Perimeter
9/16/2011
05:26 PM
Rob Enderle
Rob Enderle
Commentary
50%
50%

Intel Demonstrates Potential Password-Killers

Intel presented two possible ways it plans to make passwords obsolete

I've never been a fan of passwords. For some time we have known that trivial passwords can be remembered but are easily compromised, and folks who write down complex passwords make them easy to find and copy. In fact, way back in the 1980s while I was working security audits in IBM, we’d regularly argue that passwords were largely an ineffective way to secure anything that was truly sensitive -- and that was long before the Internet.

Well, Intel might have come up with something that is on the cusp of eliminating passwords and making those of us who buy the next generation of PCs and tablets far more secure.

We all carry cell phones, and an increasing number of us carry smartphones, so why don't we use a cell phone as a second factor to validate we are who we say we are? At its recent developer conference, this was actually a compelling demonstration by Intel and could be done with an app on a smartphone, a unique text message generating a one-time key, or even a clickable (on the cell phone) message that validated the person who was logging in also had the cell phone tied with the account.

With that one move, the user's password could be the number one or "password," and it would be far more secure than the cryptic mess we advise users to have today. But Intel didn't stop there: It showcased a BIOS-based technology that would allow a Web page to bypass the buffer and send an image directly to the graphics system on a registered PC. The demonstration entailed the use of a randomized virtual keypad where a PIN number would be entered. Anyone cloning the screen would only see a black box, and while he might see the cursor, he would have no idea what the cursor was pointing at and couldn’t repeat the PIN. This pretty much eliminates buffer attacks as a way to get access to this class of identification information.

Now if the PIN was also single-use and sent to the cell phone, the level of security that could be provided to the user would likely exceed significantly what most high security systems provide today and be consumer-friendly.

We’ve been trying -- largely unsuccessfully -- to kill off passwords for decades. Intel is one of the few firms with enough power to actually make this happen, and the technologies it showcased were compelling. Given how entrenched passwords are, I doubt we’ll see them go away before 2025, but Intel might make them redundant in two years. And that's good enough for me.

Rob Enderle is president and founder of The Enderle Group. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice one
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0702
Published: 2015-04-20
Unrestricted file upload vulnerability in the Custom Prompts upload implementation in Cisco Unified MeetingPlace 8.6(1.9) allows remote authenticated users to execute arbitrary code by using the languageShortName parameter to upload a file that provides shell access, aka Bug ID CSCus95712.

CVE-2015-0703
Published: 2015-04-20
Cross-site scripting (XSS) vulnerability in the administrative web interface in Cisco Unified MeetingPlace 8.6(1.9) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCus95857.

CVE-2015-1235
Published: 2015-04-19
The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in the HTML parser in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy via a crafted HTML document with an IFRAME element.

CVE-2015-1236
Published: 2015-04-19
The MediaElementAudioSourceNode::process function in modules/webaudio/MediaElementAudioSourceNode.cpp in the Web Audio API implementation in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy and obtain sensitive audio sample values via a cr...

CVE-2015-1237
Published: 2015-04-19
Use-after-free vulnerability in the RenderFrameImpl::OnMessageReceived function in content/renderer/render_frame_impl.cc in Google Chrome before 42.0.2311.90 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger renderer IPC messages ...

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.