Passwords “are starting to fail us”, says PayPal security chief

Discussion in 'other security issues & news' started by SweX, May 11, 2013.

Thread Status:
Not open for further replies.
  1. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    http://www.welivesecurity.com/2013/...arting-to-fail-us-says-paypal-security-chief/
     
  2. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    So if passwords are failing, why does he go on to say what should be known, that passwords haven't themselves failed, people are just stupid? That's the answer right there. Lots of technologies and things in general are fine until people as a whole get a hold of them. It isn't the fault of the password if some idiot uses the name of their cat or rolls their face across the keyboard. There aren't any financially feasible or easier ways, there are no safer, more secure ways that won't end up costing something else like privacy and the industry knows it.

    Hell, many breaches don't occur because of bad passwords, but because of badly secured databases and websites. Otherwise, pray tell how the hackers get a hold of these password databases to copy. I've heard this same song and dance from more than just this guy, and every leader of the known world could get on TV and repeat it and it would still be bull.
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I have rarely seen such a collection of inept ideas in such a short article.
     
  4. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Yeah, it's a bunch of crap. But it's from..*chuckle*..Paypal security. Surely their expertise is invaluable. Of course passwords IT departments consider strong are vulnerable. A good portion of them use the same damned idiotic password naming. I've also noticed that a lot of "warning" articles in the last couple of years have made it a point to use "90%". Hooray for reaching deep into your rectum and pulling numbers out. I don't even take that percentage seriously anymore or those who throw it around. Passwords impeding the development of the internet, huh? Oh yes, out of all the things slowing down progress, passwords are the biggest threat :rolleyes:

    Why are people like this given these kinds of jobs in companies?
     
  5. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    547
    Location:
    USA Southwest
    It's no longer about what you know, but who you know.
     
  6. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    There has never been a time when that didn't apply to an extent.
     
  7. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    I think this is the key part of the article:

    Obviously it's in his best interest to talk down the strength of passwords.
     
  8. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I don't know what to say, other than I wonder if my comment will pass moderation. It includes ~ Snipped as per TOS ~, selling his ideas, GTFO, incompetent fool, and you can't fix stupid like this, all directed at Mr. Barrett.
     
    Last edited by a moderator: May 12, 2013
  9. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
I knew JR was on the way :D But yeah, I completely agree with you, JL. This FIDO group has decent enough intentions, but you know what the road to Hell is paved with. Plus, none of their suggestions so far are feasible or worth the cost and hassle for either websites or users.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    They look like outright lies to me.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    Regardless of how flawed their arguments may be, the fact remains that numerous powerful corporations are banding together in an effort to design a new global, Internet-centric, system for login/authentication. This could have, over time, significant consequences for us all. Not only is there potential for security weaknesses, there is potential for *catastrophic* privacy consequences.

    Imagine, for a moment, if the system actually did become a very widely supported standard... all the major sites we visit use it... and its operation revolved around a globally unique, device hardware embedded (or derived) token that would be passed to all of those sites where you create an account. Theoretically, said token could even be passed to those sites you merely visit. Such a token would be akin to a cross-site hardware cookie... all sites would see the same globally unique ID (regardless of how you connected to the site, for example via VPN) and that would make tracking, correlating activity across sites, exchanging/linking personal information to that activity, etc extremely trivial. You could even call that an automatic by-product of the system's design. A generally unnecessary one from the security POV I would say, but a very highly desirable consequence from the POV of companies *wanting* to do such things.

    The FIDO Alliance has a website (http://www.fidoalliance.org/) which includes some overview material: http://www.fidoalliance.org/how-it-works.html. I see some red flags. Do you? Has anyone come across more detailed information to help assess this thing?
     
  12. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    More about this here: http://arstechnica.com/information-technology/2013/05/paypal-exec-aims-to-obliterate-passwords-from-the-face-of-the-planet/

    From the article:
Can someone explain to me how this is different from the two-factor authentication that is implemented now? :rolleyes:
     
  13. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    What's different is how they want to make it a unified standard, with many sites using the same system of authentication. The way it is now, only a handful of sites use 2FA, and they have different systems so it's not all tied together.
     
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
Various systems already exist, but let's focus on the common man case for a second...

    - Baseline security involves "something you know", namely a password that gets sent to the website for validation.
    - Enhanced security comes via "something you have", such as a phone that can receive a special code.

    It looks to me as though the FIDO system basically reverses that to be...

- Baseline security involves "something you have", namely a hardware embedded/derived "token", and information from that ("a globally unique token id and a user identifier") is sent to the website for validation.
- Enhanced security comes via "something you know" (password) or "something you are" (biometric), and these are supposedly only used locally to unlock the token so that its information can be sent to the website.

    Edit: There is more to it than that, so do read what you can at the FIDO website, etc.
     
    Last edited: May 13, 2013
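The token model described in this post, together with the cross-site tracking concern raised earlier in the thread, as an added Python illustration (not code from FIDO or from anyone in this thread). The token class, site origins and PIN are constructed for the example, and a shared MAC key stands in for the signature a real token would produce:

```python
import hashlib
import hmac
import secrets

# Added illustration, not FIDO's protocol: a simulated token unlocked locally by a PIN,
# answering a site's challenge. "global" sends one token id to every site (the thread's
# worry); "per_site" derives id and key from the device secret plus the site origin.
class SimulatedToken:
    def __init__(self, scheme, pin):
        self.scheme = scheme
        self.device_secret = secrets.token_bytes(32)   # never leaves the device
        self.global_id = secrets.token_hex(16)         # device-wide identifier
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.unlocked = False

    def unlock(self, pin):
        # "Something you know" is checked on the device only; the PIN is never sent.
        self.unlocked = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        return self.unlocked

    def _derive(self, label, origin):
        return hmac.new(self.device_secret, label + origin.encode(), hashlib.sha256).digest()

    def identifier_for(self, origin):
        if self.scheme == "global":
            return self.global_id
        return self._derive(b"id:", origin).hex()

    def register(self, origin):
        # Registration hands the site an identifier and a per-site verification key.
        # A real token would give a public key; a shared MAC key keeps this runnable offline.
        return {"id": self.identifier_for(origin), "key": self._derive(b"key:", origin)}

    def respond(self, origin, challenge):
        # Authentication: prove possession by MACing the site's fresh challenge.
        if not self.unlocked:
            raise PermissionError("token is locked")
        tag = hmac.new(self._derive(b"key:", origin), challenge, hashlib.sha256).digest()
        return {"id": self.identifier_for(origin), "tag": tag}

def site_verify(registration, challenge, response):
    # Relying-party side: the id must match and the MAC must cover the challenge it issued.
    expected = hmac.new(registration["key"], challenge, hashlib.sha256).digest()
    return response["id"] == registration["id"] and hmac.compare_digest(expected, response["tag"])

def linkable(token, origin_a, origin_b):
    # What two colluding sites can do: compare the identifiers they were each given.
    return token.identifier_for(origin_a) == token.identifier_for(origin_b)
```

With the "global" scheme `linkable` is always true, which is the cross-site hardware cookie effect described above; with per-site derivation the two sites receive unrelated identifiers while the challenge-response still proves possession of the same device.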
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,703
    Ignore and move on. Any article that starts with X, Y of company Z is useless.
    If it has money involved, be sure it's going to taste of brown matter.
    Mrk
     