Why your next 'Passw0rd' might not be a password

Discussion in 'privacy technology' started by ronjor, Sep 25, 2012.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

  2. happyyarou666

    happyyarou666 Registered Member

    thanks for the article ronjor as usual

    nonetheless I still think appropriate passphrases are yet your best bet, all things considered, especially since even these new "high tech" authentication methods still have the same weakness... they can be copied, well, except for the behavioral authentication methods with dots in a puzzle; that would kinda be like passphrases, and that would be a nice way to have 2 factor authentication

    reason why you never ever store sensitive passphrases, yes I said it, phrases not words, in an offline database for example KeePass, then there's no one that can simply just hack your passphrases like that, given there's been according privacy countermeasures taken in advance, reason why I've moved from online to offline database as mentioned, and you're safe, and the real sensitive ones are always recommended to be memorized with some sort of pattern that wouldn't even be able to be cracked from your brain even under torture, depending on where you live and what threat level you're working with and what your private data is worth to you ;)
     
    Last edited: Sep 26, 2012
  3. Thanks for the article.
     
  4. EncryptedBytes

    EncryptedBytes Registered Member

    The weakness with biometrics, at least in 2012, is they are too literal. They take the "something you are" to the extreme and most currently do not account for changes in that metric, be it biological or environmental. Because of this they usually are used in conjunction with other authentication controls.

    While just the password may be leaving us, it won't be phased out for a long time to come, and not just due to financial reasons. For those in cybersec currently, you should be seeing the rise in corporate environments, government agencies, and financial institutions of two and three factor authentication, be it a password used in conjunction with a smart card loaded with public/private keys, or a password tied to an OTP token sent through another communication tunnel, or even GPS coordinates.

    Example: to log into site X you need a password and a mobile phone that receives an SMS text with your OTP; additionally you will have to be within your targeted GPS region and/or biometric match.

    However you can still argue the user is the weakest link in this case, and that all comes down to what you are trying to protect. Is your LinkedIn account worth implementing 2-3-4 factor auth? Probably not. Is your financial institution? etc.

    Also keep in mind you could have the most secure password in the world on site X, but reused it several times on sites Y and Z, which keep their DBs in plaintext or use weak hashing algorithms, and your password is simply another addition on a word list.
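An added example, not part of EncryptedBytes's post or the linked article: it contrasts the unsalted fast hashing the post warns about with salted, slow storage, and shows screening new passwords against a word list. All function names and the sample word list are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample standing in for a word list built from earlier leaks.
LEAKED_WORDLIST = ["Passw0rd", "letmein", "correct horse battery staple"]

def weak_store(password):
    """Site Y/Z style: fast, unsalted MD5, so every user with the same
    password gets the same stored value."""
    return hashlib.md5(password.encode()).hexdigest()

def strong_store(password, rounds=200_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest

def strong_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, rounds, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

def recoverable_from_wordlist(stored_hash, wordlist):
    """Storage audit: an unsalted hash is one table lookup away from any
    word already on a list; the table is built once and reused for all users."""
    table = {weak_store(word): word for word in wordlist}
    return table.get(stored_hash)

def reject_known_password(candidate, wordlist):
    """Screening at password-set time: refuse anything already on a word list."""
    return candidate in set(wordlist)

if __name__ == "__main__":
    reused = "Passw0rd"
    print("unsalted hash recovered as:",
          recoverable_from_wordlist(weak_store(reused), LEAKED_WORDLIST))
    a, b = strong_store(reused), strong_store(reused)
    print("salted digests differ per user:", a[2] != b[2])
    print("reject at signup:", reject_known_password(reused, LEAKED_WORDLIST))
```

Salting and a slow KDF remove the precomputed lookup and raise the cost of each guess, but a password already on a word list is still guessable, which is why the screening step is kept separate.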
     
  5. LockBox

    LockBox Registered Member

    The consumer fingerprint password applications are easily broken. I've seen videos where Silly Putty was used to fool a fingerprint scanner on an HP laptop.
     