Australian Politics Forum
http://www.ozpolitic.com/forum/YaBB.pl
http://www.ozpolitic.com/forum/YaBB.pl?num=1339191487

Message started by Spot of Borg on Jun 9th, 2012 at 7:38am

Title: Passwords
Post by Spot of Borg on Jun 9th, 2012 at 7:38am
Apparently passwords are outdated (but haven't been replaced by anything else yet!)

http://9hardware.com/blog/in_the_news/657.html


Quote:
It seems that our cyber-identities are constantly under attack and the recent password leaks from high profile sites like LinkedIn, eHarmony, and last.fm are signaling the fact that our data in the cloud is not as secure as some had hoped. Most people use dozens, if not hundreds of different websites and keeping track of all of these logins is difficult. The result is that many people use the same password on multiple sites, compounding the criticality of these security breaches. So what's the solution?

The first issue is that companies need to do a better job protecting our data and especially our security credentials. The fact that LinkedIn never salted the password hashes has made the task of cracking passwords infinitely easier. The salt would've had minimal overhead to LinkedIn and would've gone a long way to reducing the impact of the breach. In addition, there are many tools available that help organizations detect and stop these types of attacks. While at HP Discover, we've seen several good offerings that would also help an organization know that they were under attack. From tools like HP Fortify that tests application security to Tipping Point for network monitoring to ArcSight for information analysis, there are applications and processes that can be put into place to help prevent these leaks from happening in the first place.

Having said that, no system is 100% secure; breaches will happen and passwords will be released. So is the password a dinosaur, a relic from the past that has outlived its usefulness? And if so, how should we be protecting our identities?

One way is to have a central password safe that all sites rely on for authentication. This is something that Facebook as a platform is offering. Indeed, you can even log in to Neowin with your Facebook account if you so choose. This has the benefit of allowing you to pick an ultra-secure password and not risk forgetting it. It also means that you can hopefully rely on the universal platform to properly store and secure your passwords in such a way that even if they are compromised, the actual data cannot be read. However, this seems to be a poor idea overall for many reasons, not the least of which is that if history has proven anything it's that no system is safe. Indeed, putting all of your valuables in a single repository just means the bad guys will focus their fire at that target.

Another idea is to use a token in your possession that constantly changes. Sites like eBay and World of Warcraft already provide this functionality and it's a good way to help secure your identity. Even if someone steals your password, they can't log in as you without the token. This isn't a foolproof solution though, as last year's attack on RSA proved, but it's another layer of protection (called two-factor authentication) that is a step in the right direction. Unfortunately this doesn't scale well if you have to carry 100 tokens around on your key chain in order to access the web.

Perhaps the best solution would be to tie access information into your mobile phone. More and more people are using smartphones, so instead of a token, sites could provide an app for your phone or perhaps send an SMS message that contains a passcode to you. The downside is that more companies would have access to your phone number and if you lose your device, you increase the chance of allowing anyone to access your data on the web, but this might be a better solution than having poorly secured passwords that attackers can easily obtain.

Do you think the age of the password is nearing an end and that we need something more secure? Or are you not concerned about most of the data sitting out on the web anyway? 


SOB


Title: Re: Passwords
Post by mozzaok on Jun 9th, 2012 at 4:15pm
Use spaces and symbols in your passwords, and they will be a LOT stronger.

Title: Re: Passwords
Post by Spot of Borg on Jun 9th, 2012 at 4:39pm

mozzaok wrote on Jun 9th, 2012 at 4:15pm:
Use spaces and symbols in your passwords, and they will be a LOT stronger.


Yeah, if they allow it.

Still, if passwords are no longer secure, what can we do? What's the next technology?

SOB

Title: Re: Passwords
Post by Frances on Jun 9th, 2012 at 4:40pm
I don't think it really matters much for forums such as this one though.

Title: Re: Passwords
Post by skippy. on Jun 9th, 2012 at 4:51pm

Frances wrote on Jun 9th, 2012 at 4:40pm:
I don't think it really matters much for forums such as this one though.

Think again then, Frances. I've posted here since about the 2007 election, but if you look at my profile it will show I've been here since 2010. That is because I had to have my original skippy profile deleted after an overzealous righty found it amusing to hack into my account here. I was silly in using the same password on a few different accounts at the time, and a poster that used the same forums had too much time on their hands to play around trying to hack into others' accounts. Suffice to say I NEVER use the same password more than once any more and make sure all passwords entail letters, numbers and symbols.

Title: Re: Passwords
Post by Spot of Borg on Jun 9th, 2012 at 4:58pm

skippy. wrote on Jun 9th, 2012 at 4:51pm:

Frances wrote on Jun 9th, 2012 at 4:40pm:
I don't think it really matters much for forums such as this one though.

Think again then, Frances. I've posted here since about the 2007 election, but if you look at my profile it will show I've been here since 2010. That is because I had to have my original skippy profile deleted after an overzealous righty found it amusing to hack into my account here. I was silly in using the same password on a few different accounts at the time, and a poster that used the same forums had too much time on their hands to play around trying to hack into others' accounts. Suffice to say I NEVER use the same password more than once any more and make sure all passwords entail letters, numbers and symbols.


Who was it?

SOB

Title: Re: Passwords
Post by skippy. on Jun 9th, 2012 at 5:09pm

Sir Spot of Borg wrote on Jun 9th, 2012 at 4:58pm:

skippy. wrote on Jun 9th, 2012 at 4:51pm:

Frances wrote on Jun 9th, 2012 at 4:40pm:
I don't think it really matters much for forums such as this one though.

Think again then, Frances. I've posted here since about the 2007 election, but if you look at my profile it will show I've been here since 2010. That is because I had to have my original skippy profile deleted after an overzealous righty found it amusing to hack into my account here. I was silly in using the same password on a few different accounts at the time, and a poster that used the same forums had too much time on their hands to play around trying to hack into others' accounts. Suffice to say I NEVER use the same password more than once any more and make sure all passwords entail letters, numbers and symbols.


Who was it?

SOB

They don't post here anymore. But mozz can vouch for me that I had to get him to delete the original.

Title: Re: Passwords
Post by bobbythebat1 on Jun 9th, 2012 at 6:02pm
Passwords are very safe because of the great number of possibilities.

Look at the maths:
26 letters of the alphabet either in lower or upper case
equals 52 letters
plus digits 0 to 9.
That equals 62 possible characters.

Let's say you use just 6 characters in your password:

the number of combinations or possibilities  =

62 to the power of 6 = 56,800,235,584

That's over  56  billion combinations.

If it took 10 seconds to try each password you could try 10 per minute.
600 per hour.
14,400 per day
5,256,000  per year


56,800,235,584 passwords  divided by 
5,256,000  per year


10,806 years to enter all possible passwords!
That sounds secure to me & that's only with 6 characters.



Note:
You can use 16 characters for internet banking giving
697,699,357,611 x the age of the universe
(universe = 13 billion years old)

700  billion times the age of the universe to crack the code!


Of course  - if you leave the code lying around or
you have  key logger spyware on your computer it doesn't work.








Title: Re: Passwords
Post by muso on Jun 9th, 2012 at 6:12pm
For your computer, programs such as TrueCrypt can be used to store confidential financial information etc. You can use a combination of passwords and keyfiles and you can specify a number of different encryption algorithms. A keyfile can be any file you want such as a Word Document or a video, either on your local system or on the net. It's free for Linux at least.

Title: Re: Passwords
Post by Spot of Borg on Jun 10th, 2012 at 4:48am
Well what about thumb scanners etc? Facebook wants to put in face recognition (like everyone has a cam huh). Things like that?

SOB

Title: Re: Passwords
Post by muso on Jun 10th, 2012 at 9:35am

Sir Spot of Borg wrote on Jun 10th, 2012 at 4:48am:
Well what about thumb scanners etc? Facebook wants to put in face recognition (like everyone has a cam huh). Things like that?

SOB

Remote face recognition is a crap idea. Anyone with some webcam footage or a picture could get into somebody else's account.

Title: Re: Passwords
Post by Spot of Borg on Jun 10th, 2012 at 9:42am

muso wrote on Jun 10th, 2012 at 9:35am:

Sir Spot of Borg wrote on Jun 10th, 2012 at 4:48am:
Well what about thumb scanners etc? Facebook wants to put in face recognition (like everyone has a cam huh). Things like that?

SOB

Remote face recognition is a crap idea. Anyone with some webcam footage or a picture could get into somebody else's account.


Heh yeah. I think anything scanning or otherwise is going to need software to drive it so will be vulnerable to hacking anyway.

SOB
