Hitoshi Kokumai


Cyber Predicament by Text-Only Password Systems

Abstract

It is obvious that we can no longer continue to rely on the conventional form of password systems. Nor can the conventional forms of deploying biometrics, ID-federations and multi-factor authentications that have relied on the conventional password, as a fallback means, a master-password and one of the factors respectively. However, we do not have to despair. There exists an incredibly simple solution to it, though little known to the public as yet. 

The global password predicament will melt away when people are offered a broader password choice.

Password Predicament

You are probably aware of the huge data breach that a student brought about in Germany. A NYT report on 8/Jan (*1) reads "A 20-year-old German student took advantage of passwords as weak as “Iloveyou” and “1234” to hack into online accounts of hundreds of lawmakers and personalities whose political stances he disliked, officials revealed Tuesday, shaking Berlin’s political establishment and raising questions about data security in Europe’s leading economy."

If attacking targets protected by passwords such as "Iloveyou" and "1234" is like taking candy from a baby for a student, it must be like taking candy from a sleeping baby for organized criminals. What happened in Germany could no doubt have happened anywhere else.

Half-baked Propositions

We now anticipate that a number of security professionals will be yet more ardently urging people to

1. throw away easy-to-remember passwords while neither writing down the passwords on a memo nor re-using the same passwords across many accounts, in other words, do what humans are unable to do.

2. take up biometrics instead of passwords, probably without mentioning that the biometrics has to be deployed together with a password in a security-ruining 'multi-entrance' method (*2).

3. adopt a password-manager, probably without mentioning that it comes with a risk of creating a single point of failure like putting all the eggs in a single basket and that a high-entropy password is indispensable as the master-password.

4. consider a multi-factor authentication, probably without mentioning that the password would be the last resort when something-to-possess is broken, left behind, lost, copied and stolen.

5. eliminate the use of passwords altogether, probably without mentioning that we would be thrown into a 1984-like dystopia when identity authentication happens without our knowledge or against our will.

And, tech/biz media will be busy with yet more loudly spreading all those wrong or inaccurate perceptions and suggestions.

However, the real picture is actually so plain and clear; the current password predicament is caused by the conventional password systems that do not allow people to use anything but numbers/characters.

Expansion of Password System

There exists an incredibly simple solution to it. The existence of this solution is little known to the public as yet, though, largely because it does not offer big incentives to the people who have been advocating, endorsing and promoting the above (1) to (5) propositions.

It is called ‘Expanded Password System’, and an OASIS project is under way to standardize it, in view of desirable features such as the following.

- It is not only stress-free for users but fun to use, as opposed to the dread and overhead that come today with creating, memorizing and storing passwords

- It turns a low-entropy password into high-entropy authentication data

- It eases the burden of managing the relationship between accounts and passwords

- It deters phishing attacks

- It can be deployed under any type of circumstance, including combat

- It supports existing schemes, such as:

    - Biometrics which require passwords as a fallback means

    - Two/multi-factor authentications that require passwords as one of the factors

    - ID Federations such as password managers and single-sign-on services that require passwords as the master-password

    - Simple pictorial/emoji-passwords and patterns-on-grid, which can be deployed on this platform.

- It is relevant whenever text passwords and pin numbers are in use

- And, nothing would be lost for people who want to keep using text passwords

- Last but not least, it continues to rely on free will.

The proposition of Expanded Password System is in the ‘Draft Proposal’ stage at OASIS OpenProjects (*3). Should you be concerned about the current status of identity assurance, you might be interested to keep an eye on it and help us where possible.


Footnote

*1 German Man Confesses to Hacking Politicians’ Data, Officials Say

https://www.nytimes.com/2019/01/08/world/europe/germany-hacking-arrest.html

*2 Horrific Distinction between ‘Multi-Layer’ and ‘Multi-Entrance’ Deployments

https://www.linkedin.com/pulse/horrific-distinction-between-multi-layer-deployments-hitoshi-kokumai

*3 Draft Charter

https://docs.google.com/document/d/1lHFWGMmFHN4xwm9q6ajQ1vZtFFaKNNgHJKHMnvcNS0s/edit#

(Image: Expanded Password System deployed on a mobile phone)
