
Google is Pushing to Kill Passwords

Source: Wired

Google is proposing various ways to avoid the need for long and numerous passwords.

One of the big problems surrounding identity theft and account hacking is that people tend to use poor passwords (AKA easy to figure out), and/or the same password across multiple accounts. To make matters worse, the typical web surfer has logins for numerous accounts ranging from social to banking to online shopping which typically hold credit card or other sensitive information.

That said, no one really wants to use hard-to-remember passwords with letters, capitals, numbers and symbols, and they definitely don't want to keep up with more than a few. Google totally understands this, and is aiming to eliminate the password altogether by developing a makeshift ring-finger authenticator. This is expected to not only alleviate the need to remember passwords, but make accounts even more secure.

"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay state in a new research paper. It's slated to be published later this month in the engineering journal IEEE Security & Privacy Magazine.

One of the new methods Google is proposing is a tiny YubiKey cryptographic card that can automatically log users into Google when slipped into a USB port. There's no software to download on the computer side – support will be built into Chrome. To set it up, the user simply loads the Chrome browser, logs into Google, plugs in the USB stick and registers it with a single mouse click.

Google already incorporates the smartphone in its two-step authentication process. Every thirty days, a user is sent a special code that must be entered to verify the password. If you use a different browser or a different desktop/laptop/mobile device, another validation code is sent to the smartphone. In some cases, users must create application-specific passwords.

But using a YubiKey would make logging into Google much simpler. It would be even better if it used NFC technology so that users simply touch an NFC-compatible laptop or desktop. "We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," the paper adds.

To read the full report on Google's move to remove passwords, check out Wired's report here.

Top Comments
  • 22
    Anonymous , January 18, 2013 6:10 PM
    I prefer using the "Middle Finger Authenticator" method
  • 16
    pocketdrummer , January 18, 2013 6:31 PM
    What happens when you lose the USB key?
  • 11
    mousseng , January 18, 2013 4:54 PM
    "no one really wants to use hard-to-remember passwords with letters, capitals, numbers and symbols"

    Then don't. :l
Other Comments
  • 6
    Vorador2 , January 18, 2013 5:03 PM
    You can use KeePass, even using a file as password.
  • 8
    tirvon , January 18, 2013 5:05 PM
    This is a good idea, until people learn to steal the usb identities on public computers like they have been credit cards, by placing scanner devices over the magnetic strip readers on ATMs, and saving the person's card's data. Now all they have to do is copy that info. onto a flash drive, and plug it into a pc while logging into chrome and "hey look, my email got hacked....again."
  • 0
    sublime2k , January 18, 2013 5:25 PM
    Interesting concept, actually, I wouldn't mind if they actually implemented it.

    I have an "interesting" experience with 2-step verification. I used to receive SMS from Google when logging in on a new computer or device. I didn't have Authenticator for Android or backup codes. Then I changed my mobile phone number (so the old number got deactivated). I forgot to update my number in Gmail security settings which locked me out of my account for nearly a month. I contacted support 3 times to no avail. In the end, I had to reactivate my old number (luckily that was possible because it was postpaid) to get back the access to my account.

    This just made me realize how safe 2-step verification is. Now I'm using Authenticator and have backup codes stored in a safe place and even if someone gets my password (which is complicated as hell) with a keylogger or something, they won't be able to do a thing without hijacking my cell phone.
  • 2
    jarred125 , January 18, 2013 6:12 PM
    tirvon: This is a good idea, until people learn to steal the usb identities on public computers like they have been credit cards, by placing scanner devices over the magnetic strip readers on ATMs, and saving the person's card's data. Now all they have to do is copy that info. onto a flash drive, and plug it into a pc while logging into chrome and "hey look, my email got hacked....again."

    Which is why people should stop using public computers to access sensitive accounts. A little common sense goes a long way. It is a completely untrusted device and should NEVER be used for anything other than browsing junk.

    People can fix their own problems with a little effort, people too lazy to do it deserve what comes their way. I am all for this move to a device like the YubiKey becoming the standard.
  • 0
    AzureFlash , January 18, 2013 6:19 PM
    How about some OpenID spread too? That would be great.
  • -1
    assasin32 , January 18, 2013 6:36 PM
    Personally I prefer the LastPass route. Been using it since Sony got hacked (I didn't even know I had an account at the time till I got an email) but I took that opportunity to update all my passwords to at least 64 characters of random stuff when this happened. Though admittedly some websites don't allow that such as Yahoo who I think capped me at something like 24 or something low.

    This works for 90% of the websites out there as LastPass unfortunately doesn't work with all of them out there. For the rest I just save login info in LastPass and access it manually or I go the XKCD way and throw together random words like "Correct Horse Battery Staple" if I have to login to it often and without LastPass (login screen to laptops/desktops/etc).

    Having just read the Wired description of how Google plans to use a Yubico device vs how LastPass uses one, it just seems like Google's way of doing things is far less secure. It doesn't sound like it will ask you for a password if you use said device by default (or any mention of the option). Which means if you lose the device you just lost all your passwords which can now be easily used by ANYONE who finds it.
  • 2
    lebois kid , January 18, 2013 6:54 PM
    Why don't they just embed the YubiKey in your wrist, kinda like chipping a dog...that way, in addition to application authentication via NFC, they can keep track of our whereabouts via turnstiles and building entryways.
  • 1
    jhansonxi , January 18, 2013 7:05 PM
    The movie Gattaca had a solution for this: http://en.wikipedia.org/wiki/Gattaca
  • 7
    thecolorblue , January 18, 2013 7:26 PM
    lebois kid: Why don't they just embed the YubiKey in your wrist, kinda like chipping a dog...that way, in addition to application authentication via NFC, they can keep track of our whereabouts via turnstiles and building entryways.

    Phones already provide that tracking service right now... today... for everyone.

    This is nothing more than a convenient way to link all accounts (email, bank, 2nd 3rd & 4th email accounts) back to you... so that Corporations and Governments can track you better.

    So much for "don't be evil"
  • 5
    Mav-VRX , January 18, 2013 7:38 PM
    Good idea. Once everyone is on board, all thieves have to do is steal your mobile/ring, and log into your bank account and take all your money!
  • 0
    frank_drebin , January 18, 2013 7:46 PM
    latest in nerd jewelry
  • 2
    topas , January 18, 2013 9:00 PM
    The Hitch-Hiker’s Guide to the Galaxy explains the function of the Ident-I-Eze card like this:
    There are so many different ways in which you are required to provide absolute proof of your identity these days that life can easily become extremely tiresome just from that fact alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an ambiguous universe.

    Just look at cashpoint machines, for instance.

    Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant genetic analysis.

    Hence the Ident-I-Eze.

    This encodes every single piece of information about you, your body and your life into one all-purpose machine-readable card that you can carry around in your wallet, thereby representing technology’s greatest triumph to date over both itself and plain common sense.
  • -1
    Shin-san , January 18, 2013 9:45 PM
    I agree. Password requirements are starting to become to where it's easier for a machine to figure out over the original creator
  • 1
    Anonymous , January 19, 2013 12:01 AM
    I use LastPass. I remember 1 difficult password to keep 50 secure. Guess that can also be considered a risk though?
  • 3
    Anonymous , January 19, 2013 1:28 AM
    I think the best method going is the one already mentioned by Google. When you log in to your bank you put in user name and password, then you are sent a text message with a code to type in. What is more secure than this that doesn't require purchasing any additional devices? It's brilliant.
  • 1
    STravis , January 19, 2013 2:11 AM
    Passwords coupled with the 2nd factor authentication that Google currently uses is plenty - no need for some other type of method to replace the password.
  • 0
    STravis , January 19, 2013 2:12 AM
    Mav-VRX: Good idea. Once everyone is on board, all thieves have to do is steal your mobile/ring, and log into your bank account and take all your money!

    It's really not that easy for someone to empty your bank account without being traced.