The Login Explosion

I have fifty online logins, and I can't remember any of them.

What's my password? I can't use the same password for every website. That's not secure. So every password is unique and specific to that website. And what's my login name? Hopefully it's my email address, if the site allows that. But which email address?


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2006/03/the-login-explosion.html

“One particular pitfall is the idea that your fingerprint is a secure substitute for your password.”

But it’s not, and it says it’s not. In fact, you can’t use the Microsoft reader to log on to your machine or the domain. What it is, is a hotkey for logins. Your stated problem isn’t that you don’t have a secure method for signing on to a web site. It’s that you can’t remember all of your passwords. If you only used three web sites, you could probably remember them all.

So the problem, as you state it, seems to be a data management issue. So you create a database of logins and use some kind of index lookup; in Scott's case (and mine) we use a fingerprint reader. It looks at our fingerprint and the URL of the site we want to log into and does a lookup.

I suspect that most of the fifty websites that you have logons on do not really need to be secure.

Probably at least half of the websites that I have logon info on do not have any real security needs - they simply keep track of any preferences I have, which set of messages I’ve read, and what my sig should be for any messages I post.

If anyone else is able to logon as me, the worst they'd be able to do is post some embarrassing messages that look like they were from me. I'm not losing any sleep over that.

Of course it’s a very different story for sites that I actually perform financial transactions on or other things that require real authentication.

Unfortunately, that’s still a lot of websites.

But it’s not, and it says it’s not. In fact, you can’t use the Microsoft reader to log on to your machine or the domain. What it is, is a hotkey for logins.

Well, according to the Microsoft site, you can use it for fast user switching:

“Quickly switch between user accounts with your fingerprint, without logging out or closing programs and files.”

That’s not quite a login, but it’s awfully close.

So you create a database of logins and use some kind of index lookup; in Scott's case (and mine) we use a fingerprint reader.

All these so-called solutions make the problem worse. It’s yet another bit of hardware or software we have to set up, configure, and maintain.

At least with InfoCard, that bit of software is a single-click solution that becomes part of the OS. For Vista, XP, and even MacOS and possibly Linux:

http://news.com.com/2100-7355_3-6043360.html

For example, the panel discussion at MIX06 I saw yesterday had someone from the Higgins project as a participant (among others). Microsoft is actively pulling in outside groups, many of them traditionally hostile to Microsoft, to help design InfoCard.

Even if your password is really complex, it still doesn't stop the web site itself from handling your password in an insecure way.

I don't know how many times a web site has been able to send me my password through email when I forgot it. Not a new password, the same password I put into their system. This is insane. They should be storing my passwords with a one-way hash, which makes it much harder for a hacker if they were able to get in and obtain the database.
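The storage model the comment above is asking for, as an added example (this is not code from the original page or from any site it mentions): a per-user random salt, a deliberately slow hash, constant-time comparison, and a "forgot password" flow that can only issue a one-time reset token because no plaintext exists to mail back. The record format, the iteration count and the in-memory user store are this example's own assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Iteration count is an assumption for this example; pick it so one hash
# costs tens of milliseconds on the server, which makes offline guessing slow.
ITERATIONS = 100_000

USERS = {}          # username -> hash record (constructed, in-memory store)
RESET_TOKENS = {}   # username -> sha256 hex of an outstanding reset token


def hash_password(password):
    """Return a self-describing record: pbkdf2-sha256$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh per user, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2-sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register(username, password):
    USERS[username] = hash_password(password)


def login(username, password):
    record = USERS.get(username)
    return record is not None and verify_password(password, record)


def start_password_reset(username):
    """The only honest 'forgot password' flow: the site holds no plaintext, so it
    mails a one-time token and lets the user choose a new password. Only a hash
    of the token is kept, so a copy of the database cannot redeem it."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return token


def finish_password_reset(username, token, new_password):
    expected = RESET_TOKENS.get(username)
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return False
    del RESET_TOKENS[username]          # single use
    USERS[username] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("jeff", "Altamont1")       # constructed sample credentials
    print(login("jeff", "Altamont1"), login("jeff", "altamont1"))
    print(USERS["jeff"])                # no plaintext anywhere in this record
```

A site built this way can never email the original password, because it does not have it; the best it can do on "forgot password" is what `start_password_reset` does. Note also that two users with the same password get different records, so a stolen database does not reveal shared passwords either.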

I do log into my machine with the Microsoft Finger Printer reader…

Indeed. I once gained access to many of my fellow pupils' email addresses at school by making a signup where they entered a username, email and password. Needless to say, all but one used the same password for their email. Not that I did anything malicious, mind you; I just highlighted the point to them.

I know it’s just part of the problem, but KeePass is awesome. Especially when sharing accounts (banks) with others (wife).
http://keepass.sourceforge.net/

Oh, and here’s one for all the pesky sites you DON’T want to log in to.
http://bugmenot.com/

Of course, I’m sure most people have heard of these…

Got to go with the previous comment re: KeePass.

It is certainly a neat little solution to the ream of passwords problem!

One of the biggest failings of the MS Fingerprint reader from a usability perspective is that you can’t export/import your password/URL lists.

When Scott uses TrueImage to reimage his PC, he will have to start all over again registering passwords against his fingerprint.

However, like him, I’ve taken the attitude that for a home PC the risk is small enough. After all, someone could get in with a boot disk regardless if they really wanted to.

And in the end, I am fairly certain I am better off fast-switching between my admin and non-admin account with a fingerprint reader than working online as an admin.

Other odd shortcomings: 1) the reader gets dirty really quickly even with regularly washed hands - keep a roll of sellotape handy, as you'll need to use some every day or two; 2) it isn't designed to work with the 'Run As' dialog, which has an extra option button to select to activate the credentials fields.

I have to admit I do not go as far as to use it to remember the password for online banking, but most other websites are not that critical.

I use Firefox for pretty much all of my browsing and it has a nice “master password” option for saving username and password information for most sites. The usernames and passwords are still safe as long as I close down the browser after each time I connect to a controlled website and I can still use different passwords on each site.

For the most part, this works pretty well, but there are still a few secure websites that don’t seem to be picked up by the browser as capable of being saved. For these, I just use a gpg encrypted local text file that I can quickly view whenever I forget the login/password.

The InfoCard system from Microsoft sounds quite a bit like PAM (Pluggable Authentication Modules) for Linux/unix: http://www.kernel.org/pub/linux/libs/pam/

There's a variety of deterministic password generators out there, one of which I use. It just MD5s your mistress password with the URL and gives you the first few letters. Not wildly secure, but very easy. I swiped one from http://labs.zarate.org/

For secure stuff I use a GPG'd file, and for some stuff I use the Schneier method - a post-it on my monitor (so anyone stealing the password has to have already broken into my room and possibly also house…)
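The deterministic scheme the comment above describes, as an added example (not the commenter's script from labs.zarate.org, whose exact concatenation order and output length are unknown; both are assumptions here), together with the practitioner's caveat about it: because MD5 is fast, anyone who learns one of your generated site passwords can run the same generator over a wordlist and recover the master password offline. The second function shows the same idea with a slow KDF and the site name as salt, which turns that attack into a slow guessing game.

```python
import base64
import hashlib

# Assumption for this example: the generator concatenates master + site and
# keeps the first `length` hex characters of the MD5 digest.


def weak_site_password(master, site, length=8):
    """The scheme as described in the comment: truncated MD5(master + site)."""
    return hashlib.md5((master + site).encode("utf-8")).hexdigest()[:length]


def recover_master_offline(candidate_masters, site, leaked_site_password):
    """The caveat: given one leaked site password, re-run the generator over a
    wordlist. At MD5 speed this is millions of guesses per second on a laptop.
    Returns the recovered master password, or None if it is not in the list."""
    n = len(leaked_site_password)
    for candidate in candidate_masters:
        if weak_site_password(candidate, site, n) == leaked_site_password:
            return candidate
    return None


def stronger_site_password(master, site, length=16, iterations=100_000):
    """Same user-facing behaviour (deterministic, per-site), but derived with a
    slow KDF salted by the site name, so one leaked site password gives an
    attacker only `iterations` hashes per guess at the master. Output is
    base64 so the truncated password keeps more entropy per character than hex."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site.encode("utf-8"), iterations)
    return base64.b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse"            # constructed sample master password
    leaked = weak_site_password(master, "codinghorror.com")
    wordlist = ["password", "letmein", "correct horse"]   # constructed wordlist
    print(leaked, recover_master_offline(wordlist, "codinghorror.com", leaked))
    print(stronger_site_password(master, "codinghorror.com"))
```

Two further things worth noticing: eight hex characters is only 32 bits, so the site's own stored hash of that password is brute-forceable regardless of how strong the master is; and any deterministic scheme, fast or slow, has no way to rotate one site's password after a leak without changing the master or adding a per-site counter to the input.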

Jeff, maybe if you stopped drinking so much, started eating more fish, and worked on some memorization techniques, you could remember all your passwords.

Or not.

Having not used this technology, I'm curious as to how strict it is in matching, in certain instances where your fingerprint may become temporarily defaced, i.e. by some sort of cut. And if it's not very strict, then how secure could it possibly be? Take it a step further: what happens when you get in some sort of accident and mangle your finger pretty severely, or lose it altogether? There would need to be some sort of backup means by which to bypass the system so you don't forever lose access to your own account. Then, of course, that would raise other vulnerabilities in the system.

I feel you on all of the online identities and such. I was just writing about my solution, KeePass, at my blog (this article – http://lumpyscorner.com/TidBits/?p=23). It is free, encrypted and open source.

It resides on my thumbdrive and I keep a paper backup at home in my lockbox.

As for “which email address”, I use a catch all for my domain and use the name of the website I’m at as the id. Thus, codinghorror.com at jdanielsmith |dot| org.

Iris scans will never be popular. High quality images of many famous and important people are already available, and usually of high enough quality to defeat an iris scanner.

Any decent 5-megapixel camera will solve the problem for less popular people.

After all, when was the last time someone got a good face shot of you? Did you object? Did you even think about objecting?

Nope.

That key is already well into the public domain - and hey, since the scanners from 5 years ago were reported to work from behind a two way mirror from over 5’ away, I’m betting that you REALLY don’t want to depend on the privacy of your eyeballs for any type of security or identity proof.

It would kill most debit card fraud if the ATMs and keypads at stores had fingerprint readers in them to combine with yer PIN code. Really tough to grab and use that information en masse with a skimmer and camera (OK, you might be able to get the prints, but it would take longer than preferred to fabricate 1000 jujube fingers, and look REALLY funny at the ATM).

just using passwords and no usernames

Password and username is still single factor, so it doesn’t matter if they are two textboxes or not. Conceptually you can think of them as a single string, eg…

username: Jeff
password: Altamont1

== equals ==

login: Jeff/Altamont1

And both are “things I know”, in the possible realm of…

  1. Things I am
  2. Things I have
  3. Things I know

If I was using a smart card in addition to a password/username, that would be more secure.

I hope this doesn't come off as a plug, but I use SecretServer, though I'm impartial since I had part in development. To me, what other products lacked is that I needed to have something with me to get access to my passwords. Secret Server allows me to share my passwords with my wife and kids, with online management (no USB keys/sync issues).

I would suggest looking at it and seeing if it could help you as well. It's free for just one user.
http://www.thesecretserver.com/

"As for "which email address", I use a catch all for my domain and use the name of the website I'm at as the id. Thus, codinghorror.com at jdanielsmith |dot| org."
My brother did that for a long time, and when he moved out and I effectively took over control of the connection I considered doing the same. However, he said that he didn't get that much spam. I did it for a short while, and I didn't get anything that doesn't already get filtered out for me. So I deemed it unnecessary.
But then again, different horses for different courses. Depending on where you sign up (no, I'm not referring to porn necessarily, I'm referring to popular websites that may post your email in a harvestable manner) will signify who ends up with your email.