The biggest problem with passwords

When the person forgets the password to $300,000 of bitcoin locked in a password-ed zip file.

https://arstechnica.com/information...0-of-bitcoin-from-an-old-zip-file/?comments=1

I got **** for this before, but I can't imagine passwords being the primary method of authentication in the future. Similar to how credit cards are now proximity cards, I can't believe that passwords, being as primitive as they are, will be a method of authentication in the future (backup authentication, probably). It may be past my lifetime, but passwords are becoming so incredibly cumbersome and primitive, and with government oversight becoming more and more involved due in part to corona (socialism, at least in the US, free money), I can't see how the planet wouldn't move to modern authentication, meaning iris or fingerprint, for more major applications, for better or worse, and in at least my view for the worse. Beyond my generation or a few generations beyond me, they won't know the difference.

The proof is in the pudding: we've already moved away from passwords and even pass codes in mobile devices towards facial recognition, iris recognition, and fingerprint recognition. For all I know, fingerprints may be a backup authentication method and iris may be the primary.

I can already see future generations saying, "Wait, what? You used lovemypassword1234 to get into your tax account? We just use the fingerprint module built into our device to authenticate, and then Apple sells that information to China and Facebook."
 
We just use the fingerprint module built into our device to authenticate, and then Apple sells that information to China and Facebook.

Which is precisely why many have deep, deep, deep reservations about biometrics. Once that data is sold, stolen, or whatever and can be piped directly in to unlock something, what then?

I don't use biometric verification because I don't trust what those who hold that data might do with it.

And if it becomes easy to send this information to anyone, at any time, it entirely loses its ability to be a secure verification. Perfect digital copies would make it useless (or, even worse, even more useful for getting at things).
 
Which is precisely why many have deep, deep, deep reservations about biometrics. Once that data is sold, stolen, or whatever and can be piped directly in to unlock something, what then?

I don't use biometric verification because I don't trust what those who hold that data might do with it.

And if it becomes easy to send this information to anyone, at any time, it entirely loses its ability to be a secure verification. Perfect digital copies would make it useless (or, even worse, even more useful for getting at things).

Who exactly is many? Every single person I've ever met who had an iPhone solely uses biometrics for authentication across the board whether it be to unlock the phone or to purchase something from the app store or other purchases that support biometrics. Bank of America allows biometric authentication to get directly into their app.
 
Who exactly is many?

https://duckduckgo.com/?q=Is+biometric+verification+a+long+term+security+risk

Or choose your own search engine and search terms related to risk/risks and biometric verification. The application of straight logic would allow someone to come to the conclusion that the ability to perfectly digitally duplicate any individual's given biometric markers would raise a security concern. And those markers are being stored digitally.

Just like many are willing to give away every bit of their privacy in other ways to gain convenience, this is but another one. There are plenty of legitimate concerns whether you share them or not.

I'll be sticking with passwords/codes/phrases, thanks.
 
the ability to perfectly digitally duplicate any individual's given biometric markers would raise a security concern. And those markers are being stored digitally.
This. If anyone got a hold of the actual biometric data, that person would be screwed. You can change a password, but you're stuck with your fingerprints. All biometrics does is assign a number value (like a password) to your fingerprint and does a comparison using those numbers. If you were to feed it those numbers, you could unlock it without having to have the actual fingerprint.

As soon as there's a major breach of biometric data people will start to rethink this "genius" idea.
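An added illustration of the point in the post above (not code from this thread): a password is stored as a salted one-way hash and checked for an exact match, while a fingerprint template has to be kept in a comparable form and matched fuzzily, so a stolen digest can be retired by rotating the password but a stolen template has no equivalent. The 16-bit "templates" and the error threshold are constructed toy values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not code from this thread. It contrasts how a password and a
# fingerprint are stored and checked, which is why one can be replaced after a
# breach and the other cannot. The 16-bit "templates" and the error threshold
# are constructed toy values; real templates are far larger.

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow, one-way hash: the stored value does not reveal the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Exact match on the derived hash, compared in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")

def verify_biometric(sample: int, template: int, max_errors: int) -> bool:
    """Fuzzy match: a live scan never reproduces the enrolled template exactly,
    so the verifier must keep the template itself in a comparable form (not a
    one-way hash) and accept any sample within a distance threshold."""
    return hamming(sample, template) <= max_errors

def demo() -> dict:
    salt, digest = hash_password("lovemypassword1234")
    enrolled = 0b1011001110100101                 # constructed enrolled template
    same_finger = enrolled ^ 0b0000000100000010   # 2 bits of sensor noise
    other_finger = enrolled ^ 0b0111110000011111  # 11 bits apart
    new_salt, new_digest = hash_password("a new passphrase")  # rotation after a breach
    return {
        "password_ok": verify_password("lovemypassword1234", salt, digest),
        "password_wrong": verify_password("lovemypassword1235", salt, digest),
        "scan_ok": verify_biometric(same_finger, enrolled, max_errors=3),
        "other_finger_rejected": not verify_biometric(other_finger, enrolled, max_errors=3),
        # The old digest is now useless to whoever stole it; the enrolled
        # template has no equivalent, because the finger it describes cannot change.
        "old_digest_retired": not verify_password("lovemypassword1234", new_salt, new_digest),
    }
```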
 
You can change a password, but you're stuck with your fingerprints.

This.

And if you create a lengthy portmanteau password/phrase the probability of it being cracked is so close to zero as to be zero. A well-constructed (and that's not hard) password that's not shared with anyone, and where any recording of same is kept secure, still works, and works well.

The main problem with passwords is that people were never taught how to create secure ones that they could remember, and thus, used things like 1234 and similar. Those are useless. 1267LamermoorTechnibble$ is not at all easily "crackable," via any means and if your first address was 1267 Main Street, your first address as an adult living on your own was on Lamermoor Drive, and $ is your special character, and only you know where you place each in a portmanteau, well, good luck to those trying to crack that!
 
Anyone in the security industry already knows this: biometrics are wonderful 2nd factors for authentication, but they cannot be used as primary factors, precisely because once the digital hash is stolen, you can't just change a fingerprint to make a new one.

Passwords are still terrible primary factors too... but far more useful than biometrics.

P.S., if you're a phone user that secures your device with your fingerprint... you're an ABSOLUTE IDIOT.

In the US, cops can access your phone via forced imprint LEGALLY without a warrant. But if you have a password on it, they have to get a warrant, but even then they cannot force you to cough up a pin or a password.
 
1267LamermoorTechnibble$ is not at all easily "crackable,"
Perhaps not, but a passphrase is much easier to remember and much harder to brute force. Everything we've taught people about password security is WRONG. We should NOT be enforcing BS like "use a number, special character, capital, and make sure it's 8+ characters long." We should be encouraging the use of long passphrases, and blocking out the characters when you're entering a password shouldn't even be a thing. I mean, the quote in my signature would be a really strong password:

"There is no wrong way to fantasize" - Princess Celestia
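An added worked example, not code from any post, that puts rough entropy figures on the passwords quoted in the portmanteau post and the passphrase post above, to show why length dominates the "one upper, one digit, one symbol" rules. Assumptions are mine: an attacker who knows the alphabet in use (or, for the passphrase, knows it is a sequence of words from a 7776-word Diceware-sized list), testing 1e11 guesses per second offline; the 9-character rule-compliant sample is constructed.

```python
import math
import re

# Added example, not code from any post in this thread. Assumptions (mine):
# the attacker knows which alphabet is in use, or knows the secret is a
# sequence of common words from a 7776-word (Diceware-sized) list, and can
# test GUESSES_PER_SECOND guesses per second offline.

WORDLIST_SIZE = 7776
GUESSES_PER_SECOND = 1e11

def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet containing every character."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation plus space
    return size

def charset_bits(pw: str) -> float:
    """Entropy if every string over that alphabet is equally likely."""
    return len(pw) * math.log2(charset_size(pw))

def passphrase_bits(word_count: int) -> float:
    """Entropy of a passphrase when the attacker knows it is word_count
    words from the list and guesses word combinations, not characters."""
    return word_count * math.log2(WORDLIST_SIZE)

def years_to_crack(bits: float) -> float:
    """Expected years to search half the space at GUESSES_PER_SECOND."""
    return 2 ** (bits - 1) / GUESSES_PER_SECOND / (365 * 24 * 3600)

SAMPLES = {
    "rule-compliant 9 chars (constructed)": "Pa55w0rd!",
    "first post": "lovemypassword1234",
    "portmanteau post": "1267LamermoorTechnibble$",
    "signature quote": "There is no wrong way to fantasize - Princess Celestia",
}

def report() -> dict:
    """{label: (bits, years)} for each sample, rounded for display."""
    return {label: (round(charset_bits(pw), 1), round(years_to_crack(charset_bits(pw)), 2))
            for label, pw in SAMPLES.items()}
```

Calling report() shows the 9-character rule-compliant sample falling well under a year while the 24-character portmanteau is out of reach, and passphrase_bits(9) gives the word-level figure for the signature quote.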
 
The current rules for passwords don't work well, that's for sure.

But I have no problem with rules that are easy to conform to but have a required minimum length. Like I have said many times, a personal portmanteau is dirt simple for the person using it to remember. The majority of it becomes "muscle memory" to type in. I only pick the portmanteau style I have because there are just too many sites that require at least one uppercase and lowercase character, at least one digit, and at least one special character.

I'm working within the constraints currently imposed, and unlikely to disappear. I don't think that those constraints, by necessity, result in a more secure password. But it's easy to create one within those constraints with a personal portmanteau where all the fixed elements are in precisely the same relative locations and the variable part is inserted in the same spot each time. Length is a better determiner than all else with regard to ability to easily crack a password provided someone doesn't, say, use their own name and address, which is easily guessed. Passwords still have to not be able to be easily guessed by anyone but the person using them. That's how I came up with "my system" in the first place; the resulting password/phrase is incredibly simple for one person, the one who created it, to either remember or, if they forget it, to make educated guesses at, while no one else in the world could.
 
I tell clients when I book appointments to have all their passwords ready to go; many seem shocked. I'm reconing your Outlook and you need it, or else I become the most expensive password resetter on earth. Bam!
 
you need it, or else I become the most expensive password resetter on earth.
I've just given up on my clients. They have the password written down/memorized maybe half the time and 99% of the time it's wrong. I'm not just talking about Outlook here, I'm talking about literally everything that has a password. I just assume they don't have the password and work from that assumption.
 
I have finally accepted that most people simply do not keep a record of passwords anymore, whether on paper or using a password manager. And as @sapphirescales indicated, I work from that premise.

And, like @callthatgirl I am very frequently the world's most expensive password resetter.

One of the reasons I utterly despise "password memory" in browsers in particular is that it pretty much ensures that no one is going to remember a blessed one of them for those accounts, and there are clients who have their browsers remember their passwords for online banking. The minute they forget that laptop in an airport, coffee shop, . . . For all the emphasis on security this feature is one of the biggest potential breaches out there.
 
Double true if you use Firefox, because you can open those saved passwords up and reveal them at a click.
 
Eh, two-factor authentication has worked wonders for me personally. No matter how well your password is crafted, and how many millions of years it would take to brute force it, some company somewhere will store it in an unencrypted database, or use weak hashes, or their server will be the victim of a zero day, and it'll be posted for all to see.

I’ve had passwords leaked in a few high profile data security incidents and the only thing that saved me was having 2FA enabled on all my accounts that I feasibly can.

Using biometric data will be the same, someone will gain access to the hashes, same old story.

SMS based 2FA can be defeated with a bit of know how, but as far as I know app based is pretty hard to beat. It’s not a perfect solution but it does make it much harder to get access.
 
I've used the portmanteau method for years now, even though I would prefer to move to passphrases. The problem is many sites still don't support it. In fact, the more important the data is (Banks, Brokerage houses, payroll companies, I'm looking at you) the more likely it is they are still using 1980s rules for passwords. It's maddening. Until companies are forced to make more modern passwords available for use, we'll never move forward.
 