Google Ring?
January 19, 2013 2:25 AM

If special hardware can crack all your passwords, if people have a hard time remembering them anyway, if people don't implement them in the first place, it is no wonder Google (with Yubico) is "declar[ing] war on the password."

Yubico on GitHub.

Is it 2008 already?

previously: At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:05, they remote wiped my MacBook Air. and The Age Of The Password Has Come To An End
posted by the man of twists and turns (76 comments total) 22 users marked this as a favorite

Well this could get dystopic quickly
posted by Blasdelb at 2:34 AM on January 19, 2013 [3 favorites]


I just have a 35 character logon password for my PC, which then generates 16 char passwords for websites and the like.

I think at that point it's more likely that any determined cracker will attempt to use an 0-day.
posted by jaduncan at 2:43 AM on January 19, 2013 [1 favorite]


Yeah, the single best thing you can do is to enable two-factor authentication on your Google account. So many people use their Gmail password elsewhere that when one of those databases falls, the keys to your email account basically fall with it, all without Google ever being breached at all.

The wife received a notice that someone attempted to access her Gmail account from Mexico today and had been stopped. It wasn't clear if they were guessing the right password and stopped because it was a fraudulent bit of activity (unlikely, could just as well be legitimate) or if it was someone trying to log in several times with what they thought was her password.

So I enabled two-factor on her account. Unless you have her phone AND know her password, you're not going to be able to hack her email account, and as everyone knows, the email account is the linchpin: once it falls, hackers can trigger password reset requests which all flow directly into your email and you have something like what happened to Mat Honan.

I'm not sure I'd quite want a physical token like they're suggesting here, in the sense that I'm not entirely sure how different that is than my phone, except that it'd be less optimal than just unlocking my phone and opening the app there...
posted by disillusioned at 2:50 AM on January 19, 2013 [7 favorites]


The problem with having a physical token as a password is that one can lose it, forget it or have it stolen. Also - it is not really a new technology, even if it is in Wired. One of the more promising solutions to the problem I have read about recently is the idea of using procedural memory as a form of authentication. We are unable to tell anybody else the information that we have stored in procedural memory, it can generate a unique pattern and it requires no physical hardware to bring with us (it does require us to be taught a particular skill however - and we will gradually forget that skill - so that has to be accounted for).
posted by rongorongo at 2:51 AM on January 19, 2013 [3 favorites]


My passwords are pretty weak, since I have a shit memory. Don't have an identity worth stealing, though, unless somebody wants to pretend to be one of the most annoying guys on the Internet.
posted by Charlemagne In Sweatpants at 3:16 AM on January 19, 2013 [5 favorites]


This thing will make a great McGuffin in the next Mission Impossible movie.
posted by Charlemagne In Sweatpants at 3:18 AM on January 19, 2013 [3 favorites]


I think the idea of a ring (if it looks like a piece of jewelry) as a high-tech authentication device is excellent! Also funny considering that rings are surely as old as human history.
posted by faustdick at 3:30 AM on January 19, 2013 [1 favorite]


Ideally, you should only use open-source password and key management tools, such as KeePassX and KeePassX for website passwords. Apple's KeyChain is open source, which is a pleasant surprise, but the fact that nobody rebuilds it adds some risk.
posted by jeffburdges at 3:31 AM on January 19, 2013 [1 favorite]


I do think that two-factor with phone is a much better idea than this doodad. If I'm visiting a friend or in a different city, and something comes up, I'm about 90% likely to have my phone with me, and about 0% likely to be carrying a one-function doohicky around on the chance that I'll need it. I lose gizmos. I break watchamacallems. I accidentally swallow thingies while looking for that kajigger that I need.
posted by forgetful snow at 3:34 AM on January 19, 2013 [9 favorites]


I'm about 90% likely to have my phone with me, and about 0% likely to be carrying a one-function doohicky around on the chance that I'll need it. I lose gizmos. I break watchamacallems. I accidentally swallow thingies while looking for that kajigger that I need.

And a phone is not a 'gizmos, watchamacallems, thingies or a kajigger'?
posted by rough ashlar at 4:06 AM on January 19, 2013 [5 favorites]


Nope.
posted by ninebelow at 4:13 AM on January 19, 2013 [9 favorites]


Ideally we'd be moving towards biometrics rather than small devices that are easy to lose. We're already putting cameras in everything, just make them recognize retinas or fingerprints, and give it allowances so that I could say remotely use my phone to remotely unlock my computer if need be. There's some stuff that would have to be worked out but I'd rather have that than something like this.
posted by graymouser at 4:15 AM on January 19, 2013


I don't like the idea of having to tote a Google-provided device around everywhere I go, just to access my email. Nor, am I in-love with giving Google my phone number for two-factor ID. While security may be their come-on for these...it's Google.
posted by Thorzdad at 4:46 AM on January 19, 2013 [5 favorites]


Ideally we'd be moving towards biometrics rather than small devices that are easy to lose.

Apple seems to be approaching the problem through fingerprint authentication.
posted by Devils Rancher at 4:52 AM on January 19, 2013


I tried using Google two factor but I found I was using a number of apps on my phone, tablet, and desktop that couldn't take advantage of it. It became a pretty big hassle to authorize all these applications properly. Maybe I didn't do it right, but it was pretty darned inconvenient.
posted by monkeymadness at 5:15 AM on January 19, 2013 [3 favorites]


Using LastPass, loving it.
posted by oneironaut at 5:20 AM on January 19, 2013


Passwords are not a hassle if you use Keepass or something like it. It works nicely with Dropbox.
posted by Foosnark at 5:21 AM on January 19, 2013 [1 favorite]


He slowly drew out from the wallet a single and insanely exciting piece of plastic that was nestling among a bunch of receipts.

It wasn't insanely exciting to look at. It was rather dull in fact. It was smaller and a little thicker than a credit card and semitransparent. If you held it up to the light you could see a lot of holographically encoded information and images buried pseudoinches deep beneath its surface.

It was an Ident-I-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant -- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had and about their recorded preferences for tablecloth colors. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill, things could get really trying.

Hence the Ident-I-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and it therefore represented technology's greatest triumph to date over both itself and plain common sense.
Douglas Adams, Mostly Harmless
posted by davidjmcgee at 5:29 AM on January 19, 2013 [33 favorites]


There are three candidate factors appearing when discussing two-factor security: knowledge, possession, and biometrics. What does each factor offer?

Knowledge factors (passwords) cannot be taken without user interaction, occasionally even offering immunity from government compulsion. Knowledge factors are limited in entropy by the user's memory.

Possession factors create a measure of control over the authenticating device and offer unlimited entropy. In theory, these dongles contain a private key that does not exist anywhere else in the world, even those possessing the public key for authentication cannot duplicate your dongle. In Germany, online bank transactions employ a hardware device that reads your screen, reports the transaction amount, and gives you an approval code.

Biometric factors enhance security when the authenticating device itself is under control, like a secure doorway, but seemingly fail to improve security when the authenticating device cannot be controlled, such as a laptop or phone, making them almost the opposite of a possession factor.

Biometric factors are historically fairly easy to spoof because users reveal them unintentionally. Also, they cannot be revoked without revoking access entirely, making them the weakest factor by far. Worse, we cannot afaik guarantee any particular minimum entropy for any known biometric authentication mechanism. If I know you are Korean, how much information do I learn about your fingerprint?

In other words, biometrics are perfectly fine for unlocking your phone several hundred times per day to prevent friends from posting jokes on your facebook, and they're probably great for government office doors, but one should never view biometrics as replacing a public key dongle and long password for bank accounts, etc.
posted by jeffburdges at 5:29 AM on January 19, 2013 [9 favorites]


Thank you for including Yubico in your write up. I read the article yesterday and was disappointed that Wired didn't include the title, especially since their pic is a pic of one of their products.

I do the two-factor thing, too. I have unique passwords for Google and for financial accounts. I have multiple passwords for common accounts. I remember all of my passwords back to 82. Still, passwords are not a great solution.
posted by grimjeer at 5:30 AM on January 19, 2013


Google purity ring: You go through a ceremony where a creepy leering old guy makes you promise to always use your real name on the internet.
posted by jeffburdges at 5:32 AM on January 19, 2013 [17 favorites]


It's 2013. Pick up a password manager like LastPass, use strong single-site-specific passwords everywhere, and don't worry about buying some new thingamabob.
posted by ellF at 5:34 AM on January 19, 2013 [1 favorite]


It's 2013. Pick up a password manager like LastPass, use strong single-site-specific passwords everywhere, and don't worry about buying some new thingamabob.

This just moves the problem one step up the chain. What happens when someone gets hold of your LastPass password? Password managers are great solutions to the problem of being unable to remember all of your passwords. They do not, however, solve the problem of other people gaining access to your passwords and using them for nefarious purposes.
posted by decathecting at 5:58 AM on January 19, 2013 [4 favorites]


This sure seems like a classic case of one of those Things People Will Not Use in the Real World. Things that sound interesting on paper to someone, and companies spend millions on, that the average person just isn’t going to use whether they know it or not. I guess I could have just said CueCat.
posted by bongo_x at 6:03 AM on January 19, 2013 [2 favorites]


The other issue is that I don’t really use or like Google much anymore, how’s this going to help with the rest of the internet? Everyone has to get on board? Not going to happen. It’s been around forever and you can’t get the companies or the customers to agree on the iLok or any other software dongles.

I admit I didn’t pay much attention, but I had no idea the reason Google was asking me for my phone number all the time was for some sort of two step authentication. I seriously thought they were just trying to collect more information and wanted to send me some great offers exclusive to Google insiders, or some kind of thing to make my security weaker like my health care insurer trying to force me to set up "security questions".

Not explained well. And I can’t understand why I’d trust them with all my security.
posted by bongo_x at 6:17 AM on January 19, 2013


I was a little worried when Google's new mission statement concluded with:

...and in the darkness, bind them.
posted by ShutterBun at 6:37 AM on January 19, 2013 [15 favorites]


decathecting: This just moves the problem one step up the chain…

LastPass also supports a wide range of two factor authentication schemes so it doesn't *have* to be. I do expect quite a lot of people just use a long password on their LastPass accounts though.
posted by public at 6:43 AM on January 19, 2013 [1 favorite]


What happens when my Ring of Access to My Online Identity breaks? How are new ones issued? How do I prove my identity to the dongle distributor, and how easily could someone else impersonate me? How long will it take to receive a new dongle, and what am I supposed to do until the new one arrives?

Similarly, what happens if the ring is stolen? Can it be deactivated like a credit card? How do I prove that I have the right to deactivate it, and can someone else pretending to be me do it?
posted by JDHarper at 6:45 AM on January 19, 2013 [2 favorites]


It's good that a trustworthy company is advocating this.
posted by cjorgensen at 6:45 AM on January 19, 2013 [1 favorite]


I have always wanted a secret spy decoder ring.
posted by windykites at 6:47 AM on January 19, 2013


Also is this the appropriate time and place to complain about being forced to use a "strong" password for various accounts that are exceptionally unimportant to me? If I want to be insecure that should be my choice goshdarnit.
posted by windykites at 6:49 AM on January 19, 2013 [10 favorites]


...and in the darkness, bind them.

Future AskMe: I've had my Precious stolen by someone I trusted. How can I ever see LOLCats again? Also, fishes.
posted by arcticseal at 7:18 AM on January 19, 2013 [7 favorites]


12345

Sometimes I change it up 2580. No one would guess that!!
posted by Fizz at 7:36 AM on January 19, 2013 [1 favorite]


Rats! I wanted an embedded RFID chip in my hand.
For the record, I've had one of those SecurID tokens for the last two years and haven't lost it. It works like a darn.
posted by sneebler at 7:56 AM on January 19, 2013


I work on the principle that there is so much low-hanging fruit to be had that any thoughtful steps I take to be secure puts me way down the list to be hacked. I've used KeePass for years and recommend it highly. I use KeePassDroid on my phone and tablet, and backup my password database regularly on my Dropbox and Box accounts. And, 99.99% of the time, any device I am using to connect with the interwebs is connected through my VPN and using HTTPS Everywhere. Just being harder to hack than the average guy makes the biggest difference, I think.
posted by Benny Andajetz at 7:59 AM on January 19, 2013 [1 favorite]


decathecting:
This just moves the problem one step up the chain. What happens when someone gets hold of your LastPass password?
True, that's a weakness. But a magic security dongle has the same weakness, except that it's easier to steal the dongle from my pocket than the master password from my brain.
posted by pont at 8:04 AM on January 19, 2013 [2 favorites]


MOUNTAIN VIEW, California — Want an easier way to log into your Gmail account? How about a quick tap on your computer with the ring on your finger? This may be closer than you think.
Wow, if only they had come up with this fifteen years ago.
posted by Ogre Lawless at 8:07 AM on January 19, 2013 [1 favorite]


rongorongo: The problem with having a physical token as a password is that one can lose it, forget it or have it stolen.
FWIW, unless the thieves also know your Gmail login name, having it stolen is no more dangerous than losing it - unlike a password crack, which implicitly means they're already at your account. The lack of access in those events is still a dealbreaker for me.

No physical keys. Personal confirmation of unusual activity is the solution, IMO, like the aforementioned two-factor authentication.
posted by IAmBroom at 8:40 AM on January 19, 2013


I use google's two factor authentication system for gmail, my one gripe with it is it doesn't require me to remember a portion of the PIN like RSA does. Like, google authenticator provides six digit number XXXXXX, and I should have to append four digit PIN YYYY that is in my head and only I know. If you get my phone you get my email, then it's over.
posted by the theory of revolution at 8:40 AM on January 19, 2013 [3 favorites]


We've been using Yubikeys at work for about two years now for both online two-factor authentication and local full-disk encryption, they're excellent devices, and well worth the minimal cost. Plus, the system can be fully reprogrammed for internal use with your own key management system, and there's an RFID version for further integration with physical access systems. I love them.
posted by odinsdream at 8:49 AM on January 19, 2013


This just moves the problem one step up the chain. What happens when someone gets hold of your LastPass password?

How is that going to happen? Unless you're a super secret NSA analyst nobody is ever going to go through the immense trouble of obtaining your password file and then cracking what should be an extremely strong password which exists only in your brain. It would cost millions of dollars so that someone can see your porn or whatever.
posted by Justinian at 8:49 AM on January 19, 2013


I'm still not exactly clear how something like Lastpass is more secure than what I do, based on something I think I read in Slate a while ago: use a formula to come up with a unique complex password for each site, based on that site's URL.

Something like firstletter+45+thirdletter+xyz...etc.

So I just have to remember the formula, not each pw.
posted by gottabefunky at 8:51 AM on January 19, 2013 [6 favorites]
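The "formula from the site's URL" approach above works because the password is a deterministic function of a secret you remember and the site name. Its weakness is that a simple formula (first letter + 45 + third letter + ...) can be read back off any one leaked password. The example below, added here and not from any commenter, is the keyed version of the same idea: the per-site password is an HMAC of a normalized site name under a key stretched from the master secret, so seeing one site's password reveals nothing about the rule or about other sites. The fixed PBKDF2 salt, the iteration count, the 62-character alphabet and the `counter` argument (for rotating one site's password) are all assumptions of this example.

```python
import hashlib
import hmac
import string

# Characters allowed in generated passwords (assumption: letters + digits, 62 symbols).
ALPHABET = string.ascii_letters + string.digits


def normalize_site(url: str) -> str:
    """Reduce a URL to its host so 'https://www.Example.com/login' and
    'example.com' derive the same password."""
    host = url.strip().lower().split("://", 1)[-1].split("/", 1)[0]
    host = host.split("@")[-1].split(":")[0]          # drop userinfo and port
    return host[4:] if host.startswith("www.") else host


def site_password(master: str, url: str, counter: int = 1, length: int = 16) -> str:
    """Derive a per-site password from a master secret.

    master  - the one secret the user remembers
    url     - the site; only the normalized host contributes
    counter - bump it to rotate a single site's password after a breach
    """
    # Stretch the master secret once (constant salt is an assumption of this example;
    # it is the 'formula' the site name is later mixed into).
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), b"site-password-v1", 100_000)
    label = f"{normalize_site(url)}|{counter}".encode()

    out = []
    block = 0
    while len(out) < length:
        # Counter-mode expansion of HMAC-SHA256 gives as many bytes as needed.
        digest = hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in digest:
            # Rejection sampling: 248 = 4 * 62, so b % 62 is unbiased.
            if b < 248:
                out.append(ALPHABET[b % 62])
                if len(out) == length:
                    break
        block += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    master = "correct horse battery staple"
    for site in ("https://www.example.com/login", "example.com", "bank.example.net"):
        print(f"{site:32} -> {site_password(master, site)}")
```

The master secret is still a single point of failure, exactly as decathecting says of a password manager's master password; what this buys over the letter-shuffling formula is that the per-site outputs are unlinkable without the master, and a compromised site can be rotated by incrementing its counter instead of changing the master.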


Also, regarding loss, it's smaller than a house key, so it goes right on the keyring, and it's a hermetically sealed, solid device. You can run it through a washing machine without any risk of failure, and there's no moving parts to fail because the only interface is a capacitive pad.
posted by odinsdream at 8:54 AM on January 19, 2013


Ogre Lawless: "Wow, if only they had come up with this fifteen years ago."

Or earlier still. Plus ça change.

You know you've been in tech a long time when you start noticing the 10-15 year cycles. Last time for me was a huge presentation on "business rules platforms" that I had sat through a decade previously under the name of "workflow management". That was about 6 years ago, so I know it'll be back again in about 4-5 years.

Sure as shootin'.

(sits back, puffs pipe reflectively, rocks in chair)
posted by jquinby at 9:00 AM on January 19, 2013 [3 favorites]


Make it cock ring and I'm in.
posted by mazola at 9:04 AM on January 19, 2013 [3 favorites]


disillusioned:Yeah, the single best thing you can do is to enable two-factor authentication on your Google account. So many people use their Gmail password elsewhere that when one of those databases falls, the keys to your email account basically fall with it, all without Google ever being breached at all.
I'm not a security-biz expert, but I think two-factor has been over-sold as some sort of silver bullet for people who don't have the time, the background, or the inclination to understand the issue in any depth, or who don't have the energy to practice good security habits. And really, who could blame them? How much time and effort does anyone want to put into making painful login processes even more painful? But two-factor is no silver bullet:

Trojan bypasses two-factor authentication, steals $46.5 million

RSA SecurID two-factor authentication compromised

I know someone whose 2-factor phone authentication was hacked…

The latest wave of hype for two-factor authentication got a huge boost from the Mat Honan story, but there's little reason to think two-factor (presumably using his Apple phone) would have saved him; Apple tech support was one of the weak links the hacker exploited, after all. Two-factor in practice just means your digital identity is every bit as safe as the kind-hearted, honorable geniuses who run your cell service provider can make it.

I'd say the single best thing you can do is to avoid re-using passwords, so that a single chink in the armor of your collective digital identity doesn't cause it to all unravel like so much knitting. If that means the actual service passwords are impossible to remember without software assistance (LastPass, KeePass, 1Password, A free password-generator bookmarklet, etc.) then so be it. (Like anyone else, I don't always practice what I preach, but I try to ensure my email and financial accounts all have unique passwords.)

Ideally it would be very difficult to reset passwords as well. My bank has a "forgot password?" link on its login page, which leads to an automated process for password reset. That link probably shouldn't exist. Losing or forgetting credentials for bank accounts, email accounts, and cell phone accounts should be a big deal, like losing a passport. But of course such a policy would encourage us sloppy, lazy humans to just use the same password for everything.
posted by Western Infidels at 9:04 AM on January 19, 2013 [1 favorite]


I do think that two-factor with phone is a much better idea than this doodad. If I'm visiting a friend or in a different city, and something comes up, I'm about 90% likely to have my phone with me, and about 0% likely to be carrying a one-function doohicky around on the chance that I'll need it. I lose gizmos.

Great idea. Until you travel outside of the United States and discover the joys of mobile phone network incompatibility and can't use your phone or your email. Combine that with the tendency of your bank and credit card being cut off by algorithms that detect unusual purchase patterns and you have the perfect storm I like to call "Hungry in Venice."
posted by srboisvert at 9:06 AM on January 19, 2013 [7 favorites]


Until you travel outside of the United States and discover the joys of mobile phone network incompatibility and can't use your phone or your email.

Google's Authenticator app doesn't need an internet connection.
posted by Memo at 9:12 AM on January 19, 2013 [2 favorites]


I use Google Authenticator with LastPass & Google, and VeriSign VIP Access for PayPal. Both work algorithmically rather than requiring phone SMS or Internet access. My only complaint is that the step where I fire up my phone and then the App could probably be reduced with some BlueTooth communication between my computer and my phone. Of course, maybe there are eavesdropping concerns there.

It is also worth noting that Google Authenticator is open for anyone to use for authentication purposes. You can even use it with SSH.
posted by pashdown at 9:30 AM on January 19, 2013


Now when you're robbed the thief can also steal your online identity! Win-win!
posted by user92371 at 9:33 AM on January 19, 2013


Combine that with the tendency of your bank and credit card being cut off by algorithms that detect unusual purchase patterns

Too bad these fucking advanced algorithms can't seem to detect the pattern created by me buying a plane ticket to $_COUNTRY and reserving a few hotel rooms in various locations in that same country. Somehow it comes as a complete surprise to them when my credit card is then used in that same country. LIKE OMG who ever could POSSIBLY have predicted this? NO ONE SURELY, there was simply no evidence! None!
posted by elizardbits at 9:34 AM on January 19, 2013 [6 favorites]


Now when you're robbed the thief can also steal your online identity! Win-win!

Two-factor is not just the key on your keychain. It is also the password in your head in combination with the key on your keychain. The lock doesn't open without both. The key on your keychain makes the password much more secure, so you don't need to use something ridiculous like "6LGm6NcfcqcsGPF2Ujpqmtrf", you can use "bananacheese" and still be more secure than a password alone.
posted by pashdown at 9:43 AM on January 19, 2013 [5 favorites]


Two-factor is not just the key on your keychain. It is also the password in your head in combination with the key on your keychain.

This. I don't see people complaining about their ATM cards. You need the physical token and the pin. This ring is just the same thing, and I think it sounds awesome.
posted by rifflesby at 9:51 AM on January 19, 2013 [1 favorite]


I use google 2-step and I use lastpass (and those are the only 2 passwords I remember these days). I know lastpass was breached last year and I'm expecting that that was in fact a good thing in the great scheme in terms of them making their security much much better and the like. But I must admit I've never gone ahead to read around to find out just how solid a fortress they now are or how they stack up versus the other services. But I agree with someone up thread: if you bolster your practises to at least a fairly solid level of security then you're outside the norm and at a lower risk of breach (or I tell myself so anyway).
posted by peacay at 9:58 AM on January 19, 2013


I'm interested in the Google decoder ring as long as there's an option to engrave it with "Be sure to drink your Ovaltine."
posted by fifteen schnitzengruben is my limit at 10:52 AM on January 19, 2013 [1 favorite]


...Unless you're a super secret NSA analyst ... cracking what should be an extremely strong password which exists only in your brain.

In which case, no need to crack if they can use enhanced interrogation.
posted by Twang at 11:25 AM on January 19, 2013


I officially hate Google Two-Factor, because my husband has it set up and he gets up really early in the morning and then goes and logs in to his email but he has two-factor on and we don't have texting on our phones so he gets a normal phone call and he has inexplicably decided to have his phone "announce" the caller which means that instead of ringing, his phone, in a super-distorted, really loud voice through the crappy external speaker, says, "CALL FROM! TWO! FIVE! EIGHT! FIVE! FIVE! FIVE! FOUR! SIX! ONE! SEVEN!" except it's so distorted you can't really understand the words so it's just this urgent mechanical squawking and did I mention that he keeps forgetting to take his phone with him when he gets up, so his phone is basically screaming this at me from the nightstand like two feet from my head at six in the morning when I don't even have to get up until seven and I jump straight up in the air panicking about who the hell must have died so that we're getting a phonecall at six a.m.
On reflection this might be a personal problem.
posted by BrashTech at 11:39 AM on January 19, 2013 [10 favorites]


What do you do when you have multiple personalities and thus several different accounts with different passwords?

Or you purposely share an account with someone else?
posted by jb at 12:13 PM on January 19, 2013


srboisvert: Great idea. Until you travel outside of the United States and discover the joys of mobile phone network incompatibility and can't use your phone or your email.

That's weird, not only do I often travel outside the United States, I have never been to the United States.

I don't use two-factor any more, since changing email accounts and deciding to go with the 'algorithmic password' approach instead (with a few additions: static elements, an element based on the year I made the account, which is usually trivial for me to deduce, and an element based on which of several mental categories the site falls into.)
Usually, though, I have a pool of 3-4 poor passwords that I use for most throwaway sites with low security (gated forums, downloads etc), because my reasoning is that if crackers gain access, it's better for them to potentially have access to a lot of unimportant accounts than to have access to the password algorithm for the crucial sites tied to my real identity or finances.
posted by forgetful snow at 12:46 PM on January 19, 2013


I use KeePass and Dropbox. I have the desktop version installed on my main computers, KeePassDroid on my phone which lets me use it there, and I have a stand-alone version on a thumbkey that I carry on my keychain for when I have to use a public terminal. Dropbox synchronizes my password archive, though I do have to occasionally manually copy it over to the thumbdrive. I know that Dropbox doesn't have a perfect security record, but my archive is massively encrypted and my KeePass password (the only one that I have to actually remember) is very strong.

It took a little while to set up but it's a very convenient system (it takes almost no time to enter a password in KeePass, though KeePassDroid is a bit cumbersome) that is definitely easier to deal with than trying to remember which of the five-ish kinda-crappy passwords that I used to use for every goddamn thing I happened to have used on any given site. Even websites that I only intend to ever use once get a 16-character randomly-generated alphanumeric sequence that I never have to worry about remembering.

It's a good deal.
posted by Scientist at 1:24 PM on January 19, 2013


I officially hate Google Two-Factor, because my husband has it set up and he gets up really early in the morning and then goes and logs in to his email but he has two-factor on and we don't have texting on our phones so he gets a normal phone call

They have an application that means that texts/calls are not required. It's also using an open standard, so even unusual phone OSes tend to have a compatible app.

Either that or your husband could stop being inconsiderate and switch the phone on silent before logging in.
posted by jaduncan at 1:26 PM on January 19, 2013 [1 favorite]


The biggest problem with things like this is basically that likely none of the people in this conversation probably need it.

On the other hand, people like my parents*, who are the most likely to use weak passwords or leave themselves logged in, are the least likely to use solutions like this.

Two-factor authentication? Like most people, they don't have smartphones and aren't going to get them.
USB keys? They'll forget to put them in and wonder why things don't work.
KeePass? 'Why do I need to put in my password to get my password? Why can't I type it in once?'

They are the low-hanging fruit that scammers will continue to target.

*For 'my parents', read a subset of people over the age of 60ish. My actual parents are not that bad.
posted by madajb at 1:31 PM on January 19, 2013


If there's such a thing as a solution to this problem, I think it will look something like the various wallet managers on *nix systems--KWallet, Seahorse, that kind of thing. They're basically similar to KeePass & friends, but they're part of the operating system, and therefore get unlocked when you log in; automagically supply the right password to the right app; and so on.

This approach requires software vendors to accept some kind of standard API for password management. If your browser does it wrong, it will let random javascript snippets grab all your passwords.

As with most technical problems, this is all quite trivial for anyone with an unlimited supply of money and labor.
posted by LogicalDash at 1:53 PM on January 19, 2013 [1 favorite]


LogicalDash, if I'm understanding correctly, doesn't that leave you with the issue of only being able to log in from your home machine?
posted by forgetful snow at 2:45 PM on January 19, 2013 [1 favorite]


Brashtech, thank you, you made me laugh really hard but I'm on the bus so now I look crazy. It was your description of the phone voice. Just... perfect. My voicemail puts me through that every damn time I want to listen to a message.
posted by windykites at 2:51 PM on January 19, 2013 [1 favorite]


Anyone remember the Java Ring from Sun?
http://www.javaworld.com/jw-04-1998/jw-04-javadev.html

I would lose a dongle, but a ring would be safely stuck on my finger ('cause of my crazy swollen knuckles).
posted by wenestvedt at 4:08 PM on January 19, 2013


forgetful snow, nope, KWallet still stores things in a file. This can be synchronized between machines, as is already the case with LastPass, though this facility does not presently exist in KWallet in particular.

Actually, you don't really need to be on the same machine that has the passwords. Authentication schemes like OpenID let you prove that you operate a particular machine, whether you're at it or not. Using OpenID instead of passwords for everything would work just fine, if everyone on the internet operated their own webserver.

Actual actually, come Internet Protocol 6, bundling a webserver with every internet device might be practical.
posted by LogicalDash at 7:25 PM on January 19, 2013


That's weird, not only do I often travel outside the United States, I have never been to the United States.

I was playing to the primarily american audience here. In your case you will experience the incompatibilities when/if you travel to North America.
posted by srboisvert at 8:34 PM on January 19, 2013


The problem with 2-factor authentication on your smartphone is that it doesn't help your security if your smartphone is stolen, unless perhaps you log out of Gmail each and every time you access it on your phone and never let your password be saved. Unless you do so, if you lose your smartphone, you lose your security - they can log in whether you have 2-factor set or not. (Yes, you have a passcode set for your phone... but is it a long alphanumeric one or a 4-digit one that's basically meant to keep honest people honest?)

At least if the authentication item was a separate dongle, if it is lost or stolen, they still don't know your password, hopefully. And maybe not even what username it's attached to.
posted by IndigoRain at 8:50 PM on January 19, 2013


Whatever happened to that technology Microsoft was working on where you present an image then tap it to form a pattern? For example, I'll tap all the red squares, then all the blue triangles, but NOT any of the other colours or the red squares. Or I'll tap all the aliens' faces, but not the humans' faces, unless the human has blue eyes, or I'll rub along the kittens' backs, but tap the puppies' noses? It sounds a lot easier to remember than a random sequence, and no physical item to forget.

Or there is the other problem; What happens when the computer you are using doesn't have a compatible card, like a lot of work computers?
posted by Canageek at 10:15 PM on January 19, 2013


>Yeah, the single best thing you can do is to enable two-factor authentication on your Google account.

Don't make any bets on two-factor authentication.

If they have your password, they probably have your name as well, and for a lot of people that makes two factor authentication easy to beat.

As mentioned above, the Honan article does nothing to discredit the use of passwords.

Google ring - This is just Google en route to the billing relationship that they (and every other internet company) so desperately want with you.
posted by w.fugawe at 2:29 PM on January 20, 2013


Or there is the other problem; What happens when the computer you are using doesn't have a compatible card, like a lot of work computers?

The Yubikey emulates a USB keyboard. It will work on any computer that uses a USB keyboard, even ones with administrative restrictions on attaching USB devices.

they probably have your name as well, and for a lot of people that makes two factor authentication easy to beat.

It sounds like you're confused about what two-factor authentication is, because it's not about asking secret questions and answers. I can't figure out why knowing someone's name would be helpful to an attacker, please explain.
posted by odinsdream at 2:49 PM on January 20, 2013


France proposes a tax on collecting personal information
posted by jeffburdges at 9:09 AM on January 21, 2013


IndigoRain: "(Yes, you have a passcode set for your phone... but is it a long alphanumeric one or a 4-digit one that's basically meant to keep honest people honest?)"

No I don't, I have a pattern lock that I can't actually tell you how to recreate. I could show you, but to do that you'd have to take these goddamned handcuffs off and then I would have to kill you.
posted by wierdo at 11:15 AM on January 21, 2013


U.K. starts using PayPal as identification for government services
posted by jeffburdges at 11:46 AM on January 21, 2013


Grammar badness makes cracking harder the long password
posted by the man of twists and turns at 6:06 AM on January 24, 2013 [1 favorite]

