Google joins FIDO's crusade to replace passwords

Discussion in 'privacy technology' started by ronjor, Apr 24, 2013.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,776
    Location:
    Texas
    http://news.cnet.com/8301-1009_3-57581088-83/google-joins-fidos-crusade-to-replace-passwords/
     
  2. Rowmon

    Rowmon Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    10
    This is great news for privacy.
    Awful news for anonymity.
     
  3. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    534
    How is this good for privacy? This is BAD for privacy and anonymity.
     
  4. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    "including biometrics such as fingerprint scanners and voice and facial recognition". But of course Google would think of these things. Hey, Google, intend to pay for these fingerprint scanners and special hardware/software for end users? How about the millions of websites that would have to implement it? You plan on paying for that as well? Passwords aren't broken, they just fell victim to the disease that plagues all end users, laziness.
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Well said! The issues are human sourced. Bad code, bad habits, sloth, the list goes on.

    Google can add my biometrics to their databases of personal information.:thumbd:


    Are there no laws against invasion of privacy?
     
  6. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Most websites ask for passwords between 6 and 20 characters, my password for Skype is 20 characters, my bank asks for 12 characters. Websites have to modify their products to accept passwords with 32-50 characters. My password for KeePass is 50 characters and 291 bits. Modifying all existing products would cost websites money for programmers, it would be cheaper to get the end user to pay for additional hardware.
     
  7. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Which you better come with some fantastic talking to get the public to do. That's the biggest problem, someone is going to have to pay for this stuff and unless it's the very big players (who are a tiny portion of the entire net), it's not likely to be the websites footing the bill.
     
  8. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,285
    Once I knew Google had their own space program, I came to the conclusion that they can do ANYTHING they want to. It's an empire. I'm not saying that's good or bad, but spending money on hardware for this user profiling system, seems like something they could do with a finger snap.
     
  9. Rowmon

    Rowmon Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    10
    I just assumed that this would make your accounts impossible to hack and eliminate the man-in-the-middle = privacy? However, you will always be identified as the same person = no anonymity.

    Maybe I'm thinking wrong, but then again I don't fear Google. I fear malicious users.
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Someday soon I suggest we READ and UNDERSTAND Google's privacy policy.
     
  11. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    Can you name the last successful attack using brute force?
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,776
    Location:
    Texas
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Makes it sound privacy friendly, doesn't it? Anyone buying that?
     
  14. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    I assume it's just a matter of time before everything works based on iris scans, facial/voice recognition and fingerprints. Maybe 20 years from now when you go buy gas or anything they will recognize you, scan your eyes for verification and deduct the necessary funds from your account. Like Minority Report.
     
  15. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Nope, not for a minute.:thumbd:
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    No matter how good the biometric devices might be, there's no way I'll believe that all of the software they need to function is exploit proof. What this will do is greatly increase the cost of failure. Exploit a vulnerable part of that software and an attacker gains access to everything that uses it. If reusing passwords is bad, how can this be good?

    I'm not only not buying it. I'm refusing to use it and won't add any device with such abilities to my system or network.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It's easy for end users to deal with passwords via managers, etc. The problem with passwords, and why they are always called 'broken', is more due to LDAP and Pass The Hash attacks, where hardware tokens are far more secure.
     
  18. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    No such thing as absolute security and any effort to make security and privacy convenient usually ends up making it much easier for the attacker as well. Even if you could build some kind of consolidated system, I wouldn't trust it. Diversity is your friend. Besides, users are at enough risk already. Even if you change passwords and security questions/answers religiously, there is always the chance your data could be exposed. We just had another plain text exposure last week. If companies can't secure the servers they are already using, how exactly are they going to pull this off?
     
  19. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    It's okay, I can just cut off your thumbs at the ATM or in your home to hack into your things, hey it could be months before anyone missed you right? I could store the thumb in cold storage for whenever I need it. Which is why this system is dumb, and if it ever became mandatory, well goodbye internet.
     
  20. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    From the FIDO Alliance's site, this appears to be just a draft for a public key cryptography method of authentication, and nothing else... I'm not saying that it is a wrong idea, but why is this considered something new?
     
  21. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    It's hard to say how new/novel, if at all, their design is without detailed documentation. Earlier this year I carefully read all the public info at the FIDO Alliance website. It appears to me they've since changed their website and I don't see similarly detailed descriptions any more. FWIW, older copies of the "How it works" page are still available:

    http://web.archive.org/web/20130317011249/http://fidoalliance.org/how-it-works.html

    but I believe there was another page with descriptions and I can't find older copies of that one. I briefly commented on the subject back then:

    https://www.wilderssecurity.com/showthread.php?p=2228608#post2228608
    which touched upon what may be one twist that isn't inherent to public key cryptography based authentication... a design built around hardware embedded/derived tokens, which can help or hurt security depending on implementation and context. There was also mention of an Internet repository (IIRC, multiple repositories were mentioned somewhere) for registering tokens and that was a hmmm. I believe there was also mention of utilizing encryption which would be resistant to local machine compromise (and therefore possibly end user monitoring).

    I thought the descriptions I saw back then were fuzzy, and I don't know where their plans/designs stand now. Has someone found recent descriptions worth studying? Perhaps some would still say we've seen such techniques and combinations thereof before. Either way, though, it smells as though there will be something new as in "newly available implementations" being pushed out by these and other players.
     