Feds funding efforts to create single Internet password
Washington Examiner ^ | 9/20/2014 | Sean Higgins

Posted on 09/20/2014 5:40:05 AM PDT by markomalley

The Commerce Department has been handing out grants to fund a way for Americans to use a single password anytime they shop, bank, pay bills or engage in any other online activity that requires logging in and verifying identity.

In effect, President Obama’s administration is trying to bring an end to Americans having different passwords for each online account. Almost $3 million in grants were given out for the project this week through the department’s National Institute of Standards and Technology, as part of its National Strategy for Trusted Identities in Cyberspace project.

"The grants announced will help spur development of new initiatives that aim to protect people and business from online identity theft and fraud," Commerce Secretary Bruce Andrews said.

There are more than 300,000 cases of identity theft annually, according to the Federal Trade Commission. Home Depot reported Thursday that hackers gained access to 56 million credit and debit cards in a breach of its systems. Last year, 40 million cards were compromised in a breach of Target's system.

The new initiatives would help create a "federated identity" system in which a single online provider would "vouch" for the user at other websites. The online user would choose the provider that vouched for them.

NIST spokeswoman Jennifer Huergo said the grants would help create a "marketplace of options so that you as a consumer could choose different identity providers that you trust."

She added that "federated identity" was a technical term that the computer experts coined.

"It sounds like 'federal' but it's not that at all. It's a term of art, I guess, for authentication. It comes from the IT people," she said.

Ryan Radia, associate director of technology studies at the free-market think tank Competitive Enterprise Institute, said the project's stated goal of a more secure Internet was laudable, but still better served by the private sector alone. The odds that any identity system starting out as voluntary eventually becomes mandatory is much greater if the government is involved, he said. He also dismissed NIST's claim that the technology could not be created without the grants.

"A Visa or Mastercard issued by a community bank in any small town can be used in any country around the world. That wasn't the result of any government initiative," Radia said, adding that government involvement might even retard the growth of privacy technology.

The government has given out about $19 million in grants through the NSTIC project since its creation in 2011.

Atlanta-based mobile trade association GSMA won an $822,000 grant to create a system that will be usable on different mobile networks. It is partnering with "America's four major mobile network operators," NIST said. Although neither NIST nor GSMA would disclose who the operators are, the four with the most subscribers in the U.S. are T-Mobile, AT&T, Verizon and Sprint, according to Bloomberg.

The $1.2 million grant to Confyrm of San Francisco would be to work on the federated system and find a way to track identity thieves.

MorphoTrust USA's grant is to demonstrate "how existing state-issued credentials such as driver’s licenses can be extended into the online world to enable new types of online citizen services." That would include things like applying for federal benefits.

"Since the government has a pretty good idea of who you are, they could be an identity provider," Huergo said.

While the system would eliminate the need for multiple passwords at different websites — many users employ the same password over and over again, making potential theft easier — it also would create a potential "all your eggs in one basket" scenario. Should the one provider that vouches for a user be breached, most of that person's information would be at risk.

"That is a concern that has been raised," Huergo said, but argued that consolidating the information was still a better idea than the current setup. "Right now we have our eggs all over the place … this would give people the opportunity to reduce the number of baskets that contain their private information."


TOPICS: Extended News; Government
KEYWORDS: bigbrother; nannystate
To: markomalley

Should make things easier for the NSA


21 posted on 09/20/2014 6:30:15 AM PDT by PAR35
[ Post Reply | Private Reply | To 1 | View Replies]

To: grania
Report your device stolen and access to your credit and personal information could easily be disabled.

Your comment needs a bit of edit.

'Cross the regime and access to your credit and personal information could easily be disabled.'

22 posted on 09/20/2014 6:32:15 AM PDT by PAR35
[ Post Reply | Private Reply | To 19 | View Replies]

To: markomalley
And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.

23 posted on 09/20/2014 6:35:17 AM PDT by Paine in the Neck (Socialism consumes EVERYTHING)
[ Post Reply | Private Reply | To 1 | View Replies]

To: markomalley

All the easier to make you a non-person.


24 posted on 09/20/2014 6:43:09 AM PDT by Mike Darancette (Do The Math)
[ Post Reply | Private Reply | To 1 | View Replies]

To: markomalley
Why don't they just force every web page to have a pop-up with:

That way, no one would have to worry about losing their password and NSA could easily find it when they need it.
25 posted on 09/20/2014 6:53:33 AM PDT by TomGuy
[ Post Reply | Private Reply | To 1 | View Replies]

To: PAR35

good point


26 posted on 09/20/2014 7:02:44 AM PDT by grania
[ Post Reply | Private Reply | To 22 | View Replies]

To: palmer
A related downside is that if the implementation is flawed (which is likely) the unencrypted and unhashed version of "what you are" will end up in a big list on a Russian hacker website. Since you cannot change "what you are" you will be precluded from using that system forever.

Believe it or not, I'm not as worried about that possibility as you apparently are. Having any one of the authentication factors is not that big a deal.

It becomes a big deal if they have your fingerprint scan and/or iris scan and/or facial scan AND your passphrase. Then, on top of that, they have to have your private certificate (that must be used in conjunction with the public certificate which is, by definition, public, to match up and identify "who you are"). From a non-repudiation basis, they would have to have your biometric, your passphrase, AND your private key.

The big deal, from a realism basis, is if they put your public key on the "compromised" list or if they just "lose" your public key.

27 posted on 09/20/2014 7:04:51 AM PDT by markomalley (Nothing emboldens the wicked so greatly as the lack of courage on the part of the good -- Leo XIII)
[ Post Reply | Private Reply | To 14 | View Replies]

To: markomalley
Feds funding efforts to create single Internet password

Another excuse to waste taxpayer dollars.

For safe-keeping, though, the NSA would have it.(/sarc)

28 posted on 09/20/2014 7:10:47 AM PDT by The Sons of Liberty (I want a Speaker who'll stick that pen and phone where no one but Reggie Love can find it!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: markomalley

Yeh easier for the NSA to scoop all your info. No thanks.


29 posted on 09/20/2014 7:15:17 AM PDT by Georgia Girl 2 (The only purpose o f a pistol is to fight your way back to the rifle you should never have dropped.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: markomalley

STUPID! Is the only thing I can say about that.

My husband taught telecommunications, electronics and computers for 20 yrs at Jr College and 20 yrs as Navy. Ret SCPO.

His youngest daughter has her own IT business. And she has our computer as tight as she can make it security wise. Does it for all her customers.

The Pentagon has rolling coding, and still they hack it just as they recently did Home Depot and YOU IDIOTS want a 1 word fits all password.

I might do that with apps like Kroger’s or Amazon and I use gift cards on Amazon, but sure as HECK NOT WITH MY BANKING. In fact I do NO BANKING on my phone. And I have a notebook I take when I go to the hospital or on a trip that has NO banking info on it.

I just need photos, my favorite news links, FB, music and photos of the grands and great grands. And can look up drugs they are shoving at me. Saved my hide quite a few times googling them first before I consent to take them. I am very drug sensitive.

More BIG BROTHER SNOOPING!


30 posted on 09/20/2014 7:27:18 AM PDT by GailA (IF you fail to keep your promises to the Military, you won't keep them to Citizens!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: markomalley

Impressive how these people seem to mentally still be living in the far past, where they think that government access to your data could ever be a *good* thing.

That idea died with the onset of FDR.

Ideally, in the United States, the individual citizen should almost *never* have any direct contact with the federal government at all. It should almost *always* be filtered through their state, because only the individual states are powerful enough to stand in the way of federal abuse against the citizenry.

This was the original intent of the constitution, before the 16th Amendment, the Income Tax, and the 17th Amendment, the direct election of senators. The senate, representing the states, would prevent the federal government from attacking the citizenry.

And the 14th Amendment made it reciprocal, that the *only* time the federal government could intervene between states and their citizens was to prevent states from *abusing* their citizens.

So, the TOTAL amount of information the federal government should *ever* have about its citizens amounts to just three things: an “actual enumeration”, a headcount, of citizens in the census, NOTHING MORE; records of state and federal felony convictions; and federal interstate commerce, aircraft and navigable water licenses, passports and visas.


31 posted on 09/20/2014 7:46:16 AM PDT by yefragetuwrabrumuy ("Don't compare me to the almighty, compare me to the alternative." -Obama, 09-24-11)
[ Post Reply | Private Reply | To 1 | View Replies]

To: BlueStateRightist

“Am I alone in liking multiple passwords for multiple applications?”

There are several sites that we go to on-line daily for most of our doctor clients. Never been exactly sure why these sites get their tricots in a bind over the password issue but they have begun the “change the password every 30 days” mandate. Our master list of log-ins and passwords is getting huge and just a monster to manage and keep updated.

I personally use different log-ins and passwords for personal site. IMO, it should just depend on what type of information is accessible through these sites. Another instance of one size does not fit all, something the government totally ignores.


32 posted on 09/20/2014 8:22:19 AM PDT by Grams A (The Sun will rise in the East in the morning and God is still on his throne.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: lonevoice

ping!


33 posted on 09/20/2014 9:03:13 AM PDT by Pride in the USA
[ Post Reply | Private Reply | To 1 | View Replies]

To: markomalley

Federated Identity = 1984


34 posted on 09/20/2014 9:51:27 AM PDT by Vaduz
[ Post Reply | Private Reply | To 1 | View Replies]

To: markomalley

Would it be something like a CAC card and PIN? That system is quite convenient.


35 posted on 09/20/2014 11:02:44 AM PDT by exDemMom (Current visual of the hole the US continues to dig itself into: http://www.usdebtclock.org/)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Pride in the USA
The new initiatives would help create a "federated identity"...

Oooo...just what I've been wanting! And only 3 million dollars? Sign me up!

36 posted on 09/20/2014 11:48:46 AM PDT by lonevoice (Life is short. Make fun of it.)
[ Post Reply | Private Reply | To 33 | View Replies]

To: markomalley
I haven't read down the comments, but will not be surprised if just about everyone thinks this is a bad idea.  There are many reasons that this is an extremely bad idea. Allow me to enumerate just a few right off the top of my head.

1) A single large secret is a heck of a lot more valuable to those out there with nefarious purposes in mind (both inside and outside of government). Right now, it's bad enough for me if some fed or hacker gets one of my passwords. It is immeasurably more dangerous to me if they suddenly have all of them. Why give someone an even more tempting target, especially one held in a single location?

2) Not all threat models are the same. My banking password is long, complex, and impossible to remember. That's why I use a local password manager to keep track of such things. Computers are good at remembering things, and people are not. My password to Free Republic? Not so difficult to remember, because I occasionally want to enter it manually. Other websites, I could use "password", and not give a damn who knows it. Why allow leakage through various and sundry fly-by-night organizations that I do not trust?

3) Passwords are bad security anyway. Any reasonable password for you to remember is trivial to hack given modern computing power. 

4) Cryptographic tokens along with passwords would be better, but more difficult to remember, especially given how little thought people put into passwords in the first place.

The recent hack against Apple where people's "security questions" were trivially broken because they were so easily guessable has exposed that particular method of 'authentication' to be extremely lousy as well. Fortunately, if you think about it just a little bit, you can 'hack' these types of things extremely easily to your own benefit by using a cryptographic hash of the actual answer instead of the answer itself so that your personal information is not something the asking organization actually has. I'll give a couple of examples.

Suppose the question is "What is your favorite colour?" For me, my answer might be "blue", but instead of entering "blue", I might transform my answer with a simple substitution cypher called "rot13". Rot13 is pretty much the most brain-dead simple "cypher" imaginable. It takes each letter, counts up 13 characters, then substitutes that letter in place of the original (of course, when you hit 'z', you wrap back around to 'a'), so that "abcde" would become "nopqr". My sample answer of "blue" would therefore become "oyhr". This is not easily guessable unless you happen to know ahead of time what I'm doing. Go to rot13.com for an online service that will do the conversion for you. There are also programs you can download to do the same thing. It's really simple and easy to understand. An added benefit is that if you have to, for whatever reason, work it out by hand, you can.

Another method is to use a genuine cryptographic protocol called a "hash" to generate your answer. Here are a few examples: (These examples were generated on a Linux command line.)

$ echo blue | sha1sum
b5e1b2a54a67366c75d25634b1f8e6d6b2b5924b  -
$ echo blue | sha224sum
816db2a87a032323daa8af2282668c1976eee5232d941a92ca3d31d9  -
$ echo blue | sha256sum
a0bee6616b5e5eae6799cb4525a884a82e7161614f11122bbdf4383b2ac05998  -
$ echo blue | md5sum
daa5960a123ff55e594be19f9ddc940d  -

You don't have to even use the entire string these programs produce for the answer. Your answer could be the first 8 characters, or the first 4 and last 4. Obfuscation is your friend with such things. Just remember your transform and always use the same one, and you'll always be able to produce your "answer" on demand. If you have a smartphone, download a program that can do the above for you.

Note that with a cryptographic hash, capitalization is extremely important. Check out the following:

$ echo Blue | md5sum
59f05bd141cc42c2a89aefda3fe38050  -
$ echo BLue | md5sum
01569944cf5b8b664d445f965f120234  -
$ echo BLUe | md5sum
f12c49d6b3d9f5e68ed4ef5a59b78ed9  -
$ echo BLUE | md5sum
3673442724d7f438b52c21667548314c  -

You can see that each given string is completely different even though only one single character was changed. This is an important feature of any cryptographic hash.

So, if my nosy bank asks me what my favorite colour was, I would pass 'BLue' through my chosen hash function,  take the first 4 characters, and the last four, and would reply 01560234.

To return to my point 2 above briefly. It's worthwhile to think about the site that you are creating a password for.  Rate it on a scale that makes sense to you, like maybe 'high', 'medium', and 'low'. Make your password at least fit the category of how you would rank it. For example, a password for your bank, or to an investment account would obviously be something with a 'high' impact to you if it becomes compromised. Such a password should be as long and complex as you think is necessary.

Use a password management program. Password Safe is a great one for Windows users. There are also variants for Mac, and Linux. This program will allow you to have passwords for sites that are completely arbitrary random strings of characters. Password Safe, or in my case, since I run Linux 'keepassx', store all of your user and password information in a local database. This database is encrypted with a 'master' passphrase. I strongly recommend that you have a nice, long passphrase to protect this database. It makes sense if you think about it, because you want a more complex and random secret to protect a lot of smaller ones, some of which will be pretty important secrets, i.e., banking passwords. You'll be surprised at how fast you can learn to type something once you've done it for a while. You'll probably have some folks tell you that you should periodically change your passphrase, but I disagree. First, because you will want to be able to type it fast, or it will really annoy you to have to enter it, and this will tempt you to make it shorter than it really should be. Second, because you need to remember it. If you forget it, there is no one who can decrypt your database for you.

What would make a good passphrase? How about this...

There is a fly on the wall that looks like barak obama.

Yeah, that looks like a freaking long passphrase, but I'll bet that after typing it 50 times, you'll be able to do so quicker than you would ever guess possible.

Some folks recommend taking a phrase like that and reducing it to something like 'Tiafotwtllba'. I completely disagree with that mainly because that string simply isn't long enough to secure a large secret IMO. I have an entropy calculator (if you don't know why entropy is important to passwords, look it up) that tells me the difference between the two is pretty extreme. The estimate for the entire phrase is 432 bits. That's a lot as far as these things go. Using just the first characters of each word would give you an estimated 96 bits of entropy. Not bad for a passphrase for a medium-ranked website, but for the 'keys to the kingdom', which your password database most certainly is, it is inadequate by orders of magnitude.

I thank those few of you who actually read through this whole thing.

For further thoughts on this stuff I strongly recommend the writings of Bruce Schneier. I don't agree with him about everything, but he's given all this a lot of thought from a lot of different angles.

Choosing Secure Passwords
Password Safe
Password Advice

37 posted on 09/20/2014 9:26:35 PM PDT by zeugma (The act of observing disturbs the observed.)
[ Post Reply | Private Reply | To 1 | View Replies]
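The transform zeugma describes in post 37 (rot13 an answer, or hash it and keep the first four and last four hex characters) as an added, runnable example. This is not zeugma's code and not taken from the page; it uses Python's standard `codecs` and `hashlib` instead of the coreutils `sha1sum`/`md5sum` shown in the post. The function and parameter names (`rot13`, `hashed_answer`, `first_and_last`, `derive_answer`, `answers_match`) are this example's own. One detail worth making explicit: `echo blue | md5sum` hashes the string plus a trailing newline, so the `trailing_newline` flag is set by default to reproduce what the shell pipeline hashes; `printf '%s' blue | md5sum` would give a different digest.

```python
import codecs
import hashlib
import hmac


def rot13(text):
    """Rotate every ASCII letter by 13 places; rot13 is its own inverse.
    'abcde' -> 'nopqr', 'blue' -> 'oyhr' (as in the post)."""
    return codecs.encode(text, "rot_13")


def hashed_answer(answer, algorithm="sha256", trailing_newline=True):
    """Hex digest of the answer. With trailing_newline=True this matches
    `echo <answer> | <algorithm>sum`, because echo appends '\\n'."""
    data = answer + ("\n" if trailing_newline else "")
    return hashlib.new(algorithm, data.encode("utf-8")).hexdigest()


def first_and_last(digest, n=4):
    """The post's truncation rule: keep the first n and last n characters."""
    return digest[:n] + digest[-n:]


def derive_answer(real_answer, algorithm="sha256", n=4):
    """Full transform: hash (echo-style) then first-n + last-n characters.
    The transform must be applied identically every time, or the answer
    submitted later will not match what was registered."""
    return first_and_last(hashed_answer(real_answer, algorithm), n)


def answers_match(registered, supplied):
    """Compare two derived answers in constant time (how a verifier should
    compare secrets, even short ones)."""
    return hmac.compare_digest(registered, supplied)


def case_variants_distinct(word, algorithm="sha256"):
    """Show the post's point about capitalization: every distinct casing
    of the word produces a distinct digest."""
    variants = {word.lower(), word.capitalize(), word.upper()}
    digests = {hashed_answer(v, algorithm) for v in variants}
    return len(digests) == len(variants)


if __name__ == "__main__":
    # Constructed sample answer, same as the post's example.
    answer = "blue"
    print("rot13:", rot13(answer))
    for algo in ("sha1", "sha256"):
        print(algo, hashed_answer(answer, algo))
    registered = derive_answer("BLue")
    print("derived answer registered with the site:", registered)
    print("matches on re-entry:", answers_match(registered, derive_answer("BLue")))
    print("matches with different casing:", answers_match(registered, derive_answer("blue")))
```

The hash buys nothing against someone who already knows the transform and the original answer; its value is that the site never stores the real answer, and that a guessable word like "blue" is no longer what is being guessed. A random answer kept in the password manager the post recommends does the same job with less to remember.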



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson