Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

Why FIDO Alliance Standards Will Kill Passwords

50%
50%

Bill Gates predicted the demise of passwords more than a decade ago. But the FIDO Alliance believes its proposed new authentication standards are a game changer that will transform the computing landscape in just three years. Phillip Dunkelberger, President & CEO of Nok Nok Labs, tells why he believes that the time is finally ripe for a password-free computing experience.

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
DonT733
50%
50%
DonT733,
User Rank: Apprentice
3/31/2014 | 8:02:10 PM
Just wondering when the FIDO Presentation might have some more content.
In a word, the presentation just affirmed VPN certificates with passwords to unlock them.  Thanks for revisiting private password key stores for the protection of digital certificates.  Is there any more content?

Passwords are not good, there just cheap.  My MacBook Air Pro, due to flashram drives acheived 6 billion password combinations per second in August of 2013.  This pretty much means passwords less than 12 places with full complexity have less than 50/50 odds to remain uncracked in less than 90 days.  

Please send IT Auditors to me.  I want to present what I have and am offerring a voluntary pledge.  "I will never again claim that an 8 place password is an adequate security meaure."  For those that must use only numbers in their passwords, 18 places are needed to compensate for the lack of complexity.  At least, so says my Mac -- running a Windows 7 VM running John the Ripper at 6 Billion Combinations per Second, while the Mac side runs AV and edits word simultaniously.

You know, the second factor tool account password cracked and the full Pen Test Check Mate of their Domain Controller fell out rather quickly after that.

Yes, I would say that 8 place passwords are closer to public endangerment rather than InfoSec security.    

 

 

 

 

 

 
windk
50%
50%
windk,
User Rank: Apprentice
3/19/2014 | 4:29:35 PM
Re: Couldn't happen too soon!
A good fiction (but apparently soon to be non-fiction) read about this is Dave Eggers' The Circle : "The Circle, run out of a sprawling California campus, links users' personal emails, social media, banking, and purchasing with their universal operating system, resulting in one online identity and a new age of civility and transparency." (Alfred A. Knopf, 2013).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/27/2014 | 8:31:38 AM
Re: Couldn't happen too soon!
Hi Spaz! I just gor my new iPhone with the biometric fingerprint reader. So I can tell you first hand how user friendly it is. Stay tuned!
Spaz
50%
50%
Spaz,
User Rank: Apprentice
2/26/2014 | 10:46:49 PM
Re: Couldn't happen too soon!
Nothing is infallible I suppose. While I don't know the technical aspects of fingerprint readers.  Apple feels very good about fingerprint scanners and so does Samsung. They both allow you to access your device with the fingerprint scanner. I imagine that one would have to get some training in how to pick up fingerprint. You'd need to buy fingerprint kits as well. I am definitely not for retina scanners since they have a lot of radiation. 
SeanKelly
50%
50%
SeanKelly,
User Rank: Apprentice
2/26/2014 | 5:26:39 PM
Re: Couldn't happen too soon!
I agree with your comment on corporate passwords but I disagree strongly with the comment on fingerprints. Fingerprints are not a password replacement. Fingerprints are usernames. Fingerprints aren't secret, you leave them everywhere and you can't change them (easily) when they have been compromised. Fingerprints should never be used as passwords.
Spaz
0%
100%
Spaz,
User Rank: Apprentice
2/22/2014 | 5:02:05 PM
Re: Couldn't happen too soon!
passwords especially corporate passwords are a complete pia. it's frustrating how the passwords have to be changed so often and how they have to fall within certain parameters eg. 8 charaters, has to containt this and that, etc. until another worthy solution is provided, we all need fingerprint readers instead. this will certainly help both the IT admins and employees as well.
ANON1241486907214
100%
0%
ANON1241486907214,
User Rank: Apprentice
2/21/2014 | 9:56:36 AM
Re: Couldn't happen too soon!
Can imagine what technology would make private keys safe. At least with passwords, the NSA has to spend some effort in guessing or intercepting them.  Any kind of centralized system  would immediately fall prey to government security agencies, and eventually to other players.
djameson910
100%
0%
djameson910,
User Rank: Apprentice
2/20/2014 | 3:22:42 PM
Stolen Device
So, if someone steals my device, they have access to all my stuff?  How does my device know me from an interloper?
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
2/18/2014 | 4:14:40 PM
Couldn't happen too soon!
Phil, I doubt that there's a consumer or IT person on this planet that doesn't pray for the day that passwords will be replaced with a manageable autentication process. But what are some of the hurdles that the industry has to overcome to reach that point? Is there broadbased agreement on the FIDO standards or are there competing technologies or ideas?  
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.