What are you trying to protect?
thanks,
--eddie
> Date: Fri, 5 Jun 2009 11:20:38 -0800
> From: choward@indicium.us
> To: aklug@aklug.org
> Subject: [aklug] Biggest weakness of passwords
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> The biggest problem I have with password-based authentication (which, of
> course, I use all the time) is that I must physically type in the
> password each time I need to authenticate.
> 
> That makes me nervous because then it is possible for anyone within
> visual range, who has a good memory, to simply memorize the characters
> of my password as I type them out on the keyboard. Or even attackers
> (crackers, government agents, alien spies from Mars, whatever) with poor
> memory could get the password if they could simply get a recording of me
> typing it, say with a cellphone camera or a surveillance tape.
> 
> I was wondering if anyone had any thoughts about this issue. Obviously
> there are solutions like biometrics, which use physical characteristics
> of a person. The downside of biometrics, from what I understand, is that
> they are more difficult to implement (hardware-wise), not always
> accurate, and vulnerable to being fooled; furthermore, once compromised
> they cannot easily be changed (e.g., if someone learns how to fake your
> fingerprint, you're not going to want to change your fingerprint.)
> 
> There are layered solutions, like using a password with a server-synced
> security card. However, this does not fundamentally solve the password
> problem, but simply says "I am going to lower my chances of being
> successfully attacked by making it necessary for the attacker to figure
> out my password and steal my security card."
> 
> One approach I had considered was a system where, instead of actually
> typing your password, the login screen presents you with a 30 line
> paragraph of random text. Then, in your mind, you use a 45-step
> algorithm, with your password as the key, and generate a 30 line
> signature paragraph which you type into the login prompt. The login
> program checks that the signature is valid and then lets you gain access.
> 
> The advantage of this system is that you never have to type in the
> actual password. The disadvantage of it is that it is practically
> impossible for the average human being to use it.
> 
> - --
> Christopher Howard
> http://indicium.us
> http://theologia.indicium.us
> 
> I digitally sign /all/ of my e-mails via PGP. If you receive any e-mail
> from me without my valid PGP signature, please take additional steps to
> verify the authenticity of the message.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkopcAYACgkQQ5FLNdi0BcXKXACfSbOzyGG6NW1d9XrAhCaz4722
> vVcAoI1RtjSX91wsidaFmJxVw0GNjHfz
> =A8+g
> -----END PGP SIGNATURE-----
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
> 
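The "random paragraph plus keyed algorithm in your head" scheme described in the quoted message is, in protocol terms, a challenge-response login: the verifier sends a fresh random challenge, the prover answers with a keyed function of it, and the secret itself is never typed or sent. What follows is an added example (my own code, not anything posted in this thread) that implements that protocol with a machine doing the keyed computation instead of a human: PBKDF2 stretches the password into an HMAC key, the server issues a 32-byte random challenge, and the client replies with HMAC-SHA256 over it. The user name, password and wordlist are constructed sample values. The demo also shows the two caveats a practitioner would want: a recorded (challenge, response) pair cannot be replayed, but it can still be used for offline password guessing, so the scheme only helps if the password is strong; and the server must store a password-equivalent key, which has to be protected accordingly.

```python
"""Challenge-response login: the password is never typed or transmitted.

Enrollment stores a salt and a PBKDF2-derived key per user. At login the
server issues a fresh random challenge; the client answers with
HMAC-SHA256(key, challenge); the server recomputes and compares in constant
time. A recording of one login (the challenge and the response) cannot be
replayed, because every login uses a new challenge.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # chosen for the demo; tune for your hardware


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 32-byte HMAC key (same on both sides)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def respond(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Client side: the keyed 'algorithm' applied to the random challenge."""
    key = derive_key(password, salt)
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self) -> None:
        self.users = {}    # username -> (salt, derived key); key is password-equivalent
        self.pending = {}  # username -> outstanding challenge

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str) -> tuple:
        """Issue a fresh 32-byte random challenge; return (salt, challenge)."""
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        return self.users[username][0], nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Accept only a response to the one outstanding challenge (no replay)."""
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        _, key = self.users[username]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def offline_guess(salt: bytes, challenge: bytes, response: bytes, wordlist):
    """What an observer who recorded (challenge, response) can still do:
    test candidate passwords offline. A weak password is still recoverable."""
    for candidate in wordlist:
        if hmac.compare_digest(respond(candidate, salt, challenge), response):
            return candidate
    return None


def run_demo() -> dict:
    """Constructed scenario: one honest login, a replay, a wrong password,
    and an offline guessing attack on the recorded pair."""
    server = Server()
    password = "correct horse battery staple"  # constructed sample password
    server.enroll("chris", password)

    salt, c1 = server.challenge("chris")
    r1 = respond(password, salt, c1)
    login_ok = server.verify("chris", r1)

    # An attacker who recorded r1 replays it: the challenge was consumed.
    replay_ok = server.verify("chris", r1)

    # The attacker answers a new challenge with a guessed password.
    _, c2 = server.challenge("chris")
    wrong_ok = server.verify("chris", respond("password123", salt, c2))

    # Offline guessing against the recorded pair (c1, r1) with a toy wordlist.
    guessed = offline_guess(salt, c1, r1,
                            ["letmein", "password123", password])
    return {"login": login_ok, "replay": replay_ok,
            "wrong_password": wrong_ok, "offline_guess": guessed}


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script to see the four outcomes. The point of the last one is that moving from "type the password" to "answer a challenge" removes the shoulder-surfing and replay risks the message worries about, but not the dictionary-attack risk: the observer still gets a verifiable pair to grind on, which is why the key stretching and a long password both matter.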
Received on Fri Jun  5 12:16:26 2009
This archive was generated by hypermail 2.1.8 : Fri Jun 05 2009 - 12:16:26 AKDT