Are Passwords Obsolete? - Comments Page 1

Category: Privacy




(Read the article: Are Passwords Obsolete?)

All Comments on: "Are Passwords Obsolete?"

Comment Page: 1 |  2 

Posted by:

Stuart Cuddy
02 May 2014

Have you seen SQRL by Steve Gibson at GRC.com?

Posted by:

onedeafeye
02 May 2014

So I need to buy a cellphone and/or a scanner just to verify who I am? There has to be another way. I don't have either and have no reason to get either. I realize I'm not mainstream normal, nor do I care to be, but there have to be alternatives to those proposals for those like myself.

Posted by:

Jim
02 May 2014

Bob, if that Model 33 was the same one we used in school, the HEL was not truly a part of your login, but was short for "HELLO". If I remember correctly, you would type SCR (short for "scratch") to delete the current program from RAM, and KIL (for "kill") to delete it from disk (or maybe it was tape back then.) Wow, that was a long time ago. :)

EDITOR'S NOTE: Yes, the HEL was short for HELLO. The N703 was my username, and the MTH was the password. Ours stored programs remotely (via 300 baud modem) at a local university, but you could also save programs to punch tape.

Posted by:

Kevin Tran
02 May 2014

Bob,
Very interesting comments. These mechanisms are more for controlling the internet than personal security.
As you said in the article, why steal one identity when millions are much more easily obtained for less work.
The point is centralized repositories are bad for individual identity. If you put everything in one place, it is much easier to attack.
Basically, information was much safer in your desk drawer than when you have to pay someone to access your own data on the "cloud".
A step farther: data is safer on your home network than at a server farm, because at home you only have to worry about your kids, not some minimum wage employee with a grudge tampering with your information.

Posted by:

Eileen
02 May 2014

The problem with using a cell phone is the fact that after using my cell # for extra security, I started getting all sorts of unsolicited calls. Until companies stop selling our numbers, this isn't going to fly with many of us.

Posted by:

Marty
02 May 2014

Thanks for your excellent article.

Two-factor authentication is a great way to go---just as long---as it does not include biometric data such as fingerprints or retinal scans or anything else that a person cannot change.

The reason for this is that corrupt people and authorities may abuse this, because information amounts to power in many cases.

Posted by:

Marty
02 May 2014

Passwords don't have to be saved within the computer system. Instead the easy thing to do is to save the MD5 or SHA-1 hash of the password. Then whenever anyone logs on, they supply their password. A hash is made of the password and a match is made in the database of hashes (instead of stored passwords). It is so easy. It doesn't matter if someone breaks into the database and steals the hash codes---it wouldn't do them any good.

Posted by:

Carole
02 May 2014

I totally agree that more security should be offered to the public. Sometimes I wonder if companies don't give a damn about their customers. All they are thinking about is their own profits. They will do it any way they can to make an extra buck.

Posted by:

DanCovill
02 May 2014

I agree that passwords are a problem, but adding more rigmarole for the users doesn't seem like much of a solution.

Requiring two-factor verification is an excellent way to ensure that I will not visit your site or use your service.

And yes, I am an old fart!

Posted by:

RandiO
02 May 2014

I guess "onedeafeye" and myself may be the only two people left in the US that can live w/o a cellphone. Life w/o one has some minor pitfalls but since everyone else has got one already, I don't feel that even in an emergency I would really need my own. It just cracks me up to observe people coddle their phones in public.
Anyways, one of the pitfalls is the fact that I cannot be engaged in 2-Step (or 2Factor) Authentication process. Even Google warns users that a gVoice phone# should NOT be used for 2SA.
I am not preaching that we should go back to the IBM Selectric typewriters but 20+ character passwords work just dandy for me. My KeePass password safe tells me that I have over 500+ unique entries for passwords. I am way okay with using unique passwords for every site that I visit. I am also okay with using a unique email alias for each website that requires me to register. That is my version of 2FA for the immediate future and I don't feel threatened whatsoever!

Posted by:

Ross
02 May 2014

I did some clinical programming work for a major (top 1 - 2) pharmaceutical company some years back (1995-2000) and they required a Passkey generator number to be entered along with Username and Password at login to their system. They actually stopped using those after a few years but I don't know why.
I searched for the Passkey product before entering this comment but couldn't find it/any. It came in several hand key-fob or credit-card sized models and generated a 4 or maybe 6 digit number which was synced to a device on their system.

But my point is - that was (nearly) 20 YEARS AGO and they were using 2-factor verification.

Posted by:

RichF
02 May 2014

Had to laugh about the 'butt password'. If today was April 1, I wouldn't have believed it. Haha.

Posted by:

Ronile
02 May 2014

I have a cellphone, but all it does is make & receive phone calls - text feature off. And, I only turn it on when I go out. So, I guess I fall into the "old fartett" category.

If 2F verification becomes a must. I guess I'll be left out.

Now where did I put my Selectric?

Posted by:

Gilles
02 May 2014

In response to Marty, the vast majority of sites do store hashed passwords, not clear text. The trouble is if someone steals the hashes, it's very quick and easy with the tools available today to crack all the simple passwords by brute force. Weak passwords will be guessed by this method within minutes or even seconds, and only really strong passwords will stand up, at least for many days of attempted cracking. Most users don't use strong passwords.
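The storage trade-off discussed in the two comments above, as an added example that is not part of any commenter's post: a bare unsalted SHA-1 hash stored beside a per-user salted, deliberately slow PBKDF2 record. The function names, the record format and the iteration count are assumptions made for this illustration, and the accounts are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption for this example; tune to your own hardware

def weak_store(password: str) -> str:
    """Bare, unsalted SHA-1 as described in the thread: same input, same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def strong_store(password: str) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def strong_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; reject malformed records."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(dk_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def shared_hashes(table: dict) -> list:
    """Return groups of users whose stored value is identical (a reuse leak)."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

if __name__ == "__main__":
    # Constructed sample accounts: two users picked the same weak password.
    accounts = {"alice": "letmein", "bob": "letmein", "carol": "T7#qv-long-unique"}
    weak = {u: weak_store(p) for u, p in accounts.items()}
    strong = {u: strong_store(p) for u, p in accounts.items()}
    print("unsalted SHA-1, users sharing a hash:", shared_hashes(weak))
    print("salted PBKDF2, users sharing a hash:", shared_hashes(strong))
    print("alice logs in:", strong_verify("letmein", strong["alice"]))
```

With the unsalted scheme every account that uses a given password stores the same value, so one precomputed guess covers all of them; the salted record forces a separate, slow computation per account.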

Posted by:

Jenny St
02 May 2014

Hi Bob can u please explain one of the above comments (2nd May from Marty) as it seemed 2b a possible alternative to passwords that might work 4me...
'save the MD5 or SHA-1 hash of the password. Then whenever anybody logs on they supply their password.'
I'm a mum & a farmer with reasonable computer skills but have no idea what Marty is telling us we can do as a good alternative to 2SA
thanks Bob-really enjoy yr newsletters
yours Jenny :-]

Posted by:

Abinadi
02 May 2014

Fingerprint scans have proven to be problematical (probably because of dirty fingers or smudged scan screens). Actually, for me, the option that seems the best and most fool-proof and easily used is the retinal scan. My only question is why it's taking so long considering that virtually every tablet, smartphone and laptop has a camera already.

Posted by:

Lorraine
02 May 2014

Recently a friend lost his child living in another country. It has been an added nightmare for the family in trying to find out this person's accounts, insurance details etc. At one time statements for bank accounts etc. would be mailed out which helped leave a hard copy paper trail. Later, details would have been stored on a person's only computer. Now, people often have several devices but complicating things even more, this information now is often stored on the cloud, hidden behind passwords and accounts that loved ones often have no knowledge of. This has been a timely reminder for us all and any suggestions of a work around would be helpful. Eye scans etc. would make this more difficult too. Not only is there no knowledge of the accounts, if these were known of, access passwords are not known. I guess banks, insurance etc. are not obligated to front up with the information and wonder how much unclaimed money benefits these institutions.

Posted by:

Bob H
03 May 2014

My favorite is your ECG. The BioNym is to be released soon.
http://www.bionym.com/

Posted by:

RandiO
03 May 2014

@Ross >> those key fobs are still being utilized by some corporations for their employees who take laptops home. One brand is called "RSA SecurID" (www.rsa.com) and has an LCD display that rolls a new 6 digit numeric key code every 30 seconds.

Posted by:

MmeMoxie
03 May 2014

Bob, good article, that has also, generated some good debate!

I honestly think, in the "future", who knows how far though, passwords will not be used. I am not sure, what will be used, to access pertinent information, but, I do think, it will not be passwords.

As for now, the 2-Factor Authorization seems to be the "fashionable" trend. I say trend, since, it is not widely used, at the moment. I may have read this article wrong ... But, it seems to be mostly geared to the Mobile Phone user, not the Desktop user.

Someone, somewhere with a "simple" mind, needs to really come up with a bang-up idea, for both the Mobile and Desktop/Laptop users ... To have a method that is easy, for even the Newbies ... To access their personal or business computers/mobile phones/tablets, safely.

Bob, you are exactly point on, when you said, that most computer/cell phone users are lazy. They are, exceedingly so. They just want to get to the "business, at hand" and as quickly, as possible. This is why, I really think ... If ... Passwords will be a "thing of the past" ... It becomes paramount, that the "new" method of accessing our computers or communication devices, it has to be as simple as a password, but, with much better security levels.

Don't have the solution, to this issue, either. For now, I am trying to change my habit, of using the same password, everywhere I go. Must admit though ... So far, I have been mighty lucky ... I haven't been compromised, yet. (Knock on wood!!!) :)
