Correct horse battery staple: Strong Passwords…. Passphrases.. are they still relevant/necessary?

From IIW

Session Topic: Correct Horse Battery Staple: Strong Passwords…passphrases…are they still relevant/necessary?

Wednesday 5G

Convener: Jay Unger

Notes-taker(s): John Fontana


Jay Unger led

This will be a discussion, not a presentation

How long will we have passwords?

I think they will be around for at least the next 20 years. What do you think?


Alan Karp

security by secret. I don’t need a password. I bookmark a URL, the security moves to how you get into using a computer.


Dick Hardt –


AK – this is preference for single factor log-in


temporary passwords - a one user thing.


???? uses a random password and then hits forgot password. His email becomes his password.


AK - if we can avoid password problem, you might have other problems….


Web keys –


Jay - How do you feel about .... the diff between password and the kind of security questions.


AK - answer all security questions with the same answer


others do that.


what I have done is create a recovery password.


one person uses a password calculator to generate passwords.


DH - as we use fewer sites and log in with FB or Google, the web is becoming more secure.


AK - what bothers me is SSO but not single log-out. Site does not tell me it is federated. The SSO has a huge attack surface.


DH – the world is going mobile, the phone is more secure than the PC

jay – not sure I agree

AK – Android has done a good job isolating apps.


dh – more secure, what can happen on it, has a hard ID that a PC does not have.

ID on SIM card?

yes.


dh – where we want to get to with ID, is how do I know it is Jay.

With all the sensors it can learn about gestures, what I do.


jay - I travel a lot. Asia is a higher risk environment. I see a lot more challenge behavior than I do in the US.

Also privacy issues with behavioral cues.


dh- maybe I was not clear. How I use the phone possibly is a better way to authenticate. How can the device help, it is there with me.


J - …and it is also a store. More than a username and password. You can put digital certs on the phone.

J - I have lost cell phones. Many people do.


Dh – lock my phone. It is a brick to anyone else.

we treat authN as binary. We are or we are not.


J- pet peeve for me. With OpenID, ……..


dh- there are bunch of factors avail on the phone. ..when the phone is told to do something, does it have enough confidence for a transaction. If not, it does nothing.


J - I have a dumb phone, a Palm Pilot. I lost more expensive phones. The question that I have is about devices and the role they can play in authN. Most of the lock and unlock can be attacked. If devices are a primary means … for authN…how do you make devices more secure?


dh - locking is not good. More computing mobile, so authN happens at phone. The computer is second class citizen, I use the phone to authN not the PC.

...with gestures get more of a gradient for authN.


J - there are flaws with all of these things.


ak - I have always my phone, my key ring and my wallet.


dh – in ten years the phone is left, the others disappear.


j- lot of 2 factor authN still involves strong passwords. TSA program still uses passwords; banks that use hardware keys also use passwords.

dh – NEXUS is retina scan and card.


J – biometric is expensive and unreliable, lot of false negatives.


dh – I need a gradient rather than yes or no. the phone can learn how I move and how I do things. One of most important ID systems now is looking at history. Look at credit card, bank says – does this look like something the users have already done.


dh – my point, this is state of the art ID now. Credit card is looking at past behavior.


j - if I were at a rental car counter in Shanghai and my card is rejected, I am in trouble.


ak – I had a thought: is this Dick using the device? What if the device had a check. You do things a bit differently each time. ……


j- you are saying D, that over time something you know will be less and less valuable.


dh - yes, it will be more about how we authN to our devices.


ak- but when that goes away or you need something else.

dh – I could move up into biometrics.


j- if they did 2 factor authN – they could come back and ask for Pin or password.


ak – but you might forget. When it fails, however, when the gesture turns me down, I won’t remember the password.


dh – my point, in the future, a number of fallbacks to get high certainty it is you.


j – it could be biometrics.


dh – yes, I have to talk to it, move it, swipe my finger.


ak – say the unlock screen had four scroll bars. I might use two and someone else might use just one.


dh – well, you might.


???? it is multiple smaller factors. I am at an access point I am usually around….. those work in combination if your gesture changes.


j – I worry about it a little. Potential for that authN to be subverted by coercion.


J – what do you think about something you know declining?


??? I feel more and more use of biometric devices. I see bio as part of the future.


???? biometrics might be the future, or you could touch your devices or provide your face. ….


j – that is high cost.


???? another way of storing a password in the brain. The challenge is a playback; you do it fast because you have done it so many times. ….that cannot be forced out of you. The challenge is….


AK – I like the military one, the panic password.


j – I have seen that with a bank. I have a panic password, the robber is going to get money. I walk away alive… and it limits liability.


aj – the military one. It takes you into what looks like legit log-in.


j – the bank that does this panic password. Barclays does this in England.


j – this is all good. I still think something you know will be part of multi-factor authentication. I like the idea of what I call passphrases. “Correct horse battery staple” is one…. Don’t need a wide range of vocab for it to be effective. Less than 1K words.

Thank you.

25 years from now we will come back and see if there are passwords.


k – it will be like what Dick said, you will authN and you won’t even know you did.


I am seeing NFC in use; and I have heard of one country implanting RFID chips.

j – low value transactions will use simple things you know vs. things you have.


dh – I authN to device, it gets me to app.