119 Comments
- inactive, on 08/10/2008, -2/+85
The problem with that approach is that all you're doing is verifying that the machine is what it says it is. Therefore, anyone with access to the machine or data card can go anywhere. It's like stealing someone's car keys. At least now if someone steals my laptop they're not necessarily into all of my online accounts because they need the master password.
What's to stop hackers from building hardware that can spoof another machine?

- inactive, on 08/10/2008, -1/+64
This is a stupid idea
- megaton, on 08/10/2008, -1/+46
There are 3 types of security: Proximity, information, and person.
Proximity requires the physical presence of an object, such as a key.
Information requires knowledge of a secret piece of data, such as a password.
Person requires proof of a biological entity authorized to access the secure location, such as a person.
Any one alone can be compromised--a hacked password, a spoofed fingerprint, a copied key--but combine any two of the methods, and the protection is exponentially improved. Grab their fingerprint from a discarded glass, but don't have access to their key. Steal their key, but don't have their password. Observe their password, but don't have their fingerprint.
There is no truly safe way to protect anything, but multiple layers of verification make front-door attacks far less feasible.

- ldjarmin, on 08/10/2008, -1/+22
Anyone else concerned at how the author of the article made no mention of how this system interacts if you aren't at your "home" computer? This system would be fine if each person was locked to one computer and one computer only--but I know that I want to sign onto a website on my laptop, in a university computer lab, and on a Mac Pro at the Apple Store. How does this system solve for that?
(And regardless of the ability of the system to solve this issue, the author seems to happily ignore this obvious problem.)

- DeathJux, on 08/11/2008, -1/+13
911 is on their way.
- LucasVB, on 08/11/2008, -1/+12
I wonder who these "experts" they are talking about are.

- MistaMatt90, on 08/11/2008, -0/+11
WRONG. Writing down your passwords is actually quite secure. If someone is trying to break into whatever account is at hand, 99 to 1 it will be a remote attacker who doesn't know you. The longer and more complex the password is, the harder it is for the attacker to attain. See rainbow tables.
- KingGorilla, on 08/11/2008, -5/+15
I tried using PENIS as my password but it said it was too short
-Bash.org

- t3rmv3locity, on 08/11/2008, -0/+10
I just want to clear something up about modern public key cryptography (PGP, RSA)...it is SECURE. All the attacks are publicly known (mostly because anybody smart enough to crack a modern cryptosystem is typically a leader in the field), and if you use a sufficient key size, it will take an attacker longer than the universe's age to decrypt your message.
I think most of the problems encountered with software security models have more to do with the specific technical implementations of key distribution and delayed updates to the 'standard', not with the underlying sanctity of cryptology.

- inactive, on 08/11/2008, -0/+9
Experts at what, exactly?
I've been using passwords for a long time now. Not once have I had any problems, nor do I see my passwords ever becoming a problem in the future.
Just another sensationalist NYT article to try to make you feel insecure.

- Unlgued, on 08/11/2008, -0/+8
The same basket? Seems like a great place to keep eggs.
- Swipecat, on 08/11/2008, -0/+7
Agreed. A PIN only blocks somebody who's sneakily using your laptop when you're not looking. If they steal your laptop, then a locally authenticated PIN can be cracked with a try-all-permutations password cracking program in a split second.

- Matri, on 08/11/2008, -0/+7
The issue is that there are idiots who effectively make all these layers of security a big fat waste of space.
Password? They'll just let their browser save their login info.
Key? Just leave the key in the lock, can't be bothered to remove it every time.
Fingerprint? Either carry around a convenient cast or hack the reader to accept anything.
Their reasons for doing so? Too much hassle. Until this mindset changes, no advancement will do any good.

- inactive, on 08/11/2008, -1/+7
Hey, that is on my t-shirt! Damn hackers using my webcam again!
- maxgoedjen, on 08/11/2008, -0/+6
Psh, what do these guys know about security? Next thing you know, they'll be telling me my pet walrus isn't good for protecting my home.

- acrodev, on 08/10/2008, -0/+6
Apparently you haven't kept up with the latest DNS bug news. It's insecure pretty much by design and even with the latest port randomization techniques, it can still be cracked. Story and exploit code linked to from http://tech.slashdot.org/tech/08/08/09/123222.shtm ...
Still feeling secure?

- synystar, on 08/11/2008, -0/+6
The worst problem is that users are willing to give their passwords to complete strangers. All I have to do is ask them. They think "He's that computer guy and he's fixing my problem." But they don't know me. Why are they so willing? It's very convenient for me, I don't have to ask every time, but now I have dozens of passwords memorized because I use them often.
I have documented all of my customers' configurations to better support them. Folders full of firewall configs. These are mostly small businesses, but I have full remote access to several large companies that I'd think would be more concerned. I've told them so. They don't seem worried.

- inactive, on 08/11/2008, -0/+5
SSL certificates can be spoofed during a man-in-the-middle attack, which is admittedly a scenario unlikely to happen. However, a bigger problem is XSS, which can and has compromised the security of many people using SSL. So no, you are not guaranteed to be secure.
- virtualonliner, on 08/10/2008, -3/+7
The article is dead on about OpenID. The only reason I have not signed up and will probably never is it puts all my eggs in one basket.
This Information Cards technology seems to do the same, except the mode of authentication is different. I do not see this as inherently immune to phishing. What is stopping phishers from intercepting the "clicks" like they do keypresses? It just seems to make it a little harder but not impossible.

- mozert, on 08/11/2008, -0/+4
The only problem here is the overload, and the initial retrieval of the host key.

- grumpyrain, on 08/11/2008, -0/+4
I have no problem with routers including WEP; it is needed for some legacy hardware, but I am sick of how easy it is to set on most routers. I mean it should be hidden behind a bunch of confusing menus, directing end users to WPA2 by default.

- joerite, on 08/11/2008, -0/+4
A bank with no doors is very safe but useless. Criminals have a will and will find a way to crack the system. Constant struggle. Defense has to protect all holes but offense just has to exploit one. Listen to Schneier.
And on complicated passwords: If it's something you type every day you will memorize it. It might just take a little preliminary effort.

- Murdats, on 08/11/2008, -0/+4
Security comes at a cost; not everyone is willing to pay that cost because they either don't have much worth securing or because they are lazy.
- LiberalKid, on 08/11/2008, -0/+4
Meh, as long as you throw a few random characters into your password it's gonna be near impossible for it to be guessed or brute-forced.
For instance
Lily$Tigger1
is probably about as secure as
1rf325fa
Either one is going to be extremely hard for a hacker or program to guess or figure out, considering most programs are going to use a dictionary hack, or just run through a bunch of commonly used passwords.

- CanTheSpam, on 08/11/2008, -3/+7
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Passwords work?

- yoda133113, on 08/11/2008, -2/+6
That was actually addressed in the article: you would have a PIN that you'd have to type in such situations, though that goes back to the password idea. Really, if you are going to criticize the idea, at least read the whole article.

- devolved, on 08/11/2008, -0/+3
Well, you have to consider the nature of the basket you're putting your eggs into, that's for sure.
But how many people out there use the same username/password for every site? So it's still one basket. Or if you save all your passwords in Firefox / IE with a weak (or no) master password. Same diff.

- grneye53, on 08/11/2008, -0/+3
I'm with you on this one; by the time they figure out your password, that may be just enough time to change all your accounts. If you're really savvy you can actually program your laptop to phone you and let you know where it is.
- Stalks, on 08/11/2008, -0/+3
I use the PasswordMaker plugin for Firefox. Using one master password, it creates a hash based on the website address (eg. digg.com) and the master password, producing a unique password for each website, automatically generated from random characters. You can specify the hash algorithm and the character pool to use along with other options.
http://www.passwordmaker.org/

- chrispr, on 08/11/2008, -0/+3
play-doh exploit ftw.
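The derivation scheme Stalks describes in the PasswordMaker comment above (one master secret plus the site name, hashed into a per-site password drawn from a chosen character pool) can be shown in a few lines. The Python below is an added example written for this page, not PasswordMaker's own code or algorithm: it uses HMAC-SHA256 keyed with the master secret over the normalised host name, a rotation counter so one site's password can be changed without touching the master, and rejection sampling so the pool characters come out evenly. The character pool, the demo master secret and the URLs are constructed for illustration.

```python
import hashlib
import hmac

# Character pool the derived passwords are drawn from (constructed for this
# example; PasswordMaker lets the user pick their own pool).
DEFAULT_POOL = ("abcdefghijklmnopqrstuvwxyz"
                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789!#$%&*+-=?@_")


def normalise_site(url: str) -> str:
    """Reduce a URL to its host so that http://digg.com/foo and https://digg.com
    derive the same password (the "eg. digg.com" convention in the comment)."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split("@")[-1]
    return host.lower().split(":")[0]


def derive_site_password(master: str, site: str, length: int = 16,
                         pool: str = DEFAULT_POOL, counter: int = 0) -> str:
    """Derive a per-site password from one master secret and the site name.

    HMAC-SHA256 keyed with the master secret over (site, counter, block) is an
    assumption for illustration, not PasswordMaker's construction. The digest
    is one-way, so a site that leaks its copy of the derived password does not
    leak the master; leaking the master, however, exposes every site.
    """
    if length <= 0 or len(pool) < 2:
        raise ValueError("need a positive length and a pool of at least 2 chars")
    # Rejection sampling: use each digest byte as an index into the pool, but
    # drop bytes at or above the largest multiple of len(pool) so that a plain
    # modulo does not favour the low-index characters.
    limit = 256 - (256 % len(pool))
    out = []
    block = 0
    while len(out) < length:
        msg = f"{site}\x00{counter}\x00{block}".encode()
        digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        for b in digest:
            if b < limit:
                out.append(pool[b % len(pool)])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo secret
    for url in ("http://digg.com/", "https://www.example.org/login", "digg.com"):
        site = normalise_site(url)
        print(f"{site:20} {derive_site_password(master, site)}")
    # Rotating one site's password without changing the master:
    print("digg.com (rotated)  ", derive_site_password(master, "digg.com", counter=1))
```

The trade-off a practitioner should weigh is the one devolved raises a few comments earlier: the master secret is the single basket, so it has to be long and never reused, and because the derivation is deterministic there is no per-site random salt, which is why the counter exists.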
- Plasmodia, on 08/11/2008, -0/+3
Gattaca.

- mitch37, on 08/11/2008, -0/+3
No one wants to bruteforce your Neopets password

- kjcdude, on 08/11/2008, -0/+3
It's pretty obvious, anyone with access to that computer will have access to everything. Passwords require the user to be there. It's the user's fault if they create a bad password.

- megaton, on 08/11/2008, -0/+3
I'm all for password management systems, to be honest. It decreases security, obviously, but it increases the likelihood that users will use more elaborate measures on a per-site basis. (Which is better than not using anything, or the same password for everything.) However, it's critical that a master password is used, regardless. Of course, none of the mainstream browsers encourage master passwords for the horde...
Either way, requiring physical proximity to crack a user's accounts, *in addition to* their password or biometric information, is STILL safer than any one of them alone. But I agree, laziness leaves one vulnerable.

- radiofrequency, on 08/11/2008, -0/+3
etrade gives me a device I carry on a keychain that changes a 6-digit number every minute. In order to log in, I need my username, password and the 6-digit number. I like this scheme.
- MistaMatt90, on 08/11/2008, -1/+4
Other than the excessiveness of that method, your passwords are still not secure. What if someone from your ISP is sitting between you and your target with a packet sniffer? What if your wireless connection isn't as secure as you thought it was? What if the target wasn't storing your long and impossible password securely and they had a security breach?
Only 50% of security can be down from your end. The other half we leave up to those who hold our accounts.

- inactive, on 08/11/2008, -1/+4
Like, WEP.

- tama00, on 08/11/2008, -0/+3
They are the Microsoft security team. Having it pre-installed in Vista is the give-away.

- inactive, on 08/11/2008, -1/+4
Stop, yer gonna blow their cover. So what if it means someone can access all your accounts by compromising one piece of information. It will make it more fun for the rest of us that want to log into all your accounts and take your identity. Sorry, been cheesing, can't type well.
- goldendome92, on 08/11/2008, -1/+4
Experts?

- Murdats, on 08/11/2008, -0/+3
I think by passphrases he means something that isn't just g36#g2^! but
7h!5i5MyPa5sw0rd
which still contains letters, numbers and symbols but has meaning to the person.

- inactive, on 08/11/2008, -0/+3
Well, I was talking about the strength of our password. You are raising an unrelated issue with the packet sniffing, where you are toast anyway whether your password is the name of your dog or a long pass phrase. That's what SSL is for.
You suggested writing down the password is quite secure earlier. You see, that is still constraining yourself to a relatively short password because you don't want to spend the night typing it. If you generate a lengthy string of random characters as long as the remote auth allows, let's say a 5000-character-long password if you wish, then there's no way in the world the resulting MD5 or SHA hash can be brute forced at the remote end if their database was compromised. Nobody is generating rainbow tables for every combination of random 5000-character passwords; I don't even think it would be physically or financially possible.
The KeePassX and TrueCrypt part of my post was simply to clarify that you don't want to save your password in plain text on your hard drive or USB flash drive in case it gets stolen.

- inactive, on 08/11/2008, -1/+4
I have a program on all the computers I touch that not only captures keystrokes, but copies anything that is inserted: USB key, CD, DVD, all will be silently copied in the background. I can limit it to small files or certain file patterns. That is how I deal with people using keys on USB keychains.
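Two threads above turn on what happens to a password hash once the site's database leaks: MistaMatt90's "See rainbow tables" and the reply about whether an MD5 or SHA hash of a long random password can be brute forced at the remote end. The Python below is an added example for this page (not code from either commenter or from any site) that shows the storage-side half of that question: an unsalted MD5 is the same for every user who chose the same password and falls to a precomputed table instantly, while a per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library) makes precomputation useless and each guess expensive. The wordlist is constructed and tiny; it stands in for a real rainbow table.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed (rainbow-table style) lookup of
# unsalted hashes of common passwords.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "hunter2"]
PRECOMPUTED_MD5 = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_PASSWORDS}


def unsalted_md5_hex(password: str) -> str:
    """How a naive site stores a password: one unsalted MD5. Every user with the
    same password gets the same hash, so one precomputed table breaks them all."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted_md5(stored_hex: str):
    """Reverse an unsalted hash by table lookup; None if it is not in the table."""
    return PRECOMPUTED_MD5.get(stored_hex)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated storage. A fresh 16-byte random salt per record means no
    precomputed table applies (the attacker must recompute per user), and the
    iteration count makes every guess cost that many HMAC calls. The record
    format 'scheme$iterations$salt$digest' is an assumption for this example."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Unsalted: a leaked hash of a common password is reversed by one dict lookup.
    leaked = unsalted_md5_hex("hunter2")
    print("unsalted md5 lookup:", lookup_unsalted_md5(leaked))
    # Salted: two records for the same password differ, so a table built from
    # one leak tells you nothing about the next user or the next site.
    rec1, rec2 = hash_password("hunter2"), hash_password("hunter2")
    print("records differ:", rec1 != rec2)
    print("verify correct:", verify_password("hunter2", rec1),
          "| verify wrong:", verify_password("hunter3", rec1))
```

Note that the user-side strategy in the thread (a long random password per site) and the site-side strategy shown here are complementary: the long random password protects the user even if the site stored it badly, and salted iterated hashing protects users who chose a short password the user never controls.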
- PullingTeeth, on 08/11/2008, -1/+4
Nothing can beat the letter 'a'. It's impenetrable.

- DforSpiD, on 08/11/2008, -0/+3
"Experts: Passwords may not be BEST online defense" would be more appropriate...
As it is, the title's like saying condoms may not be a good defense against pregnancy...
Just because it doesn't work 100% of the time doesn't mean it isn't a good defense, especially as a first line of defense...

- tama00, on 08/11/2008, -0/+3
Actually the most insecure part of most websites is the secret question and answer! Why guess a password when you can have a better chance of guessing an answer to a question! Also, to add to that, most questions that sites use are like 'what's my fav sport team?' or 'what high school did I attend?'. Some of these questions you can have a good shot at and guess correctly; other questions Google may have the answer for! Got their username? Google it (they probably have used their username on more than one site.. psst, this also gives you more questions to answer :P), discover their name, Google that or MySpace it, BAM, you know their high school, fav sport team, whatever.
Thanks to MySpace and Google, this is why identity fraud has skyrocketed.
In the end, passwords are safe, users are idiots. p.s. use Facebook and/or set MySpace to private, and never have a secret question!

- inactive, on 08/11/2008, -1/+4
Shhhhh, let em build it. *evil grin*

- OrangeSoda31, on 08/11/2008, -0/+3
*insert generic approval comment here*

- deadbaby, on 08/11/2008, -0/+3
RSA dongles work great for sites that actually require high security but most sites don't want to spend the money on it. I'm still looking for a good national bank that offers RSA dongles instead of a thousand layers of stupid questions.

- TonyLocNE, on 08/11/2008, -1/+3
Passwords, psssssh... I use attack dogs to protect my interwebz