
New Mass Password theft solution?

A UK company called Silicon Safe has designed a "box" that is intended to store passwords in a safe and secure manner. It can fit in a normal server rack mount and will only set you back £100,000!!!! ($140,000 US). 

 

Well... I still don't trust it, unless I know how it "sort of" operates. Saying that "It has the code stored on a chip so it's safe" does not cut it. Well, for me at least. Oh and don't forget the other security measure that is mentioned. "After four attempts to authenticate a password it will be flagged to the administrator". Wow... I am sure other software does this.

 


"You want developers to know what they are doing including knowing how to store data correctly. That might be preferable to paying £100,000 for a box engineered for one specific purpose."

 

This quote exactly, my point is why would a company pay that much money for a dedicated piece of hardware when there are other solutions which are cheaper. The only reason why there was mass password theft was a lot of the time because administrators were lazy and did not do their job properly.

 

 

Source: http://www.bbc.co.uk/news/technology-35418212

CPU: i5 4670k @ 3.4GHz + Corsair H100i      GPU: Gigabyte GTX 680 SOC (+215 Core|+162 Mem)     SSD: Kingston V300 240GB (OS)      Headset: Logitech G930 

Case: Cosair Vengance C70 (white)                RAM: 16GB TeamGroup Elite Black DDR3 1600MHz       HDD: 1TB WD Blue                              Mouse: Logitech G602

OS: Windows 7 Home Premium                       PSUXFX Core Edition 750w                                                Motherboard: MSI Z97-G45               Keyboard: Logitech G510

Link to comment

What if you burn down the server? You need to reset all your passwords ...

Magical Pineapples

Link to comment

i think the idea is once the password goes in, it never comes out again so brute forcing or man in the middle is the only way.

 

like when the user makes his password it goes in the box, and then all auth has to go through the box, and it only replies with a right/wrong, while the password stays stored safely inside.

so... basically a hardware implementation of modern ways of storing passwords.

Link to comment

i think the idea is once the password goes in, it never comes out again so brute forcing or man in the middle is the only way.

 

like when the user makes his password it goes in the box, and then all auth has to go through the box, and it only replies with a right/wrong, while the password stays stored safely inside.

so... basically a hardware implementation of modern ways of storing passwords.

True, but that is what hashes and databases are for. Which are much cheaper than this. It is just the lack of security in the databases due to people not doing their job properly.

Link to comment

True, but that is what hashes and databases are for. Which are much cheaper than this. It is just the lack of security in the databases due to people not doing their job properly.

Your mind is still a good place to hide your passwords until the government mind scanners ...

Link to comment

due to people not doing their job properly.

this is why my night stand i custom ordered is 60cm tall and not 85cm...

 

can we please make stuff like that an act of crime?

Link to comment

Your mind is still a good place to hide your passwords until the government mind scanners ...

Hahaha

Link to comment

i think the idea is once the password goes in, it never comes out again so brute forcing or man in the middle is the only way.

 

like when the user makes his password it goes in the box, and then all auth has to go through the box, and it only replies with a right/wrong, while the password stays stored safely inside.

so... basically a hardware implementation of modern ways of storing passwords.

brute forcing shouldn't work since it will flag the password after 4 fails. also keep in mind it is supposed to stop mass theft so i assume there will be safeguards to access multiple passwords at once.

Link to comment

brute forcing shouldn't work since it will flag the password after 4 fails. also keep in mind it is supposed to stop mass theft so i assume there will be safeguards to access multiple passwords at once.

still nothing software can't do.

Link to comment

Properly salted and hashed passwords will be just as secure on any other server as on this, if not more secure.

GPU: Gigabyte GTX 970 G1 Gaming CPU: i5-4570 RAM: 2x4gb Crucial Ballistix Sport 1600Mhz Motherboard: ASRock Z87 Extreme3 PSU: EVGA GS 650 CPU cooler: Be quiet! Shadow Rock 2 Case: Define R5 Storage: Crucial MX100 512GB
Link to comment
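An added example, not part of any post in this thread and not Silicon Safe's design: a software sketch of what the posts above describe, a store that accepts a password, only ever answers right/wrong, keeps salted hashes, and flags an account to the administrator after four failed attempts. The class and method names are hypothetical, and locking the account until an admin reset is an assumption borrowed from the lockout behaviour mentioned elsewhere in the thread.

```python
import hashlib
import hmac
import secrets


class PasswordOracle:
    """Verify-only password store: enrol() and verify() are the whole interface."""

    MAX_FAILURES = 4  # the "four attempts" threshold quoted in the thread

    def __init__(self, iterations=600_000):
        self._iterations = iterations
        self._records = {}   # user -> (salt, derived key); never handed back out
        self._failures = {}  # user -> consecutive failed attempts
        self.flagged = []    # accounts reported to the administrator

    def _derive(self, password, salt):
        # Slow, salted derivation: a stolen record still costs work per guess.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   self._iterations)

    def enrol(self, user, password):
        salt = secrets.token_bytes(16)  # unique salt per account
        self._records[user] = (salt, self._derive(password, salt))
        self._failures[user] = 0

    def verify(self, user, password):
        """Return only True or False; nothing about the stored record leaks."""
        record = self._records.get(user)
        if record is None:
            # Do the same work for unknown users so timing does not reveal them.
            self._derive(password, b"\x00" * 16)
            return False
        if self._failures[user] >= self.MAX_FAILURES:
            return False  # locked until an administrator resets (assumption)
        salt, stored = record
        if hmac.compare_digest(stored, self._derive(password, salt)):
            self._failures[user] = 0
            return True
        self._failures[user] += 1
        if self._failures[user] == self.MAX_FAILURES:
            self.flagged.append(user)  # "flagged to the administrator"
        return False

    def admin_reset(self, user):
        self._failures[user] = 0
        if user in self.flagged:
            self.flagged.remove(user)


if __name__ == "__main__":
    # Constructed sample accounts; low iteration count only to keep the demo fast.
    box = PasswordOracle(iterations=10_000)
    box.enrol("alice", "correct horse")
    box.enrol("bob", "correct horse")
    # Same password, different salts: the stored values do not match.
    print(box._records["alice"][1] != box._records["bob"][1])
    for guess in ["a", "b", "c", "d"]:
        box.verify("alice", guess)
    print(box.flagged)                          # alice reported after 4 failures
    print(box.verify("alice", "correct horse")) # locked, even with the right one
```

The sketch covers online guessing and offline cracking cost only; it does nothing for the case raised later in the thread where the storage itself is removed, beyond the per-guess cost the salted derivation imposes.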

brute forcing shouldn't work since it will flag the password after 4 fails. also keep in mind it is supposed to stop mass theft so i assume there will be safeguards to access multiple passwords at once.

You could just take the internal storage drive out and connect it to another computer.

Link to comment

passwords need to go away,

 

We have finger print readers and iris scanners now that are relatively cheap to integrate into a device, surely someone can come up with some way of integrating this into all situations where you would normally need a password, ideally using both...

 

I know everyone doesn't have these on their devices yet, but for those that do give them the option to use them instead of a password....

 

I don't mean just to log in to an os or phone, i mean on websites, steam, origin, banking, the lot.

----Ryzen R9 5900X----X570 Aorus elite----Vetroo V5----240GB Kingston HyperX 3k----Samsung 250GB EVO840----512GB Kingston Nvme----3TB Seagate----4TB Western Digital Green----8TB Seagate----32GB Patriot Viper 4 3200Mhz CL 16 ----Power Color Red dragon 5700XT----Fractal Design R4 Black Pearl ----Corsair RM850w----

Link to comment

Windows Active directory can easily set password lockouts, where after you fail a certain number of times, you have to contact an admin to unlock your account.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to comment

Windows Active directory can easily set password lockouts, where after you fail a certain number of times, you have to contact an admin to unlock your account.

This is meant to protect passwords stored in servers if an attack happens.

Link to comment

This is meant to protect passwords stored in servers if an attack happens.

The OP pointed out that this device is capable of doing lockouts after failed password entry attempts, and said "I'm sure other software can do this". I was confirming that.

 

I'm certain Linux can do the same thing as well. Although I'm more familiar with Windows Active Directory.

Link to comment

The OP pointed out that this device is capable of doing lockouts after failed password entry attempts, and said "I'm sure other software can do this". I was confirming that.

 

I'm certain Linux can do the same thing as well. Although I'm more familiar with Windows Active Directory.

Oh ok.

 

Anyway basically any modern OS is able to do that, even on mobile.

Link to comment

Oh ok.

 

Anyway basically any modern OS is able to do that, even on mobile.

I wouldn't know about mobile. I assume that is merely used with either a lockout timer (certain amount of time before you can try again), which isn't really all that secure, or a brick feature that bricks the phone after a certain number of failed attempts. Very secure, just hope you don't fuck up lol

Link to comment

Wow, who would pay for this?

First explain how your "security" works

Error: 451                             

I'm not copying helping, really :P

Link to comment

Maybe more places should just use mandatory 2 step authentication.

Case: Phanteks Evolve X with ITX mount  cpu: Ryzen 3900X 4.35ghz all cores Motherboard: MSI X570 Unify gpu: EVGA 1070 SC  psu: Phanteks revolt x 1200W Memory: 64GB Kingston Hyper X oc'd to 3600mhz ssd: Sabrent Rocket 4.0 1TB ITX System CPU: 4670k  Motherboard: some cheap asus h87 Ram: 16gb corsair vengeance 1600mhz

Link to comment

passwords need to go away,

We have finger print readers and iris scanners now that are relatively cheap to integrate into a device, surely someone can come up with some way of integrating this into all situations where you would normally need a password, ideally using both...

I know everyone doesn't have these on their devices yet, but for those that do give them the option to use them instead of a password....

I don't mean just to log in to an os or phone, i mean on websites, steam, origin, banking, the lot.

What about situations when multiple people need to share a password? Also in what way would it be more secure? You'd literally be using the same password for EVERYTHING.

Link to comment

Multiple people should not share a password, they should all have their own individual accounts within a group, that is not just good security 101, but common sense 101.

 

1. Fingerprints are unique; true, they can be forged, but it's very difficult and needs physical access to the finger or a left-over print,

2. The iris is also totally unique, whether or not this can be faked or not I do not know.

3. These are NOT passwords, they are physical unique traits, that are infinitely more difficult to get around than a password.

Couple these together and your security is multiple times more effective, and the chance of it being compromised remotely (given the software is also secure) is virtually non-existent.

If you want to be even more secure you could add a password layer on top of the other two. but passwords on their own need to go away.

Link to comment

This quote exactly, my point is why would a company pay that much money for a dedicated piece of hardware when there are other solutions which are cheaper.

 

Because software houses sometimes don't do their job. Instead of risking a security bug in their custom tailored application I bet an enterprise would gladly pay 140 grand.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

Link to comment

passwords need to go away,

 

We have finger print readers and iris scanners now that are relatively cheap to integrate into a device, surely someone can come up with some way of integrating this into all situations where you would normally need a password, ideally using both...

 

I know everyone doesn't have these on their devices yet, but for those that do give them the option to use them instead of a password....

 

I don't mean just to log in to an os or phone, i mean on websites, steam, origin, banking, the lot.

In principle I agree with you, but physical access security and biometrics, like iris scanners, will not prevent you from forcing a device open. Eg: If someone mugs you, grabs your iphone, and says, give me the passcode - you could lie, or say no. Obviously they might threaten or hurt you, but you have that option.

 

With TouchID, they could say "unlock the device", you say no, they punch you in the face and force your fingerprint onto the device.

 

Another scenario, your employer, or the government (Let's say due to criminal investigations) say you must unlock your device - with a passcode, you could say "I forgot what it is", or could try to resist their "persuasions".

 

With Biometrics, they could simply force your finger onto the scanner, or your eye up to the scanner, etc.

 

Obviously even with traditional passwords, someone can probably beat the password out of you, unless you're Rambo, or trained specifically to resist interrogation (and even in those cases, you're generally trained to simply resist long enough for passcodes and authentications to expire and be changed). But it's a hell of a lot easier, if all they have to do is force your finger onto a pad, rather than force you to willingly tell them a passcode.

 

What about situations when multiple people need to share a password? Also in what way would it be more secure? You'd literally be using the same password for EVERYTHING.

In cases where multiple people need to share a password, the entire architecture would be changed. There might be one "user", software side, but you would authenticate many people with access via biometrics. Each user would get access to the same information/account/details, but would each be authenticated with their own biometrics.

 

Multiple people should not share a password, they should all have their own individual accounts within a group, that is not just good security 101, but common sense 101.

 

1. Fingerprints are unique; true, they can be forged, but it's very difficult and needs physical access to the finger or a left-over print,

2. The iris is also totally unique, whether or not this can be faked or not I do not know.

3. These are NOT passwords, they are physical unique traits, that are infinitely more difficult to get around than a password.

Couple these together and your security is multiple times more effective, and the chance of it being compromised remotely (given the software is also secure) is virtually non-existent.

If you want to be even more secure you could add a password layer on top of the other two. but passwords on their own need to go away.

Of course, you're right. Ideally, every person would always have their own user account, and no one would ever share passwords of any kind. However, biometrics can still be used to authenticate multiple people to a single user account, if that's the way the system is designed.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 

Link to comment

In principle I agree with you, but physical access security and biometrics, like iris scanners, will not prevent you from forcing a device open. Eg: If someone mugs you, grabs your iphone, and says, give me the passcode - you could lie, or say no. Obviously they might threaten or hurt you, but you have that option.

 

With TouchID, they could say "unlock the device", you say no, they punch you in the face and force your fingerprint onto the device.

 

Another scenario, your employer, or the government (Let's say due to criminal investigations) say you must unlock your device - with a passcode, you could say "I forgot what it is", or could try to resist their "persuasions".

 

With Biometrics, they could simply force your finger onto the scanner, or your eye up to the scanner, etc.

 

Obviously even with traditional passwords, someone can probably beat the password out of you, unless you're Rambo, or trained specifically to resist interrogation (and even in those cases, you're generally trained to simply resist long enough for passcodes and authentications to expire and be changed). But it's a hell of a lot easier, if all they have to do is force your finger onto a pad, rather than force you to willingly tell them a passcode.

 

In cases where multiple people need to share a password, the entire architecture would be changed. There might be one "user", software side, but you would authenticate many people with access via biometrics. Each user would get access to the same information/account/details, but would each be authenticated with their own biometrics.

 

Of course, you're right. Ideally, every person would always have their own user account, and no one would ever share passwords of any kind. However, biometrics can still be used to authenticate multiple people to a single user account, if that's the way the system is designed.

Yeah that is why you create a group and add individuals to that group.

 

sure they can beat the shit out of you to get your phone, that's not ideal...but knowing that they are not going to be able to access the device without a finger or iris is going to put off most petty criminals stealing phones, tablets and laptops anyway, it's too much risk for too little reward, whereas if it's just a password, it can be hacked and unlocked much easier.

but it's more on about remote access, iris and finger scanners for accessing sensitive data should start becoming the norm now.

Also if you are accessing an employer's servers, there is likely to be someone who essentially has a master key to your account anyway. Using a biometric is more to do with stopping an outsider gaining access to the systems.

Link to comment