The memory game
To safeguard the password, we invented two-factor authentication. It could be a token, which we now trust to supply us with a ‘one-time password’. By Avinash Kadam, MIEL e-Security, July 29, 2011

Today our entire existence in the e-world depends on our ability to convince a system of who we are. We will not be admitted to any Internet site, banking portal or social networking site unless we remember the right password. Even our own PC will refuse to recognize us if we do not remember the magic words that differentiate us from an intruder. We always underestimate our power to remember things, so we write the password down. We are constantly admonished for this habit, because a written password can be stolen, lost, misplaced or fall into the wrong hands. To overcome this great mistrust of our own memory and of our ability to safeguard the password, we invented two-factor authentication. We now trust someone else to remember or generate passwords for us. It could be a token, which we now trust to supply us with a ‘one-time password’. For additional security, we scan and store some digital data pertaining to our biometrics: unique features like a fingerprint or retinal nerve pattern. We believe that these will now be securely managed by some electronics and will always help us convince the entry point of our authenticity.

What if this belief is shattered, the way it recently happened in the case of RSA SecurID tokens? Someone breached the system using a low-and-slow attack (the more impressive term is APT, Advanced Persistent Threat), which could not be easily detected. The attack was not only against RSA, but against anyone using RSA tokens. So, next we heard that Lockheed Martin, the defense contractor, had a major security breach, which was perpetrated through compromised RSA tokens. This is worrisome, as millions of users belonging to thousands of very high-profile companies use such tokens. The replacement cost will run to millions of dollars. And how can you be sure that similar breaches will not happen again? Can we really trust third parties to maintain security for us? They may have taken all reasonable precautions, but they still cannot guarantee protection against an unreasonable, very advanced, highly persistent threat.

We have not yet heard of a major attack involving biometrics, but observing the trend, it is not inconceivable. How difficult would it be to break into a folder containing biometric signatures and replace them with an attacker’s biometric signature, so that the attacker can get in with his or her own signature? Someone will definitely come up with another APT for biometrics.

Since electronics has failed to keep the secret, why not turn to paper for help? This is a classic, ancient way of maintaining a one-time pad. Let me give an example. If I choose six numeric characters as my pass-number, I can keep a note of this pass-number on my computer, in my diary or in my memory. But I do not use this number as the password. I convert the number into a password by referring to a book: the first two digits of the pass-number give the page number, the next two digits give the line number and the last two digits give the word number in that line. I can keep changing the passwords, the scheme of reference and the book to be referred to, as often as I want. So, for the same pass-number, different books will give me different passwords. The password could also be a long passphrase. To correlate the pass-number with the password, the attacker needs to know which book I am referring to, and I hope human memory can be trusted to remember this without writing it down. This simple scheme may not be useful in every situation, but it could definitely be used for generating personal passwords and for changing them frequently. Also, we need not worry about forgetting the pass-number, as it is written down.
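The page/line/word lookup described above, implemented as an added example for this column (it is not the author's code). The two sample "books", the `---` page separator and the option of taking several consecutive words to form a passphrase are constructed assumptions for the demonstration; a real user would consult a printed book. The example also counts how many positions a six-digit pass-number can address in a given book, which is the search space left to an attacker who learns both the book and the scheme.

```python
import string
from typing import List

# A book is pages -> lines -> words (0-indexed internally; the column's
# scheme counts pages, lines and words from 1).
Book = List[List[List[str]]]


def parse_book(text: str) -> Book:
    """Split plain text into pages -> lines -> words.

    Assumed convention (not from the column): a line containing only '---'
    separates pages. Surrounding punctuation is stripped from each word so
    that 'quartz,' and 'quartz' yield the same password.
    """
    pages: Book = []
    for page_text in text.split("\n---\n"):
        lines: List[List[str]] = []
        for raw_line in page_text.strip("\n").split("\n"):
            words = [w.strip(string.punctuation) for w in raw_line.split()]
            lines.append([w for w in words if w])
        pages.append(lines)
    return pages


def derive_password(pass_number: str, book: Book, words_per_password: int = 1) -> str:
    """Turn a six-digit pass-number into a password using the column's scheme:
    digits 1-2 = page, 3-4 = line, 5-6 = word, each counted from 1.

    words_per_password > 1 is an assumed extension: consecutive words starting
    at the chosen position are concatenated into a passphrase.
    """
    if len(pass_number) != 6 or not pass_number.isdigit():
        raise ValueError("pass-number must be exactly six digits")
    page, line, word = (int(pass_number[i:i + 2]) for i in (0, 2, 4))
    if min(page, line, word) == 0:
        raise ValueError("page, line and word are counted from 1")
    try:
        line_words = book[page - 1][line - 1]
    except IndexError:
        raise ValueError(f"pass-number {pass_number} points outside the book") from None
    chosen = line_words[word - 1:word - 1 + words_per_password]
    if len(chosen) < words_per_password:
        raise ValueError(f"line {line} on page {page} has no word {word + words_per_password - 1}")
    return "".join(chosen)


def addressable_positions(book: Book) -> int:
    """Count the (page, line, word) positions a six-digit pass-number can reach.
    Once an attacker knows the book and the scheme, this is the whole search
    space for a single-word password, so the choice of book is the real secret."""
    return sum(min(len(line), 99) for page in book[:99] for line in page[:99])


# Constructed sample "books" (pangrams and public-domain opening lines).
BOOK_A = parse_book(
    "The quick brown fox jumps over the lazy dog.\n"
    "Pack my box with five dozen liquor jugs.\n"
    "How vexingly quick daft zebras jump.\n"
    "---\n"
    "Sphinx of black quartz, judge my vow.\n"
    "Two driven jocks help fax my big quiz.\n"
    "The five boxing wizards jump quickly."
)
BOOK_B = parse_book(
    "It was the best of times, it was the worst of times.\n"
    "Call me Ishmael.\n"
    "---\n"
    "Happy families are all alike.\n"
    "Every unhappy family is unhappy in its own way."
)

if __name__ == "__main__":
    pn = "020203"  # page 2, line 2, word 3
    print(pn, "->", derive_password(pn, BOOK_A), "/", derive_password(pn, BOOK_B))
    print("passphrase:", derive_password("010105", BOOK_A, words_per_password=3))
    print("positions reachable in book A:", addressable_positions(BOOK_A))
```

The same pass-number gives a different password from each book, which is the property the column relies on. The `addressable_positions` count makes the defender's caveat concrete: the pass-number itself carries at most a million possibilities, and with a known book no more than the number of word positions in it, so the scheme is a book-cipher style lookup whose strength rests entirely on keeping the choice of book and reference scheme private.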

The author is at MIEL e-Security
