. iamjanco

    iamjanco Limp Gawd

    Messages:
    441
    Joined:
    Jul 8, 2016
    Iris scan. The only way around that is if you rip out my eyeball, or hack my ophthalmologist.

    OTOH, something like an Ubisoft Orifice Shift that can be sat on might also work. Are hemorrhoids unique? Hmmm... an Ubisoft Orifice Shift coupled with a Nosulus Rift could turn out to be a rather interesting experience. New GoFundMe page anyone?
     
  8. MV75

    MV75 [H]ard|Gawd

    Messages:
    1,025
    Joined:
    Nov 13, 2007
    Microsoft's "solution to a problem that doesn't exist"? Whatever Apple has done and proven is utter crap, then to go "ME TOO"!
     
    Armenius and Madoc like this.
  9. arentol

    arentol 2[H]4U

    Messages:
    2,712
    Joined:
    Jun 15, 2004
    How about we use biometrics AND passwords. Much more secure.
     
    lironmiron, Armenius and {NG}Fidel like this.
  10. MV75

    MV75 [H]ard|Gawd

    Messages:
    1,025
    Joined:
    Nov 13, 2007
    My android phone does that. :) Finger and password capable. The problem with facial is that there is no heat detector device built in to distinguish if it's just not a picture. Plus they use cheap crap components that don't have enough point references.
     
    motqalden likes this.
  11. Galvin

    Galvin 2[H]4U

    Messages:
    2,695
    Joined:
    Jan 22, 2002
    Seems like the fingerprint scanner is the best compromise. Photo is just too easy a tool to bypass.

    I know these guys just want image to work 'cause you can just look at the screen, but unless they can make a system that can't be tricked by a photo, it's useless.
     
    {NG}Fidel likes this.
  12. Nenu

    Nenu [H]ardened

    Messages:
    18,961
    Joined:
    Apr 28, 2007
    How about we never use biometrics!
    Short cutting security is a terrible idea.
    Especially when you have to give such sensitive data to companies like MS who could disseminate it anywhere and you would never know.

    When I create a password it doesn't pass on any information about me at all, and as pointed out you can change it without needing a major operation and a screwed up life.
    Biometrics is a disaster waiting to happen.
     
  13. MacLeod

    MacLeod [H]ardness Supreme

    Messages:
    7,616
    Joined:
    Jul 28, 2009
    Seems like trying to reinvent the wheel to me. The password has worked pretty much just fine for several decades. The only problem with passwords these days is sites requiring some weird combinations of symbols, letters and geometric shapes that ensure that not only will you not remember it but it'll be completely different from the other sites that require similar stupid password configurations. I wish they'd just go back to letting me use the password I want to.
     
  14. umeng2002

    umeng2002 Gawd

    Messages:
    923
    Joined:
    May 23, 2008
    It's just a push at the request of LEA.
     
    mynamehere and Madoc like this.
  15. Merc1138

    Merc1138 2[H]4U

    Messages:
    2,092
    Joined:
    Sep 25, 2010
    Because then idiots will use Password1 and complain when they get "hacked". What's probably the worst I've seen for password requirements is a maximum length. Sure it can't be infinite, but I've seen places with max lengths of 12 characters. TWELVE! My car insurance company does that crap, so not only do I have to remember a password with symbols, numbers, capitals, in it... it can't be longer than 12 digits. Th1sIsMyCarInsuranceP@assword would be way better, and easy to remember but no.

    XKCD explained this ages ago, but few people seem to understand it https://xkcd.com/936/
     
    Nolan7689 and Revdarian like this.
  16. MacLeod

    MacLeod [H]ardness Supreme

    Messages:
    7,616
    Joined:
    Jul 28, 2009
    I get that because lots of dumbass people will never accept responsibility for their own stupidity like the guys that leave their cars running to warm up in the driveway with the doors unlocked then are shocked when they walk out and it's gone. Still, saddling the rest of us with way over the top password requirements isn't much of an answer either.
     
    Madoc likes this.
  17. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    13,098
    Joined:
    Aug 16, 2004
    I don't have a web cam so facial recognition is out.

    Plus.. what happens when a family member needs to use my computer?

    Screw biometrics for my home computer.
     
    Armenius and Madoc like this.
  18. LurkerLito

    LurkerLito 2[H]4U

    Messages:
    2,133
    Joined:
    Dec 5, 2007
    Personally I won't give up on passwords. I refuse to use any of the biometric because it's weaker than passwords for anyone who uses good passwords. Seriously I think biometrics is the "solution" tech companies are going to use as their bargaining chip against strong encryption regulations. Nothing says we built a backdoor into everyone's phone without compromising the underlying security than all you need to do is print a picture and a 3d plastic mask to get in, or those fingerprints you had on file will unlock with a rubber glove tip, some powder and a piece of scotch tape.
     
  19. heatlesssun

    heatlesssun [H]ard as it Gets

    Messages:
    44,157
    Joined:
    Nov 5, 2005
    It's not an all or nothing proposition. Technology is often a matter of making things faster and easier. No authentication method is foolproof and while strong passwords have advantages, typing in and constantly changing a strong text password across an array of services isn't ideal at least.
     
  20. Gavv

    Gavv [H]ardForum Junkie

    Messages:
    9,889
    Joined:
    Dec 4, 2005
    I like the 2 factor authorization

    Password and then they send you a code via email, text or phone

    Ever changing world though .... soon enough something is bound to replace it.

    If the alternative is proven more secure, then kill off the password. Won’t break my heart any.
     
  21. BulletDust

    BulletDust [H]ardness Supreme

    Messages:
    6,057
    Joined:
    Feb 17, 2016
    Microsoft - "Let's keep changing shit that doesn't need changing"....:rolleyes:
     
    Armenius and Madoc like this.
  22. heatlesssun

    heatlesssun [H]ard as it Gets

    Messages:
    44,157
    Joined:
    Nov 5, 2005
    Happy New Year!

    It is this time of the year where I like many take account of the changes in the world through time. I often think of how different the world is now compared to the world into which my almost 91 year old mother was born. To think that a desktop operating system is somehow more futureproof than the milkman is the type of arrogance that is at the heart of failure and core to the failings of Microsoft over the years.
     
  23. ManofGod

    ManofGod [H]ardForum Junkie

    Messages:
    11,043
    Joined:
    Oct 4, 2007
    You still have to have a password to use Windows Hello regardless, it just means you do not have to type it in every time. The facial recognition part, at least on the phones, never worked well because you had to have the phone practically in your face for it to work. However, the fingerprint reader part, at least on the Idol 4S for Windows, works well. I have not tried it on a desktop or laptop computer though.
     
    heatlesssun likes this.
  24. ManofGod

    ManofGod [H]ardForum Junkie

    Messages:
    11,043
    Joined:
    Oct 4, 2007
    Yeah but, unfortunately, when the name Microsoft enters into it, suddenly, people get this all or nothing mentality which is completely illogical.
     
    heatlesssun likes this.
  25. heatlesssun

    heatlesssun [H]ard as it Gets

    Messages:
    44,157
    Joined:
    Nov 5, 2005
    We live in a paranoid culture in fear of too many things and often not the right ones. No expert cyberthief is trying to break into one device or single low value target. This stuff is done on scale. And what hacker uses force before the fact? Gee, my data got stolen because I used a biometric security measure instead of a 23383 character password.
     
  26. ManofGod

    ManofGod [H]ardForum Junkie

    Messages:
    11,043
    Joined:
    Oct 4, 2007
    Yeah, how DARE THEY provide another option. But, let me guess, you are one of those guys that think another option is the only option offered by Microsoft, amirite?
     
  27. BulletDust

    BulletDust [H]ardness Supreme

    Messages:
    6,057
    Joined:
    Feb 17, 2016
    No.
     
  28. heatlesssun

    heatlesssun [H]ard as it Gets

    Messages:
    44,157
    Joined:
    Nov 5, 2005
    The problem for the types in a place like this is that Microsoft has been forced to do things that are not in alignment with its desktop heritage through a combination of its own failings and the realities of modern computing. And while Microsoft totally failed in smartphones, at least one of its ideas even before the smartphone era in mobile computing has become somewhat popular, 2-in-1 devices with digital pens.
     
  29. Toepunch

    Toepunch Limp Gawd

    Messages:
    157
    Joined:
    May 16, 2012
    The facial recognition worked great till the creator's update broke it on my Alienware.
     
  30. BulletDust

    BulletDust [H]ardness Supreme

    Messages:
    6,057
    Joined:
    Feb 17, 2016
    Facial recognition can be fooled.

    Hell, we used to fool the fingerprint scanner on the clock machines at one of my jobs using PVA glue - Not too sure if that works on the newer sensors as effectively.
     
    Last edited: Jan 1, 2018
  31. Derangel

    Derangel [H]ard as it Gets

    Messages:
    17,860
    Joined:
    Jan 31, 2008
    Yep. Though, the same is true of any type of security. There is no such thing as unbreakable security. Someone skilled with social engineering is going to be able to break any kind of security. Facial recognition? It's not that hard to get a picture of a person. Fingerprint scanner? Even easier to get fingerprints, people leave them all over the place. Especially near work areas or in their home. Passwords? Very few people use truly unique, and random, passwords across their accounts. Even people good with password security tend to come up with tricks to help them remember passwords, if they're not using a password manager. That trick means there is a common link between passwords, which means as soon as someone figures out that link they're able to use it to get into all of their target's accounts. A password manager with good, two-step, verification is only slightly more secure depending on what the 2nd step of that is linked to.

    Of course, none of that really matters for the average person. Unless you have a crazy stalker or something extremely valuable, you are highly unlikely to be targeted if you keep up good security practices. It's a lot more profitable for most criminals to go after easy targets vs people that would take a lot of time and effort.
     
  32. BulletDust

    BulletDust [H]ardness Supreme

    Messages:
    6,057
    Joined:
    Feb 17, 2016
    Two factor authentication using apps as opposed to SMS from reputable sources is pretty good. The fingerprint thing was piss easy to crack when I stumbled upon the idea one day out of curiosity.
     
  33. Pieter3dnow

    Pieter3dnow [H]ardness Supreme

    Messages:
    6,789
    Joined:
    Jul 29, 2009
    Any form of biometrics is a really bad idea to begin with. The idea that you store on any platform your biometric data which is prone to abuse (look at all the companies installing laptops with backdoors (Consumer service is the PC term for it?)) or devices you do not have "root" on, on an operating system you did not install from scratch

    Is a recipe for disaster ....

    Even if you have full confidence in your device and the security still would not put any stored biometric data on it.
     
    lostin3d likes this.
  34. DeathFromBelow

    DeathFromBelow [H]ardness Supreme

    Messages:
    7,263
    Joined:
    Jul 15, 2005
    I have a feeling passwords will outlast Microsoft.
     
    Madoc, ghostwich, Poseur and 2 others like this.
  35. BulletDust

    BulletDust [H]ardness Supreme

    Messages:
    6,057
    Joined:
    Feb 17, 2016
    I have a fairly certain feeling I can concur with this assessment.
     
  36. mashie

    mashie Mawd Gawd

    Messages:
    4,187
    Joined:
    Oct 25, 2000
    The only thing needed with passwords is to scrap the retarded corporate policy to change everything every 30-45 days. Even the guy that came up with the original recommendation has since said he regretted it as it has reduced the password strengths greatly.
     
    Madoc likes this.
  37. lostin3d

    lostin3d [H]ard|Gawd

    Messages:
    2,038
    Joined:
    Oct 13, 2016
    I totally agree!

    Firmware, software, drivers, OS's, even AV solutions have all been shown to be compromised in recent years. Idiotic exploits, back doors, and improperly tested 'new features' have also proven to provide more ways for unauthorized access. Even if we ignore the fallibility of most consumer grade bio-metrics the likelihood of this information getting misused is in the extreme currently.
     
    Pieter3dnow likes this.
  38. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,553
    Joined:
    Mar 4, 2013
    The main reason passwords suck is so many sites use them as the ONLY barrier to entry since they require the use of a publicly known email address as the account name. If the bad folk have to guess an account name AND match it to a valid password, their task becomes much harder.

    One big advantage passwords have is you either type it 100% correct or not. There is no 98% correct.
    Most biometric schemes have to allow a fudge factor since most biometric things can change some from when the base line sample was taken. Which is why a kid's face can unlock mom's Apple account. Or your thumbprint doesn't work for days after you burn your thumb.
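
The exact-match versus "fudge factor" contrast in the post above, as an added example that is not part of the original post or thread: a password hash compare accepts only the identical string, while a biometric matcher accepts any sample within a distance threshold. The 256-bit template, the noise levels and the thresholds are constructed assumptions, not measurements of any real sensor.

```python
import hashlib
import hmac
import random

SALT = b"constructed-salt"   # constructed sample value
NBITS = 256                  # assumed template size, in bits

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def verify_password(stored: bytes, attempt: str) -> bool:
    # Exact match only: one wrong character yields an unrelated hash.
    return hmac.compare_digest(stored, hash_password(attempt))

def flip_bits(template: int, count: int, seed: int) -> int:
    """Copy of template with exactly `count` distinct bit positions flipped."""
    for pos in random.Random(seed).sample(range(NBITS), count):
        template ^= 1 << pos
    return template

def distance(a: int, b: int) -> float:
    """Fraction of template bits that differ (normalized Hamming distance)."""
    return bin(a ^ b).count("1") / NBITS

# Constructed templates; the noise levels are illustrative assumptions.
ENROLLED = random.Random(1).getrandbits(NBITS)
SAMPLES = {
    "same_person": flip_bits(ENROLLED, 26, seed=2),   # ~10% sensor noise
    "relative":    flip_bits(ENROLLED, 64, seed=3),   # 25% of bits differ
    "stranger":    flip_bits(ENROLLED, 128, seed=4),  # 50% of bits differ
}

def acceptance(threshold: float) -> dict:
    """Who the matcher accepts when distances up to `threshold` pass."""
    return {name: distance(ENROLLED, s) <= threshold
            for name, s in SAMPLES.items()}

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(verify_password(stored, "correct horse battery staple"))
    print(verify_password(stored, "correct horse battery stapl3"))
    for t in (0.05, 0.20, 0.30):
        print(t, acceptance(t))
```

A threshold tight enough to reject the relative still has to tolerate the owner's own noisy samples, and setting it too tight locks the owner out as well.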
     
  39. ghostwich

    ghostwich [H]ard|Gawd

    Messages:
    1,723
    Joined:
    Sep 10, 2014
  40. tazeat

    tazeat [H]ard|Gawd

    Messages:
    1,253
    Joined:
    Jul 3, 2007
    It's all about contexts and what's on your threat model. No one solution works for every situation, so I wish they'd stop pushing that philosophy.