Gentoo Forums
RIP passwords: new web standard designed to replace login
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5917

Posted: Wed Apr 18, 2018 10:15 pm

Biometric authentication makes it harder to accidentally misplace your credentials, but it doesn't stop someone stealing them.
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1609
Location: U.S.A.

Posted: Thu Apr 19, 2018 4:56 pm

Try to be understanding, guys. He has a sub-rudimentary grasp of only a couple of the basic concepts of cryptography.
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3343

Posted: Fri Apr 20, 2018 10:54 am

erm67 wrote:
cokey wrote:
The Doctor wrote:
cokey wrote:
The Doctor wrote:
So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful. :roll:
I'm so happy they can replicate my iris remotely
You don't have to. Just set up a nasty JavaScript to intercept whatever the result of the iris scan is and provide that whenever you want to log in. Basically how you steal credit card details.
Iris scanning is a mathematical interpretation and is therefore kept under an encrypted system. You would therefore need your JavaScript to somehow recognise whether it is successful or not. And then steal my phone. And then find somehow to put that mathematical representation into the phone while the sensor is looking at something. And then interrupt the false identification and use the correct maths to unlock the keyring into the phone and use the correct keypair to log in to the website.

FTFY
If it was like you say then your password (the math representation of your iris) would be the password for every website on the 'net, but instead there is a different 'password' that is sent over the wires for every website. Otherwise the guys at Google could look into your Yahoo account if the password was the same.

Thank you. My cryptography knowledge is, as stated, sub-rudimentary.
_________________
"Sex: breakfast of champions" - James Hunt
The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2600

Posted: Fri Apr 20, 2018 8:12 pm

It breaks down to having a password for your passwords. Since you will want to have access to your bank even if your phone breaks, the "passwords" would have to exist in a secure backup in the cloud. The password to that secure storage would be your eye or finger, so all that an attacker needs to do is steal that one password to unlock all the others. A single point of failure.

Needless to say that isn't attractive for security purposes, especially since the individual passwords could be changed but the master key is immutable. A vulnerability will exist and it will be exploited.

EDIT: It really doesn't matter how you implement this. You still only need to steal one thing to break the entire system, and if it becomes popular lots of money will be spent figuring out how to do it.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.


Last edited by The Doctor on Fri Apr 20, 2018 8:27 pm; edited 1 time in total
patrix_neo
Guru
Joined: 08 Jan 2004
Posts: 518
Location: The Maldives

Posted: Fri Apr 20, 2018 8:26 pm

That's what I would call a Leonardo Da Vinci one.
Backwards, letters turned to numbers and change the order of it, etc... Still, nowadays, I cannot trick a go computer. A f-kn computer.
I am on the rails to getting a chip...

The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.

Sorry if being off topic. Felt like a-ok. 6th beer in.
erm67
Guru
Joined: 01 Nov 2005
Posts: 410
Location: EU

Posted: Sat Apr 21, 2018 6:10 am

Basically it is just a standardization of the state of the art, since many digital identity systems already work more or less that way. It forces the user to use a keyring secured by a strong password and use different strong passwords for every website/application.
In Italy the government uses a system called SPID so now I can pay taxes using my fingerprint (iris scan is not supported) ....
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net
pjp
Administrator
Joined: 16 Apr 2002
Posts: 18084

Posted: Mon Apr 23, 2018 4:39 am

Login With Facebook Data Hijacked by JavaScript Trackers
Quote:
Facebook confirms to TechCrunch that it’s investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user’s data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but many of their parent companies including Lytics and ProPS sell publisher monetization services based on collected user data.

_________________
Those who know what's best for us must rise and save us from ourselves.
cokey
Advocate
Joined: 23 Apr 2004
Posts: 3343

Posted: Mon Apr 23, 2018 7:56 am

I can't see the reason behind the resistance to this. Unless it is less secure than the current systems then it is good, right?
_________________
"Sex: breakfast of champions" - James Hunt
Akkara
Administrator
Joined: 28 Mar 2006
Posts: 6702
Location: &akkara

Posted: Mon Apr 23, 2018 9:21 am

cokey wrote:
Unless it is less secure than the current systems then it is good, right?

Problem is currently there is almost no security. So it would take a special show of mismanagement and ignorance for it to be less secure. So this is not a high test to pass.

It has to not only be better, but significantly better. Otherwise we're just re-arranging the deck-chairs on the Titanic, to quote an old saying.

The unstated problem is that nearly everything wants its own account nowadays. Utilities, bank, credit, housing, doctors, labs, and so on. Sign up to see your medical records! Sign up to see your power usage online! Sign up to this exclusive community designed just for your neighborhood! Sign up and receive coupons texted right to your phone! So far I've managed to avoid most, but I worry how much longer it can hold out.

I would like to just receive email statements on many of the lesser-important ones. They do do email, but the email that arrives invariably says, "your statement is now available online. Easy sign-up, just click here." (Now, stop and think about it for a moment: Imagine receiving a (physical) letter in the mail that says, "Your statement is now available at our offices, just drive ${here}". Stupid, right? So how did this become common accepted practice whenever "e"-anything is involved? ^#$ cloudy thinking.)

The "best" one of these looked like a standard business form letter formatted for email: my name, address, SS #, account #, and then "Dear X, your monthly statement is now available ${URL}". So - they have just sent all this sensitive information in cleartext in an email. They may as well have included the account balance while they were at it and saved me the trouble. Not like it couldn't be phished easily enough had anyone intercepted it. Called them up the very next day, told them to remove my email, and even that was difficult. Idiots.

90% of the need for accounts could be solved with a well-implemented public-key email setup. The "signup" consists of me giving them my name, email address, and public key. They encrypt the statements or whatever and send it on its way. I decrypt locally using my private key. WAY more secure than any of this "sign up with facebook" or whatever the flavor-of-the-day bullshit is.

Anyway, sorry for the rant, and for any derailment that ensues.
_________________
Many think that Dilbert is a comic. Unfortunately it is a documentary.
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1609
Location: U.S.A.

Posted: Tue Apr 24, 2018 9:05 am

cokey wrote:
I can't see the reason behind the resistance to this. Unless it is less secure than the current systems then it is good, right?

It's almost as secure as a chip in the head.
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
erm67
Guru
Joined: 01 Nov 2005
Posts: 410
Location: EU

Posted: Fri Apr 27, 2018 7:13 am

cokey wrote:
I can't see the reason behind the resistance to this. Unless it is less secure than the current systems then it is good, right?

The problem is that old people hate change ..... they claim it's because they want something better, but the truth is that some people don't want any change (mostly losers).
It's easy to spot them since what they say is absolutely unrelated to the actual thing (the standard in this case) but a generic rant.

BTW once the standard for public key credential level one (webauthn) is in place, it will be time for level 2 and 3 ....

The real thing:
https://www.w3.org/TR/webauthn/
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net
The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2600

Posted: Sat Apr 28, 2018 12:57 am

cokey wrote:
I can't see the reason behind the resistance to this. Unless it is less secure than the current systems then it is good, right?

The worst part is that schemes like this have the appearance of security while having a single very vulnerable point of failure. All you need is a nasty piece of code that acts as a 21st century key logger to grab a single master password that is immutable (biometrics). Given the right vulnerabilities you could do it with a simple JavaScript. A better implementation may require a more complex Trojan to break it. But it will be broken and millions of people's banks and identities will be compromised. Make no mistake, once something is declared unsinkable someone will make it their mission to prove otherwise and succeed.

On my password manager I can set the key and reset it whenever I like. If my thumb print gets stolen it is game over.

The "ideal" security is to use public/private key pairs for everything. It is trivial to establish a secure log in with even single use keys. The problem is how do you securely store your private key? A password is usually a weak link. Most can be cracked in a matter of minutes. If you have less than 7 characters you don't have a password. If you have a long password you may have difficulty in remembering it but it is still very vulnerable to dictionary attacks if it makes any sense at all. Biometric? Better on paper but then all I need is an image of your print. All that I need is to ask you to give me a scan. Or maliciously sniff the scanner. Or whatever. And once I have that I have your entire collection of credentials and you can't change the master key. Basically, any single point of failure is a problem. Can you think of a potential way to break it? Then the entire system falls apart.

Remember, chip and pin was supposed to be the unbreakable credit card. It took no time at all for a wide range of attacks to be thought up to steal your details. Something that was promised to be impossible.

The best strategy I have found is to make a long password, 20+ characters using upper case, lower case, and symbols. That is long enough to be immune to brute force. To combat the dictionary attack I use acronyms that are meaningless except to very niche audiences and mix them together to create a memorable string of gibberish.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.