Subscriber Discussion

Passwords To Disappear In The Near Future?

Gert Molkens
Jul 29, 2016
IPVMU Certified

I found this claim in Securitymagazine recently:

'Trust in passwords is waning, most companies plan to do away with them

Sixty-nine percent of security professionals believe usernames and passwords alone no longer provide sufficient security
Seventy-two percent believe their company will do away with passwords by 2025.'

The 'study' mentioned was made by a company selling solutions to these problems and so isn't completely unbiased in my opinion.

However, it raises an interesting point, certainly in an industry where we use accounts to log in to devices all the time.

Maybe worth starting a poll on this?

(1)
John Honovich
Jul 29, 2016
IPVM

Gert,

I agree that using usernames and passwords is insecure, but what is the replacement for the web? The upside of the password is all you need to do is enter characters, which can be done anywhere (keypad, keyboard, touchscreen, etc.).

Other approaches require additional technology to be available everywhere like fingerprint readers, cameras for face rec, etc.

What alternative is going to be available widely enough that it becomes a replacement?

Undisclosed #1
Jul 29, 2016
IPVMU Certified
Timothy Howell
Jul 30, 2016
IPVMU Certified

I also agree that passwords need to go and I hope we all see that day sooner rather than later. The interesting thing I picked up in the Google article is that the Trust API approach would return a confidence level for the authentication, which might not be high enough for some institutions like a financial one. This would then require additional time-consuming authentication to be done, which I personally would find aggravating. In addition, there would need to be a method where one could log into their computer without having internet access. Interesting problem. Good discussion.

Gert Molkens
Jul 29, 2016
IPVMU Certified

John,

I agree, I also do wonder how this would be done in practice. I suppose the most practical would be some kind of USB dongle such as the Yubikey I'm currently using for two-factor authentication. But even with that, the first factor is still a user name and password (or fingerprint on an iPhone).

Maybe NFC in the future or some kind of biometric? I don't know, but I surely would like to get rid of passwords anyway.

oleg Kush
Jul 29, 2016

Can't remember which service, maybe PayPal...

They had a keyfob with constantly rolling passwords.

There is a problem with "doing away" with the username/password combination.

How will companies distinguish between two users who inadvertently typed the wrong "password"?

John Honovich
Jul 29, 2016
IPVM

The problem is that unless you force all users to use some other form of authentication, you have to leave passwords as a means anyway, so you still have the risk.

For example, let's say we let people optionally sign in to IPVM with a fingerprint scanner. Even if that is helpful to some, we could not get rid of passwords, since doing so would inconvenience most members who do not have a fingerprint scanner available.

Sean Nelson
Jul 29, 2016
Nelly's Security

the beginning stages of the mark of the beast...

(1)
Gert Molkens
Jul 30, 2016
IPVMU Certified

What about eIDs? Wouldn't those be a possible second factor in authentication? Sure, they can be stolen, you need to have a card reader, not everyone has one yet, etc.

Same for the fingerprint. I agree, not everyone has one (yet), but they are becoming more and more commonplace. Same thing for mobile phones, which could also be used through NFC in the future.

We're not there yet, but I wouldn't rule out the possibility either.

Undisclosed #1
Jul 30, 2016
IPVMU Certified

Being a contrarian makes me an advocate for sloppy passwords.

Sloppy passwords are like pass-phrases that make up in length what they lack in precision.

So maybe a pass-phrase like, "jobber untold must keel together" which I can remember easily and type really fast, especially if "jober untols mudt heel togethr" is an example of the minimum accuracy needed for authentication.

The idea here is that when you use actual dictionary words in your phrase, it's easier to remember and type, but you make it much easier for automated crackers to crack, so therefore to offset that you need the phrase to be much longer.

But by the same token, it allows a great deal of sloppiness, since 'mudt' is not a dictionary word itself and will be tried by the cracker well after the dictionary word "must", so it doesn't hurt, except in brute force attacks, which would take too long due to the length of the phrase.

I have explained this to many people without a single person agreeing or even comprehending, so if you do, you've probably erred. ;)

(1)
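The trade-off in the post above (dictionary words, extra length, and tolerance for typos) can be put in numbers. The following is an added example written for this page, not code from the thread or from IPVM: it measures the edit distance between the sample phrase and its sloppy rendering, estimates passphrase strength as words x log2(dictionary size), and shows how many bits a typo-tolerant verifier gives away, using a Hamming ball (substitutions only) as a lower bound on the set of inputs that would be accepted. The dictionary size of 8,000 words and the 27-character alphabet (a-z plus space) are assumptions, not figures from the discussion.

```python
import math

# Constructed sample input: the pass-phrase and the sloppy typing from the post.
REFERENCE = "jobber untold must keel together"
SLOPPY = "jober untols mudt heel togethr"


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def tolerant_match(typed: str, reference: str, max_errors: int) -> bool:
    """Accept the attempt if it is within max_errors edits of the reference.
    Note: this needs the reference in clear text, so it cannot be used
    against a salted hash without hashing every accepted neighbour."""
    return levenshtein(typed, reference) <= max_errors


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Guess-space of a phrase built from random dictionary words, in bits."""
    return word_count * math.log2(dictionary_size)


def random_bits(length: int, alphabet_size: int) -> float:
    """Guess-space of a uniformly random string, in bits."""
    return length * math.log2(alphabet_size)


def hamming_ball_size(length: int, alphabet_size: int, radius: int) -> int:
    """Number of strings of the same length differing in at most `radius`
    positions (substitutions only). Insertions and deletions would make the
    accepted set larger, so this is a lower bound on what tolerance admits."""
    return sum(math.comb(length, i) * (alphabet_size - 1) ** i
               for i in range(radius + 1))


def effective_bits_with_tolerance(bits: float, length: int,
                                  alphabet_size: int, radius: int) -> float:
    """Each accepted neighbour is one more string that logs the attacker in,
    so the effective strength drops by log2(size of the accepted set)."""
    return bits - math.log2(hamming_ball_size(length, alphabet_size, radius))


if __name__ == "__main__":
    errors = levenshtein(SLOPPY, REFERENCE)
    print(f"edits needed: {errors}")
    print(f"accepted at tolerance {errors}: {tolerant_match(SLOPPY, REFERENCE, errors)}")
    # Assumed figures: 8,000-word dictionary, a-z plus space as alphabet.
    bits = passphrase_bits(5, 8000)
    print(f"5 dictionary words: {bits:.1f} bits")
    print(f"8 random printable chars: {random_bits(8, 95):.1f} bits")
    for radius in range(0, 6):
        eff = effective_bits_with_tolerance(bits, len(REFERENCE), 27, radius)
        print(f"tolerating {radius} substitutions: {eff:.1f} bits effective")
```

The five-word phrase comes out well ahead of a short random password even after paying for several tolerated typos, which is the post's argument. The practical catch is in `tolerant_match`: a server that stores only a salted hash cannot compute the edit distance, so the only way to honour the tolerance is to hash every string in the accepted neighbourhood (`hamming_ball_size` gives the count) on each login, and that cost grows quickly with the radius.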
Gert Molkens
Jul 30, 2016
IPVMU Certified

U1, I completely agree with you, but in a world where a lot of people still think 1234 is a password, it might just be easier to change the technology rather than the mentality to get it right.

(1)
John Honovich
Jul 30, 2016
IPVM

The most immediate step up is two-factor authentication with a call / text message to a phone number. This way, your authentication is dependent on proving you have your phone. A number of sites do that now, though usually it's optional because it increases time / inconvenience to verify via phone / text.
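The "constantly rolling passwords" keyfob mentioned earlier and the phone-based second factor described here both come down to a one-time code derived from a shared secret. The code below is an added example for this page, not code from the thread or from IPVM: it implements HOTP (RFC 4226) and the time-based variant TOTP (RFC 6238) with HMAC-SHA1, plus a verifier that accepts the neighbouring time steps to absorb clock drift. The secret is the ASCII test key from the RFCs; the 30-second step and 6-digit length are the common defaults.

```python
import base64
import hashlib
import hmac
import struct
import time

# Test key from RFC 4226 / RFC 6238 Appendix B (public test vector, not a real secret).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or the `window` steps on either side.
    Comparison is constant-time; the accepted window is the trade-off between
    tolerating clock drift and widening the attacker's guess target."""
    counter = timestamp // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps enrol with."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print(f"current code: {code}")
    print(f"verifies now: {verify_totp(TEST_SECRET, code, now)}")
    print(f"verifies 5 minutes later: {verify_totp(TEST_SECRET, code, now + 300)}")
    print(f"enrolment secret (base32): {provisioning_secret(TEST_SECRET)}")
```

Because the code is computed from the secret and the clock on both sides, nothing has to be sent to the phone: that sidesteps the delivery cost and the premium-number problem that text-message codes carry, and the generator keeps working without network access. The remaining operational point is the `window`: every extra step accepted is another valid code at any moment, so keep it as small as the deployed devices' clock drift allows.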

Gert Molkens
Jul 31, 2016
IPVMU Certified

Any improvement in security is likely to increase time and/or inconvenience, I guess.

Just read an interesting article on these SMS verification systems. It seemed that you could use them to earn money by having those systems text back to a paid number. A white-hat hacker used that on Google, Office365 and another that I already forgot. They all closed that gap in the meantime.
