Future Tense: The Universal Password

23 Comments

aarcane

The true universal password will be in the USB Flash Drive + TPM combination. You'll store a key INTO your TPM (which can be implemented in a USB device), then password lock your TPM device. The key can never be recovered, and the password can be easily changed. You then store your CERTIFICATES on the USB storage portion of the device. You can then safely connect your drive to ANY computer system and perform authentication without risk of compromising your private KEY (the point of a TPM is that the KEY can never be recovered), and because you bring the flash drive with you, all the CERTIFICATES which pair with your key are stored on the drive, all your authentication credentials are present. If anyone steals your key, they STILL need your password. You can then just contact each authority (or site) that accepts your credentials and revoke your certificates and get new ones with a new key.

The problems arise in that this system depends on Operating System designers agreeing on a format for the storage of keys and the interaction with the autonomous security device (how do you enter the password? Clearly an exe file is NOT an option; there must be a standard interface built into the OS that will unlock and activate the private key without relying on a third party implementation). Secondly, services and browsers must be able to interface with this data in a generic way. Again, no browser plugins from manufacturers, but instead an OS level interface to the security layer. Thirdly, everything and everyone must implement TLS or SSL authentication for this to work with them.

The technology exists, and it works. All we need to do is put the pieces together. Since all the specifications are open and documented, the final product should be as well. Because SSL and TLS are proven, established technologies, they're ideal to solve this problem, and in many ways they've already been used to do this, short of a fully integrated solution.

majorsuave

"... the password for your bank account or your PayPal account can be broken with only a few days of computation, then it’s cost-effective for a mal-intentioned hacker to make the attempt."

How cost effective is it to target a nobody that might turn out to have a loaded credit card and $3.46 in his account if you waste 76 hours computing his password? I know I've been there.

JohnP

Is there a password program that uses a secureID device like the Blizzard Battlenet authenticator?

vhenjoseph

Great article you got there. Makes me want to change all my passwords now... and I mean right now. XD

jonahkirk

Problem is, most of the sites needing the most security (work, banking), and thus the most secure passwords, also use self-expiring passwords; these are the ones that drive me nuts.

livebriand

The problem here is that, unlike my wifi password, I need to remember a login password or email password so I can use the service. I'm fine with using a randomly-generated 16 character password for my WPA2-PSK (AES) secured network, but I can't remember it offhand, so it won't work for email.

routine

This is a great idea: http://www.syferlock.com/

You remember one password, but what you type in changes every time.

Similar to a hardware authenticator, w/o the hardware.

Barnaby

Procedural password generation, hmm. It's simple and quite brilliant. I like it. I think another thing to consider would be username complexity/length as well, since an attacker would need both of these pieces of info, right? If the username is obscure enough, an attacker wouldn't even know whose password s/he's looking for. It's one thing to be looking for the needle in the haystack. It would be even harder if you don't know whose needle you're after. Of course, I don't know how hard it would be for an attacker to get his/her hands on a database of usernames to begin with.

someuid

I use different usernames for each site as well.  It doesn't make it harder to hack the account, but it does make it harder to link all those accounts back to me (assuming the account doesn't have identifying information in it to start with) or to cross reference them with one another.

szore

I remember seeing a fingerprint scanner for the computer in Staples over 10 years ago.

Whatever happened to biometrics???

JDHatman

Cleartext.

The problem with most "biometrics" scanners is that they are not biometrics scanners at all. They are accessibility tools that mask themselves as biometrics. Those fingerprint scanners that you see in Staples don't encrypt the information as it's transferred to the computer. When you scan your fingerprint, it brings up your password (if your fingerprint matches), and sends it in cleartext to the computer. This makes the fingerprint reader useless. It's not really verifying fingerprints in the Windows database, it's verifying fingerprints in its own little database and then sending unencrypted data to the Windows login screen.

I used to have one of these, so I did the research on it.

milamber3

https://www.grc.com/haystack.htm

From the same guy who wrote "ShieldsUp!"

Nimrod

You sir have just named my next computer. I hereby christen my upcoming SB-E machine "Hellaflops."

black sea

"The real question is not what password system you use—but how secure do you want your online accounts and your personal data to be? Is it worth the extra time and trouble to keep your private information out of the hands of hackers?"

Exactly. I no longer think any site that has any of my personal information is unworthy of a strong password. This type of system simplifies the situation. However, like many others, I prefer having unique passwords for important and often used online accounts, such as email and banking.

Addressing another point, I don't see a need to eschew symbols from password generation.  Simply drop them from their usual place in the password-generating formula for sites that don't accept them.  This will make passwords stronger for sites that do accept them and merely create more variation among all your passwords.

d3v

I thought this article would be about public key cryptography. Now that would be a truly universal password system. If only someone created an easy to use web service or app for that. We wouldn't need to remember more than one passphrase anymore.

gX15L97bCcaTHvj...

I must admit that I've only recently (within the last year or so) begun to take password security very seriously.  I previously used a rotation of passwords having a common theme but I've moved away from that approach in favor of long, randomized passwords generated via LastPass (my username for this site was even generated via LastPass).  I supplement my LastPass account with YubiKey for multi-factor authentication and I'm extremely pleased with this security system.


For work, I run Firefox from an encrypted USB key and login to LastPass from there. While there are no guarantees that a keylogger isn't stored on my system, the combination of the on-screen LastPass keyboard and a physical key in my possession (YubiKey) provide peace of mind (even if someone knew my master password, they still couldn't login to my account without my YubiKey). I may soon invest in a biometric flash key for triple-factor authentication (yes, I've become that paranoid about password security in light of the security breaches within the last 8 months or so).

livebriand

Wow your username is gX15L97bCcaTHvjBg8WnQLC5XbCmXjSqebeOLWPMRMxnlSUAMvyrNchBMhY2??? Why would anyone want to guess your username?

Blaze589

I have a self contained .exe that creates up to a 16 character alphanumeric key (symbols can be specified). The great thing is that you can always generate the same key as long as you enter the same parameters.

The parameters are: phrase, url, and username. You only have to use one (phrase) the other two are optional.

Here's the link: http://www.softpedia.com/get/Security/Password-Managers-Generators/Key-Maker.shtml
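Blaze589's phrase/url/username generator and black sea's rule of dropping symbols from their usual place for sites that reject them both describe the same idea: a deterministic password formula. The following is an added example of such a derivation in Python; it is not Key Maker's code nor the article's method, and the PBKDF2 step, the NUL-separated salt layout, the iteration count and the symbol set are assumptions of this example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Character classes; SYMBOLS is the (assumed) set that many sites reject.
LETTERS_DIGITS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "abcdefghijklmnopqrstuvwxyz0123456789")
SYMBOLS = "!#$%&*+-=?@^_~"
FULL_ALPHABET = LETTERS_DIGITS + SYMBOLS


def normalize_site(url: str) -> str:
    """Reduce a URL to its lowercase host, so that http://, https://, paths
    and letter case all yield the same site password."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower()


def derive_password(phrase: str, url: str = "", username: str = "",
                    length: int = 16, allow_symbols: bool = True) -> str:
    """Deterministically derive a site password from (phrase, url, username).

    Only the phrase is secret; site and username act as a salt, so the same
    inputs always reproduce the same password and nothing has to be stored.
    """
    # A NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
    salt = f"{normalize_site(url)}\x00{username}".encode()
    # PBKDF2 slows offline guessing of the phrase if one site password leaks.
    key = hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt, 200_000)

    n = len(FULL_ALPHABET)
    limit = (256 // n) * n          # rejection sampling: no modulo bias
    chars, counter = [], 0
    while len(chars) < length:
        # Expand the key into as many bytes as needed with a counter-mode HMAC.
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        for b in block:
            if b < limit:
                chars.append(FULL_ALPHABET[b % n])
                if len(chars) == length:
                    break
        counter += 1
    password = "".join(chars)
    if not allow_symbols:
        # Drop symbols from their usual positions for sites that reject them,
        # leaving the remaining characters of the formula's output unchanged.
        password = "".join(c for c in password if c not in SYMBOLS)
    return password
```

Because symbols are dropped rather than substituted, a no-symbol site gets a slightly shorter password; pass a larger `length` when a site enforces a minimum.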

Brdn666

Depending on the site, I either use the same super easy password, or a unique, difficult one. Sites that actually matter to me (Facebook, gmail, etc) all have a unique password, but since I use them constantly, they aren't hard to remember or type. But the random sites that require an account for access or whatever, they all get the same old password I've been using for years. I don't even remotely care if someone finds out that password.

jechaucer

Give me a break. Most people, myself included, can't remember a simple 6-8 character password for the sites we visit. I must have 50 sites I visit that use passwords. Use the KISS principle (Keep It Simple Stupid). A few numbers and a made up word will be more than enough to keep the kiddie hackers away. The pros are going to get in regardless of what you come up with if they really want to. Second of all, nobody is breaking into private accounts. So few private individual accounts are hacked that encrypting it with such a complex password system is hardly worth the trouble. No site is secure, regardless of the password you use. If you are that concerned about high level information, such as bank accounts and ss numbers, then don't use the web for that. Use paper billing via snailmail. I do a lot online, but refuse to log on any site that involves my ss number or bank account number.

mrvander

What's easier to hack: an encrypted password to which only you hold the decryption key or ripping open an envelope? Ignorance breeds Luddites.

Sparx10

nice article picture on the main page lol, iStock Photo is clearly visible :D
