Stunned pundit agrees with Gates over passwords

Biometrics and smartcards are the future

  • alert
  • submit to reddit

High performance access to file storage

Sometimes people make mistakes, and have to admit that they made a mistake. One of the most interesting mistakes I know of was made by Hartmann Schedel, a physician and cartographer who lived in Nuremberg (in what is now Germany) in the late 15th century.

Schedel's most famous work was published in 1493: Liber Chronicarum, or as it is more famously known, the Nuremberg Chronicle, an illustrated history and geography of the world from Creation to Schedel's present day. The Chronicle was an amazing achievement. Not only was it one of the first map collections created using the then still-new invention of the printing press, but it also contained many maps of countries, and even cities, that hitherto had never been drawn.

Schedel was a devout Christian of his time, and he believed that history could be divided into seven Ages:

  1. Creation to Noah
  2. Noah to Abraham
  3. Abraham to David
  4. David to the Babylonian Captivity
  5. Babylonian Captivity to the birth of Jesus
  6. Birth of Jesus to the Last Days
  7. The Age of the Antichrist

Schedel believed he was living in the 6th age, the Last Days of the world, and that the Antichrist would return soon for the final battle, which would precipitate the Last Judgment and the end of time. Consequently, he figured that the Chronicle was pretty much the final word on the earth's - and humanity's - history. Being a sensible man, however, he left a few pages blank at the end of the Chronicle, so that if anything interesting happened during the Last Days, readers could fill it in.

Actually, something kind of important happened after the Chronicle was published, and, unfortunately for Schedel, a couple of blank pages weren't enough: Columbus' discovery of the New World was announced shortly after the publication of Schedel's work. Oops.

To my knowledge, Schedel, who died in 1514, never admitted his mistake.

I wish to admit an error that I've made, though: I am hereby admitting that Bill Gates is right.

Just a few days ago, the Microsoft maestro had this to say about the passwords that we have to deal with all of the time:

"A major problem for identity systems is the weakness of passwords. Unfortunately, with the type of critical information (protected by) these systems, we aren't going to be able to rely on passwords. Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this."

Now, I often don't agree with Gates - in fact, I quite rarely agree with him, or with Microsoft - but I must grudgingly give him credit for the above statement. He's right.

Bill's Gates

Anyone reading this knows that passwords are a real hassle, for a wide variety of reasons.

  • Sheer numbers of passwords

We all have to remember far too many passwords. Websites, email, websites, computer log ons, web ites, root or Administrator access, websites, and did I mention websites? We either try to remember all these different passwords, which is impossible, or we write them down, or store them in a Palm or a password safe-deposit box-type program, or we just re-use the same passwords over and over, thus opening ourselves up to catastrophic loss if one password is compromised.

  • Users suck at password management

Anyone who's ever pulled time doing sysadmin tasks knows that to be true. Users try to slide by with passwords that a ten-year-old could crack, or they write them on sticky notes, or (it's my favorite and I know it's yours) they forget them constantly so you have to re-enter them. Every week. And I'm not even going to talk about the users who are willing to give up their passwords for chocolate bars.

  • Unique identification

Passwords don't uniquely identify me. Anyone who knows my username and password can access resources intended for me, even if they're not really me. A password, after all, is just a string of characters. How does that uniquely identify the real me?

  • Flimsy protection

My online banking records are protected by that same string of characters, and that's it. If you can finagle from me, or guess, or steal, those characters, then you're in like Flynn, baby. My finances are yours. Or my personal data on my computers. Or my email. And on and on. That's not much real protection, is it?

There's gotta be a better way, and I think Gates may be on to something. Bank ATM cards work securely because they combine two forms of authentication: something you have (an ATM card) and something you know (a PIN). It doesn't matter that most people's PINs are easy - in order to make use of that information, you must have the ATM card, and that presents an additional hurdle that's often enough to make simple ATM fraud difficult.

Asking people to use a two-factor form of authentication would go a long way toward alleviating a lot of the problems I outlined above. Instead of asking folks to remember strings of characters, a card and a thumbprint would vastly simplify things while providing much more certainty that the person is who she says she is.

I have my concerns, of course. When it comes to biometrics, I'm concerned. It's far too easy to fool biometric systems, although things will undoubtedly continue to improve. A better question concerns what is done with the biometric data, and what kinds of biometric data are used. Thumbprint? I'm a little queasy at it, but not much, especially since most biometric systems don't actually store the print itself, just a mathematical "hash", if you will, of the print. But DNA? Uh-uh. No way. I agree with those opposed to the idea of governments being able to access the DNA of anyone they arrest for a felony; I have even less fervor for the idea of corporations, under far less oversight than governments, having access to the building blocks of our bodies.

The idea of smart-cards intrigues me, however. Believe it or not, even AOL, with it's famously technologically-sophisticated user base (yes, I'm being sarcastic), has gotten into the act. For only $2 per month, AOL customers can use an RSA Secure-ID card to authenticate themselves to access potentially-sensitive areas of the AOL environment. Jokes aside, this is a good thing. The price is reasonable, although if every service charged $2 for the ability to use a Secure-ID token, the average consumer would be overwhelmed with payments.

The biggest problem, as always, comes down to an open standard. A universal scheme to ensure better authentication through the use of smart cards, or even smart cards plus biometrics, will only succeed if Microsoft doesn't own the standard, or the patent, or anything else that it intends to use to control this new direction in security. And for "Microsoft", you can substitute the company or organization of your choice. If we want a better scheme to work, then it must be an open standard - and open in the sense that open source developers can use it, without fear of licensing or patent issues. Without an open standard, we're looking at discreet archipelagos of authentication, instead of a universal, and universally useful, method of improving the ways we verify who are. I can't say I'm hopeful. Patent greed seems to be clouding the judgement of every company involved in IT these days.

We're not in the Last Days - it's been over 500 years since Schedel left those pages blank at the end of the Liber Chronicarum - but we're hopefully seeing the last days of passwords and all the annoyances they bring. As for me, I say the sooner the better. How about you? Would you be willing to carry around a smart card if it meant one less password? Or would you willingly use biometrics to verify yourself, if that meant fewer passwords? Add a comment and tell us your thoughts.

Copyright © 2004, SecurityFocus logo

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.

Related stories

Complacent UK corporates 'easy meat' for crooks
Register backs Blunkett drive for trust in government
ID card doubts - Blunkett blames dead German philosopher

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story


Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.