Gates: The password is dead

Long live the SecurID?

By Munir Kotadia, 26 February 2004 08:55

Microsoft Chairman Bill Gates predicted the demise of the traditional password because it cannot "meet the challenge" of keeping critical information secure.

Gates, speaking at the RSA Security conference on Tuesday, said: "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."

RSA is working with Microsoft to develop a SecurID technology specifically for Windows. Both companies agreed there is a need to remove the vulnerabilities associated with employees using weak passwords.

SecurID is the best-known two-factor authentication system and is used by many large enterprises. It generates a constantly changing sequence of numbers that a user has to type in alongside their normal password or PIN. Creating a specific system for Windows could mean that rolling out strong authentication across an enterprise will be far easier and cheaper.
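The article describes the token only at the level of "a constantly changing sequence of numbers" typed in next to a PIN. SecurID's own algorithm is proprietary and is not reproduced here; the following is an added example, not code from the article, RSA or Microsoft, that shows the same pattern using the open standard time-based one-time password scheme (RFC 6238): a shared secret and the current 30-second time step feed an HMAC, and a short decimal code is derived from it. The secret is the RFC 6238 test seed, used here as constructed demo data; the one-step clock-skew tolerance in verifyCode is this example's own choice.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Added example: RFC 6238 style time-based one-time code. This is NOT the
// SecurID algorithm, which is proprietary; it demonstrates the same idea of a
// code that changes every interval and is useless once the interval has passed.

const stepSeconds = 30 // length of one time step
const codeModulus = 1000000 // six decimal digits

// totpCode derives the six-digit code for a given Unix time from the shared secret.
func totpCode(secret []byte, unixTime int64) string {
	counter := uint64(unixTime / stepSeconds)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter) // counter as 8-byte big-endian
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226): low nibble of the last byte picks a 4-byte window.
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%codeModulus)
}

// verifyCode accepts the code for the current step or the one immediately
// before it (tolerating a little clock skew between token and server) and
// compares in constant time so a wrong guess leaks no timing information.
func verifyCode(secret []byte, candidate string, unixTime int64) bool {
	for _, skew := range []int64{0, -stepSeconds} {
		expected := totpCode(secret, unixTime+skew)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // constructed demo secret (RFC 6238 test seed)
	now := time.Now().Unix()
	code := totpCode(secret, now)
	fmt.Println("code for this window:", code, "valid now:", verifyCode(secret, code, now))
	fmt.Println("same code two minutes later:", verifyCode(secret, code, now+120))
}
```

The server-side check is where the value of the token lies: the code is bound to the time step, so a code captured from a user is rejected once the window (plus the small skew allowance) has passed, which is what makes it harder to reuse than a static password.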

However, Gates said that Microsoft would not be using the SecurID system internally because it had opted for a smart-card system - with the help of RSA. "Microsoft recently moved to a smart card approach, and a key partner in this was RSA," he said.

Microsoft also demonstrated "tamper resistant" biometric ID-card software, developed by its own research arm, that can be used by both small and large companies to create ID cards using a digital camera, an inkjet printer and a business-card scanner.

To create an ID card, the software requires a photograph and some basic information about a person, such as name and date of birth. This information is processed by the software to create a digital signature in the form of a bar code, which is also printed onto the ID card. If any of the information on the ID card is altered, it will not correlate to the signature and the card is rejected, according to Microsoft.

Gavin Jancke, development manager at Microsoft Research, who demonstrated the software, said one of the key aspects of the system is that it does not require a database because all the information is already stored on the card.

"The authenticity ID is stored in the printed information in the card itself. There are no user privacy issues because we know that what is stored on this card is stuff that they can actually see," he said.

Jancke said the system could also be used to store fingerprints or an eye scan.

    "This system is also extensible, so we can include other biometric information, such as iris or fingerprint. It will still maintain the same tamper resistance on ordinary paper or plastic printed media," he said.
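The card scheme described above rests on one idea: the issuer signs the fields that are printed on the card, the signature itself is printed as a bar code, and a verifier with only the issuer's public key recomputes the check from what it reads off the card, so no database lookup is needed and every altered field breaks the match. Microsoft has not published how its software does this; the following is an added example, not the project's code, that implements that idea with Ed25519 from the Go standard library. The Card fields, the field separator, the use of a SHA-256 digest as a stand-in for the photograph, and base64 as a stand-in for the printed bar code are all this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Card holds the human-readable fields printed on the card. Everything the
// signature covers is visible to the holder, which is the privacy point made
// in the article: nothing hidden is stored about the person.
type Card struct {
	Name      string
	DOB       string // date of birth as printed (constructed sample data below)
	PhotoHash string // hex SHA-256 of the photo bytes, standing in for the photo itself
}

// photoDigest reduces the photograph to a fixed-size value that can be signed.
func photoDigest(photo []byte) string {
	sum := sha256.Sum256(photo)
	return hex.EncodeToString(sum[:])
}

// payload is the canonical byte string that gets signed. Field order and the
// separator are fixed so issuer and verifier serialise identically.
func (c Card) payload() []byte {
	return []byte(strings.Join([]string{c.Name, c.DOB, c.PhotoHash}, "\x1f"))
}

// newIssuerKeys generates the issuer's signing key pair (assumed to be kept
// by the organisation that prints the cards).
func newIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// issueCard signs the fields and returns the value that would be printed as
// the bar code. Nothing is written to any database.
func issueCard(priv ed25519.PrivateKey, c Card) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, c.payload()))
}

// verifyCard rebuilds the payload from the fields as read off the card and
// checks the bar code against the issuer's public key. A changed name, date
// of birth or photo, or a damaged bar code, all fail.
func verifyCard(pub ed25519.PublicKey, c Card, barcode string) bool {
	sig, err := base64.StdEncoding.DecodeString(barcode)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, c.payload(), sig)
}

func main() {
	pub, priv, err := newIssuerKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample card; the "photo" is a stand-in byte string.
	card := Card{Name: "A. Example", DOB: "1970-01-01", PhotoHash: photoDigest([]byte("photo-bytes"))}
	barcode := issueCard(priv, card)
	fmt.Println("genuine card verifies:", verifyCard(pub, card, barcode))

	altered := card
	altered.DOB = "1980-01-01" // someone changes the printed date of birth
	fmt.Println("altered card verifies:", verifyCard(pub, altered, barcode))
}
```

Two checks a practitioner would add before relying on this: the verifier must get the issuer's public key through a trusted channel (it cannot come from the card, or a forger would simply print their own), and the bar code must carry the whole signature, since a 64-byte Ed25519 signature plus the printed fields is what makes the card self-describing without a back-end lookup.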

Microsoft did not indicate when or if the software would be available commercially.

Munir Kotadia writes for ZDNet UK

Comments

There are 5 comments.

  1. anonymous

    hmm sorry maybe this is a weird question, but do those picture hold some kind of "hidden datas" in random areas of the pictures that a scanner can read ? or do they reside in face recognition or did I miss a point?

  2. Bob Lewis

    Dear God,

    When are these bozos going to grow up? PEOPLE are the security problem, NOT passwords. Humans are the weakest link in the chain by far, and those humans (or perhaps mental defectives would be a more accurate term) who still allow 8 character passwords (or less!) should be the first in the queue for being shot - personally I've never used LESS than 13 characters for passwords in the last twenty plus years except when forced to use less by some pedantic twit who thinks 6 to 8 MAX is just fine.

    No, it's not passwords per se that are flawed, it's the idiots who abuse their proper usage. Grow up Bill and stop trying to throw technology at a people problem. Get YOUR thinking straight and maybe you'll stand a chance of getting theirs straight!

  3. anonymous

    After a hard week at the office Bob was finding his latest bout of "password angst" intolerable... :)

  4. Jeremy Chatfield

    Passwords are a support problem and a user obstacle to efficient working. Security problems are most often not passwords, but based on social engineering and flawed systems.

    Consider last year's Microsoft Passport security flaw in which *anyone* could gain control of your Passport by saying they needed passwords sending to a nominated account. This is a flawed-system attack, not a problem with passwords.

    Consider theft - dressing in a tech labcoat, waving a sheet of paper and announcing you're here to take a machine to service immediately. Social engineering attack, relying on human social systems to save face and back down to a dominant.

    Pure technological ploys based on passwords are much rarer than exploits of bad systems and gulling people.

  5. Jerry

    You clearly did not read the article. It's not a people problem. I can crack your 13 character password in the same amount of time it takes for me to crack your 8 character password. The issue is technology and security. Bill is right - the password is dead. Multiple layers of authentication, including biometrics, are going to shape the future of security - not the 13 character user name/password combination that you suggest.
