Project Abacus, a.k.a. Google is terrible at security
-
A curious thing appeared in my feed: it would seem Google is developing a new authentication method. It's supposed to "kill passwords". If that sounds suspiciously like "kill any semblance of security" to you, you'd be incredibly right!
So it's an API that decides whether you really are who you say you are, based on biometrics. But worry not, banks will require a much higher trust score than games! And apparently some people want this to replace 2FA. You can see a handy chart from last year's conference showing estimated entropy of all this bullshit: a whole 20 bits.
It "may prove to be ten-fold more secure than just a fingerprint sensor", because you know your security system is great when your selling point is being better than 4-digit PINs or fingerprints. Because people still don't understand that biometrics are usernames, not passwords.
This is probably the most brain-dead idea I've ever heard. And the worst thing is, there doesn't seem to be any way to disable this, so your account may be compromised even if you don't want to use it, because you know that neglecting the security of one of the most critical accounts is fairly important. And because this is a Google project and it's an API and people are dumb, this is bound to be used elsewhere too (articles already mentioned that banks want to trial it, because of course, if there is anyone worse at security than Google it would be banks).
There's been reports of users being able to log in to their accounts on brand new devices with silly questions like "what city do you login from the most". To be honest I don't really care whether they're true or not. This whole thing has literally no redeeming qualities whatsoever. This is what centralisation brings: morons in charge.
I'd say that this ruins privacy, too, but that ship has sailed a long time ago.
-
@CatPlusPlus said in Project Abacus, a.k.a. Google is terrible at security:
It "may prove to be ten-fold more secure than just a fingerprint sensor"
A 10-fold increase in security is just a bit (hah!) over 3 bits of entropy. Or they could, you know, increase the minimum length of password by one character. Given how terrible people are at password selection, that'd probably get about the same increase in security.
The real question is whether they'll have this as a login alternative, or whether they'll remove passwords. Android devices support all sorts of login methods, but typically only a subset are enabled (depending on manufacturer policy, device policy and user choices). Adding to the base set? Not a problem; this wouldn't be the most insecure option, not by a long stretch. It's only removing the password method which would be a Big Deal.
-
@dkf said in Project Abacus, a.k.a. Google is terrible at security:
It's only removing the password method which would be a Big Deal.
I can't see that happening - Google would never make their services inaccessible to 90%+ of existing computers.
-
@dkf said in Project Abacus, a.k.a. Google is terrible at security:
Adding to the base set? Not a problem
Might be if it lets you skip the password auth every time. I don't have any Android devices to test it out, but I've looked around account settings and don't see a way to allow or disallow it. I hope it's because I'm using GApps and they're not rolling out this nonsense there, but I bet even if there is a way to disable it, it'll be enabled by default for everyone. For ~convenience~.
-
@CatPlusPlus said in Project Abacus, a.k.a. Google is terrible at security:
I don't have any Android devices to test it out, but I've looked around account settings and don't see a way to allow or disallow it.
Login methods are in the per-account-per-device settings (as at the very least the device needs them without a network present), so you wouldn't see them without an Android device. I'm guessing they'd be in Settings → Account → Security → Screen lock.
-
I don't care how accurate it is or how much entropy it has, I outright refuse to use a form of ~~identification~~ authentication that can be plainly seen on my body and copied by taking a high resolution photo or video (or DNA sample). I'd like to be able to venture out into the world without wearing a hazmat suit with a two-way mirror that I only take off to log in. Biometric login is a no-go for me, worst idea ever IMO.
-
How about a secure picture password instead? Of course, derp derp they're going bankrupt.
BlackBerry Picture Password and the PRIV – 05:51
— N4BB.COM
-
I still believe that we should just make people memorize 4-digit randomly generated PINs rather than their own chosen passwords. Because they can memorize 4 digit PINs, whereas most people simply can't generate or memorize good passwords. This just leaves the problem of how many they should have and how often they should be changed.
A hardware token would also be useful. They are simple to implement, easy to understand, and virtually unbreakable. The only problem is how do you deal with people losing them. You need some kind of trusted third party to keep a copy of your private certificate and verify that you are the correct person before issuing a new certificate (I'd say the g-word here but I don't want to trigger libertarians).
(btw, PIN stands for Personal Identification Number, whereas it's actually used for authentication, not identification. It should technically be PAN)
-
@anonymous234 said in Project Abacus, a.k.a. Google is terrible at security:
I still believe that we should just make people memorize 4-digit randomly generated PINs rather than their own chosen passwords.
Nope, not gonna happen. Instead, "make" people use a Picture Password as demonstrated in the video I posted above. $100 goes to the first person who watches me unlock my phone with a Picture Password, and then can actually unlock it when I hand it to him.
-
@lolwhat Are we allowing brute force methods? If so someone can make a solid ~$90 on this proposition:
-
@MathNerdCNU you can use this method straight to get his 100$, no passwords or phones needed.
-
@MathNerdCNU Obligatory XKCD reference, which I assume you were making a reference to:
-
@MathNerdCNU LOL, point taken, but it's usually poor form to do it in public. Not to mention that it's really difficult to describe the exact location on the screen where you need to move the number.
-
@lolwhat said in Project Abacus, a.k.a. Google is terrible at security:
poor form to do it in public
And it is relevant to this community how?
-
@Vault_Dweller As relevant as you'd like. Are you one of RacePro's alts?
-
@lolwhat I was commenting more generally. The question "is it poor form to do this in public?" generally does not factor into the decision-making process of most people here when deciding about anything
-
@LB_ said in Project Abacus, a.k.a. Google is terrible at security:
I outright refuse to use a form of ~~identification~~ authentication that can be plainly seen on my body and copied by taking a high resolution photo or video (or DNA sample). I'd like to be able to venture out into the world without wearing a hazmat suit with a two-way mirror that I only take off to log in
Unless your passwords are protecting matters of national security, this is sounding a bit tinfoil hat
-
@Vault_Dweller said in Project Abacus, a.k.a. Google is terrible at security:
@lolwhat I was commenting more generally. The question "is it poor form to do this in public?" generally does not factor into the decision-making process of most people here when deciding about anything
I'll keep my eye on the news for new additions to the sex offenders registry.
-
@CatPlusPlus Fuck this up the arse with a rusty rake.
-
@Jaloopa He has a point though: if everyone used fingerprints for security, "artificial fingerprint kits" of some sort would start appearing and becoming popular and then it wouldn't be that hard an effort for an attacker to make.
They only work as long as not many people use them.
-
@anonymous234 the server doesn't know if the fingerprint came from a sensor or was generated by software
-
@fbmac Oh, but that problem has already been solved!
-
@Jaloopa said in Project Abacus, a.k.a. Google is terrible at security:
Unless your passwords are protecting matters of national security, this is sounding a bit tinfoil hat
My point is, while biometric data is a great form of identification, it's a horrible form of authentication and it is a huge step backward from passwords.
-
@Jaloopa said in Project Abacus, a.k.a. Google is terrible at security:
@LB_ said in Project Abacus, a.k.a. Google is terrible at security:
I outright refuse to use a form of ~~identification~~ authentication that can be plainly seen on my body and copied by taking a high resolution photo or video (or DNA sample). I'd like to be able to venture out into the world without wearing a hazmat suit with a two-way mirror that I only take off to log in
Unless your passwords are protecting matters of national security, this is sounding a bit tinfoil hat
I object to passwords I can't change.
-
@ben_lubar said in Project Abacus, a.k.a. Google is terrible at security:
I object to passwords I can't change.
You can change your fingerprints.
-
IIRC we don't even know for a fact that fingerprints are unique, and there is evidence to suggest otherwise.
-
@LB_ ...making the case for biometric data being a form of (admittedly poor) authentication rather than identification (usernames are unique, passwords are not)
-
@Vault_Dweller Fingerprints are not the only form of biometric data that can be measured and used as identification. Also, regardless of whether fingerprints are unique or not, it still stands that biometric data is publicly visible and difficult to change.
-
@Polygeekery said in Project Abacus, a.k.a. Google is terrible at security:
You can change ~~your fingerprints~~ whether you have fingers.
FTFY
-
@anonymous234 said in Project Abacus, a.k.a. Google is terrible at security:
"artificial fingerprint kits" of some sort would start appearing
You can already find millions of howtos online. It's not that hard to fool a fingerprint scanner.
-
@LB_ said in Project Abacus, a.k.a. Google is terrible at security:
IIRC we don't even know for a fact that fingerprints are unique, and there is evidence to suggest otherwise.
Most password check algorithms check a cryptographically generated (and hopefully one-way) hash of the password, and not the password itself, in order to avoid actually directly storing the password in human readable form where it might get swiped.
A hash has, by definition, less bits of entropy than the original password - For any given password hash within a particular ruleset for password formatting, there are (or, at least, should be) a number of "valid" passwords which hash to the same value.
So, although biometrics are lousy as authentication tokens in a significant number of ways, "possibly being duplicate" is not one of them. That, in fact, is something that makes them lousy as identification tokens as well.
-
@tufty said in Project Abacus, a.k.a. Google is terrible at security:
A hash has, by definition, less bits of entropy than the original password
IFF the original password consumes more bits than the hash.
take SHA256, it has 256 bits of entropy, or 32 bytes of entropy.
the password Password1234 consumes 12 bytes, and so has a maximum 84 bits of entropy (7 bits per letter because ASCII) (it's a bad password too so its actual entropy is probably much less)
so it would be more accurate to say a hash has a MAXIMUM entropy equal to the entropy of the hash. if you have a terrible password your EFFECTIVE entropy will be lower.
or to put it in math, the effective entropy of a hash is on the order of:
MIN(entropy of password, max entropy encoded in hash)
-
-
@accalia said in Project Abacus, a.k.a. Google is terrible at security:
@tufty said in Project Abacus, a.k.a. Google is terrible at security:
no, no it doesn't.
Bugger.
-
@tufty said in Project Abacus, a.k.a. Google is terrible at security:
@accalia said in Project Abacus, a.k.a. Google is terrible at security:
@tufty said in Project Abacus, a.k.a. Google is terrible at security:
no, no it doesn't.
Bugger.
IKR?!
-
@tufty Blame ~~Canada~~ @ben_lubar
-
@Onyx said in Project Abacus, a.k.a. Google is terrible at security:
@tufty Blame ~~Canada~~ @ben_lubar
can i blame trump?
i want to blame trump....
it's fun to blame trump.
he makes weird noises when you blame him.
-
-
@LB_ As real biological objects they are unique with arbitrary resolution.
There is a noise floor beyond which more resolution doesn't give more identification power because as biological objects they drift over time. I have a lovely scar on my left index finger right across the finger pad, for example.
Whether or not that noise floor is low enough to uniquely identify every human being is unknown.
What is known is that most fingerprint identification methods are laughably crude and turn up false matches all the time. Fingerprints are almost worthless as forensic evidence. Ditto eyewitness testimony. There are work-arounds but all involve near-complete control over the evidence or the eyewitness and careful controls.
-
In what world is this a feasible plan? Despite being undesirable, you know that some people will support it because "teh footure" (but probably not that many, hopefully). Man, has ~~Google~~ Alphabet, Inc. lost touch with innovation.
-
@AyGeePlus said in Project Abacus, a.k.a. Google is terrible at security:
Fingerprints are almost worthless as forensic evidence. Ditto eyewitness testimony.
Unfortunately, neither judges nor jury members nor policemen seem to have any idea how unreliable those are. That's how you end up with thousands of wrong convictions.
-
@accalia said in Project Abacus, a.k.a. Google is terrible at security:
MIN(entropy of password, max entropy encoded in hash)
True, although password rules may reduce the theoretic hash entropy maximum (I've seen a lot of systems that set a maximum password length, for example), and real world analysis indicates that password entropy is low; this shows a median entropy of around 21 bits, and less than 5% with an entropy greater than 45 bits (rated by Dan Wheeler's Zxcvbn, from a dataset of 10 million passwords)
-
@tufty said in Project Abacus, a.k.a. Google is terrible at security:
@accalia said in Project Abacus, a.k.a. Google is terrible at security:
MIN(entropy of password, max entropy encoded in hash)
True, although password rules may reduce the theoretic hash entropy maximum (I've seen a lot of systems that set a maximum password length, for example), and real world analysis indicates that password entropy is low; this shows a median entropy of around 21 bits, and less than 5% with an entropy greater than 45 bits (rated by Dan Wheeler's Zxcvbn, from a dataset of 10 million passwords)
in other words password entropy drives the effective not the hash entropy as password entropy is almost always weaker than hash entropy.
:-)
-
ZDNet said:
Google is working to develop the Trust API, which determines a 'trust score' using data such as location, facial recognition, and typing patterns to determine if the user is indeed who they say they are, then allowing them access to the required applications if the criteria is met.
AndroidCentral said:
The end result is a constant system that generates a trust score based on your usage, including how you type words and what apps you load on top of things like voice and face detection.
Engadget said:
uncrackable collection of biometric readings.
Engadget said:
as your phone continually monitors and recognizes your location patterns, voice and speech patterns, how you walk and type, and your face (among other things).
So, in order to maximize your ability to use this:
- No vacations
- No injuries which affect your face, fingers, or walking gait
- No laryngitis
- You better walk
- You better have fingers
- You better be able to talk
And to protect yourself, don't carry your phone into situations where potentially sensitive information may be discussed.
-
@AyGeePlus @tufty Whether or not fingerprints are unique is not relevant for authentication. My point is they're publicly visible and difficult to change, making them really poor for authentication purposes regardless of uniqueness. Same goes for faces, DNA, etc. - biometric data should not be used for authentication. Maybe for identification, but never for authentication.
-
@accalia said in Project Abacus, a.k.a. Google is terrible at security:
the password Password1234 consumes 12 bytes, and so has a maximum 84 bits of entropy (7 bits per letter because ASCII) (it's a bad password too so its actual entropy is probably much less)
Not all 7 bits per character are used because some are unprintable.
But you did say "maximum", which is technically correct.
-
@another_sam said in Project Abacus, a.k.a. Google is terrible at security:
Not all 7 bits per character are used because some are unprintable.
But it's usually more than 6 bits; even just lower case, upper case, and digits will get you an alphabet of 62 symbols.
-
@another_sam said in Project Abacus, a.k.a. Google is terrible at security:
Not all 7 bits per character are used because some are unprintable.
What’s stopping us from using control characters in a password, though? Other than web sites probably rejecting them and users being unable to enter them on a device like a phone or a tablet, that is.
-
@Gurth said in Project Abacus, a.k.a. Google is terrible at security:
@another_sam said in Project Abacus, a.k.a. Google is terrible at security:
Not all 7 bits per character are used because some are unprintable.
What’s stopping us from using control characters in a password, though? Other than web sites probably rejecting them and users being unable to enter them on a device like a phone or a tablet, that is.
Nothing. However, increasing the number of choices in the alphabet used doesn't increase password entropy anywhere near as fast as increasing the number of characters in the password, and significantly reduces the likelihood of the user being able to remember the password.
-
@tufty Unless you go to using the dictionary itself as your “alphabet”. Which is what the whole “correct horse battery staple” XKCD was actually about…
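-
The entropy arithmetic traded across the posts above, worked through as an added example (not part of any post in the thread). It assumes every secret is chosen uniformly at random, which is only an upper bound for human-chosen passwords; the 2048-word list and the function names are assumptions, not figures from the thread.

```python
import math

ABACUS_CHART_BITS = 20  # estimate quoted in the opening post


def uniform_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def effective_entropy_bits(secret_bits: float, hash_bits: int) -> float:
    """MIN(entropy of password, max entropy encoded in hash), as posted above."""
    return min(secret_bits, hash_bits)


def extra_symbols_equivalent(old_alphabet: int, new_alphabet: int, length: int) -> float:
    """Extra old-alphabet symbols that match the gain of moving a
    `length`-symbol secret from old_alphabet to new_alphabet."""
    gain = (uniform_entropy_bits(new_alphabet, length)
            - uniform_entropy_bits(old_alphabet, length))
    return gain / math.log2(old_alphabet)


def compare() -> dict:
    """Upper-bound entropy for the schemes mentioned in the thread."""
    return {
        "ten-fold improvement": math.log2(10),
        "4-digit random PIN": uniform_entropy_bits(10, 4),
        "trust score chart": float(ABACUS_CHART_BITS),
        "12 chars, 7-bit ASCII": uniform_entropy_bits(128, 12),
        "12 chars, printable ASCII (95)": uniform_entropy_bits(95, 12),
        "12 chars, letters+digits (62)": uniform_entropy_bits(62, 12),
        # Assumption: 2048-word list, four words picked at random.
        "4 words, 2048-word list": uniform_entropy_bits(2048, 4),
        # A 40-char printable secret exceeds SHA-256's 256-bit output.
        "40 printable chars via SHA-256": effective_entropy_bits(
            uniform_entropy_bits(95, 40), 256),
    }


if __name__ == "__main__":
    for scheme, bits in compare().items():
        print(f"{scheme:34s} {bits:7.2f} bits")
    # Allowing control characters (95 -> 128 symbols) in a 12-char password
    # is worth less than one additional printable character.
    print(f"95->128 symbols over 12 chars = "
          f"{extra_symbols_equivalent(95, 128, 12):.2f} extra chars")
```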