
Google puts a ring on it to infuriate hackers, replace passwords

By | January 20, 2013, 9:19 AM PST

Declaring war on the humble password, Google’s new invention turns a ring on your finger into a security device.

Passwords. The delight of the script kiddie and our — admittedly often lazy — way to secure accounts ranging from Facebook to corporate systems. When some of the most common passwords used worldwide include “qwerty,” “ninja” and “password,” it’s no wonder tech giant Google believes that, with cybersecurity threats on the rise, passwords simply don’t cut it anymore.

So, what can we do about it? How about creating password-replacing jewellery that opens your accounts through a form of authentication that is far more difficult to breach?

In a paper set to be published this month in IEEE Security & Privacy Magazine, Google’s research team outlines a new type of ring authentication device that could change the way we log in to websites in the future.

Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay write in the paper:

“Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe. It’s time to give up on elaborate password rules and look for something better.”

Google already has two-step verification in place, but according to the team, not nearly enough people use the service. So instead, a ring springs to mind — something that’s with you and easy to carry.

In the future, a single ring could be used to log in to all of your accounts. The ring would be embedded with a USB-connectable token — potentially including a YubiKey cryptographic card — which you would plug into your computer and register yourself with; once identified, you would be able to access any account you choose.

However, this kind of key isn’t the only idea on Google’s table. With the explosion in mobile technology, connecting from your smartphone is another option. The researchers commented:

“Some more appealing form factors might involve integration with smart phones or jewellery that users are more likely to carry anyway. We’d like your smart phone or smartcard-embedded finger ring to authorise a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity.”

There would need to be some kind of backup in case the key was lost or stolen, but would combining all of your accounts make things easier?

(via Wired)

Charlie Osborne

About Charlie Osborne

Charlie Osborne is a contributing editor for SmartPlanet.

Charlie Osborne is a freelance journalist and graphic designer based in London. In addition to SmartPlanet, she also writes the iGeneration column for business technology website ZDNet. She holds degrees in medical anthropology from the University of Kent.

Charlie Osborne does not have financial holdings that would influence how or what she covers.

She writes for SmartPlanet and is not an employee of CBS.

8 Comments
Something has to be done, but with slack as well.
Let's face it. Slack is the spice of life. For me, an ideal login token might be a ring, or some other thing that has a personal design which is scanned by a reader. This is not unlike the old signet ring worn by nobles of ancient times, where they could impress it into the wax seal on a letter, enough proof in those days that the letter was genuine. But they had their hackers too.

I'd like to see some personal key, but I would also like to see loosely credentialed things remain for reasons of privacy. I don't wear my ID on the shirt front or tattoo it on my forehead so everywhere I go everyone knows my ID. The same goes for the internet.

The personal key would be for important things like banking and e-mail and to edit my databases and websites. Not for message boards, Facebook, and Google spying. Google has a good reason for this besides hacker removal. The quality of tracking data is so much better and more valuable to Google's customers when the ID is assured.

Like many others, I'm not out to hide from other legitimate real people, just from the advertisers, snoops, and paid-profilers. I really don't want my internet marketing experience adjusted. I prefer random happy
Posted by opcom
21st Jan
The technology already exists for fingerprint recognition, but,
a combination of fingerprints and voice recognition would be even more infuriating to a hacker. Both of those technologies already exist. Another technology that exists is the eye print, and a "password" could be built to use two of those, but not all three at the same time, and, on an alternating basis, the system could ask for a combination eye/fingerprint, or fingerprint/eye, or eye/voice, or voice/eye, or voice/fingerprint or fingerprint/eye. The system would need to keep track of the last combination used, and then prompt for a new combination.

The ring idea sounds hopeful, but, a ring alone could be stolen or lost, like the op-ed above states.
Posted by adornoe
21st Jan
With Yubico type keys, the password changes each time
One nice thing about Yubico keys is that the password changes each time. When inserted into a USB port, the key appears as a keyboard device to the OS. Each time it is activated, it generates a pseudorandom sequence of letters that only the Yubico servers know what to expect. Thus even if somebody has installed a key logger on your system, it does them no good. They can't predict future sequences from old ones they've captured, and since they don't have physical access to the key they can't log into websites as you.

Passwords and even biometric schemes rely on the same input each time. Once the digital data they get encoded into is captured, hackers have free access. Yubico-type keys get around this. On the downside, if somebody gets physical access to your key then it's all over. That's why wearing it as a ring would make sense. If Google could also include some kind of biometric property to the ring as an added layer of security, that would also help. You would then have the classic two types of authentication in that case.
Posted by zackers
21st Jan
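The property the comment above (and the article's mention of a YubiKey-style token) relies on is that every press emits a different code and the server refuses any code it has already accepted. The following is an added illustration, not Yubico's actual OTP format or the page's own code: a simplified counter-based one-time-password token and validator (hypothetical `Token`, `Validator` and `demo` names, constructed secret and token id) showing that a keylogged code fails when replayed and does not help predict the next one.

```python
# Simplified model of a counter-based one-time-password token and its validator.
# Added illustration, NOT Yubico's real OTP format: it only shows why a code captured
# by a keylogger can neither be replayed nor used to predict the next code.
import hashlib
import hmac

def _tag(secret: bytes, counter: int) -> str:  # HMAC over the counter: unguessable without the secret
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:32]

class Token:
    """Hypothetical hardware token: a secret it never emits plus a use counter."""
    def __init__(self, public_id: str, secret: bytes):
        self.public_id, self._secret, self._counter = public_id, secret, 0
    def press(self) -> str:
        """Each activation emits a new code; the counter makes every code different."""
        self._counter += 1
        return f"{self.public_id}:{self._counter:016x}:{_tag(self._secret, self._counter)}"

class Validator:
    """Server side: knows each token's secret and the highest counter already accepted."""
    def __init__(self):
        self._secrets, self._last_seen = {}, {}

    def register(self, token_id: str, secret: bytes) -> None:
        self._secrets[token_id] = secret
        self._last_seen[token_id] = 0

    def verify(self, otp: str) -> bool:
        try:
            token_id, ctr_hex, tag = otp.split(":")
            counter = int(ctr_hex, 16)
        except ValueError:
            return False  # malformed input
        secret = self._secrets.get(token_id)
        if secret is None or not 0 < counter < 1 << 64:
            return False  # unknown token or out-of-range counter
        if not hmac.compare_digest(_tag(secret, counter), tag):
            return False  # forged or corrupted code
        if counter <= self._last_seen[token_id]:
            return False  # replay: this counter value was already consumed
        self._last_seen[token_id] = counter
        return True

def demo() -> tuple:
    secret = b"constructed-shared-secret-16"  # constructed: set at enrolment, never typed
    token, server = Token("tok-0001", secret), Validator()
    server.register(token.public_id, secret)
    logged = token.press()  # the string a keylogger would capture
    return server.verify(logged), server.verify(logged), server.verify(token.press())
```

`demo()` returns `(True, False, True)`: the first code is accepted, its replay is rejected, and the token's next press still works.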
Mr. Skeptical over here
Make all accounts accessible via one single point of failure, via an unproven technology? Yeah, sign me up! =P

Pardon the harsh wording here but if people are too lazy to remember a more complex password than "ninja" then they deserve to be hacked. Whenever security products are designed to address laziness, they end up compromising on security because they are generally intended to make money, thus, have mass appeal, thus, focus # 1 is not on security. Or at least that's been the rule so far.

Oh and btw if my key-ring thingy is on my finger and my closest USB port is 15 feet away, then what? What if I need to wash my dishes?

It's fun to see innovations and yes, people are coming out with all kinds of funky authentication ideas, and true you do need to marry convenience with functionality to get the masses to buy in, but the bottom line remains that if the person is too lazy to do something simple like make a decent password then I'm not sure we'll ever see strong security for all. My guess is that after all is said and done some years from now, we'll either use DNA scanners, or be embedded with some device or nano-tech that you can't lose or copy without being a nation state, and so on - but we'll always be subject to interception.

Unless of course we all authenticate via a closed network, which then on the backend converts your session to a public open network like the Internet. But then we need two hard lines to each endpoint. Anyway, the future is interesting but the present is kind of goofy.
Posted by viProCon
22nd Jan
It is a compromise
The BEST way to protect data would be a combination thing. You log in to a network from anywhere in the world. The server checks the GPS on your phone to be sure you are where you say you are and only then does a voice or DNA scan let you in WITHOUT a password. Saying if a person is too lazy to remember a password means it is their fault if they get hacked ignores the reality that protecting computers should be the job of IT professionals and their high tech gear, not the job of often overworked and information-drowning souls who after a 30-hour day might not remember their own names let alone "Eref43254###d4232".
Posted by OldPoet
28th Jan
Addendum to Mr. Skeptical
I re-read my post - ok I admit I don't feel people deserve to be hacked, BUT, what goes through your mind when you see, even in fiction perhaps, a situation where a rich guy walks around some ghetto waving a stack of bills and then gets mugged - what thoughts do you have after hearing this? Then think, how is that different than people using simple passwords (minus the laziness factor - we're all intelligent beings, just habitually unintelligent due to conditioning).

That Yubi thing sounds interesting. I also like the 2 of 3 random factor authentication thingy. I personally think frequently rotating authentication mechanisms are a good way to go, so yes while I bemoan lazy passwords, I agree, there can be more effective methods.

But upon hearing about this Yubi key idea, what comes to mind off the bat is that hackers will simply obtain a key, determine the algorithms used to "randomize" the strings, and who knows from there. All it takes is one person, obviously a cryptographer as most others can't do the math work, and that person just needs to share their findings with the community and suddenly in the news we all hear about how Yubi keys were hacked. Or perhaps more common to the current modus operandi, a hacker will get into the Yubi corporate network, steal their source code, and release it or something.

I also kind of laughed when I read that hackers will be infuriated. Especially when it was repeated by a previous post.

I'm not a hacker, however I know enough to know that hackers are curious people by nature. The bigger the challenge, the more motivated they are to solve the puzzle. Getting easily infuriated is not a personality trait of the successful hacker.

Plus, though it's pointless for me to say it yet the drum must beat on, a hacker is simply a curious and talented individual. A hacker is not a bad person. Technically speaking, if you are trying to solve a crossword puzzle, you are a crossword puzzle hacker. A computer hacker is just a puzzle solver.

A black hat hacker is the type that does criminal or morally ambiguous activity, a white hat is one that defends against the black hats, or at least just refrains from using their skills in a black hat kind of way.

Since Ninja is such a popular password, perhaps if I used an analogy: The ninjas in black are the bad guys, the ninjas in white are the good ones, and so you can't just say all ninjas are bad.

However, I do not believe I can make the same analogy using monkeys or 1234.
Posted by viProCon
22nd Jan
Kudos
This has to be one of the best comments I've read in a while! You make me want to participate in the community again. Thanks!

And needless to say: Great points!
Posted by GSystems
25th Jan
Same problems
Physical security measures are often easier to overcome than digital; Google should know that. The problem with this method of authentication is that if someone possesses the token, they are assumed to be the user without additional authentication. In other words, if someone gets a hold of your ring, they can get access to all of your stuff. Now, this is partially solved by two-tier authentication, wherein a user has to register a particular device by filling out a secondary password, but again, this makes devices such as personal laptops that are currently quite secure much less so. All we'd be doing is switching out hackers for pickpockets as the primary menace to personal information security.

Let me just give you an example: a DoD contractor is given a work laptop. A thief steals his ring through any of the many ways that could happen. The thief now has complete access to all of his systems, without needing to know anything about computers at all. He doesn't need to guess at a password, because to the computer, he appears to be the user in every way that matters. The machine has been authenticated with that ring, no more work is required, and after copying the relevant info, the thief can ditch the machine, rendering Computrace and other such systems useless. All that has happened is exchanging remote threats for local ones.

Realistically, the best security scheme is to use a password comprised of random words, as outlined in xkcd, that is automatically changed on a daily basis according to a user-set algorithm that's simple for the user to process. Here's an example that I've actually used in the past: I had a cron job that changed my email and online banking password every day. Now, take your favorite music playlist (could be anything else that's a list of words in specific numerical order), listen to the first song, you remember what song comes after that? Of course you do, it's your favorite playlist, you listen to it all the time. You probably remember all 20+ songs and which order they're in. My algorithm took the date, and reduced it to a single or double-digit number less than 20, like so: Jan. 27, 2013 = 1+2+7+2+1+3 (the numbers in the date) = 16. So the 16th song on my playlist was what my password was set to that day ('Chamber_the_Cartridge'). If for some reason I can't remember, I just check my iPod or phone, or hum through the songs in my head. But realistically I always remembered, because I listened to it constantly. Now, this gives me a different password every day, and I don't have to remember the password, just the list. You could do a specific word in a poem you memorized, or for two digits, two words, i.e. in the Cadaeic Cadenza 1 and 6 = Midnights_Weary. Only need to know the first 20 words of that poem. Or lyrics in a song, just count the words. Anything you can remember more than 20 of. And voila, you have a password that is long, complex from a cryptography standpoint, changes at whatever frequency you want, but is very easy for you to calculate. All you have to know is the date, and be cognizant enough to do single-digit addition.

That's the best password schema. Easier to remember than Tr0b4d&oR or l3t_M3_1n, but much stronger, and changes constantly. You can even tell people your password without worrying, because it'll be different tomorrow. All you have to focus on keeping to yourself is the algorithm that changes it.
Posted by Valyros
27th Jan