Security & privacy

Passwords: If we’re so smart, why are we still using them?

Cormac Herley, Paul van Oorschot and I recently led a panel discussion session at the Financial Cryptography and Data Security conference. The topic was passwords, which everyone agrees are problematic forms of authentication, but nobody seems to be doing much about it. We wrote up a summary of the issues and discussion at the conference and the paper is now available. Here is the Abstract:

While a lot has changed in Internet security in the last 10 years, a lot has stayed the same — such as the use of alphanumeric passwords. Passwords remain the dominant means of authentication on the Internet, even in the face of significant problems related to password forgetting and theft. In fact, despite large numbers of proposed alternatives, we must remember more passwords than ever before. Why is this? Will alphanumeric passwords still be ubiquitous in 2019, or will adoption of alternative proposals be commonplace? What must happen in order to move beyond passwords? This note pursues these questions, following a panel discussion at Financial Cryptography and Data Security 2009.

Citation: C. Herley, P.C. van Oorschot, A.S. Patrick. Passwords: If We’re So Smart, Why Are We Still Using Them? Financial Cryptography and Data Security (FC 2009), 13th International Conference, Rockley, Christ Church, Barbados, Feb. 2009 (post-proceedings to appear, Springer LNCS).

Consumers know that passwords are unsafe

Here is a report from Australia of an opinion survey about using passwords for authentication. Just over 200 people were surveyed, and about half of them felt that their password could be guessed. Moreover, the personal information that is often used to confirm an identity (such as the infamous “mother’s maiden name” question) was felt to be unsafe by 67% of the participants. Perhaps of most interest, 75% of the people said they would be prepared to deal with more complex authentication procedures if it increased security.

Consumers Lack Faith In the Security of Passwords

Australian consumers are becoming increasingly concerned about issues of security and the methods organisations use to verify their identity, according to a new study by Sydney-based research company, callcentres.net.

The 2009 Salmat VeCommerce Identity Verification Study highlights consumers’ fears that traditional PINs and passwords do not provide adequate protection of their personal information, with 67 per cent of consumers reporting that they believe their security details are at risk.

Just over half (51 per cent) felt that someone else may be able to accurately guess their password, PIN or security details for interactions over the phone, while 59 per cent said they believe someone else may actually know these details.

Limitations of iris biometric systems

This article from researchers at the University of Notre Dame discusses some of the limitations of iris biometric systems. Pupil dilation, for example, is found to affect the accuracy of iris recognition, especially if the amount of dilation differs between enrollment and verification. Wearing contact lenses, especially cosmetic lenses designed to change the color and appearance of the eye, can also decrease recognition rates. The researchers also find that the false rejection rate increases over the four-year time span they tested.

This is important because iris-based systems are often considered the most accurate and stable forms of biometric identification. Clearly, more research into the limitations is needed.

Toward the next generation of iris biometrics science

Many factors complicate the use of iris biometrics, such as differences in pupil dilation, the presence of contact lenses, and the eye’s natural aging.

Forensic science methods and systems seriously flawed

There is a new report out of the National Academies in the US on forensic science methods, including identification technologies based on fingerprints, DNA, etc.

The report suggests, not for the first time, that many of the methods used in forensic science have never undergone rigorous scientific testing, and that standards for methodology and accuracy are lacking.

Due to the heavy use of forensic identification in the legal system, there seems to be a serious reluctance to do any kind of research on the accuracy of the methods and results. We should be doing the opposite and making sure that these methods are thoroughly questioned and tested. This report calls for a new National Institute for Forensic Science to do that testing.

‘Badly Fragmented’ Forensic Science System Needs Overhaul; Evidence to Support Reliability of Many Techniques is Lacking

A congressionally mandated report from the National Research Council finds serious deficiencies in the nation’s forensic science system and calls for major reforms and new research. Rigorous and mandatory certification programs for forensic scientists are currently lacking, the report says, as are strong standards and protocols for analyzing and reporting on evidence. And there is a dearth of peer-reviewed, published studies establishing the scientific bases and reliability of many forensic methods. Moreover, many forensic science labs are underfunded, understaffed, and have no effective oversight.

Forensic evidence is often offered in criminal prosecutions and civil litigation to support conclusions about individualization — in other words, to “match” a piece of evidence to a particular person, weapon, or other source. But with the exception of nuclear DNA analysis, the report says, no forensic method has been rigorously shown able to consistently, and with a high degree of certainty, demonstrate a connection between evidence and a specific individual or source. Non-DNA forensic disciplines have important roles, but many need substantial research to validate basic premises and techniques, assess limitations, and discern the sources and magnitude of error, said the committee that wrote the report. Even methods that are too imprecise to identify a specific individual can provide valuable information and help narrow the range of possible suspects or sources.

Two-factor authentication using an iPhone: Killer security app?

When thinking about replacing or strengthening traditional passwords, one alternative is to add a hardware device that proves the user is in possession of a token. RSA has done this for years with their SecurID product, but people with multiple accounts have to carry multiple SecurID tokens. Now VeriSign has come out with an iPhone application that does the same thing, and it already supports three different account types. Is this the solution to adding “something you have” to the authentication process, without requiring that people “have” too many things? Will the application be secure, or just another attack vector for the bad guys?

What’s the Password? Only Your iPhone Knows

As of Tuesday, you can now download an iPhone application that will generate a password for your AOL, eBay and PayPal accounts. It’s optional and free to consumers, but if you sign up, no one can get in your account without your user ID, your password and the six-digit number generated by your phone.

Turing’s code breaking machine reproduced

Do you know who Alan Turing is? Mathematician, cryptanalyst, and perhaps the father of modern computing. His work is widely considered to be responsible for shortening WWII by at least two years.

His code breaking machines, long before the days of modern computers, allowed the Allies to decrypt and analyze German communications, even though the Germans were using the “unbreakable” Enigma machines. It is easy to forget just how impressive and important this work was.

In this story, one of the code breaking machines, a 6-foot tall electrical and mechanical “computer”, has been reproduced. I think this is a fitting tribute.

Code breaking machine that shortened the Second World War by two years

The rows of silver dials and tangle of scarlet wires look more like a telephone exchange.

But this is the inside of the Turing Bombe, the part-electronic, part-mechanical code-breaking machine and forerunner of the modern computer, which cracked 3,000 messages a day sent on Nazi Enigma machines during the Second World War.

There were 210 such bookcase-like Bombes that gave Britain advance warning of Hitler’s plans and shortened the conflict by two years.

Credit card fraud in Washington restaurants

Restaurants are often the source of stolen credit card information. The waiter takes your card when you pay and swipes it twice: once in the legitimate machine and once in a surprisingly small skimming machine that can be carried in a pocket. The waiter can make good money for each card that they swipe, and the result is that bad guys gather all the card information and make fake cards. It is good to see some of these people getting caught, but I think it is far more common than this one case represents.

Washington D.C. Restaurants Become Credit Card Cloning Hot Spots

With unobserved access to diners’ credit cards, restaurant wait staff have long been the source of a steady stream of stolen magstripe data. It takes only a second to swipe a customer’s card through a tiny skimming device purchasable over the internet, which is easily concealed in a pocket or apron.

The safest place to store your data?

Here is an article on data storage that quotes Anil Somayaji from Carleton University. As he says, the answer to the question depends on what you are protecting against. In the case of protecting confidentiality, the article fails to mention the importance of encryption.

I am becoming a big fan of encrypted containers on laptop hard drives and USB keys. This gives me confidentiality and integrity for my important files. If you have not tried this, check out TrueCrypt.

The safest place to store your data

Given the conflicting information, what is the safest place to store your data?

“It all depends on what you define as safe,” says Anil Somayaji, an associate professor at Carleton University who specializes in computer security.

Typically, people consider three things, he says:

1. Confidentiality: Making sure your private information stays private.
2. Integrity: Making sure your data isn’t damaged.
3. Availability: Making sure your data isn’t lost.

In a related article, FEMA is moving to protect data on its laptops.

Thanks to flyinghamster for the tweets.

Stranger danger: Approaching strangers versus having them approach you

Schneier makes an obvious and valuable point: when assessing risk there is a big difference between a stranger approaching you and you approaching the stranger. In the first case you don’t know their motivations, while in the second you do know your motivations and, chances are, the stranger will not be dangerous.

I was thinking about this over the weekend when I happened upon a child wandering in a large hotel complex in San Diego. The small girl had that all-too-recognizable look of increasing panic on her face — it was clear that she was lost. As I approached her to ask if I could help, I could not help thinking about what this would look like to her and to anybody else nearby.

As it turned out, she was waiting for someone and was not sure she had the right meeting place. Within a minute or two her face changed dramatically as she saw the person she was waiting for, and off she ran with obvious relief. I wonder what the conversation was like when she got in the car with her adult caregivers.

Schneier on Security: The Kindness of Strangers

When I was growing up, children were commonly taught: “don’t talk to strangers.” Strangers might be bad, we were told, so it’s prudent to steer clear of them.

And yet most people are honest, kind, and generous, especially when someone asks them for help. If a small child is in trouble, the smartest thing he can do is find a nice-looking stranger and talk to him.

Program changes at the NRC (ouch!)

The NRC has decided to make some program changes, and that includes canceling my program on Information Security, a program on Software Engineering, and a third one on Acoustics. They are also making significant changes to the science and technical library (CISTI).

So, this means that some of Canada’s top experts in these fields are now looking for new positions.

In the Information Security area, we have 8 people who are experts in conducting R&D in a variety of areas, including:

  • agent technologies
  • biometrics
  • cryptographic key management
  • data mining
  • human-computer interaction
  • privacy protection and compliance
  • risk analysis and visualization
  • secure software
  • security protocols
  • security systems
  • social networks and work flow analysis
  • trust management
  • usable security
  • web crawling
  • web services and e-services

If you know of anyone interested in advanced R&D in these areas, please let me know.