I have fifty online logins, and I can't remember any of them.
What's my password? I can't use the same password for every website. That's not secure. So every password is unique and specific to that website. And what's my login name? Hopefully it's my email address, if the site allows that. But which email address?
What's a poor user to do?
Scott Hanselman recently highlighted what he uses to combat the login explosion:
When you need two programs, a bit of hardware, your finger, and a file-sharing web service to solve a problem, you don't really have a solution for the login explosion. What you have is an even bigger problem.
One particular pitfall is the idea that your fingerprint is a secure substitute for your password. This review of a typical USB fingerprint reader illustrates just how foolish that misconception is:
The jelly fingertip peeled off the putty very easily, as you'd expect - clean, cold Silly Putty doesn't stick very well to anything but itself. The gelatine was full of bubbles from my stirring, but the jelly thumb nonetheless had a pretty good complement of print-ridges on it.
Ugly and bubble-y the jelly thumb was, but the scanner loved it. It thought the jelly finger was a real one more than 50% of the time. And since you can attempt recognition about once a second, that means it'd be trivially easy to log in with a thing like this, even with people watching. Trim the jelly so it fits over the end of your real finger, and some very rudimentary prestidigitation will keep your fakery from the attention of onlookers.
I also found it was possible to enroll the jelly thumb as a new finger. It took me four attempts to do it, and its recognition rate wasn't any better than when I was trying to match it to my real finger. But that's still quite good enough to be useable in an, um, covert situation.
Making a gummi fingertip is not difficult, and all current fingerprint readers are fooled by even marginal gummi fingertips a hundred percent of the time. In fact, all biometric systems have significant weaknesses:
Earlier [in 2002], German tech mag c't tested nine fingerprint scanners (six capacitive, two optical and one thermal), plus Panasonic's Authenticam iris scanner, and Cognitec Systems' FaceVACS-Logon facial recognition system. All of the widgets tested were current models, and all came with impressive marketing claims.
Two finger scanners c't tested just didn't work properly. Of the remainder, the capacitive sensors could be fooled in a number of ways if an authorised user hasn't cleaned the sensor after fingering it. A latent print on many capacitive sensors can be revived by, for instance, breathing on it, applying graphite powder, or pressing a plastic carrier bag with water in it up against the sensor.
The graphite powder method works with lifted prints, too - follow your target to the pub, grab his glass after he's finished with it, dust a print with graphite, lift it with tape, and you're ready to go.
Optical sensors didn't fare any better. C't fooled them with silicone fingers made from an impression in wax, and also succeeded with backlit graphite print-copies on tape.
All biometrics can be easily attacked with commonly available materials and widely known techniques.
But the real problem isn't the biometrics. The real problem is relying on a single method of security. Any security expert can tell you that security is based on three kinds of factors: something you have, something you know, and something you are.
Any authentication method that relies on only one of these things is inherently insecure. If you lose your laptop (something you have), you're still somewhat protected because the thief does not have your password (something you know). Ditto for your cell phone. Switching from only using passwords to only using fingerprints is simply trading one set of insecurities for another.
I have high hopes that Microsoft's InfoCard will be a more viable solution to the login explosion. The InfoCard related MIX06 sessions I've attended so far look promising: it's simple, it does not require any Microsoft servers or software, and it has been developed in conjunction with the rest of the online community. Kim Cameron's Laws of Identity whitepaper has the most comprehensible high-level overview of the problems InfoCard is trying to solve. It's a great read.
Until InfoCard arrives, I guess I'll be clicking the "Having trouble logging in" link. Again.
Posted by Jeff Atwood
"One particular pitfall is the idea that your fingerprint is a secure substitute for your password."
But it's not, and it says it's not. In fact, you can't use the Microsoft reader to log on to your machine or the domain. What it is, is a hotkey for logins. Your stated problem isn't that you don't have a secure method for signing on to a web site. It's that you can't remember all of your passwords. If you only used three web sites, you could probably remember them all.
So the problem, as you state it, seems to be a data management issue. So you create a database of logins and use some kind of index lookup; in Scott's case (and mine) we use a fingerprint reader. It looks at our fingerprint and the URL of the site we want to log into and does a lookup.
Scott on March 22, 2006 02:17 PM
I suspect that most of the fifty websites that you have logons on do not really need to be secure.
Probably at least half of the websites that I have logon info on do not have any real security needs - they simply keep track of any preferences I have, which set of messages I've read, and what my sig should be for any messages I post.
If anyone else is able to logon as me the worst they'd be able to do is post some embarrassing messages that look like they were from me. I'm not losing any sleep over that.
Of course it's a very different story for sites that I actually perform financial transactions on or other things that require real authentication.
Unfortunately, that's still a lot of websites.
mikeb on March 22, 2006 03:03 PM
> But it's not, and it says it's not. In fact, you can't use the Microsoft reader to log on to your machine or the domain. What it is, is a hotkey for logins.
Well, according to the Microsoft site, you can use it for fast user switching:
"Quickly switch between user accounts with your fingerprint, without logging out or closing programs and files."
That's not quite a login, but it's awfully close.
> So you create a database of logins and use some kind of index lookup, in Scott case (and mine) we use a fingerprint reader.
All these so-called solutions make the problem worse. It's yet another bit of hardware or software we have to set up, configure, and maintain.
At least with InfoCard, that bit of software is a single-click solution that becomes part of the OS. For Vista, XP, and even MacOS and possibly Linux:
http://news.com.com/2100-7355_3-6043360.html
For example, the panel discussion at MIX06 I saw yesterday had someone from the Higgins project as a participant (among others). Microsoft is actively pulling in outside groups, many of them traditionally hostile to Microsoft, to help design InfoCard.
Even if you make your password really complex, it still doesn't stop the web site itself from handling your password in an insecure way.
I don't know how many times a web site has been able to send me my password through email when I forgot it. Not a new password, the same password I put into their system. This is insane. They should be storing my passwords in a one way hash method that makes it much harder for a hacker if they were able to get in and obtain the database.
I do log into my machine with the Microsoft Finger Printer reader...
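The one-way storage the comment above asks for, and the difference it makes to a "forgot password" feature, as an added example by the editor (not the commenter's code and not any particular site's implementation). `PlaintextStore`, `HashedStore`, the PBKDF2 parameters and the `https://example.invalid` reset URL are constructed for illustration; the sample credentials are made up.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Illustrative parameters (assumptions, not taken from any site in the thread).
# The iteration count should be tuned to the deployment's hardware.
ALGORITHM = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and pack it as 'pbkdf2_<alg>$<iters>$<salt>$<hash>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per user: equal passwords give different records
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    algorithm = scheme.split("_", 1)[1]
    digest = hashlib.pbkdf2_hmac(
        algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


class PlaintextStore:
    """The design the comment complains about: a stolen table is a list of passwords."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.users[user] = password

    def forgot_password_email(self, user: str) -> str:
        # Only possible because the password is kept in recoverable form.
        return f"Your password is {self.users[user]}"


class HashedStore:
    """Keep only a one-way hash; recovery issues a one-time reset token, never the password."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}
        # user -> sha256(token): a stolen table does not contain a usable token either
        self.reset_tokens: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.users.get(user)
        return record is not None and verify_password(password, record)

    def forgot_password_email(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.reset_tokens[user] = hashlib.sha256(token.encode("ascii")).hexdigest()
        # Hypothetical reset URL: the mail carries a short-lived token, not a password.
        return f"Reset link: https://example.invalid/reset?token={token}"

    def reset_password(self, user: str, token: str, new_password: str) -> bool:
        expected = self.reset_tokens.get(user)
        presented = hashlib.sha256(token.encode("ascii")).hexdigest()
        if expected is None or not hmac.compare_digest(presented, expected):
            return False
        del self.reset_tokens[user]  # single use
        self.users[user] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = HashedStore()
    store.register("alice", "correct-horse")  # constructed sample credentials
    print(store.users["alice"])                # the stored record, not the password
    print(store.login("alice", "correct-horse"), store.login("alice", "wrong"))
```

The stored record carries its own salt and iteration count, so the cost can be raised later without invalidating existing users, and the reset token is itself stored hashed so that a copy of the database gives an attacker neither passwords nor a way to take over accounts through the reset path.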
Scott Hanselman on March 22, 2006 03:58 PM
Indeed. I once gained access to many of my fellow pupils' email addresses at school by making a signup where they entered a username, email and password. Needless to say, all but one used the same password for their email. Not that I did anything malicious mind you, I just highlighted the point to them.
[ICR] on March 22, 2006 05:07 PM
I know it's just part of the problem, but KeePass is awesome. Especially when sharing accounts (banks) with others (wife).
http://keepass.sourceforge.net/
Oh, and here's one for all the pesky sites you DON'T want to log in to.
http://bugmenot.com/
Of course, I'm sure most people have heard of these...
kludger on March 22, 2006 06:15 PM
Got to go with the previous comment re: KeePass.
It is certainly a neat little solution to the ream of passwords problem!
One of the biggest failings of the MS Fingerprint reader from a usability perspective is that you can't export/import your password/URL lists.
When Scott uses TrueImage to reimage his PC, he will have to start all over again registering passwords against his fingerprint.
However, like him, I've taken the attitude that for a home PC the risk is small enough. After all, someone could get in with a boot disk regardless if they really wanted to.
And in the end, I am fairly certain I am better off fast-switching between my admin and non-admin account with a fingerprint reader than working online as an admin.
Other odd shortcomings: 1) the reader gets dirty really quickly even with regularly washed hands - keep a roll of sellotape handy, for you need to use some every day or two; 2) it isn't designed to work with the 'Run As' dialog, which has an extra option button to select to activate the credentials fields.
I have to admit I do not go as far as to use it to remember the password for online banking, but most other websites are not that critical.
Paul Coddington on March 22, 2006 07:39 PM
I use Firefox for pretty much all of my browsing and it has a nice "master password" option for saving username and password information for most sites. The usernames and passwords are still safe as long as I close down the browser after each time I connect to a controlled website and I can still use different passwords on each site.
For the most part, this works pretty well, but there are still a few secure websites that don't seem to be picked up by the browser as capable of being saved. For these, I just use a gpg encrypted local text file that I can quickly view whenever I forget the login/password.
The InfoCard system from Microsoft sounds quite a bit like PAM (Pluggable Authentication Modules) for Linux/unix http://www.kernel.org/pub/linux/libs/pam/
Steve Bush on March 22, 2006 09:12 PM
There's a variety of deterministic password generators out there, one of which I use. It just MD5's your mistress password with the URL and gives you the first few letters. Not wildly secure, but very easy. I swiped one from http://labs.zarate.org/
For secure stuff I use a GPG's file, and for some stuff I use the Schneier method - a postit on my monitor (so anyone stealing the password has to have already broken into my room and possibly also house...)
Moz on March 22, 2006 10:18 PM
Jeff, maybe if you stopped drinking so much, started eating more fish, and worked on some memorization techniques, you could remember all your passwords.
Or not.
Haacked on March 22, 2006 11:58 PM
I feel you on all of the online identities and such. I was just writing about my solution, KeePass, at my blog (this article --> http://lumpyscorner.com/TidBits/?p=23). It is free, encrypted and open source.
It resides on my thumbdrive and I keep a paper backup at home in my lockbox.
Uh, Jeff, didn't you advocate single-factor authentication a while back? Yeah, on the October 10, 2005 blog entry, the one about just using passwords and no usernames.
I know it's a bit rude of me to dredge up old posts. But has your opinion changed?
As for "which email address", I use a catch all for my domain and use the name of the website I'm at as the id. Thus, codinghorror.com < at > jdanielsmith |dot| org.
Iris scans will never be popular. High quality images of many famous and important people are already available, and usually of high enough quality to defeat an iris scanner.
Any decent 5 mega pixel camera will solve the problem for less popular people.
After all, when was the last time someone got a good face shot of you? Did you object? Did you even think about objecting?
Nope.
That key is already well into the public domain - and hey, since the scanners from 5 years ago were reported to work from behind a two way mirror from over 5' away, I'm betting that you REALLY don't want to depend on the privacy of your eyeballs for any type of security or identity proof.
It would kill most debit card fraud if the ATMs and keypads at stores had fingerprint readers in them to combine with yer pin code. Really tough to grab and use that information en masse with a skimmer and camera (ok, you might be able to get the prints, but it would take longer than preferred to fabricate a 1000 jujube fingers, and look REALLY funny at the ATM)
Xepol on March 23, 2006 12:31 PM
> just using passwords and no usernames
Password and username is still single factor, so it doesn't matter if they are two textboxes or not. Conceptually you can think of them as a single string, eg..
username: Jeff
password: Altamont1
== equals ==
login: Jeff/Altamont1
And both are "things I know", in the possible realm of..
1. Things I am
2. Things I have
3. Things I know
If I was using a smart card in *addition* to a password/username, that would be more secure.
Jeff Atwood on March 23, 2006 12:34 PM
Having not used this technology, I'm curious as to how strict it is in matching, in certain instances where your finger print may become temporarily defaced, i.e. by some sort of cut. And if it's not very strict, then how secure could it possibly be? Take it a step further and what happens when you get in some sort of accident and mangle your finger pretty severely, or lose it altogether. There would need to be some sort of backup means by which to bypass the system so you don't forever lose access to your own account. Then of course that would raise other vulnerabilities in the system.
Adrian J on March 23, 2006 06:04 PM
I hope this doesn't come off as a plug but I use SecretServer, though I'm impartial since I had part in development. To me what other products lacked is that I needed to have something with me to get access to my passwords. Secret Server allows me to share my passwords with my wife and kids, online management (no usb keys/sync issues).
I would suggest looking at it and see if it could help you as well. Its free for just one user.
http://www.thesecretserver.com/
"As for "which email address", I use a catch all for my domain and use the name of the website I'm at as the id. Thus, codinghorror.com jdanielsmith |dot| org."
My brother did that for a long time, and when he moved out and I effectively took over control of the connection I considered doing the same. However, he said that he didn't get that much spam. I did it for a short while, and I didn't get anything that doesn't already filter out for me. So I deemed it unnecessary.
But then again different horses for different courses. Depending on where you sign up (no, I'm not referring to porn necessarily, I'm referring to popular websites that may post your email in a harvestable manner) will signify who ends up with your email.
Have a look at http://www.amustsoft.com/1-password. It's in beta yet, but the idea looks interesting: "1-Password generates a unique password for each web site through one-way hash (HMAC-MD5 encryption) of your Master Password and the web site address".
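The per-site derivation that this comment and Steve Bush's earlier one describe (a keyed hash of the master password and the site address, truncated to a usable length), as an added example by the editor rather than code from 1-Password, labs.zarate.org or either commenter. It uses HMAC-SHA256 where the comment names HMAC-MD5, and adds two things a practitioner wants: a host normalisation step so `http://www.example.com/login` and `https://example.com/` yield the same password, and a revision counter so one site's password can be rotated without changing the master. Function names, parameters and sample inputs are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def site_key(url: str) -> str:
    """Reduce an address to its bare host, so scheme, www prefix, port and path
    do not change the derived password."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower().strip(".")  # hostname drops the port
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host


def derive_password(master: str, url: str, length: int = 16, revision: int = 0) -> str:
    """HMAC the site key and revision counter under the master password and keep
    the first `length` base64 characters of the tag.  Deterministic, so nothing
    needs to be stored; increment `revision` to rotate a single site's password."""
    if not 8 <= length <= 43:  # a 32-byte tag yields 43 characters before padding
        raise ValueError("length must be between 8 and 43")
    message = f"{site_key(url)}:{revision}".encode("utf-8")
    tag = hmac.new(master.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed master phrase; never reuse a real one in a demo.
    print(derive_password("a long constructed master phrase", "https://www.example.com/login"))
    print(derive_password("a long constructed master phrase", "example.com", revision=1))
```

Two caveats follow directly from the design. Because every site password is a function of the master, one leaked site password is enough material to test guesses at the master offline, so the master has to be a long passphrase rather than a word. And because the scheme is stateless, a site that rejects `+` or `/` or enforces a different length needs that rule remembered out of band; the revision counter is the only per-site state this version keeps.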
Fyodor Sheremetyev on March 26, 2006 06:54 AM
Yet another plug for Secret Server ...
We are about to release 1.1 which will include import capability so you can easily import your AnyPassword or Keepass passwords to try it out.
We are also incorporating our commercial API for two factor authentication into the next release which will allow for keyring tokens to further secure your master repository.
Secret Server is for technical teams who want to share and audit passwords.
Jonathan Cogley on March 26, 2006 08:23 PM
I tried the tool Scott recommended but it really wasn't that great. Having a smart phone I wanted to keep things in sync on my desktop and my smart phone. I travel a lot so NOT being at my desktop where my passwords are happens a lot. I've been using Code Wallet Pro for some time now. It has a desktop version and a smart phone version. Pretty nifty program, lots of features I don't even use like creating your own custom templates, etc. Yeah, it cost money, but it keeps everything in sync when I travel, for me, it was worth it. My $.02.
Keith Elder on April 10, 2006 09:51 AM
Tim Bray on "The Prompt of Doom"
http://www.tbray.org/ongoing/When/200x/2006/07/05/The-Prompt-of-Doom
Jeff Atwood on July 6, 2006 11:05 PM
Content (c) 2008 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.