2015/05/28

Outline of Mnemonic Guard

Our Expanded Password System, Mnemonic Guard, with which we can make use of episodic image memory in addition to textual memory, can on its own be viewed as an enhanced successor to text-only password systems.

Furthermore, the Expanded Password System will enable us to see truly powerful multi-factor authentications with a strong unique password being used as one of the factors for all different accounts, whether indoor or outdoor.

With the Expanded Password System used as a rescue password in case of false rejection, biometric solutions will offer good convenience without sacrificing confidentiality.  We would also be able to see truly reliable decentralized ID federations with a strong unique password being used as the master password for each of the single-sign-on services and password management tools.  The outcome will be the most highly assured identity, achieved through the most reliable shared secrets.

The Expanded Password System is inclusive of textual as well as non-textual passwords.  Users can retain their textual passwords as before while they expand their password memory to include non-textual passwords without being impeded by the cognitive effect of interference of memory.  It is extremely difficult to imagine users who would suffer any disadvantage or inconvenience by taking up the Expanded Password System.




Password On Media #17

Below are some of the latest media articles about password problems and my comments on them.

- Authentication Advances May Finally Kill Passwords and PINs
“banks are finally replacing old and not-so-reliable methods of authenticating customers — passwords and security questions — with sophisticated alternatives.”

My comment:  In a world where we live without passwords or PINs, that is, where our identity is established without our volitional participation, we would be able to sleep safely only when we are alone in a firmly locked room.  Is this what we want?

Posted below relating to this topic is a slide “Death to Password?”


- NTT DoCoMo offering password replacement on some services
“NTT DoCoMo said it plans to be the first mobile operator to integrate online services and smartphones that support biometric authentication based on protocols developed by the FIDO Alliance.”

My comment:  FIDO is sadly promoting biometrics in a wrong manner.

Biometric authentication could be a candidate for displacing the password if and when (and only if and when) it has stopped depending on a password registered in case of false rejection, while keeping near-zero false acceptance.

We can be certain that biometrics improves security only when it is operated together with another factor by AND/conjunction (we must pass both factors), not when it is operated with another factor by OR/disjunction (passing either one suffices), as is the case with Touch ID and many other biometric products on the market that require a backup/fallback password.  Such products only increase convenience by bringing down security.

In short, biometric solutions can be recommended to people who want convenience but should not be recommended to those who need security.  Below is a brief slide titled “Password-Dependent Password-Killer” posted with respect to this theme.


2015/02/08

Password On Media #16

Below are some of the latest media articles about password problems and my comments on them.

- Passé words
“PIN—a solution that borders on password territory, but that is more easily remembered”

My Comment:  It seems that there are some misperceptions in either The Economist’s article or in what FIDO says.

1. PIN vs Password:  Many people take it for granted that a PIN is easier to remember than an alphanumeric password because it is simpler.  The fact is, however, that a PIN, a numbers-only short password, is even more subject to the interference of memory precisely because it is simpler, that is, it carries less information, which gets the user confused more easily and more badly than a longer alphanumeric password does.  It is, therefore, harder for us to eliminate PIN reuse across many accounts.  You can consult your own experience on this.

2. PKI:  The PKI software and the private key stored on a token or phone can effectively prove the identity of the token or phone, but not the identity of the person holding the token or phone.  Tokens and phones are easily left behind, lost, stolen and abused.  Then the password is the last resort.

A truly reliable 2/multi-factor solution needed for important accounts requires the use of the most reliable password.

3. BIOMETRICS:  The sort of threats that can be thwarted by biometric products operated together with fallback/backup passwords, as in the case of Apple's Touch ID and most of the biometric products on the market, can be thwarted more securely by passwords alone.  What biometrics operated this way can achieve is better convenience, not better security.

4. Password’s Death:  Some people shout that the password is dead or should be killed.  The password could be killed, however, only when there is an alternative to the password.  Something belonging to the password family (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password.  Neither can something that has to be used together with the password for either convenience or security (biometrics, auto-login, etc.).

Anyway, it is all too obvious that the conventional alphanumeric password alone can no longer sustain the demand, and we urgently need a successor to it, which should be found from among the broader family of passwords and the like.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average.  What worries us is not the password, but the textual password.  Textual memory is just a small part of what we remember.  We could think of making use of the larger part of our memory that is less subject to interference of memory.  More attention could be paid to the efforts of expanding the password system to include images in addition to characters.


2014/12/12

Password On Media #15

Below are some of the latest media articles about password problems and my comments on them.

- FIDO Alliance releases 1.0 specifications for passwordless authentication

My Comment:  Many people shout that the password is dead or should be killed.  The password could be killed, however, only when there is an alternative to the password.  Something belonging to the password family (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password.  Neither can something that has to be used together with the password (biometrics, auto-login, etc.).  What could be killed is the text password, not the password.

FIDO is expected to make sure that vendors of biometric products operated together with passwords by OR/disjunction (as against AND/conjunction, which is common for 2-factor authentication) explicitly publicize that

(A)  The biometric product raises convenience at the sacrifice of security when the user keeps using the same password.
 &
(B)  The biometric product could raise convenience without sacrificing security when the user changes the password to a much harder-to-break one (with the footnote that the password should be remembered, not carried around on a memo, and should not be reused across other accounts).

It should be noted that it is not possible to compare the strength of biometrics with that of passwords.  There are no objective data about the overall vulnerability of biometric solutions (not just the false acceptance rate when false rejection is sufficiently low, but also the risk of forgery of body features and the risk of use while the user is unconscious or asleep), nor about that of passwords (not only that a password may be as weak as 10 bits or as strong as 100 bits, but also that it can be stolen and leaked).

It will hopefully not take long before the FIDO people become aware that at the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average.

What worries us is not the password, but the textual password.  Textual memory is only a small part of what we remember.  We could think of making use of the larger part of our memory that is less subject to interference of memory.  More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Most humans are thousands of times better at dealing with image memories than text memories.  The former date back hundreds of millions of years, while the history of the latter is a tiny fraction of that.  I wonder what merit there is in confining ourselves to the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras are built into mobile devices.


2014/11/20

False Sense of Security

It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “two factors used together”.

Biometrics can theoretically be operated together with passwords in two ways: (1) by AND/conjunction or (2) by OR/disjunction.  Biometric products operated by (1) are unknown.  The users of such products would have to be notified that, when falsely rejected by the biometric sensors with the devices finally locked, they would have to see the devices reset.  It is the same with biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2), so that users can unlock the devices by password when falsely rejected by the biometric sensors.  This means that the overall vulnerability of the product combines the vulnerability of biometrics (x) with that of the password (y) as x + y - xy.  This combined value is necessarily larger than the vulnerability of the password alone (y); that is, devices with Touch ID and other biometric sensors are less secure than devices protected only by the password.
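The x + y - xy arithmetic above, and the (A)/(B) condition from Password On Media #15 about how much harder a fallback password must become to compensate, worked through in code.  This is an added illustration, not code from the blog; it assumes the two factors are beaten independently (the assumption behind the formula) and uses constructed sample rates.

```python
"""Compound vulnerability of a biometric combined with a password.

Added illustration (not from the blog).  Vulnerabilities are modelled as
independent per-attempt success probabilities for an attacker, which is
the simplification behind the formula x + y - xy.
"""
from typing import Optional


def or_disjunction(x: float, y: float) -> float:
    """Attacker wins if EITHER factor is beaten (fallback-password design)."""
    return x + y - x * y


def and_conjunction(x: float, y: float) -> float:
    """Attacker must beat BOTH factors (true two-factor design)."""
    return x * y


def required_password_vulnerability(x: float, y_old: float) -> Optional[float]:
    """Largest vulnerability a NEW fallback password may have so that the
    OR-combined system is no weaker than the old password-only baseline.

    Solves x + y - x*y <= y_old for y.  Returns None when no password can
    compensate, i.e. the biometric alone is already weaker than the baseline.
    """
    if x >= y_old:
        return None
    return (y_old - x) / (1.0 - x)


def guess_probability(entropy_bits: float, guesses: float) -> float:
    """Chance that a uniform-guessing attacker with a guess budget finds a
    password of the given entropy (capped at certainty)."""
    return min(1.0, guesses / 2.0 ** entropy_bits)


if __name__ == "__main__":
    x = 0.01  # constructed: biometric beaten once in 100 attempts
    y = 0.05  # constructed: password beaten once in 20 attempts
    print(f"password only : {y:.4f}")
    print(f"OR  (fallback): {or_disjunction(x, y):.4f}")   # 0.0595, above y
    print(f"AND (2-factor): {and_conjunction(x, y):.4f}")  # 0.0005, below y
    # How weak may the replacement password be to restore the old baseline?
    print(f"new password  : {required_password_vulnerability(x, y):.4f}")
```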

What makes us nervous is the prospect of a picture in which many consumers, trapped in a false sense of security, pile up their assets and privacy in cyberspace while criminal wolves, aware that those consumers are now less safe, silently wait for the pig to grow fat.


I would appreciate hearing different views, especially from people who are professionally engaged in the biometrics industry.

Password On Media #14

Below are some of the latest media articles about password problems and my comments on them.


- Thumbs Down on a Palm Recognition Experiment
"Biometric authentication seems all the rage now that Apple uses fingerprint ID in its mobile wallet, but the Bitcoin ATM provider RoboCoin has concluded that biometrics can be more of a hassle than a help."

My comment:  The issue of “hassle” is probably a very minor problem if compared with the false sense of security as discussed in the foregoing.


- Turkey halts biometric healthcare registration
“Turkey’s Council of State has ruled that biometric registration of patients must stop as it is unconstitutional.”

My comment:  It is interesting to hear that Turkey is preceding the privacy-nervous West.


- Malware’s new target: your password manager’s password
“Once the malware captures this master key, then they can use that master key to exercise complete control over the machine and any of the user’s online accounts,”

My comment:  What has long been anticipated is now happening just as anticipated.  As I have repeatedly emphasized, password managers should be operated in a decentralized formation, or should be considered mainly for low-security accounts.


- FBI Most Wanted Hacker Jeremy Hammond Used His Cat's Name for Password
“Hammond said he still isn't sure how federal authorities were able to get into his encryption program and gather evidence that ultimately sent him to prison, however, he said he wonders if his weak password may have been the culprit.”

My comment:  This report ironically reconfirms that sufficiently strong passwords are the key to the safe deployment of cryptography.


- Farmers shut out of online services by new identity scheme
"I can’t remember the exact date that I moved to my current address in 1984! Is this all really necessary???"  

My comment:  This news gives us the plain lesson that the shared secrets used for identity proofing should be ones that can be shared not just by machines but also by the very human users.


2014/10/20

Password On Media #13

Below are some of the latest media articles about password problems and my comments on them.

- Forgotten Passwords Cost Companies $200,000 a Year
“A recent survey of 2,000 people in the U.S. and the U.K. has found that companies lose over $420 in productivity per employee per year due to workers struggling with passwords -- for a 500-person company, that's a loss of more than $200,000 per year.”

My comment:  On top of the damages caused by forgotten passwords we could add the damages by broken and stolen passwords.


- Passage Replaces Your Passwords With Images
“From the users’ perspective, here is how it works when you end up on a site that uses Passage: you register with your email and then, instead of entering a password (twice), you hold up your image in front of your camera to register it”

My comment:  The title of the report first led me to wonder if another pictorial password was being reinvented, but it soon turned out to be a possible alternative to biometric facial recognition.  Pattern matching of the images used in the video may well be much easier than that of faces because there are many more feature points.  A snag is that, although the objects to be photographed may not be as publicly exposed as our faces, those objects can be left behind or lost a bit more easily than our faces.


- What the cybersecurity executive order means for authentication
“The focus of the announcement was on the move to EMV and the more secure chip and PIN technology.”

My comment:  "Chip & PIN" is no doubt better than "Chip Only" or "PIN Only", but obviously not as good as “Chip & Strongest Password”.

Using a strong password does help a lot, even against attacks that crack stolen hashed passwords back to the original passwords.  The problem is that few of us can firmly remember many such strong passwords.  We cannot run as fast and far as horses, however strongly we may be urged to; we are not built like horses.  At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average.  What worries us is not the password, but the textual password.

Multi-factor authentication is also referred to in the article.  Security can certainly be raised by adding a 2nd factor, a 3rd, and so on.  But the inconveniences that pile up as a result could in turn drive users away and ruin the whole scheme altogether.


*************************************************************************************
About Me

About Expanded Password System "Mnemonic Guard"
http://mneme.blog.eonet.jp/default/files/outline_of_mnemonic_security.pdf

*************************************************************************************