The End of the Password

I spend time playing an online game, and today it announced that it is replacing its already tight security with something much better.

The existing method works by sending a text message to the phone you’ve registered any time you try to play the game from a computer or browser that is not already registered.

I think most of us know how problematic passwords are: having bunches of them and then having to keep every one of them secure.

What Runescape didn’t mention is that its new Authenticator is Google Authenticator. Roughly speaking, it turns your cellphone into the equivalent of the old RSA SecurID tokens that used to guard highly sensitive accounts with strong privileges you don’t want in the wrong hands.

Every 30 seconds, the app on your phone generates a new 6-digit code. The code is not random: it is computed from a shared secret that the app received when you enrolled the account, plus the current time, so the server (which holds the same secret) can compute the same code and check it. Once enabled, in addition to user ID and password, you have to enter the current 6-digit code.

A Google engineer was among those who found the Heartbleed bug, and with OpenSSL mired in a lack of resources and a weak codebase, Google has taken the initiative to fork OpenSSL into its own version (BoringSSL) for its own products. Google has the brains and resources to make things happen.

Expect pressure from Google soon to lock down your Google accounts using the same technology. Passwords or cookie tokens alone aren’t good enough.

NPR broke another huge story. Hackers can set up a rogue hotspot that pretends to be an AT&T or Comcast “free” Wi-Fi network, and your iPhone will blindly join it, allowing the fake hotspot to sit in the middle of your traffic and snoop on everything you do. Anything you send over plain HTTP on such a connection is readable and modifiable by whoever runs the hotspot; only properly verified TLS connections hold up.


25 Responses to The End of the Password

  1. popsmayhem says:

    The thing I do not like is giving Google phone numbers. I just do not trust Google that much; they have 1984 Orwellian powers, and their ‘do no harm’ policy does not keep me at ease.
    Leo Laporte, who used to be on Tech TV before it was G4, now does his shows online.
    Steve Gibson was just talking about OpenSSL, and while I won’t pretend to understand it all, he is good at explaining it.

    • Art Stone says:

      Leo is an interesting guy. I watch his iPad today show on a regular basis. He’s still doing his weekend radio show, but I don’t expect that to last much longer.

    • Art Stone says:

      Steve Gibson (who I remember running Shields Up in the 1990s) mentioned that Time Magazine’s cover says to Eat Butter to avoid heart disease. The truth has gone mainstream.

    • Art Stone says:

      I watched almost all of it. One thing Leo needs to start considering is that the time of his viewers is important. If anyone is going to visit this to hear about authenticated encryption, skip the first hour and 10 minutes where Leo is talking about his fear of roller coasters and his visit to Knott’s Berry Farm.

      I understood most of what Steve Gibson was saying. I’m not a cryptography expert, but maybe I could have wound up there if I hadn’t been an accounting major instead 🙂

      I remember him from way back and never have seen him other than his online text. I am a bit like him, except I don’t program Windows programs in Assembler – that’s just plain nuts!

      Two takeaways from his discussion of authenticated encryption

      1) Process is not a substitute for competence

      I’m a big process guy – the thing with the Heartbleed flaw is not to focus on the programmer who made the error and one person who reviewed his change before it was rolled out into massive distribution with no further review. An effective process can catch mistakes, but it can’t turn a programmer who makes mistakes into one who doesn’t. The root cause of the problem is that the “Open Source” movement relies on the kindness of strangers. It’s hard to organize volunteers, and even harder to get them to do work they don’t want to do. I think Google et al have got the message that “free” has a price. A very big price.

      2) Perfect is the enemy of the good

      Steve Gibson gives a half-hour monologue about what authenticated encryption is and why it is important. He goes into painful detail about how the cryptographic community works tirelessly to create the perfect unbreakable encryption that can’t even be fooled by a man-in-the-middle attack. With governments putting taps into fiber optic cables to gather data, at some level that may be necessary, but it has become its own cottage industry with meetings, conventions, competitions, forums, all for the purpose of designing the “perfect” unbreakable encryption. While that was going on, one programmer on New Year’s Eve created the biggest security hole in the history of civilization, and not only did it reach the world, it was not detected by anyone for 2 years (or not reported).

      • popsmayhem says:

        You know, when it gets that technical, I just sit and listen in awe. I am nowhere near computer illiterate, but with the vast amount of information and the always changing atmosphere, I get lost in all of it. Leo used to always be selling an anti-virus program, and I usually used what he suggested. I started watching the Security Now program about 2 years or so ago, and found out anti-virus does not protect you from getting a virus… It is not even good at getting rid of smart viruses that hide in separate parts of your computer. You have to wipe the drive; the only way to know it is really gone is a total reformat.

        In more technical shows, I agree with you Art, the “life” talk Leo does is too much.

      • CC1s121LrBGT says:

        I have had the same trouble each time I have tried listening to his radio show. He is more knowledgeable and attracts a more technical audience than Kim Komando and her fluff, but Kim is much more entertaining and better background noise to my weekend activities.

        CNET, now part of CBS, has some decent podcasts. I generally don’t listen to them, as I am mainly a streaming type of person rather than a podcast type of person, but those I have listened to have been quite worthwhile:

        • popsmayhem says:

          Not to mention the month of December, when Kim gives away very expensive electronics to the people who get on the show!!! I listen to Kim all December and try to get in… it is very difficult, but maybe one day…

  2. Art Stone says:

    Google is using an ISO standard. The underlying principle is your phone is given an 80 bit shared key that Google generated and your phone knows. The key is not transmitted over the Internet. A QR image is displayed on your desktop screen and the app grabs the shared key visually. To steal the shared key, you would have to be watching the same screen at the one time during the key exchange.

    Google is at least making a show that they won’t tolerate NSA snooping. Given their history, call me skeptical, but disclosing the Heartbleed hole might suggest they are serious. Snooping on us is Google’s job, after all, not the government’s job.

  3. Nidster says:

    Is this a correct reading? In addition to userid and password, you would need to enter the current 6 digit Code sent to your cellphone every 30 seconds?

    Would a retinal scan in addition to a typical userid and password work better as an authenticator?

    • Art Stone says:

      You have confused iris scan with retina scan. Assuming you have a front facing camera, try to take a picture of your eye and you’ll see the problem. Samsung was hoping to do that and gave up last year. Iris scanners are special purpose devices with a very short focal length

      Of course, new iPhones come with fingerprint readers.

      Google’s solution is platform agnostic which is the value it adds, and “free”. To break into my “valuable” runescape account, you would have to know my user name, the email account I used, the answers to my secret questions, and physical control of my cell phone with the keyboard unlocked.

      A secondary reason that would not apply to other situations is that it is against the rules for people to share an account. Sometimes children hand out their password to a “friend” only to have that friend steal all their virtual “stuff”.

      It is initially voluntary. The default is to require entering the 6-digit number every time you log in. You can relax it so it won’t force that for 30 days on a device/browser you identify as secure (i.e. you don’t have a little brother who knows your password and thinks it would be funny to give away all the stuff you worked for 5 years to “earn”).

      • CC1s121LrBGT says:

        Those iris and retina scanners work for now. So do the fingerprint scanners…. for now.

        Wait until I break into their scan database, and send the files to my 3D printer. Then hold the eyeball and finger up to the detector. It is as good as knowing your mother’s maiden name AND your favorite teacher!

        Now this is a technology that will be unbeatable, even with my 3D printer, courtesy of the billion dollar genome project:

      • Nidster says:

        This is getting to the point where it’s getting a bit scary to have online accounts where lots of personal, financial and/or medical info is stored. I knew things were going to go badly when al-Obama wanted every person’s medical records digitized, although he promised, and swore to his ‘god’, that everything would be OK and we just need to trust him. Isn’t that just like what the snake said to the woman under that tree in the garden? Her husband was duped too.

        • Art Stone says:

          Were Adam & Eve married?

          • CC1s121LrBGT says:

            What about Steve?

            • Nidster says:

              The accounts we have from the ancient literature claim the 1st humans were created by the gods, Elohim, plural in the 1st chapter of Genesis. Then in the 2nd chapter the 1st human was created by God, singular and then the woman was formed from the flesh and bone of the man. In the 3rd chapter it is written, “And Adam called his wife’s name Eve.” So, I guess they were husband and wife.

              The Sumerian account is similar to some of the Genesis accounts, with the difference being that some of the flesh of the gods was combined with an existing creature; it seems it was a splice job.

              There is the account from the book of Enoch whereby the gods descended to Earth, took human wives, and their offspring were called Nephilim.

              Genetics indicate all of humanity can trace their lineage to a single, common mother. Of course that does not mean there are no other creatures or entities in the universe. I’ve always been curious about the lineage of the Banksters. Seems they trace their lineage to a very ancient race of creatures, whether they were humans or not is up for debate, but that is my own speculation.

            • CC1s121LrBGT says:

              It is kind of interesting that science in the last decade or so has shown that identical twins do not have identical genes… and in fact over time, their RNA differs more and more as their environments differ.

              There seems to be genetic material transfer between humans and nonhumans on this level- mainly germs but perhaps including food ingested, etc.

              Disclaimer – As I had posted earlier, I am not a medical doctor and I don’t even play one on SRG.

        • CC1s121LrBGT says:

          Think Thomas Eagleton.

        • lasong says:

          In the age of Gov’t snooping, passwords are just a sense of false security. The FBI or anyone with the know-how can get into your Facebook, email, banking. Everything we do online is collected forever, unless you work for the IRS and things somehow just happened to get lost.

  4. CC1s121LrBGT says:

    Serious response:

    “The existing method works by sending a text message to the phone you’ve registered any time that you try to play the game using a computer or browser that is not already registered.”

    Two of the financial institutions I have been using have been doing this for years. The problem is that they use cookies, and I clear mine, so each time I try to log in they make me go through this routine. It is worse than that, actually: they seem to believe that I only have one computer/browser and that it is the most recent one I used. If I switch back to the previous one, it is “new” again. Very annoying.

  5. CC1s121LrBGT says:

    Margaret McGloin’s husband died?
