Google Blogoscoped

Dual password

DPic [PersonRank 10]

Monday, August 13, 2007
16 years ago, 3,046 views

What do you think of this idea-- two passwords. Already having an extra password could affect the security of your account but keep listening. One password would be fancy and stuff that you wouldn't use anywhere but in your own privacy and you wouldn't have to change it very often. The second password would be shorter, simpler, and you would change it all the time (or whenever the system told you to) and you would use it in public places and anywhere where it could easily be found. Of course, this second password would be optional. Feedback?

David Hetfield [PersonRank 10]

16 years ago #

Kinda like a security question Danny?
(Just in a password format?)

Roger Browne [PersonRank 10]

16 years ago #

More useful would be a one-time password that you can set up in advance from your private computer.

Then, you can use a public computer to log in to PayPal and if there's a keystroke logger attached to that computer you won't have your account siphoned.

Philipp Lenssen [PersonRank 10]

16 years ago #

Not having to enter any password would be the ultimate usability. Is this feasible for websites, with some additional hardware? Maybe some retina-checking camera connected to some neutral server which hands out tokens to other websites? :)

DPic [PersonRank 10]

16 years ago #

All possible with OpenID

http://openid.net/

James Xuan [PersonRank 10]

16 years ago #

Sounds good to me.

Colin Colehour [PersonRank 10]

16 years ago #

I like Roger's idea. Banks can do this with Credit Card numbers right now. If you make a purchase with the Virtual Credit Card number, if that number got out, it wouldn't affect you because it was a one time use only credit card number.

Colin Colehour [PersonRank 10]

16 years ago #

Actually, even better would be to be able to use one of the RSA keychains to get part of your new password each time you log in. Part of the password changes each minute so if someone did grab your password, it would be useless the next minute.

http://farm2.static.flickr.com/1095/1107234113_690170a658_o.gif
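As an added illustration of the rotating-code idea in the post above (not part of the thread, and not the algorithm RSA's tokens use): the Python below uses the open TOTP construction from RFC 6238 with a 60-second step as a stand-in. The `Verifier` class, the PIN-plus-code layout and all sample values are assumptions made for this example.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code, matching "changes each minute" (RFC 6238 default is 30)
DIGITS = 6   # length of the rotating part


def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time window that contains `now`."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Verifier:
    """Hypothetical server side: fixed PIN + rotating code, each window usable once."""

    def __init__(self, secret: bytes, pin: str, salt: bytes):
        self.secret, self.salt = secret, salt
        self.pin_hash = hash_pin(pin, salt)
        self.last_window = -1  # newest time window already accepted

    def login(self, submitted: str, now: float) -> bool:
        pin, code = submitted[:-DIGITS], submitted[-DIGITS:]
        window = int(now) // STEP
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        code_ok = hmac.compare_digest(code.encode(), totp(self.secret, now).encode())
        # Refuse a window that was already used, so a keylogged password
        # cannot be replayed even within the same minute.
        if not (pin_ok and code_ok) or window <= self.last_window:
            return False
        self.last_window = window
        return True


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed sample values
    server = Verifier(secret, "hunter2", b"constructed-salt")
    t = 1_000_000_020                             # constructed login time
    typed = "hunter2" + totp(secret, t)           # what the user types (and a logger sees)
    print(server.login(typed, t))                 # genuine login
    print(server.login(typed, t + 5))             # replay, same minute
    print(server.login(typed, t + 60))            # replay, next minute
```

A deployed verifier would normally also accept an adjacent time window to tolerate clock drift between token and server, which this example leaves out.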

James Xuan [PersonRank 10]

16 years ago #

:) I just bought a DS with a 3v voucher. A virtual credit card. Maybe joe could give me his number sometime for animal crossing?

Roger Browne [PersonRank 10]

16 years ago #

> Not having to enter any password would be the ultimate usability.

Now that's a great example of lateral thinking, and in principle there are several ways in which it might be done. I don't think the retinal scanner will work though, because it's prone to a "man-in-the-middle" attack where the retinal image is captured and replayed later.

To overcome this, the website would need to give you a unique instruction each time, such as "blink twice, then look to the left". But that's almost as much hassle as a password.

Philipp Lenssen [PersonRank 10]

16 years ago #

> I don't think the retinal scanner will work though, because
> it's prone to a "man-in-the-middle" attack where the retinal
> image is captured and replayed later.

I think the real question is not is it safe, but is it safe enough. Someone who watches over your shoulder in an internet cafe (or who installed a cam anywhere on the ceiling) will be able to capture your Google Account password. Is getting a hi-res retina pic of you really easier?

But the retina is just an example. A webcam authenticating a "3D picture in front of the webcam that moves, and looks like you" might also be feasible. I've seen this with BananaScreen screen locking...
http://www.bananasecurity.com/

Zim [PersonRank 10]

16 years ago #

Biometrics are always the best solution, but it's hard to implement...
Just avoid checking your mail everywhere if you don't really need to.
A good solution would be ... err... Just kill everybody near those public computers, shoot the cameras, blind the windows and lock the door. Connect directly to the router, disconnect any other computer before connecting yours. Use a live CD. Reset your connection to get a fresh and new IP. Use Firefox. Connect using secure HTTP. Run in circles. Use a very long password (more than 40 characters).
Or just take some risks :)
