Google Declares War on the Password
http://www.wired.com/wiredenterprise/2013/01/google-password/?utm_source=googlenews&utm_medium=googlenews&utm_campaign=googlenews&google_editors_picks=true
MOUNTAIN VIEW, California - Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger?
This may be closer than you think. Google's security team outlines this sort of ring-finger authentication in a new research paper, set to be published late this month in the engineering journal IEEE Security & Privacy Magazine. In it, Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay outline all sorts of ways they think people could wind up logging into websites in the future, and it's about time.
2012 may have been the year that the password broke. It seemed like everyone on the internet received spam e-mail or desperate pleas for cash (the so-called "Mugged in London" scam) from the e-mail accounts of people who had been hacked. And Wired's own Mat Honan showed everyone just how damaging a hack can be.
The guys who hacked Honan last August deleted his Gmail account. They took over his Twitter handle and posted racist messages. And they remote-wiped his iPhone, iPad, and laptop computer, deleting a year's worth of e-mails and photographs. In short, they erased his digital life.
TreasonousBastard
(43,049 posts)
RSA Security that plugs into a USB port and works with my ID and password to authenticate me and my computer. They won't tell me how it works, but I figure it sends a fresh code to the other side every time I log in. Even if it is hacked, the hack would only work once.
Had it for years, and the early versions were reported to be hackable, but it's used by at least the government agency I work for, and probably others.
RC
(25,592 posts)
Or run through the laundry. Or forgotten at home, which you discover at your destination.
I had a card for logging on to my work computer. It was a PITA. And I still had to use a password, in case the card was stolen.
That sort of defeated the object of having the card in the first place.
discntnt_irny_srcsm
(18,475 posts)
I have an RSA token for logging in to my brokerage accounts. It can be a pain.
My work laptop has an RSA soft-token which accepts a PIN and generates a 10 digit code to connect to the VPN. When in the office, I only need my user name and password.
It's a good thing I can remember numbers better than names.
Phillip McCleod
(1,837 posts)
just awesome.
gotta say i'll be glad to see the password go but it won't be that easy. there will be a place for passwords as long as hackers (in the original sense of the word not the pejorative) use keyboards and command lines. it takes like two seconds to type it in doing ssh or sudo or whatnot.
my prediction is innovation in cryptography of the sort that can defy quantum computers. so nothing based on factoring. more likely combinations of crypto algorithms like we already see.
Mnpaul
(3,655 posts)
and it also doubles as a scroll bar in portrait mode. It also has a smart card slot which is basically the same thing that they are promoting here. Fujitsu has had them since 2005.
backscatter712
(26,355 posts)
By two factor, I mean that of the three types of authentication you can do (show something you know, like a password, show something you have, like a key, or show something you are, like a fingerprint), you should provide two of them.
So instead of just a password, you use a password and a cryptographic dongle, like that RSA dongle. Or you use a password, and swipe your finger on the fingerprint reader. Your smartphone's useful as a key - for my Google account, when I log in from a strange computer, I have to enter both my password and a code from the Google Authenticator app on my phone, which changes every minute. Or if you're only logging in from one PC, the system stores a cookie on that system, and can identify it that way, so your computer is your second factor.
That makes it harder to hack into your stuff.
trishnikolic
(20 posts)
Passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe. Google agrees. Along with many in the industry, it feels like passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe.
Thus they're experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that when slid into a USB (Universal Serial Bus) reader can automatically log a web surfer into Google. They've had to modify Google's web browser to work with these cards, but there's no software download and once the browser support is there, they're easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.