Tag Archives: passwords

8 cutting-edge technologies aimed at eliminating passwords

In the beginning was the password, and we lived with it as best we could. Now, the rise of cyber crime and the proliferation of systems and services requiring authentication have us coming up with yet another not-so-easy-to-remember phrase on a near daily basis. And is any of it making those systems and services truly secure?

One day, passwords will be a thing of the past, and a slew of technologies are being posited as possibilities for a post-password world. Some are upon us, some are on the threshold of usefulness, and some are likely little more than a wild idea, but within each of them is some hint of how we’ve barely scratched the surface of what’s possible with security and identity technology.

The smartphone

The idea: Use your smartphone to log into websites and supply credentials via NFC or SMS.

Examples: Google’s NFC-based tap-to-unlock concept employs this. Instead of typing passwords, PCs authenticate against the user’s phone via NFC.

The good: It should be as easy as it sounds. No interaction from the user is needed, except any PIN they might use to secure the phone itself.

The bad: Getting websites to play along is the hard part, since password-based logins have to be scrapped entirely for the system to be as secure as it can be. Existing credentialing systems (e.g., Facebook or Google login) could be used as a bridge: Log in with one of those services on your phone, then use the service itself to log into the site.

The smartphone, continued
The idea: Use your smartphone, in conjunction with third-party software, to log into websites or even your PC.

Examples: Ping Identity. When a user wants to log in somewhere, a one-time token is sent to their smartphone; all they need to do is tap or swipe the token to authenticate.

The good: Insanely simple in practice, and it can be combined with other smartphone-centric methods (a PIN, for instance) for added security.

The bad: Having enterprises adopt such schemes may be tough if they’re offered only as third-party products. Apple could offer such a service on iPhones if it cared enough about enterprise use; Microsoft might if its smartphone offerings had any traction. Any other takers?

Biometrics
The idea: Use a fingerprint or an iris scan — or even a scan of the vein patterns in your hand — to authenticate.

Examples: They’re all but legion. Fingerprint readers are ubiquitous on business-class notebooks, and while iris scanners are less common, they’re enjoying broader deployment than they used to.

The good: Fingerprint recognition technology is widely available, cheap, well-understood, and easy for nontechnical users.

The bad: Despite all its advantages, fingerprint reading hasn’t done much to displace the use of passwords in places apart from where it’s mandated. Iris scanners aren’t foolproof, either. And privacy worries abound, something not likely to be abated once fingerprint readers become ubiquitous on phones.

The biometric smartphone
The idea: Use your smartphone, in conjunction with built-in biometric sensors, to perform authentication.

Examples: The Samsung Galaxy S5 and HTC One Max both sport fingerprint sensors, as do models of the iPhone from the 5S onwards.

The good: Multiple boons in one: smartphones and fingerprint readers are both ubiquitous and easy to leverage, and they require no end user training to be useful, save for registering one’s fingerprint.

The bad: It’s not as hard as it might seem to hack a fingerprint scanner (although it isn’t trivial). Worst of all, once a fingerprint is stolen, it’s, um, pretty hard to change it.

The digital tattoo
The idea: A flexible electronic device worn directly on the skin, like a fake tattoo, and used to perform authentication via NFC.

Examples: Motorola has released such a thing for the Moto X, at a cost of $10 for a pack of 10 tattoo stickers, with each sticker lasting around five days.

The good: In theory, it sounds great. Nothing to type, nothing to touch, (almost) nothing to carry around. The person is the password.

The bad: So far it’s a relatively costly technology ($1 a week), and it’s a toss-up as to whether people will trade typing passwords for slapping a wafer of plastic somewhere on their bodies. I don’t know about you, but even a Band-Aid starts bothering me after a few hours.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

Why you should take hacked sites’ password assurances with a grain of salt

Beware of e-mails that play down the ease of cracking your leaked passcode.

Reputation.com, a service that helps people and companies manage negative search results, has suffered a security breach that has exposed user names, e-mail and physical addresses, and in some cases, password data.

In an e-mail sent to users on Tuesday, officials with the Redwood City, California-based company said the passwords were “highly encrypted (‘salted’ and ‘hashed’),” a highly vague description that can mean different things to different people. “Although it was highly unlikely that these passwords could ever be decrypted, we immediately changed the password of every user to prevent any possible unauthorized account access,” the e-mail added unconvincingly.

It’s unfortunate that companies make such assurances, because they may give users a false sense of security. As Ars has been reporting for nine months, gains in cracking techniques mean the average password has never been weaker, allowing attackers to decipher even long passwords with numbers, letters, and symbols in them. Even Ars’ own Nate Anderson—a self-described newbie to password cracking—was able to crack more than 45 percent of a 17,000-hash list using software and dictionaries he downloaded online.

Jeremi Gosney, a password cracking expert with Stricture Consulting Group, recently explained in an Ars forum post that it’s highly unusual for a leaked password list to go uncracked, as suggested by the Reputation.com e-mail.

“It definitely depends on the specific leak we’re talking about, but generally speaking, your average security expert/penetration tester/casual password cracker is probably only going to be able to recover at most 50-60% of passwords in any given leak,” he wrote. “Seasoned password crackers will likely recover 70-75%; and truly exceptional password crackers will recover 80% or more.”

Adding cryptographic salt is crucial to the safe storage of passwords because it forces password cracking programs to guess the plaintext for each individual hash, rather than guessing passwords for thousands or millions of hashes all at once. (Yes, it also thwarts rainbow-table attacks, but no one uses this method anymore.) But it’s easy to overstate the benefits of salting. It in no way slows down the cracking of a single hash, so if an attacker locates the hash belonging to a particular high-value Reputation.com user, the measure does nothing to thwart the cracking of that hash. Salting alone slows the cracking of large lists only by a multiple of the number of unique salts, and that value decreases with each hash that is decoded.

A far more meaningful security measure is the type of algorithm that’s used to convert plaintext passwords into cryptographic hashes. If the company used SHA1, SHA3, MD5, or any number of other “fast” hashes, it’s extremely likely that at least some of the leaked password data has already been cracked. If, on the other hand, the company used bcrypt, scrypt, PBKDF2 or another “slow” algorithm specifically designed to hash passwords, the chances are significantly lower. Reputation.com makes no mention of the algorithm it used, so users should presume the worst. Anyone who used their Reputation.com password to protect one or more accounts on other sites should change those passcodes immediately. Passwords should be randomly generated by a password manager, be at least 11 characters long, and include numbers, letters, and symbols. They should also be unique to each site.
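The two points above (what salting does and does not buy, and why a slow algorithm matters more) can be checked with a short Python sketch. This is an added example, not code from the article or from Reputation.com; the function names, the sample accounts and the iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # example value chosen for this demo, not taken from the article

def fast_hash(password: str, salt: bytes = b"") -> str:
    """A "fast" hash: a single SHA-1 call over salt + password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def slow_hash(password: str, salt: bytes) -> str:
    """A "slow" hash: PBKDF2 repeats HMAC-SHA256 ITERATIONS times per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def verify(password: str, salt: bytes, stored: str) -> bool:
    """Login check for the slow scheme, using a constant-time comparison."""
    return hmac.compare_digest(slow_hash(password, salt), stored)

def guessing_work(records, candidates):
    """Count hash computations needed to test every candidate on every record.

    records is a list of (user, salt, digest); records sharing a salt share work.
    """
    by_salt = {}
    for user, salt, digest in records:
        by_salt.setdefault(salt, {}).setdefault(digest, []).append(user)
    work, matched = 0, set()
    for salt, digests in by_salt.items():
        for guess in candidates:
            work += 1  # one hash per (unique salt, guess) pair
            matched.update(digests.get(fast_hash(guess, salt), []))
    return work, matched

# Constructed sample data: three accounts, two sharing the same weak password.
USERS = {"alice": "password1", "bob": "password1", "carol": "x9#Lq!vT2m@Zr"}
CANDIDATES = ["123456", "password1", "letmein"]

unsalted = [(u, b"", fast_hash(p)) for u, p in USERS.items()]
salted = []
for u, p in USERS.items():
    s = os.urandom(16)  # fresh random salt per account
    salted.append((u, s, fast_hash(p, s)))

if __name__ == "__main__":
    print("unsalted list  :", guessing_work(unsalted, CANDIDATES))
    print("salted list    :", guessing_work(salted, CANDIDATES))
    print("one salted hash:", guessing_work(salted[:1], CANDIDATES))
    demo_salt = os.urandom(16)
    stored = slow_hash("x9#Lq!vT2m@Zr", demo_salt)
    print("slow verify    :", verify("x9#Lq!vT2m@Zr", demo_salt, stored))
```

The work count grows with the number of unique salts for the whole list but is unchanged for a single salted record, while the slow scheme multiplies the cost of every individual guess by the iteration count.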

For a deeper dive into the benefits of salting and hashing, see last Saturday’s story about the password breach that hit LivingSocial.com. Some of the user comments are especially illuminating.

