Correct Horse Battery Staple: Strong Passwords... Passphrases... are they still relevant/necessary?
Session Topic: Correct Horse Battery Staple: Strong Passwords…passphrases…are they still relevant/necessary?
Wednesday 5G
Convener: Jay Unger
Notes-taker(s): John Fontana
Jay Unger led.
This will be a discussion, not a presentation.
How long will we have passwords?
I think they will be around for at least the next 20 years. What do you think?
Alan Karp (AK) – security by secret. I don't need a password. I bookmark a URL; the security moves to how you get into using a computer.
Dick Hardt (DH) –
AK – this is a preference for single-factor log-in.
Temporary passwords – a one-user thing.
???? – uses a random password and then hits "forgot password". His email becomes his password.
AK – if we can avoid the password problem, you might have other problems...
Web keys –
Jay – How do you feel about ... the difference between passwords and security questions?
AK – answer all security questions with the same answer.
Others do that.
What I have done is create a recovery password.
One person uses a password calculator to generate passwords.
DH – as we use fewer sites and log in with FB or Google, the web is becoming more secure.
AK – what bothers me is SSO but not single log-out. The site does not tell me it is federated. The SSO has a huge attack surface.
DH – the world is going mobile; the phone is more secure than the PC.
Jay – not sure I agree.
AK – Android has done a good job isolating apps.
DH – more secure in what can happen on it; it has a hard ID that a PC does not have.
ID on the SIM card?
Yes.
DH – where we want to get to with ID is: how do I know it is Jay?
With all the sensors it can learn about gestures, what I do.
Jay – I travel a lot. Asia is a higher-risk environment. I see a lot more challenge behavior than I do in the US.
Also privacy issues with behavioral cues.
DH – maybe I was not clear. How I use the phone is possibly a better way to authenticate. How can the device help? It is there with me.
J – ...and it is also a store, more than a username and password. You can put digital certs on the phone.
J – I have lost cell phones. Many people do.
DH – lock my phone. It is a brick to anyone else.
We treat authN as binary. We are or we are not.
J – pet peeve for me. With OpenID, ...
DH – there are a bunch of factors available on the phone. ...when the phone is told to do something, does it have enough confidence for a transaction? If not, it does nothing.
J – I have a dumb phone, a Palm Pilot. I lost more expensive phones. The question that I have is about devices and the role they can play in authN. Most of the lock and unlock can be attacked. If devices are a primary means ... for authN... how do you make devices more secure?
DH – locking is not good. More computing is mobile, so authN happens at the phone. The computer is a second-class citizen; I use the phone to authN, not the PC.
...with gestures you get more of a gradient for authN.
J – there are flaws with all of these things.
AK – I always have my phone, my key ring and my wallet.
DH – in ten years the phone is left; the others disappear.
J – a lot of 2-factor authN still involves strong passwords. The TSA program still uses passwords; banks that use hardware keys also use passwords.
DH – Nexus is retina scan and card.
J – biometrics are expensive and unreliable, lots of false negatives.
DH – I need a gradient rather than yes or no. The phone can learn how I move and how I do things. One of the most important ID systems now is looking at history. Look at credit cards; the bank says – does this look like something the user has already done?
DH – my point: this is state-of-the-art ID now. Credit cards look at past behavior.
J – if I am at a rental car counter in Shanghai and my card is rejected, I am in trouble.
AK – I had a thought: is this Dick using the device? What if the device had a check. You do things a bit differently each time. ...
J – you are saying, D, that over time something you know will be less and less valuable.
DH – yes. It will be more about how we authN to our devices.
AK – but when that goes away, or you need something else.
DH – I could move up into biometrics.
J – if they did 2-factor authN they could come back and ask for a PIN or password.
AK – but you might forget. When it fails, however, when the gesture turns me down, I won't remember the password.
DH – my point: in the future, a number of fallbacks to get high certainty it is you.
J – it could be biometrics.
DH – yes, I have to talk to it, move it, swipe my finger.
AK – say the unlock screen had four scroll bars. I might use two and someone else might use just one.
DH – well, you might.
???? – it is multiple smaller factors. I am at an access point I am usually around... those work in combination if your gesture changes.
J – I worry about it a little. Potential for that authN to be subverted by coercion.
J – what do you think about something you know declining?
??? – I feel there will be more and more use of biometric devices. I see bio as part of the future.
???? – biometrics might be the future, or you could touch your devices or provide your face. ...
J – that is high cost.
???? – another way of storing a password in the brain. The challenge is a playback; you do it fast because you have done it so many times. ...that cannot be forced out of you. The challenge is...
AK – I like the military one, the panic password.
J – I have seen that with a bank. I have a panic password; the robber is going to get money. I walk away alive... and it limits liability.
AK – the military one. It takes you into what looks like a legit log-in.
J – the bank that does this panic password: Barclays does this in England.
J – this is all good. I still think something you know will be part of multi-factor authentication. I like the idea of what I call pass phrases. "Correct horse battery staple" is one... Don't need a wide range of vocab for it to be effective – less than 1K words.
Thank you.
25 years from now we will come back and see if there are passwords.
AK – it will be like what Dick said: you will authN and you won't even know you did.
I am seeing NFC in use, and I have heard of one country implanting RFID chips.
J – low-value transactions will use simple things you know vs. things you have.
DH – I authN to the device; it gets me to the app.