What is the origin of passwords submitted to honeypots? (sans.edu)
52 points by metaphor on Sept 2, 2023 | hide | past | favorite | 39 comments


It's an interesting optimization problem for the attacker.

The most common passwords are problematic. They will frequently work, but they will work for the other guy, too. So then the question is "how do you pull up the ladder?"

Changing the password is simple, but likely to get the machine reimaged.

Looking at the login history would give an allowlist of subnets, which can be used to deny other attackers access, but hopefully without inconveniencing the owner into reimaging.


> So then the question is "how do you pull up the ladder?"

I've never heard that metaphor before, but it's a good one. Thanks.


I've never seen it used in this context; it usually is used in reference to a social program (i.e. you benefitted from something and then advocate for it to be abolished).


I would assume the harder looking passwords actually came from a "known backdoor" incident. Like where a manufacturer of IoT or router devices puts in backdoors for development, then forgets to remove them before production.


Originally submitted this[1], but refreshing replaces with this[2].

[1] https://isc.sans.edu/diary/Potential+Weaponizing+of+Honeypot...

[2] https://isc.sans.edu/diary/0


Our software swapped [1] for [2] because [2] is listed as the canonical URL in [1].

Which article is better? They both seem pretty good and I'm unclear on the difference.


Contents of the canonical URL appear to change over time by showing the latest blog post, which is currently this[1] that was just published today, not what was originally submitted.

[1] https://isc.sans.edu/diary/What+is+the+origin+of+passwords+s...


Ah thanks - let's change to that above instead of https://isc.sans.edu/diary/0.


TL;DR: `cat` was a mistake, never pipe files to your terminal, use a text editor or viewer instead.


Passwords should be dead soon and this article should be irrelevant soon after.

PSA: For most basic and routine websites/apps of low-value, please, please use the FaceID/TouchID protected platform authenticators for passwordless authentication.

And for those archaic sites that still insist on passwords (why? tell them about passwordless by writing feedback/app reviews), use the platform built-in password managers. Don't do passwords by memory.

For higher value things like banks, please use a different user-id/e-mail-id and passwords stored in a password manager (or write down the password in a book kept safely at your home – this is so much safer than weak passwords you try to scheme up and remember). And, always use 2FA – preferably a hardware FIDO key (enroll at least 2 of them and keep them safe). In India, the regulator insists banks use mobile SMS OTP. In such a case, keeping your phone secure from SMS-sniffing malicious apps is critical. If you are really paranoid, get the simplest modern feature phone with a phone number dedicated to receiving such critical SMS! The day when all financial institutions use passwordless auth with FIDO2 MFA cannot come soon enough!


> please use the FaceID/TouchID protected platform authenticators for passwordless authentication.

No, thank you, I don't wear my passwords on my face or my fingers because they need to be secret to serve their purpose. I don't really feel like wearing a balaclava and gloves all the time.

Also sometimes I need to change them (if they get compromised, if computing progress made them easier to bruteforce, etc.), and I don't really want to have to use cosmetic surgery when that happens.

Biometrics are closer to a username than a password in this regard.

> Don't do passwords by memory.

We can agree on this (and the disaster that SMS OTP is, due to lousy carrier security mostly), but you will still need a password for that password manager usually. You can have a key based setup but you still need a way to store/remember that key. So passwords will not die just based on this, they might become less ubiquitous.

It sounds like you want to trivialize a problem that has existed for way longer than computer science and systematically relies at some point on human memory if you want a certain level of security and secrecy.

Obviously if you decrease these requirements, you can get away with weaker authentication mechanisms... but you will not secure whatever that password was securing as well then.


To clarify, biometrics are only used for local authentication against the platform authenticator. An attacker still needs the authenticator's private data, too. The authentication against the service uses public key crypto.

Also, you should be able to use a platform authenticator with a PIN.


I think understanding this distinction is going to be one of the main challenges for mainstream WebAuthn adoption over passwords as the default authentication method.


You can be scammed into entering your password into a random textbox, which is then relayed to the actual website/app. This is too basic. In the case of FaceID/TouchID, the acquiring platform (your mobile phone) has secure device binding, and FaceID/TouchID is a local authenticator on that device that uses that secure device binding to authenticate. If FaceID/TouchID becomes fakeable, we will move on to some other more secure local authenticator. The point is, you have a rich multi-sensor mobile device as your authenticator.

> Also sometimes I need to change them (if they get compromised, if computing progress made them easier to bruteforce, etc.), and I don't really want to have to use cosmetic surgery when that happens.

That's not how it works. Each hardware device that acquires your FaceID or TouchID (or Iris ID etc.) does it in a way that's unique to it. Even a Mission Impossible-style face mask can't fool these modern FaceIDs. Like all things in security, it is a game of making it really expensive to break and not really about it being impossible.


> you have a rich multi-sensor mobile device as your authenticator

YOU, a relatively wealthy programmer/middle manager living in a first-world country, have access to such a device.

Ever think about who you're disenfranchising with tech like this? Or to whom you're ceding socioeconomic power and political influence?


Using open-standards based passwordless auth is not ceding control to anyone.

Btw, your assumptions about me are wrong. You don't know anything about me. So don't make it personal.


I didn’t know Jason Bourne posted on HN. In all seriousness, where’s the threat of someone taking extremely high resolution scans of your iris unless you are truly rich/powerful/connected.


Fingerprint scanning is going mainstream; here's a post about Amazon using palm scans on point of sale systems [1]. It seems reasonable that point of sale systems will get hacked or skimmers will get installed (common problems impacting normal people today). The current fix is to issue a new card. Unfortunately, you cannot have a new finger/palm print issued, so the threat appears unmitigated.

[1] https://www.bbc.co.uk/news/technology-54337984


How long until a high resolution iris scanner can be embedded in a pair of sunglasses?

Point is it wasn’t long ago that nobody could fake your voice either.


The problem is not the high resolution scan of black hats it's that every company and your mom wants to store your biometric data in the future... and as we see with passwords most of them can't be trusted.


The bad guys don't need to scan your biometrics. Every site you log into with TouchID or whatever already has. Passwords get leaked all the time, and when you find out, you change them. You can't change your biometrics.


You’re fundamentally misunderstanding how TouchID or FaceID work.

The biometrics authenticate you with the Secure Enclave in your phone. The enrolled biometric data is stored within the Secure Enclave and practically unrecoverable. Authentication is done directly within the Secure Enclave. The connection between the sensor (fingerprint, camera) and Secure Enclave is direct and encrypted.

Conceptually, this is identical to using a passcode or password to unlock your device.

Once the Secure Enclave is unlocked, your phone can use it to sign requests, decrypt data (e.g., stored passwords), etc. The signed request or decrypted password is what’s transmitted to the app, website, or whatever else you’re authenticating against.

Your biometric data never leaves a secure encrypted channel between the sensor and Secure Enclave, and within the Secure Enclave’s own storage.

It’s some seriously cool hardware and the lengths it goes to to mitigate a lot of common and uncommon attacks are impressive. (It has a separate built-in voltage and clock monitor with a wider operating envelope, so if you try to voltage glitch it, it can lock and disable itself and require a reset. Bet Nintendo wishes they had thought of that.)

There are a _lot_ of details published about this.

Secure Enclave: https://support.apple.com/en-ca/guide/security/sec59b0b31ff/...

Overall platform security: https://support.apple.com/en-ca/guide/security/welcome/web


Well, there's WorldCoin.


> It sounds like you want to trivialize a problem that has existed for way longer than computer science and systematically relies at some point on human memory if you want a certain level of security and secrecy.

Assuming the "problem" you are referring to is authentication, this is not necessarily true. "Something you know" is just one auth factor of several. Using a thumbprint (something you are) to grant access to a private key stored on a device to sign a challenge does not rely on human memory, and is probably more secure than using a password in most cases.

An argument can also be made that using a password manager implies that you are specifically doing the opposite of relying on human memory for authentication.

That said, I also disagree with the premise of the original comment that "Passwords should be dead soon and this article should be irrelevant soon after." They will be around for a while, although I hope passwordless mfa can soon replace them as the default choice.
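The challenge-signing flow discussed in the comments above (biometrics or a PIN unlock a key that stays on the device; the site only ever receives a signature over its challenge, bound to the origin the browser observed, so a relayed login from another origin fails to verify), as an added Go example that is not from the thread or from any vendor's implementation. It is a simplified model of a WebAuthn-style exchange: the `Authenticator`, `Verify` and `Login` names and the example origins are assumptions, and the local biometric check is simulated by a flag.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)
// Authenticator models a platform authenticator (constructed for this example): the
// private key never leaves it, and signing is gated by a local Touch ID / Face ID / PIN
// check, simulated as the userVerified flag. clientData is what actually gets signed.
type Authenticator struct{ priv *ecdsa.PrivateKey }
type clientData struct {
	Challenge []byte `json:"challenge"` // relying party's random challenge
	Origin    string `json:"origin"`    // origin the browser saw, not page-controlled
}
func NewAuthenticator() *Authenticator {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: k}
}

// Assert returns signed client data; only this, never the key or biometric, is sent.
func (a *Authenticator) Assert(userVerified bool, origin string, challenge []byte) (cd, sig []byte) {
	if !userVerified {
		return nil, nil // local check failed: nothing is signed
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cd, sig
}

// Verify is the relying party: it holds only the public key and its own origin.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, cd, sig []byte) bool {
	var c clientData
	if json.Unmarshal(cd, &c) != nil || c.Origin != origin || string(c.Challenge) != string(challenge) {
		return false
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Login runs one exchange; a phishing page can relay the challenge but not change pageOrigin.
func Login(auth *Authenticator, userVerified bool, pageOrigin, rpOrigin string) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	cd, sig := auth.Assert(userVerified, pageOrigin, challenge)
	return Verify(&auth.priv.PublicKey, rpOrigin, challenge, cd, sig)
}
```

Calling `Login(auth, true, "https://bank-login.example", "https://bank.example")` returns false even though the challenge is the bank's own, which is the property that a relayed password lacks.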


I don't know. For banks and tech SaaS? Maybe.

But for the average website, passwordless is confusing for the end user.

I've researched WebAuthn for a web game to see if I could make the login native and seamless. And it sucked. In Windows, it would prompt a confusing window asking for either a USB key, Windows Hello (so, a PIN or face, and most people don't have this feature enabled), or to use a QR code. The average user won't know what they should do, so they won't be able to register.

Also, it's really hard to use your account on other devices. Like, if you log in first with a Google phone, then yeah, you'll be able to use your key by scanning a QR when prompted on your computer. But if you log in with a computer first, you won't be able to use your key anywhere else because exporting keys isn't implemented anywhere yet.

I've ended up just implementing Google and Apple OAuth, since WebAuthn requires accounts anyways to store your keys (Microsoft on Windows, Google on Android, Apple on Mac/iOS), so why not just log in with them directly?


Because the goal of WebAuthn is to not depend on any company's infrastructure.

And there's work being done in that direction. Apple supports passkeys from third-party password managers, 1Password has a Passkey beta and KeePassXC has a pull request working on passkey support. [0]

That independence is a design goal of passkeys, because they want to replace passwords and passwords are independent by their nature.

[0]: https://github.com/keepassxreboot/keepassxc/pull/8825


Define soon. Passwords, for all their annoyances, will probably be around for a long time.

While they are not brilliant at anything, they are good enough on many dimensions. Some disadvantages of the things you mention are:

* They don't require specialised hardware
* They don't require complicated recovery mechanisms if that hardware is lost, stolen or broken.
* Arguably, biometrics should not be used for authentication. Once a biometric system is compromised, you have no way to recover. You can't change your biometrics.


My bank dropped using passwords back in July.

Now all that protects my account is a 5 digit PIN and SMS, and you can reset the PIN via SMS.

I'm glad financial companies hire security minded folks.


Well, technically a PIN is a kind of low security password...


I suspect that what's supposed to be going on there is that what protects your account is law enforcement and the fact that financial transactions are traceable.


Yeah, her bank has stationed a cop to stand at every website login and proactively arrest hackers before they can get at her money.


I meant get the money back after the fact. Which yeah it will probably suck for the client even if the bank considers it a cost of doing business.


This is satire, right?


Nope - although the last line is sarcasm, if that's what you mean.


I don't trust Face ID/Touch ID, so for me passwords will not be dead soon. Especially because on my device there's neither Face ID nor Touch ID.


> please use the FaceID/TouchID protected platform authenticators

nope

I am working on basing less critical stuff on Google, not interested in doing the exact opposite (or making the same mistake with Apple)


Right, and what do you recommend in those situations where, due to unusual circumstances (flat battery, whatever), you need access to, say, your online banking or airline site or email or whatever using another device that would have no way of knowing who you are? If there's a way to access a web-based password manager securely from any device, then surely there's a way to access whatever application you actually need access to securely too...

FWIW I use a password manager of sorts, but only to remember "hints". Once I see the hint I can reliably recall what the full password is, but there's no reasonable way for someone else to do so. It's only passwords I use very rarely that I even really need such hints for.


> please use the FaceID/TouchID protected platform authenticators for passwordless authentication.

No, I prefer to keep my fingers intact on both of my hands. Better to use the mind for something secured; the brain is essentially hack-proof.


I think I would drop any service that required me to go to WebAuthn.



