Stunned pundit agrees with Gates over passwords

Biometrics and smartcards are the future

Sometimes people make mistakes, and have to admit that they made a mistake. One of the most interesting mistakes I know of was made by Hartmann Schedel, a physician and cartographer who lived in Nuremberg (in what is now Germany) in the late 15th century.

Schedel's most famous work was published in 1493: Liber Chronicarum, or as it is more famously known, the Nuremberg Chronicle, an illustrated history and geography of the world from Creation to Schedel's present day. The Chronicle was an amazing achievement. Not only was it one of the first map collections created using the then still-new invention of the printing press, but it also contained many maps of countries, and even cities, that hitherto had never been drawn.

Schedel was a devout Christian of his time, and he believed that history could be divided into seven Ages:

  1. Creation to Noah
  2. Noah to Abraham
  3. Abraham to David
  4. David to the Babylonian Captivity
  5. Babylonian Captivity to the birth of Jesus
  6. Birth of Jesus to the Last Days
  7. The Age of the Antichrist

Schedel believed he was living in the 6th age, the Last Days of the world, and that the Antichrist would return soon for the final battle, which would precipitate the Last Judgment and the end of time. Consequently, he figured that the Chronicle was pretty much the final word on the earth's - and humanity's - history. Being a sensible man, however, he left a few pages blank at the end of the Chronicle, so that if anything interesting happened during the Last Days, readers could fill it in.

Actually, something kind of important happened after the Chronicle was published, and, unfortunately for Schedel, a couple of blank pages weren't enough: Columbus' discovery of the New World was announced shortly after the publication of Schedel's work. Oops.

To my knowledge, Schedel, who died in 1514, never admitted his mistake.

I wish to admit an error that I've made, though: I am hereby admitting that Bill Gates is right.

Just a few days ago, the Microsoft maestro had this to say about the passwords that we have to deal with all of the time:

"A major problem for identity systems is the weakness of passwords. Unfortunately, with the type of critical information (protected by) these systems, we aren't going to be able to rely on passwords. Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this."

Now, I often don't agree with Gates - in fact, I quite rarely agree with him, or with Microsoft - but I must grudgingly give him credit for the above statement. He's right.

Bill's Gates

Anyone reading this knows that passwords are a real hassle, for a wide variety of reasons.

  • Sheer numbers of passwords

We all have to remember far too many passwords. Websites, email, websites, computer logons, websites, root or Administrator access, websites, and did I mention websites? We either try to remember all these different passwords, which is impossible, or we write them down, or store them in a Palm or a password safe-deposit box-type program, or we just re-use the same passwords over and over, thus opening ourselves up to catastrophic loss if one password is compromised.

  • Users suck at password management

Anyone who's ever pulled time doing sysadmin tasks knows that to be true. Users try to slide by with passwords that a ten-year-old could crack, or they write them on sticky notes, or (it's my favorite and I know it's yours) they forget them constantly so you have to re-enter them. Every week. And I'm not even going to talk about the users who are willing to give up their passwords for chocolate bars.

  • Unique identification

Passwords don't uniquely identify me. Anyone who knows my username and password can access resources intended for me, even if they're not really me. A password, after all, is just a string of characters. How does that uniquely identify the real me?

  • Flimsy protection

My online banking records are protected by that same string of characters, and that's it. If you can finagle from me, or guess, or steal, those characters, then you're in like Flynn, baby. My finances are yours. Or my personal data on my computers. Or my email. And on and on. That's not much real protection, is it?

There's gotta be a better way, and I think Gates may be on to something. Bank ATM cards work securely because they combine two forms of authentication: something you have (an ATM card) and something you know (a PIN). It doesn't matter that most people's PINs are easy - in order to make use of that information, you must have the ATM card, and that presents an additional hurdle that's often enough to make simple ATM fraud difficult.

Asking people to use a two-factor form of authentication would go a long way toward alleviating a lot of the problems I outlined above. Instead of asking folks to remember strings of characters, a card and a thumbprint would vastly simplify things while providing much more certainty that the person is who she says she is.

I have my concerns, of course. When it comes to biometrics, I'm concerned. It's far too easy to fool biometric systems, although things will undoubtedly continue to improve. A better question concerns what is done with the biometric data, and what kinds of biometric data are used. Thumbprint? I'm a little queasy about it, but not much, especially since most biometric systems don't actually store the print itself, just a mathematical "hash", if you will, of the print. But DNA? Uh-uh. No way. I agree with those opposed to the idea of governments being able to access the DNA of anyone they arrest for a felony; I have even less fervor for the idea of corporations, under far less oversight than governments, having access to the building blocks of our bodies.

The idea of smart cards intrigues me, however. Believe it or not, even AOL, with its famously technologically-sophisticated user base (yes, I'm being sarcastic), has gotten into the act. For only $2 per month, AOL customers can use an RSA SecurID token to authenticate themselves to access potentially sensitive areas of the AOL environment. Jokes aside, this is a good thing. The price is reasonable, although if every service charged $2 for the ability to use a SecurID token, the average consumer would be overwhelmed with payments.

The biggest problem, as always, comes down to an open standard. A universal scheme to ensure better authentication through the use of smart cards, or even smart cards plus biometrics, will only succeed if Microsoft doesn't own the standard, or the patent, or anything else that it intends to use to control this new direction in security. And for "Microsoft", you can substitute the company or organization of your choice. If we want a better scheme to work, then it must be an open standard - and open in the sense that open source developers can use it, without fear of licensing or patent issues. Without an open standard, we're looking at discrete archipelagos of authentication, instead of a universal, and universally useful, method of improving the ways we verify who we are. I can't say I'm hopeful. Patent greed seems to be clouding the judgement of every company involved in IT these days.

We're not in the Last Days - it's been over 500 years since Schedel left those pages blank at the end of the Liber Chronicarum - but we're hopefully seeing the last days of passwords and all the annoyances they bring. As for me, I say the sooner the better. How about you? Would you be willing to carry around a smart card if it meant one less password? Or would you willingly use biometrics to verify yourself, if that meant fewer passwords? Add a comment and tell us your thoughts.

Copyright © 2004, SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.
