View Full Version : Your password security



rommel543
2010-Mar-31, 04:10 PM
So I was reading a very interesting article on lifehacker.com regarding the strength of passwords people use. Because of it I'm changing passwords on my accounts.



Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.


http://lifehacker.com/5505400/how-id-hack-your-weak-passwords

Fazor
2010-Mar-31, 04:36 PM
Definitely. Despite knowing the importance of a "complex" password, I'd been using my same simple one I've had for, oh, probably 20 years. About a month ago I had problems with my two hotmail accounts sending out spam. At first I thought it was a virus, as that's one thing those tend to do. Multiple scans didn't find any infections though, and I noticed they'd send at times when I wasn't even on a computer. Additionally, Tara also uses hotmail from the same machine and it wasn't sending spam under her accounts. I've updated my passwords to "stronger" passwords, and it's been fine since (at least, as far as I can tell).

I've since updated the rest of my passwords. It's annoying because the old password was easier to type; all the letters just happened to be on the left-hand side of the keyboard, and after 20 years of use, it took little more than a hand spasm to type the whole thing. Alas, security outweighs convenience.

rommel543
2010-Mar-31, 04:39 PM
The one thing I am glad about though is the password on my wireless router is 13 characters. It doesn't have symbols but it has numbers so I don't have to worry about people hacking into my wireless in the next couple thousand years.

Moose
2010-Mar-31, 04:58 PM
Those passwords aren't stronger. They're weaker. Often much weaker. It's counter-intuitive, but here's why.

1) There's an assumption that the special character or digit will be random and added into a random place in the password. They aren't. (Don't actually answer this.) Self-honesty check: Is your capital letter the first letter of your password? Is your digit a 1 and at the end of the password? Is your special character replacing an S for a $ or replacing an i with a ! or an a with an @?

2) If you have a fully randomized password that you have to change every three months and can't repeat any of your past ten passwords (etc), then here's another self-honesty check (again, don't actually post an answer to this.) Is your password written on a yellow post-it you've cleverly hidden under your mouse pad or under your keyboard? Is it posted openly on your monitor?

Because black-hats know this about you too, along with dozens of other psychological weaknesses about how people come up with bad passwords.

You're far better off making a memorable 3-5 (non-trivial, meaning nouns, adjectives, and verbs) word pass-phrase drawn from the English language. It's mathematically more secure, even if you tell the black-hat exactly how you created the password, and you're less likely to have to write it down in order to remember it.

Swift
2010-Mar-31, 05:06 PM
One problem I have with all passwords is remembering them. Just at work, for my network/computer log-in, and lots of different software (our timesheet system, our LIMs system, our health insurance website, etc, etc.) I probably have 10 or 15 passwords, most of which force you to change the password every 30 to 90 days. Then there are all the ones I have for personal business and we are talking dozens. And yes, I do use the same password on some of these, particularly the ones where security is less of an issue.

I have to keep a file (non-obvious name and somewhat hidden) where I list them all.

rommel543
2010-Mar-31, 05:11 PM
...I have to keep a file (non-obvious name and somewhat hidden) where I list them all.

That reminds me of a comic strip I read. The person had stored all his passwords on a password protected, encrypted file, but couldn't remember the password to get into the file to get his passwords.

Fazor
2010-Mar-31, 05:14 PM
2) If you have a fully randomized password that you have to change every three months and can't repeat any of your past ten passwords (etc), then here's another self-honesty check (again, don't actually post an answer to this.) Is your password written on a yellow post-it you've cleverly hidden under your mouse pad or under your keyboard? Is it posted openly on your monitor?
[. . .]
and you're less likely to have to write it down in order to remember it.
My company forces us to change PWs every . . . 10 weeks or so. And is exactly as you described. And we do have to write down the password each time, as it can't use any previous passwords in whole or in part. Between the constant changes of this main password, and similar treatment for the dozen or so outside systems we use (brokerage, services, etc) I've been making this very complaint for the last 10 years.
The constant changing of passwords might (though I'm not convinced) make over-network cracking more difficult, but if someone would break into the office, everything but my most often used log-in information is written down. They'd have to know how to get to the access sites and then have to know how to use the individual systems, but it'd be possible.

Swift
2010-Mar-31, 05:14 PM
That reminds me of a comic strip I read. The person had stored all his passwords on a password protected, encrypted file, but couldn't remember the password to get into the file to get his passwords.
IIRC, there is actually software out there to store passwords in. It is, of course, password protected, but the argument is that you then only have to remember the one password. I don't know what happens when you forget that one.

John Jaksich
2010-Mar-31, 05:14 PM
Those passwords aren't stronger. They're weaker. Often much weaker. It's counter-intuitive, but here's why.

....
Because black-hats know this about you too, along with dozens of other psychological weaknesses about how people come up with bad passwords.

You're far better off making a memorable 3-5 (non-trivial, meaning nouns, adjectives, and verbs) word pass-phrase drawn from the English language. It's mathematically more secure, even if you tell the black-hat exactly how you created the password, and you're less likely to have to write it down in order to remember it.

I have been under the (mistaken?) impression that an 8-12 number/letter, random password is for the most part strong---would you be kind enough to direct me to sources?

PM is ok

Thanks in advance...

rommel543
2010-Mar-31, 05:19 PM
The only problem with an 8-12 random character password is attempting to remember it. Something like 'kittykitty123' would be easier to remember than 'we#nR56ks4@5'.

HenrikOlsen
2010-Mar-31, 05:26 PM
I have been under the (mistaken?) impression that an 8-12 number/letter, random password is for the most part strong---would you be kind enough to direct me to sources?
You missed the point that users, when faced with the upper/lowercase, number or special characters requirement, don't make random passwords, but rather tend to make a password where the uppercase letter is the first, a digit is at the end, and the actual password part is now 7 letters instead of 8 and is likely still a word, with a few predictable substitutions.

Brute forcing that compared to 8 lowercase passwords is only about twice as hard, rather than the mathematically claimed about 3000 times harder (assuming 9 usable special characters).

The mathematical argument that random passwords are stronger when you include upper and lower case plus digits and special characters doesn't address the unfortunate fact that people don't make random passwords.

8 lowercase letters has 26^8=208,827,064,576 possibilities
8 lower+upper+digits+9 special characters has 71^8=645,753,531,245,761 possibilities, this is the number used when claiming the strength difference
1 upper+6 lower and special characters+1 digit has 26*35^6*9 (0 is unlikely to be used)=430,154,156,250 possibilities, this is closer to the actual difference in real life

John Jaksich
2010-Mar-31, 05:27 PM
I have my own systematic/ written down notation. I also don't use Windows/Mac.

I am aware of "script" that is downloadable that is called (?) John the Ripper http://www.openwall.com/john/

I noticed it when after "experimenting" with my Linux systems...it might be worth a look--

John Jaksich
2010-Mar-31, 05:31 PM
You missed the point that users, when faced with the upper/lowercase, number or special characters requirement, don't make random passwords, but rather tend to make a password where the uppercase letter is the first, a digit is at the end, and the actual password part is now 6 letters instead of 8 and is likely still a word, with a few predictable substitutions.

The mathematical argument that random passwords are stronger when you include upper and lower case plus digits and special characters doesn't address the unfortunate fact that people don't make random passwords.

Pardon my mistake...I did read it...and noticed it...Sorry

SeanF
2010-Mar-31, 06:20 PM
And we do have to write down the password each time, as it can't use any previous passwords in whole or in part.
Two questions:

First, how does that make you "have to" write down the passwords?

Second, "in part"? You can't use any letters you used previously? ;)

Fazor
2010-Mar-31, 06:28 PM
Two questions:
First, how does that make you "have to" write down the passwords?

There's only so many meaningful passwords one can come up with! Once you're to the point of resorting to things like changing the password to whatever you had for lunch that day and the number of calories (CottageCheese90?) without writing it down, there's no way I'll remember that the next time I need it; particularly for the systems that we only log into once or twice a month. The daily and multi-times-daily passwords I don't usually write down, because they get enough use to be remembered no matter how inane they may be.


Second, "in part"? You can't use any letters you used previously? ;)
;) That'll be in their next release. As of now, you can't use any words you've used before, though I don't know how many consecutive matching letters they count as a "word". Could I devise some cryptic system for progressive passwords that both meet the requirements and differ enough to be ineligible? Probably. But it's not worth doing.

To make it even more confusing, there's some systems that use an office-wide password that occasionally must be changed. I may go to log into one of these systems, only to find that the password was changed last week by someone else!

Moose
2010-Mar-31, 06:42 PM
The mathematical argument that random passwords are stronger when you include upper and lower case plus digits and special characters doesn't address the unfortunate fact that people don't make random passwords.

8 lowercase letters has 26^8=208,827,064,576 possibilities
8 lower+upper+digits+9 special characters has 71^8=645,753,531,245,761 possibilities, this is the number used when claiming the strength difference
1 upper+6 lower and special characters+1 digit has 26*35^6*9 (0 is unlikely to be used)=430,154,156,250 possibilities, this is closer to the actual difference in real life

The idea behind pass phrases isn't that you're adding more characters (although you are if the black-hat has to resort to a brute-force attack), but that while you're using fewer atoms (^3 or ^5), you're drawing from a much larger vocabulary. How many non-trivial words in the English language? Drawing only three meaningful but not obvious words from a tiny 10,000 word vocabulary gets you there if the black hat knows exactly what you've done (other than the three words themselves), and has a copy of your dictionary. (It actually works out to be "only" a trillion, assuming ideal conditions for the black-hat.)

That's a 10,000 word vocabulary. OED claims to have full entries for 170,000 words.
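The keyspace arithmetic from HenrikOlsen's post and Moose's passphrase comparison above, worked through as an added example (not code from the thread or any poster). It assumes the thread's figures: 9 usable special characters, a non-zero trailing digit, and a dictionary the attacker also holds; the guess rate passed to `expected_guess_seconds` is the caller's assumption, not a number from the thread.

```python
"""Password-space arithmetic for the models discussed in this thread."""
import math

LOWER = 26
UPPER = 26
DIGITS = 10
SPECIAL = 9        # the thread assumes 9 usable special characters
USABLE_DIGITS = 9  # HenrikOlsen's assumption: a trailing 0 is unlikely


def random_keyspace(alphabet_size: int, length: int) -> int:
    """Uniformly random password: every position drawn from the whole alphabet."""
    return alphabet_size ** length


def structured_keyspace(length: int = 8) -> int:
    """The policy-compliant password people actually produce: one capital in
    position 1, one non-zero digit at the end, and the middle positions drawn
    from lowercase letters plus the 9 substitution characters (35 symbols)."""
    middle = length - 2
    return UPPER * (LOWER + SPECIAL) ** middle * USABLE_DIGITS


def passphrase_keyspace(vocabulary: int, words: int) -> int:
    """Words chosen with replacement from a vocabulary the attacker also has."""
    return vocabulary ** words


def bits(keyspace: int) -> float:
    """Entropy in bits against an attacker who knows the construction rule."""
    return math.log2(keyspace)


def compare(baseline: int, models: dict) -> dict:
    """For each model: keyspace, bits, and how many times harder than baseline."""
    return {
        name: {
            "keyspace": space,
            "bits": round(bits(space), 1),
            "times_harder": round(space / baseline, 1),
        }
        for name, space in models.items()
    }


def expected_guess_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average time to hit the password: on average half the space is searched.
    The guess rate is an assumption supplied by the caller, not a thread figure."""
    return keyspace / 2 / guesses_per_second


def thread_models() -> dict:
    """The models the thread compares, measured against 8 random lowercase letters."""
    baseline = random_keyspace(LOWER, 8)
    models = {
        "8 random lowercase": baseline,
        "8 random, 71-char alphabet (advertised)": random_keyspace(
            LOWER + UPPER + DIGITS + SPECIAL, 8),
        "capital first, digit last, substitutions": structured_keyspace(8),
        "3 words from 10,000": passphrase_keyspace(10_000, 3),
        "5 words from 10,000": passphrase_keyspace(10_000, 5),
        "3 words from OED 170,000": passphrase_keyspace(170_000, 3),
    }
    return compare(baseline, models)


if __name__ == "__main__":
    for name, row in thread_models().items():
        print(f"{name:42s} {row['keyspace']:>24,d}"
              f"  {row['bits']:5.1f} bits  x{row['times_harder']:,}")
```

The structured row lands at roughly twice the lowercase baseline while the advertised 71-character row is about 3000 times it, which is the gap HenrikOlsen's post describes.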

PetersCreek
2010-Mar-31, 07:18 PM
I've been in the habit of using "strong" passwords for several years, since they've been required in my workplace. I have a personal algorithm that I use for constructing my passwords, which does not use capitals, symbols, or numbers in the previously mentioned, easier-to-guess ways.

Kadava
2010-Apr-01, 12:34 AM
Last place I worked, there were several different levels that all had passwords on them (computer login, network login, email login). To make life simpler, you'd put the same passwords on all. (I think it was even company recommendation that they were the same.)

But they all had different rules about what was an acceptable password, and a different frequency of password change. So you'd change one, then go and force a change on the others, only to find that the password you'd chosen wasn't acceptable on one of the other systems, so you'd have to try going back and changing the first password again...

That reduced the possibilities of passwords significantly.

(BTW, no, honestly, none of my passwords would put the capital first, or put a 1 at the end, or replace a letter with a number/symbol. They had other weaknesses, but not those.:shifty:)

tdvance
2010-Apr-01, 02:48 AM
There is a problem that---the more you force people to use secure passwords, the more they make them insecure so they can remember them. A better solution does require a little extra hardware:

you have multiple authentication. One is a pin (you choose it, easy to remember, and don't worry it can be exhausted over--like a bank pin), and a second level is a smart card---use a secure challenge-response system, NOT like in those "smart pass" or whatever they're called that gas stations issue, not even like most car remote unlock key fobs. But a real challenge-response system, with each smart card assigned a random key of fairly large size (real random, say from a diode, not from a software random number generator) so the computer generates a random challenge (with a diode), and the card combines it with an appropriate algorithm with the private key to produce a response, and the computer has your "public key "and can validate the response without knowing the private key (but could not simply generate the right response in, say, the age of the universe). Systems like that do exist on paper as algorithms, at least (no doubt multiple papers on it are in the Journal of Cryptology---I've read very few papers from that journal, but every kind of protocol you could imagine is written about--protocols for which you have n people with access, but the private keys owned by k or more need to be present to decrypt or authenticate--think Enterprise destruct sequence, n is # of officers of high enough rank, k is 3 or so so it's not done lightly). Thus, to get into the computer, an attacker either needs physical access or the smartcard itself, either of which is hard for the typical hacker (99.99% or so) to obtain. The pin is just an extra layer, so if some bozo leaves his smartcard on his desk, the guy who spots it would have to spend enough time with it he runs a good chance of getting caught. (And something simple, like first failed login attempt gives 1 microsecond delay, second in a row: 2 microsecond, third: 4 ms, fourth: 8ms, etc. 
means after 20 attempts, the delay is one second, after 40 attempts, delay is 1million seconds--on the order of a year or so, so at worst, the hacker is able to do a denial of service attack if he has the smart card, and even then, he has to spend about as much time as he's wanting to deny in order to perform that.)

mugaliens
2010-Apr-01, 08:31 AM
Password security will begin to become a thing of the past when password schemes begin allowing you to use all characters on your keyboard.

- Mugs

Delvo
2010-Apr-01, 05:10 PM
Do those of you who are talking about the numbers of words in a dictionary mean that the bad guys will be "guessing" words rather than any and all combinations of letters? I heard that once before, and came up with a string of letters that can be said out loud as if it were a word, but which isn't a word. The fact that it can be pronounced as one makes it easy for me to remember. (It also means I can drop numbers or other characters into it wherever I want to and have it be fairly easy to remember what the changes were from the original "word".) The fact that it isn't really a word would make it impossible to get to by a bad guy using a dictionary, but no harder than any other string of letters for a bad guy just trying all letter combinations.

I also applied the same thing for a while to real words that wouldn't be in a dictionary, just to amuse myself. At one point I needed to give a computer administrator my password and change it again when she was done, and the password I had at the time just happened to use "Glyptodon" in it. She asked what in the world that was and gave me a weird look when I told her it was an extinct animal species known from fossils. So, for the next several months (the rest of the time I worked there), every time I needed to change my password, I used other extinct, fossil species that started with a "G": Gigantopithecus, Gastornis, Gorgonopsid, Gallimimus... :D

rommel543
2010-Apr-01, 05:53 PM
...
I also applied the same thing for a while to real words that wouldn't be in a dictionary, just to amuse myself. At one point I needed to give a computer administrator my password and change it again when she was done, and the password I had at the time just happened to use "Glyptodon" in it. She asked what in the world that was and gave me a weird look when I told her it was an extinct animal species known from fossils. So, for the next several months (the rest of the time I worked there), every time I needed to change my password, I used other extinct, fossil species that started with a "G": Gigantopithecus, Gastornis, Gorgonopsid, Gallimimus... :D

But wouldn't this be falling into the issue of being in the word dictionary? Granted it may not be an English word, but an enterprising hacker may add in stuff like scientific Latin wording, which may or may not include fossils.

I know I'll create a password generator based on LOL speak.... :D
My new password is 'paswrzHurzMyIz'

tlbs101
2010-Apr-01, 06:02 PM
Years ago I worked at a plant that had a particular numbering system for some particular processes (being as vague as I can, here). That numbering system (of letters and numbers) became the basis for my password system. I added special characters and have a system that I have memorized and that can be changed every password-change cycle such that I can still memorize it. I can even remember passwords from years ago on accounts I had set up but rarely use (i.e. buy.com, sheetmusic.com). If I can't remember the password it is always within a range of a few passwords and I usually get it in a few tries (before requesting a forgotten password).

I recently figured out a way to make each password application/site specific, yet keep it easy to memorize. As I go through change cycles I am updating each password with the new application specific information.

So, I have lower-case, Upper-case, numbers (including zeros), and special characters (when they are allowed by the particular system), and the passwords are variable in length from 9 to 12 characters.
I'd say that's about as strong as it gets.

For the convenience to my heirs when I die, I do keep the base password written down, locked in my safe deposit box.


tdvance
2010-Apr-01, 06:25 PM
If by "guessing words", you mean software for cracking passwords, yep---they use dictionaries that try simple modifications of words, along with modifications like phonetic changes, leet-speak, etc. If the person gets access to the database itself, with the hashed passwords, that method works well, which is why such databases must be well protected. But in a world where a person uses the same password on his laptop (that the hacker just stole) as on a network with important info on it, and given that most laptops don't have encrypted drives (yet), this can be arranged.

Sitting at a terminal and trying passwords by hand (or remotely) only gets the worst passwords--moderate constraints, combined with lockout after too many failures, thwart that. Just don't have a system whose "forgot your password?" procedure merely asks where your high school was or something....

rommel543
2010-Apr-01, 06:39 PM
I think the ABSOLUTE WORST password system reset that I've ever had the displeasure of working on (and this is not by my design by any stretch of the imagination, in fact I wholeheartedly tried to stop its implementation) was where if the person forgot their password, they clicked the "forgot password" button and their password got reset to the user's birthday.

DonM435
2010-Apr-01, 08:12 PM
For many years, it bothered me that every time I logged into my office PC I had to type in the password "blind" -- you know, over a bunch of asterisks, without the keystroke results appearing on screen. It really was ridiculous, given that 99 per cent of the time no one else had the slightest chance of seeing my monitor. And everyone puts up with this, even if you have a room to yourself with no windows and your CRT facing a stone wall, and besides you're the only one there on the weekend. I really thought there should be a way to make the masking optional (say by holding down some other key), so that I could see what I was typing and never get locked out due to bad typing. On the 1 in 100 occasion that someone was standing behind me, well, then I could see activating it.

However, the past few years, due to advancing technology, I find myself occasionally typing my password into a system that's projected onto a big screen where anyone in the room can see it. So, the masking finally makes sense.

(That still doesn't excuse the huge waste of our time in years previous.)

ktesibios
2010-Apr-01, 09:34 PM
Where I work, when we need to add another user account on our ftp server we use a random password generator program run on a different computer. We prohibit punctuation marks (Mac OS doesn't like them), but the passwords always contain upper and lower-case letters and numerals. We do keep a record of them for the use of the admin, but to gain access to that record would require physical access to the very same room housing the server.

For my own personal use I usually resort to passwords based on some of my outside interests, so that in a pinch I can remember a couple of cues and the method of creating the password. For example, the password for my ISP email account contains upper and lower-case letters and numerals, but unless you're familiar with Frontinus' de re aquatici you're unlikely to be able to make a guess at it, while I can easily remember it.

Another one I created is based on my own rendition of an old IWW slogan into Middle Egyptian, written in manuel de codage (a standard format for encoding hieroglyphic text into ASCII) format. This produces a very non-English (or any other Indo-European language) assemblage of upper and lower-case letters with very few vowels (because the Egyptian writing system didn't explicitly encode vowel sounds, like some Semitic languages).

Because I had to do the work of figuring out how to render concepts which didn't exist in Pharaonic times into Egyptian, the password is pretty well burned into my brain. If I have a problem, all I need to do is to remember just how I translated certain colloquial English words and a few minutes with Wallis Budge's books will allow me to reconstruct it.

In fact, I have printed it out in hieroglyphic text, hand-colored the hieroglyphs and worn it on a T-shirt. Looked pretty snazzy too.

tdvance
2010-Apr-01, 11:53 PM
For many years, it bothered me that every time I logged into my office PC I had to type in the password "blind" -- you know, over a bunch of asterisks, without the keystroke results appearing on screen. It really was ridiculous, given that 99 per cent of the time no one else had the slightest chance of seeing my monitor. And everyone puts up with this, even if you have a room to yourself with no windows and your CRT facing a stone wall, and besides you're the only one there on the weekend. I really thought there should be a way to make the masking optional (say by holding down some other key), so that I could see what I was typing and never get locked out due to bad typing. On the 1 in 100 occasion that someone was standing behind me, well, then I could see activating it.

However, the past few years, due to advancing technology, I find myself occasionally typing my password into a system that's projected onto a big screen where anyone in the room can see it. So, the masking finally makes sense.

(That still doesn't excuse the huge waste of our time in years previous.)

I figure it came from even BEFORE then....when people used dumb terminals (while their elders told them how good they have it not to be using a card punch machine), and there might be one shared by many people (and where I work, the "old ones" say they shared desks too, and it was cramped). In such a case, blanked-out password fields were a really good idea.

HenrikOlsen
2010-Apr-02, 12:10 AM
I figure it came from even BEFORE then....when people used dumb terminals (while their elders told them how good they have it not to be using a card punch machine), and there might be one shared by many people (and where I work, the "old ones" say they shared desks too, and it was cramped). In such a case, blanked-out password fields were a really good idea.
Consider the case of the teletype (http://en.wikipedia.org/wiki/Teleprinter), written record kept of all that was written.

Van Rijn
2010-Apr-02, 12:15 AM
Consider the case of the teletype (http://en.wikipedia.org/wiki/Teleprinter), written record kept of all that was written.

I never used an actual Teletype, but I used a DECwriter (http://www.columbia.edu/acis/history/la36.html)(and logged in using one) many times.

Jim
2010-Apr-02, 12:44 AM
There is a problem that---the more you force people to use secure passwords, the more they make them insecure so they can remember them. A better solution does require a little extra hardware:

you have multiple authentication. One is a pin (you choose it, easy to remember, and don't worry it can be exhausted over--like a bank pin), and a second level is a smart card ...... Systems like that do exist on paper as algorithms ...

Well, something similar does exist. My last job, I could log in to the client's worldwide network by entering my self-selected PIN and a number generated by their system and supplied to me (everyone) through a hardware key. That number changed every 90 seconds.

tdvance
2010-Apr-02, 01:30 AM
I actually used to log into a system, 'bout 10 years ago, using a "dumb smart card" (my term)---the system gave you a number, you punched it into the teeny keys on the smart card, it gave you a code back, and you entered that in along with your pin. A bit of a pain. And after all that, then you did username/password as usual.

PraedSt
2010-Apr-02, 08:20 PM
You're far better off making a memorable 3-5 (non-trivial, meaning nouns, adjectives, and verbs) word pass-phrase drawn from the English language. It's mathematically more secure, even if you tell the black-hat exactly how you created the password, and you're less likely to have to write it down in order to remember it.
I would love to do this, and I've wanted to for some time. The problem is that software I've come across/use sets restrictions that make this impossible: 12 characters max, no spaces, have to use a "special" character, etc. Most annoying.

PraedSt
2010-Apr-02, 08:28 PM
Well, something similar does exist. My last job, I could log in to the client's worldwide network by entering my self-selected PIN and a number generated by their system and supplied to me (everyone) through a hardware key. That number changed every 90 seconds.

I use hardware keys for my job. They generate 6 digit numbers that change every 30s. You have to enter this as well as a "standard" password (letters, numbers, specials- as per this thread). The systems certainly feel secure, but I don't have the knowledge to judge exactly how much.

PraedSt
2010-Apr-02, 08:31 PM
...
I remember you know your cryptography. A question: just how good are biometric passwords? (Fingerprint scanners, iris recognition, etc) Would you recommend them over, say, a hardware key?

Moose
2010-Apr-02, 10:23 PM
Heh. Short answer: I wouldn't. Here's the longer answer (http://www.youtube.com/watch?v=MAfAVGES-Yc&feature=related).

The worse news is that biometrics add the temptation to physically jack you (or your severed body parts) to open a door someone wants opened badly enough, whether or not that would actually work. But if Hollywood's thought of it, so will Crim. I'd much rather squeal my password early and often. I'm just as tamper-evident alive as dead.

Moose
2010-Apr-02, 10:37 PM
I use hardware keys for my job. They generate 6 digit numbers that change every 30s. You have to enter this as well as a "standard" password (letters, numbers, specials- as per this thread). The systems certainly feel secure, but I don't have the knowledge to judge exactly how much.

Basically, they serve the same purpose as 3-tries and lock you out schemes: to prevent success through brute force guessing. It has the advantage of not (necessarily) having to lock you out over typos, and the advantage of randomness, but has the weakness of not being immediately tamper-evident if anybody in the company gets one lifted and doesn't notice right away. Especially if that person keeps a written copy of their PIN near the hardware key. Also on the downside, they're expensive/inconvenient to rekey or replace if one turns up missing.

The PIN is mainly for entry-tracking and as a last line of defense if a hardware key gets lifted.

PraedSt
2010-Apr-02, 11:08 PM
I'd much rather squeal my password early and often. :lol:

I didn't expect fingerprint scanners to be defeated so easily. I guess layered security is the way to go.

DonM435
2010-Apr-02, 11:50 PM
I figure it came from even BEFORE then....when people used dumb terminals (while their elders told them how good they have it not to be using a card punch machine), and there might be one shared by many people (and where I work, the "old ones" say they shared desks too, and it was cramped). In such a case, blanked-out password fields were a really good idea.

Long ago I did some work on one of those electric-typewriter-plus-acoustic-modem workstations. We used to rack the paper up a line -- after the typeball had busily overstruck the typing area many times -- so that we could see what we were typing. As we always took all the paper generated along with us, it was safe.

Unless you forgot.

Van Rijn
2010-Apr-02, 11:52 PM
:lol:

I didn't expect fingerprint scanners to be defeated so easily. I guess layered security is the way to go.

There's also the annoyance issue when the scanner doesn't work: I have fingerprint scanners on a laptop and an old PDA. For these scanners, you need to move your finger across the optical scanner line (presumably this is cheaper and the hardware is smaller). If I moved my finger too fast or slow, it would fail, and the right speed wasn't obvious. Determining the right speed also would get more difficult as frustration set in (think about how careful and steady you would be after the fifth time you've been told your fingerprint doesn't match). Also, if I scratched my finger, it could fail. Over time, it would seem to fail more often no matter what I did, so I would have to regularly retrain.

Ultimately, I gave up on the scanners and went back to conventional passwords.

I'm sure there are better scanners, but one of the obvious issues here is between making the scan more fault tolerant but less secure, or making the scan harder to fool, but also harder to use.

ToSeek
2010-Apr-03, 04:05 AM
Well, something similar does exist. My last job, I could log in to the client's worldwide network by entering my self-selected PIN and a number generated by their system and supplied to me (everyone) through a hardware key. That number changed every 90 seconds.

There are people wandering around Goddard with three or four of those hardware key generators hanging around their necks. I'm not sure how they walk upright. ;)

geonuc
2010-Apr-03, 08:30 AM
Well, something similar does exist. My last job, I could log in to the client's worldwide network by entering my self-selected PIN and a number generated by their system and supplied to me (everyone) through a hardware key. That number changed every 90 seconds. Some of my company's clients use that, too. Seems like a good idea - the keys are handy enough.

HenrikOlsen
2010-Apr-06, 01:23 AM
Got one on my key chain, rather easy thing to use and as far as I understand reasonably easy to manage from the admin end too.