Google wants Password123 in Museum of Bad Headaches

Jan 19, 2013 by Nancy Owano

(Phys.org)—Should typed passwords ever make their way into the Memory Bin, no tears will be shed in certain quarters at Google. The search giant is taking a serious look at a computing future where users have a safer environment that can secure their online information and accounts via physical passwords, perhaps in the form of finger rings or USB sticks or keys. Google's Vice President of Security Eric Grosse and engineer Mayank Upadhyay have presented their suggestions for better hardware authentication in an upcoming research paper to be published in Security & Privacy magazine.

Google has been investigating alternatives to typed passwords, including a Yubico log-on device slid into a USB reader, as part of its quest to strengthen password security. Google's eyes are on future login techniques that will be primarily device-centric. Wired, in a sneak peek at the research paper set for publication, reported that the paper explores several physical device options, aiming for a login process that is easy to accommodate but also sufficiently secure.

Google's suggestions include a ring worn on the finger and the YubiKey device from Yubico. In the YubiKey scenario, the key would be programmed so that it can automatically log a user into that user's Google account. (Yubico was founded in 2007 with a prototype of its YubiKey for securing online identities. The devices are manufactured in Sweden and the U.S.)

"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," Grosse and Upadhyay wrote in their paper, according to Wired.

Their project focus is none too soon, as, beyond Google and within the general Internet community, hacker fever has turned into password-reset fatigue. Users have complained over wiped out mail accounts and stolen data from their hacked accounts. Security experts have argued that no passwords are really secure enough, and even CAPTCHA schemes to prove the user is human have been found lacking in keeping users safe.

Media attention to the password impasse grew widespread in November, when Wired senior writer Mat Honan wrote, "This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it's considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I'd ever taken of my 18-month-old daughter."

Google's Grosse does not see the utter obliteration of the password but instead a situation where users can be freed from the need to implement and re-enter complex passwords. "We'll have to have some form of screen unlock, maybe passwords but maybe something else," he said. Nonetheless, he added, the primary authenticator will be some piece of hardware.

Grosse and Upadhyay acknowledged that others have tried similar approaches without much success in the consumer world, but the two authors of the paper are not deterred. Success may come with wider cooperation outside Google. "Although we recognize that our initiative will likewise remain speculative until we've proven large scale acceptance, we're eager to test it with other websites."

According to Wired, Google has created a universal protocol for device-based authentication that works independently of Google's own services; only a web browser that supports the standard is needed.


User comments : 20

Doug_Huffman
1.9 / 5 (9) Jan 19, 2013
Unfortunately G00gle's previous dishonest actions make any project suspect for G00gle's involvement alone. It's about like M$, or deFacedbook or Tweeter promising to protect privacy, said the spider to the fly.
SDrapak
3.5 / 5 (8) Jan 19, 2013
Unfortunately G00gle's previous dishonest actions make any project suspect for G00gle's involvement alone. It's about like M$, or deFacedbook or Tweeter promising to protect privacy, said the spider to the fly.


Ok, anyone out there willing to comment that doesn't have the intellect of a 5 year old? And can write in legible English?
SDrapak
5 / 5 (5) Jan 19, 2013
It would be far superior to have a login method that can't be misplaced or intentionally stolen. But anything that helps people stem the damage being done is welcome.
kochevnik
1 / 5 (2) Jan 19, 2013
What's wrong with fingerprint readers? The swipe types are adequate for use in public along with disc encryption. Since they are USB devices they can be added onto legacy computers
axemaster
5 / 5 (4) Jan 19, 2013
What's wrong with fingerprint readers? The swipe types are adequate for use in public along with disc encryption. Since they are USB devices they can be added onto legacy computers

No offense, but in my experience cheap fingerprint readers work very poorly, if at all.
gaa
5 / 5 (3) Jan 19, 2013
And what happens if you lose this security device or it is stolen? What security system will be used to get a replacement?
evropej
3 / 5 (3) Jan 19, 2013
This is hilarious. The giant who steals personal information while you surf the web and then sells it wants to make it more secure for you to log into the web. This is an attempt to better keep track of people rather than IPs or PCs which go on the internet. It's a way of filtering the identity even further in a household or domain. If thieves post an article on how to better home security, an eyebrow must be lifted. Pure comedy.
anono_mouser
5 / 5 (1) Jan 19, 2013
I have a really hard time believing someone that doesn't know enough to back up their "entire digital life" when they say they used secure passwords. And he's a Wired senior editor? Smeesh!

Google already has two-factor authentication, which is plenty secure. If they want to make it better, however, how about an app so that when my token comes back on my smartphone it automatically sends it (via Bluetooth maybe) to a device that enters it so I don't have to do it manually.
decourl
4 / 5 (1) Jan 19, 2013
Passwords can be reasonably secure if chosen properly, not transmitted insecurely, if the account locks out after N invalid attempts, and if the file of hashed passwords doesn't leak.

Adding some sort of physical device to the equation isn't a bad idea, but those devices have their own sets of vulnerabilities. People can't take your password while you sleep, or take them from you while you're going through customs.

I think that with various one-time password keyfobs, biometric scans and whatnot, the solution to the problem is already known and has been known for some time.

But something like a ring or a USB stick replacing passwords outright? You can probably harden it against skimming, replay attacks, etc. using some decent cryptography, but I think you still need a password component. "Something you know" (a password) plus "something you have" (e.g. a keyfob)... not one or the other.
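The combination decourl describes, a password ("something you know") checked against a salted hashed credential store, a device-held secret ("something you have") that signs a fresh per-login challenge so a captured response cannot be replayed, and a lockout after N invalid attempts, as an added Python example. This is not code from the article, the comments, Google or Yubico; the user record, the shared device secret, the work factor and the lockout threshold are all constructed for the demo, and the device uses a symmetric HMAC key for brevity where a real token would hold a private key.

```python
"""Added example: toy two-factor login (password + challenge-signing device)
with N-attempt lockout. All names, secrets and constants are constructed."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor (constructed value for the demo)
MAX_FAILURES = 5       # lock the account after this many bad attempts


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a leaked credential file is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Device:
    """Stands in for a ring or USB key. It holds a secret the server also
    knows (symmetric for brevity) and signs whatever challenge it is given."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class AuthServer:
    def __init__(self):
        self.users = {}     # username -> record
        self.pending = {}   # username -> outstanding challenge nonce

    def register(self, username: str, password: str, device_secret: bytes):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "device_secret": device_secret,
            "failures": 0,
        }

    def challenge(self, username: str) -> bytes:
        # Fresh random nonce per attempt; an old signed response never matches.
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        return nonce

    def login(self, username: str, password: str, device_response: bytes) -> str:
        user = self.users.get(username)
        if user is None:
            return "no such user"
        if user["failures"] >= MAX_FAILURES:
            return "locked"                      # even correct factors are refused
        nonce = self.pending.pop(username, None)  # single use: consumed here
        if nonce is None:
            return "no challenge issued"
        expected = hmac.new(user["device_secret"], nonce, hashlib.sha256).digest()
        pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
        dev_ok = hmac.compare_digest(expected, device_response)
        if pw_ok and dev_ok:                     # both factors required
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        return "denied"


def demo() -> list:
    """Walk through the cases decourl raises and return the outcomes."""
    secret = secrets.token_bytes(32)
    device = Device(secret)
    server = AuthServer()
    server.register("alice", "correct horse battery", secret)
    results = []
    # 1. legitimate login: right password, device signs the current challenge
    nonce = server.challenge("alice")
    captured = device.respond(nonce)           # pretend an eavesdropper kept this
    results.append(server.login("alice", "correct horse battery", captured))
    # 2. password known but device absent
    server.challenge("alice")
    results.append(server.login("alice", "correct horse battery", b"\x00" * 32))
    # 3. replay of the captured response against a fresh challenge
    server.challenge("alice")
    results.append(server.login("alice", "correct horse battery", captured))
    # 4. device present but password wrong
    nonce = server.challenge("alice")
    results.append(server.login("alice", "hunter2", device.respond(nonce)))
    # 5. keep guessing the password until the lockout engages
    while True:
        nonce = server.challenge("alice")
        outcome = server.login("alice", "guess", device.respond(nonce))
        results.append(outcome)
        if outcome == "locked":
            return results


if __name__ == "__main__":
    print(demo())
```

The order of checks in `login` matters: the lockout is tested before the challenge is consumed, so a locked account cannot be probed for whether a challenge is outstanding, and both factor comparisons are always computed so that timing does not reveal which one failed.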
wilf_tarquin
5 / 5 (1) Jan 19, 2013
Always ask "who benefits". Why does google care about passwords and authentication?
Because faked or stolen online personas dilute their information harvesting. Google of course don't care about the safety of your pr0n collection, but their business model hinges on being able to target you with the right type of adsense ads.

And they can't do that if they don't know who you really are.
soo
not rated yet Jan 19, 2013
People may decide to implant chips. I think some electronic device (like a chip or a scan-able ID) should be combined with a fingerprint, or palm swipe, now that screens "see". You might even use a toe print if you are really paranoid.

and then a very personal question that you yourself set up.

I can imagine laying a scan-able id on a fingernail and covering it with nail polish. It could be quite invisible, really. Could be a matter of that plus the correct print (not one the police have on record.)
dav_daddy
2.3 / 5 (3) Jan 19, 2013
Always ask "who benefits". Why does google care about passwords and authentication?
Because faked or stolen online personas dilute their information harvesting. Google of course don't care about the safety of your pr0n collection, but their business model hinges on being able to target you with the right type of adsense ads.

And they can't do that if they don't know who you really are.


I don't understand all of the hostility toward Google for earning money? They offer many, many products and services at no cost. In exchange they send you ads based on what they think you may be interested in.

In my mind that is a fair exchange, heck when I'm looking to purchase a product or service I'll do a Google search specifically for the adwords results. It saves me time from having weed through links to products that are out of stock or unavailable.

If it really bothers you don't use gmail, google drive, docs, search, android OS, or youtube.
ringoes_man
not rated yet Jan 20, 2013
Don't these sites lock you out after 3 failed attempts? How do hackers get around that?
Virsante
not rated yet Jan 20, 2013
It fascinates me how people don't care that anyone can get their personal information. People actually believe that the reason that google wants your information is for ads? Wake up people! Information is potential power and in the wrong hands and for the wrong reasons, you are selling your soul to the devil, so to speak. Too bad that YOU only see what is sold to the consumer and not the companies' real objectives. But who cares about your future since you can get this nifty shiny object right now. So as a result let's BEG these companies to collect our information so that we can play with our toys right now. Sad, sad, day!
frajo
not rated yet Jan 20, 2013
I can imagine laying a scan-able id on a fingernail and covering it with nail polish. It could be quite invisible, really. Could be a matter of that plus the correct print (not one the police have on record.)
They grow, you know.
See http://en.wikiped...9#Growth .
alfie_null
not rated yet Jan 20, 2013
Where I work, we've been fiddling around with two-factor single sign-on for more than a decade. And yet we still have at least three different multi-purpose authentications (two of which can be set to use only passwords). In an illusory attempt to increase security, the passwords have to be changed at frequent intervals and have password content requirements that effectively make them impossible to memorize.

It's not easy to make all authenticators work with a single solution. Maybe with Google's weight behind it, a solution can be pushed into widespread acceptance.

Regarding suspicions about Google's motivation: if people feel that they can rely on Internet based services (i.e. little risk of being hacked), they will use the Internet more. The more people use the Internet, the more opportunity Google has to generate a profit off Internet use. Nothing nefarious. Win-win as far as I can see.
alfie_null
not rated yet Jan 20, 2013
Passwords can be reasonably secure if chosen properly, not transmitted insecurely, if the account locks out after N invalid attempts, and if the file of hashed passwords doesn't leak.

Physical access.

Covert channels.

Trojan horses.

Social engineering.

etc.

To be fair, two-factor wouldn't be proof against some of these either. But the point is that if the break-in process is made sufficiently difficult, would-be perps will go somewhere else.
packrat
1 / 5 (1) Jan 20, 2013
I'll stick with the long oddball passwords. I stopped using software that required dongles years ago and I do not want to go back to that at all.
ValeriaT
1 / 5 (1) Jan 20, 2013
Some time ago Google asked me for my phone number, which "would allow my password restoration" in a "safe way". The only problem is, if I didn't give Google my real phone number, I would lose access to my account altogether, because Google validates this number immediately through SMS (a fake number cannot be used here). I have a blog with the Blogger service (which was bought by Google some time ago) - so I was forced to give Google my personal contact in order not to lose my blog account - although I'm pretty sure I can never forget my password.

The problem apparently is, Google is using the care for user security as an apparent evasion for collecting personal information about users of its services and for deeper integration of Big Brother technologies into its web services (selling of personalized ads in the future) - and it does it in a very systematic and elaborate way.
vidyunmaya
2 / 5 (2) Jan 21, 2013
Google plus is messing up with Google mail. How do you establish Trust?
Any fair use must be implemented in practice.