LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - News > Syndicated Linux News
User Name
Password
Syndicated Linux News This forum is for the discussion of Syndicated Linux News stories.

Notices


Reply
  Search this Thread
Old 04-07-2015, 06:51 AM   #1
LXer
LXer NewsBot
 
Registered: Dec 2005
Posts: 99,863

Rep: Reputation: 102Reputation: 102
LXer: Has the time come to kill the password?


Published at LXer:

How many passwords do you have? Probably more than you can easily remember or comfortably manage on your own. And Iím willing to bet that you dread coming up with new ones when you sign up for something online.Jonathan LeBlanc of PayPal is on a mission is to replace the password with something more secure and easier to use.read more

Read More...
 
Old 04-07-2015, 10:52 AM   #2
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
Why not use public key cryptography for authentication ?
http://winscp.net/eng/docs/public_key
http://the.earth.li/~sgtatham/putty/.../Chapter8.html
 
Old 04-07-2015, 11:22 AM   #3
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,031

Rep: Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076
I don't think there is a "one size fits all" replacement for passwords. No way we could do without them at my place of work, for example, where we us two-factor authentication as it is.

Last edited by 273; 04-08-2015 at 01:01 AM. Reason: Typo's.
 
Old 04-07-2015, 11:35 PM   #4
veerain
Senior Member
 
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524

Rep: Reputation: 319Reputation: 319Reputation: 319Reputation: 319
Passwords are simple, easy and great authentication mechanism. Those against may keep a electronic passbook or whatever. It is their problems/headache.
 
Old 04-08-2015, 04:35 PM   #5
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
Quote:
Originally Posted by veerain View Post
Passwords are simple, easy and great authentication mechanism.
Not a great authentication method, in fact very weak. Challenge response protocols using public key cryptography or symmetric cryptography provide strong authentication.
 
Old 04-08-2015, 04:53 PM   #6
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,031

Rep: Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076
I'm not sure I understand what "challenge response" is in this context?
Unless you're using a password you're using a data storage device with a public key on it. A key is the only way to lock anything.
 
Old 04-08-2015, 05:06 PM   #7
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
Quote:
Originally Posted by 273 View Post
I'm not sure I understand what "challenge response" is in this context?
Unless you're using a password you're using a data storage device with a public key on it. A key is the only way to lock anything.
https://en.wikipedia.org/wiki/Challe...authentication

A password provides weak unilateral authentication. More complicated protocols provide strong mutual authentication, which helps prevent a number of attacks.

Yeah, there is always a key, often derived from a password and salt. You could also keep the key on a storage device as long as it is secure.
 
Old 04-08-2015, 05:12 PM   #8
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,031

Rep: Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076
Ah, sorry, I see what you mean. I tend to think of "what I have to remember" as the "password" and while I know there are more secure ways of my supplying it, like my bank asking for certain digits, the "password" is still there and I need to know it.
So, yes, I agree that that kind of mechanism is more secure.
I'm just not sure how that helps the need to remember passwords which, to me, seems to be what everyone finds a problem with.
 
Old 04-08-2015, 05:23 PM   #9
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
Pass phrases seem to work pretty well and are easy to remember. You could also keep a USB stick with the key on it with you.

There are also other methods like one time passwords, and biometrics.

Biometrics have their own issues. Fingerprint scanners can often be bypassed using some clever techniques. Other biometrics are harder to fake, but also harder to obtain because you need expensive hardware.
 
Old 04-08-2015, 05:34 PM   #10
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,031

Rep: Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076
"pass phrase" and "password" are interchangeable -- they're a remembered series of characters.
One-time passwords require some kind of pseudo-random number generator either on the device you're trying to log on with (i.e. an Android app which generates numbers for your bank web site) or a separate token. Both of which mean gaining access to the physical device means gaining access to the protected system -- unless the device is protected by a password...
Or, protected by a biometric which, yes, as long as they're robust enough are at least difficult to forge or steal. They also have the benefit of not requiring a good memory. Certainly where violence isn't likely they seems a pretty good solution and I've even seen a lot of mention of them being "salted" in such a way that it's not possible to work back from the key to recreate the actual biometric data.
 
Old 04-08-2015, 08:55 PM   #11
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
Quote:
Originally Posted by 273 View Post
"pass phrase" and "password" are interchangeable -- they're a remembered series of characters.
Yeah, but a pass phrase is usually much easier to remember than something that must have a number, special character, upper and lower case characters. If it is long it is also usually stronger.
 
Old 04-09-2015, 12:55 AM   #12
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,031

Rep: Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076
Quote:
Originally Posted by metaschima View Post
Yeah, but a pass phrase is usually much easier to remember than something that must have a number, special character, upper and lower case characters. If it is long it is also usually stronger.
In that respect, yes, they often are. I think the old rules they employ that a number, capital letter and special character are silly but, then again, I also think not allowing them is silly. After all "Mary bought 2 large, white, donuts." must be moderately strong at least, for example.
 
Old 04-09-2015, 01:02 AM   #13
veerain
Senior Member
 
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524

Rep: Reputation: 319Reputation: 319Reputation: 319Reputation: 319
Quote:
Originally Posted by metaschima View Post
Pass phrases seem to work pretty well and are easy to remember. You could also keep a USB stick with the key on it with you.

There are also other methods like one time passwords, and biometrics.

Biometrics have their own issues. Fingerprint scanners can often be bypassed using some clever techniques. Other biometrics are harder to fake, but also harder to obtain because you need expensive hardware.
Even all current public accessible biometry is fakeable.

Keys for symmetric/asymmetric crypto can be derived from passwords. If password uses all ASCII printable characters a 20 character long password produces 128 bit of security. And the most basic, easy and simple way would be passwords only. As they use simple, basic and available keyboards. And get to have the security in mind of the user not in some hardware key which can be stolen.
 
Old 04-09-2015, 09:49 AM   #14
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 491Reputation: 491Reputation: 491Reputation: 491Reputation: 491
Quote:
Originally Posted by veerain View Post
Even all current public accessible biometry is fakeable.

Keys for symmetric/asymmetric crypto can be derived from passwords. If password uses all ASCII printable characters a 20 character long password produces 128 bit of security. And the most basic, easy and simple way would be passwords only. As they use simple, basic and available keyboards. And get to have the security in mind of the user not in some hardware key which can be stolen.
There was an article from Germany I believe, where in order to steal a biometrically secured car, a thief cut off the owner's finger.

There is also the possibility that if someone wants the password, they'll beat it out of you.

Instead, having your key stolen, isn't such a big deal, especially since you can revoke the key in a good cryptosystem (much like a stolen credit card).
 
Old 04-09-2015, 11:14 AM   #15
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,031

Rep: Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076Reputation: 2076
Keys are too easily lost, stolen and (generally) broken (physically) in my opinion. As mentioned we use two-factor authentication at work and, while that may justify the problems associated with smart cards, it means that our smart cards would simply be far to valuable if used alone. Bank tokens similarly would be too valuable to use alone. Think about how credit cards have PINs because if they didn't a piclpocket could easily wipe out your account before you get to the next station, for example.

Last edited by 273; 04-09-2015 at 11:17 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Wait for some time Then kill the process... g_paschoal Programming 7 07-26-2014 10:07 AM
LXer: How to kill a process in Linux - kill, killall, pkill, xkill LXer Syndicated Linux News 0 04-02-2013 12:01 PM
LXer: How to change the password remember time of sudo LXer Syndicated Linux News 0 02-20-2013 06:31 PM
LXer: Securing OpenVPN With A One Time Password (OTP) On Ubuntu LXer Syndicated Linux News 0 07-13-2011 07:40 AM
Some time to kill uselpa Slackware 2 02-09-2005 12:48 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - News > Syndicated Linux News

All times are GMT -5. The time now is 08:48 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration