Password hardening

To follow up on my last post, here’s the link to the password hardening Q&A with Mark Diodati. Per the article: ‘password hardening is that you do something extra to make the password harder to guess or spoof without actually distributing a piece of hardware or software to the consumer. That extra thing you do is like a second factor.’

So he’s claiming that BioPassword is able to perform their function using just the native bits of Flash that reside in the default Flash installation? Does that contain keyboard monitoring and patterning capture, or does some new code need to be downloaded via Flash to pull this off (rhetorical, for those of you playing at home)? What prevents another keyboard logger from capturing the password and the patterning? Is this same patterning going to work on my Treo, or on all of the 3 different keyboards I use in different postures (work chair, sofa, standing desk)?

Wouldn’t it be far better to ensure that capture of the password via any means or method, with or without any cutesy patterning capture, would gain the attacker nothing of use? What about the ability to protect against any kind of internal, total password file compromise? THAT’s password hardening! Does BioPassword do that? No.

As to the dancing on-screen keyboard entry stuff, that has been shown again and again to be vulnerable to screen / click capture malware. It doesn’t matter if the keys are in different places at each login; this only protects from a pixel grid attack, not a screen capture attack that grabs the image surrounding the mouse at the time of click so the attacker can see 3,5,9,4,A,m,r, etc. By the time you make the interface confusing enough to obfuscate the clicks, ‘Joe regular user’ is confused or irritated, or picking an easy-to-enter, and therefore easy-to-guess, password. If this was all that and a bag of chips, Bharosa wouldn’t have had to move into fraud detection to support their weak, ‘pseudo-multifactor’ approach.

This stuff has been around for ages along with the ‘pick the faces you remember’ thing. Do ‘the kids’ today still use the word ‘lame’? It’s 2007 and folks are still dinking around with these kiddy toy approaches. I continue to be amazed at the half-measures being considered, let alone purchased and deployed.

Note the admission in the last answer that PKI is the only real answer. Funny how it keeps coming back down to that. Now if only there was a solution that made PKI practical and scalable… hmmmm, wonder where I might find one of those [sly, cat-got-canary grin]?