Correct Horse Battery Staple: Strong Passwords… Passphrases… are they still relevant/necessary?

From IIW

Session Topic: Correct Horse Battery Staple: Strong Passwords…passphrases…are they still relevant/necessary?

Wednesday 5G

Convener: Jay Unger

Notes-taker(s): John Fontana

Jay Unger led.

This will be a discussion, not a presentation.

How long will we have passwords?

I think they will be around for at least the next 20 years. What do you think?

Alan Karp

Security by secret. I don't need a password. I bookmark a URL; the security moves to how you get into using a computer.

Dick Hardt –

AK – this is a preference for single-factor log-in.

Temporary passwords – a one-use thing.

???? uses a random password and then hits "forgot password". His email becomes his password.

AK – if we can avoid the password problem, you might have other problems…

Web keys –

Jay – How do you feel about… the difference between passwords and the kind of security questions?

AK – answer all security questions with the same answer.

Others do that.

What I have done is create a recovery password.

One person uses a password calculator to generate passwords.

DH – as we use fewer sites and log in with FB or Google, the web is becoming more secure.

AK – what bothers me is SSO but not single log-out. The site does not tell me it is federated. The SSO has a huge attack surface.

DH – the world is going mobile; the phone is more secure than the PC.

Jay – not sure I agree.

AK – Android has done a good job of isolating apps.

DH – more secure in what can happen on it; it has a hard ID that a PC does not have.

ID on SIM card?


DH – where we want to get to with ID is: how do I know it is Jay?

With all the sensors it can learn about gestures, what I do.

Jay – I travel a lot. Asia is a higher-risk environment. I see a lot more challenge behavior than I do in the US.

Also privacy issues with behavioral cues.

DH – maybe I was not clear. How I use the phone is possibly a better way to authenticate. How can the device help? It is there with me.

J – …and it is also a store, more than a username and password. You can put digital certs on the phone.

J – I have lost cell phones. Many people do.

DH – lock my phone. It is a brick to anyone else.

We treat authN as binary. We are or we are not.

J – pet peeve for me. With OpenID, …

DH – there are a bunch of factors available on the phone. …when the phone is told to do something, does it have enough confidence for a transaction? If not, it does nothing.

J – I have a dumb phone, a Palm Pilot. I lost more expensive phones. The question that I have is about devices and the role they can play in authN. Most of the lock and unlock can be attacked. If devices are a primary means … for authN… how do you make devices more secure?

DH – locking is not good. More computing is mobile, so authN happens at the phone. The computer is a second-class citizen; I use the phone to authN, not the PC.

…with gestures you get more of a gradient for authN.

J – there are flaws with all of these things.

AK – I always have my phone, my key ring and my wallet.

DH – in ten years the phone is left; the others disappear.

J – a lot of 2-factor authN still involves strong passwords. The TSA program still uses passwords; banks that use hardware keys also use passwords.

DH – Nexus is retina scan and card.

J – biometrics are expensive and unreliable, a lot of false negatives.

DH – I need a gradient rather than yes or no. The phone can learn how I move and how I do things. One of the most important ID systems now is looking at history. Look at credit cards: the bank says, does this look like something the user has already done?

DH – my point: this is state-of-the-art ID now. The credit card is looking at past behavior.

J – if I was at a rental car counter in Shanghai and my card is rejected, I am in trouble.

AK – I had a thought: is this Dick using the device? What if the device had a check? You do things a bit differently each time. …

J – you are saying, D, that over time something you know will be less and less valuable.

DH – yes, it will be more about how we authN to our devices.

AK – but when that goes away, or you need something else.

DH – I could move up into biometrics.

J – if they did 2-factor authN, they could come back and ask for a PIN or password.

AK – but you might forget. When it fails, however, when the gesture turns me down, I won't remember the password.

DH – my point: in the future, a number of fallbacks to get high certainty it is you.

J – it could be biometrics.

DH – yes, I have to talk to it, move it, swipe my finger.

AK – say the unlock screen had four scroll bars. I might use two and someone else might use just one.

DH – well, you might.

???? – it is multiple smaller factors. I am at an access point I am usually around… those work in combination if your gesture changes.

J – I worry about it a little. There is potential for that authN to be subverted by coercion.

J – what do you think about something you know declining?

??? – I feel there is more and more use of biometric devices. I see bio as part of the future.

???? – biometrics might be the future, or you could touch your devices or provide your face. …

J – that is high cost.

???? – another way of storing a password in the brain. The challenge is a playback; you do it fast because you have done it so many times. …that cannot be forced out of you. The challenge is…

AK – I like the military one, the panic password.

J – I have seen that with a bank. I have a panic password; the robber is going to get money. I walk away alive… and it limits liability.

AK – the military one. It takes you into what looks like a legit log-in.

J – the bank that does this panic password: Barclays does this in England.

J – this is all good. I still think something you know will be part of multi-factor authentication. I like the idea of what I call passphrases. Correct, horse, battery, staple is one… You don't need a wide range of vocab for it to be effective: less than 1K words.

Thank you.

25 years from now we will come back and see if there are passwords.

K – it will be like what Dick said: you will authN and you won't even know you did.

I am seeing NFC in use, and I have heard of one country implanting RFID chips.

J – low-value transactions will use simple things you know vs. things you have.

DH – I authN to the device; it gets me to the app.
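The closing passphrase point (a few words drawn from a list of under 1K words) worked through as an added example. This Python is not part of the session notes or of any participant's material; it assumes a diceware-style word list in which only the list size matters, because each word is chosen uniformly at random with a CSPRNG. The tiny `SAMPLE_WORDS` list is constructed for illustration; a real list would have hundreds or thousands of entries.

```python
import math
import secrets

# Constructed stand-in for a real word list. Only its size feeds the entropy
# math; a real diceware list has 1000-7776 words. (Assumption for illustration.)
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "lantern", "river", "pencil", "cloud"]


def passphrase_entropy_bits(list_size: int, num_words: int) -> float:
    """Entropy, in bits, of num_words chosen uniformly (with replacement)
    from a list of list_size words.

    This figure only holds for random selection. A phrase a person makes up
    ("my dog is cute") draws from a far smaller, highly predictable space."""
    if list_size < 2 or num_words < 1:
        raise ValueError("need a list of at least two words and at least one pick")
    return num_words * math.log2(list_size)


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy, in bits, of a length-character password whose characters are
    chosen uniformly from an alphabet of charset_size symbols."""
    if charset_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least two symbols and length >= 1")
    return length * math.log2(charset_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list_size list that reaches target_bits."""
    if list_size < 2:
        raise ValueError("need a list of at least two words")
    return math.ceil(target_bits / math.log2(list_size))


def expected_guesses(bits: float) -> float:
    """Expected guesses for an attacker who knows the list, the word count and
    the separator (Kerckhoffs: assume they do): half the keyspace on average."""
    return 2.0 ** (bits - 1)


def generate_passphrase(words, num_words: int, sep: str = " ") -> str:
    """Pick num_words words using the OS CSPRNG via `secrets`, never `random`,
    which is seeded predictably and unsuitable for secrets."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(num_words))


def is_from_list(passphrase: str, words, num_words: int, sep: str = " ") -> bool:
    """Check that a generated phrase has the expected word count and that every
    word comes from the list (sanity check for the generator)."""
    parts = passphrase.split(sep)
    return len(parts) == num_words and all(p in words for p in parts)


if __name__ == "__main__":
    # Four words from a 1000-word list already sits near 40 bits; five words
    # from a 7776-word (diceware) list passes 64 bits.
    for size, count in ((1000, 4), (1000, 5), (2048, 4), (7776, 5)):
        bits = passphrase_entropy_bits(size, count)
        print(f"{count} words from {size:>5}: {bits:5.1f} bits, "
              f"~{expected_guesses(bits):.2e} expected guesses")
    print(f"8 random alphanumerics: {charset_entropy_bits(62, 8):.1f} bits")
    print(f"words from a 1000-word list to reach 64 bits: {words_needed(1000, 64)}")
    print("sample (constructed 8-word list, demo only):",
          generate_passphrase(SAMPLE_WORDS, 4))
```

The figures are upper bounds that assume the words really are chosen at random; the attacker is assumed to know the list and the format, so the strength rests entirely on the number of equiprobable combinations, which is why a small vocabulary still works once enough words are used.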