Operations //

Identity & Access Management

Why FIDO Alliance Standards Will Kill Passwords

50%
50%

Bill Gates predicted the demise of passwords more than a decade ago. But the FIDO Alliance believes its proposed new authentication standards are a game changer that will transform the computing landscape in just three years. Phillip Dunkelberger, President & CEO of Nok Nok Labs, tells why he believes that the time is finally ripe for a password-free computing experience.

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
DonT733
50%
50%
DonT733,
User Rank: Apprentice
3/31/2014 | 8:02:10 PM
Just wondering when the FIDO Presentation might have some more content.
In a word, the presentation just affirmed VPN certificates with passwords to unlock them.  Thanks for revisiting private password key stores for the protection of digital certificates.  Is there any more content?

Passwords are not good, there just cheap.  My MacBook Air Pro, due to flashram drives acheived 6 billion password combinations per second in August of 2013.  This pretty much means passwords less than 12 places with full complexity have less than 50/50 odds to remain uncracked in less than 90 days.  

Please send IT Auditors to me.  I want to present what I have and am offerring a voluntary pledge.  "I will never again claim that an 8 place password is an adequate security meaure."  For those that must use only numbers in their passwords, 18 places are needed to compensate for the lack of complexity.  At least, so says my Mac -- running a Windows 7 VM running John the Ripper at 6 Billion Combinations per Second, while the Mac side runs AV and edits word simultaniously.

You know, the second factor tool account password cracked and the full Pen Test Check Mate of their Domain Controller fell out rather quickly after that.

Yes, I would say that 8 place passwords are closer to public endangerment rather than InfoSec security.    

 

 

 

 

 

 
windk
50%
50%
windk,
User Rank: Apprentice
3/19/2014 | 4:29:35 PM
Re: Couldn't happen too soon!
A good fiction (but apparently soon to be non-fiction) read about this is Dave Eggers' The Circle : "The Circle, run out of a sprawling California campus, links users' personal emails, social media, banking, and purchasing with their universal operating system, resulting in one online identity and a new age of civility and transparency." (Alfred A. Knopf, 2013).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/27/2014 | 8:31:38 AM
Re: Couldn't happen too soon!
Hi Spaz! I just gor my new iPhone with the biometric fingerprint reader. So I can tell you first hand how user friendly it is. Stay tuned!
Spaz
50%
50%
Spaz,
User Rank: Apprentice
2/26/2014 | 10:46:49 PM
Re: Couldn't happen too soon!
Nothing is infallible I suppose. While I don't know the technical aspects of fingerprint readers.  Apple feels very good about fingerprint scanners and so does Samsung. They both allow you to access your device with the fingerprint scanner. I imagine that one would have to get some training in how to pick up fingerprint. You'd need to buy fingerprint kits as well. I am definitely not for retina scanners since they have a lot of radiation. 
SeanKelly
50%
50%
SeanKelly,
User Rank: Apprentice
2/26/2014 | 5:26:39 PM
Re: Couldn't happen too soon!
I agree with your comment on corporate passwords but I disagree strongly with the comment on fingerprints. Fingerprints are not a password replacement. Fingerprints are usernames. Fingerprints aren't secret, you leave them everywhere and you can't change them (easily) when they have been compromised. Fingerprints should never be used as passwords.
Spaz
0%
100%
Spaz,
User Rank: Apprentice
2/22/2014 | 5:02:05 PM
Re: Couldn't happen too soon!
passwords especially corporate passwords are a complete pia. it's frustrating how the passwords have to be changed so often and how they have to fall within certain parameters eg. 8 charaters, has to containt this and that, etc. until another worthy solution is provided, we all need fingerprint readers instead. this will certainly help both the IT admins and employees as well.
ANON1241486907214
100%
0%
ANON1241486907214,
User Rank: Apprentice
2/21/2014 | 9:56:36 AM
Re: Couldn't happen too soon!
Can imagine what technology would make private keys safe. At least with passwords, the NSA has to spend some effort in guessing or intercepting them.  Any kind of centralized system  would immediately fall prey to government security agencies, and eventually to other players.
djameson910
100%
0%
djameson910,
User Rank: Apprentice
2/20/2014 | 3:22:42 PM
Stolen Device
So, if someone steals my device, they have access to all my stuff?  How does my device know me from an interloper?
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
2/18/2014 | 4:14:40 PM
Couldn't happen too soon!
Phil, I doubt that there's a consumer or IT person on this planet that doesn't pray for the day that passwords will be replaced with a manageable autentication process. But what are some of the hurdles that the industry has to overcome to reach that point? Is there broadbased agreement on the FIDO standards or are there competing technologies or ideas?  
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Compliance and Risk Management Officer, AvePoint, Inc,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15601
PUBLISHED: 2018-08-21
apps/filemanager/handlers/upload/drop.php in Elefant CMS 2.0.3 performs a urldecode step too late in the "Cannot upload executable files" protection mechanism.
CVE-2018-15603
PUBLISHED: 2018-08-21
An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the Author field of the "Leave a Comment" screen.
CVE-2018-15598
PUBLISHED: 2018-08-21
Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
CVE-2018-15599
PUBLISHED: 2018-08-21
The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase.
CVE-2018-0501
PUBLISHED: 2018-08-21
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.