* Posts by Jin

112 publicly visible posts • joined 28 Aug 2012

By 2019, vendors will have sucked out your ID along with your cash 5 billion times

Jin

Unless used very wisely, biometrics could end up pleasing criminals.

Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

SaaS outfit to users: Change password! Or don't. Oh, go on then

Jin

Changing PW A to PW B to PW C to PW A to PW B to PW C ------?

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Incidentally, biometrics are dependent on passwords in real life. So are multi-factor authentications and ID federations like password managers and single-sign-on services. And, in a world with passwords killed dead, we have no safe sleep. Passwords will stay with us for long.

Yahoo! launches! password-free! push! logins! for! mobes!

Jin

Password-free life would be a nightmare.

However nicely designed and implemented, physical tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. Is this what we want?

It is too obvious, anyway, that the conventional alphanumeric password alone can no longer suffice and we urgently need a successor to it, which should be found from among the broader family of the passwords (= what we know and nobody else knows).

85 speakers reveal secure identity management solutions at Biometrics 2015

Jin

Biometrics will eventually have to stop being a deciding means for identification of individuals.

Being possible to fake and impossible to change or reset, biometrics data should not be used for long as a deciding means of identifying individuals, although it could stay as one of the reference materials for it.

GCHQ wants to set your passwords. In a good way

Jin

Take the cognitive nature of our memory into account

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

Biometrics are password-dependent. So are multi-factor authentications and ID federations like password managers and single-sign-on services. And, in a world with passwords killed dead, we have no safe sleep.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Websites that ID you by how you type: Great when someone's swiped your password, but...

Jin

Bypass it if it is difficult to defeat

Criminals can attack the password as well.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

Biometric behavioural profiling: Fighting that password you simply can't change

Jin

Hopefully not for lower security

Moreover, behavioural biometrics bring down security.

Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

Mastercard facial recog-ware will unlock your money using SELFIES

Jin

Probably moving in a wrong direction

Whether iris, face, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. It may be interesting to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

British banks consider emoji as password replacement

Jin

Re-invented?

It appears that what has been around commercially for 15 years is now getting re-invented.

Such a story-involving picture password has, for instance, long been a component of Expanded Password System shown at

http://www.slideshare.net/HitoshiKokumai/death-to-password-no-it-is-given-a-new-life

Death-to-passwords FIDO Alliance finds a friend at DOCOMO

Jin

FIDO on a wrong path

FIDO is sadly promoting biometrics in a wrong manner.

Biometric authentication could be a candidate for displacing the password if/when (only if/when) it has stopped depending on a password to be registered in case of false rejection while keeping the near-zero false acceptance.

We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

In short, biometric solutions could be recommended to the people who want convenience but should not be recommended to those who need security. Below is a brief slide titled “Password-Dependent Password-Killer” posted with respect to this theme.

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

'Use 1 capital' password prompts make them too predictable – study

Jin

Wanted are hard-to-forget and yet hard-to-break passwords.

Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another. ID federations (single-sign-on services and password managers) create a single point of failure.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Got a Samsung Galaxy S5? Crooks can steal your fingerprint – claim

Jin

Another loophole - fallback passwords.

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords alone. We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security. You may be interested to have a quick look at a slide titled “PASSWORD-DEPENDENT PASSWORD-KILLER” shown at

http://www.slideshare.net/HitoshiKokumai/password-dependent-passwordkiller-46151802

Samsung forgets fingerprints, focuses its eye on YOURS

Jin

Password-dependent Password-killer?

Whether fingerprints or iris patterns, it would bring down security so long as it is operated together with a fallback password.

Threats that can be thwarted by biometric products operated together with backup passwords (rescue/fallback/alternative passwords) can be thwarted more securely by a password-only authentication.

We could be certain that biometrics would help for security ONLY WHEN it is operated together with another factor by AND/Conjunction (we need to go through both of the two), NOT WHEN operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience while bringing down the security.

Incidentally, it is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it could be stolen and leaked.)

Such a terrible nonsense as the “password-dependent password-killer” should be killed dead lest the good reputation of biometrics as excellent identification tools for physical security should be damaged. Biometric solutions in cyber space could be recommended to the people who want better convenience, not to the people who need better security so long as they are dependent on the backup/fallback passwords.

Banks defend integrity of passcode-less TouchID login

Jin

The gate of a fallback password is open to criminals.

For biometrics to displace the password for security, it must stop relying on a password registered in case of false rejection. Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords only.

We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market that require a backup/fallback password, which only increase the convenience by bringing down the security.

Biometric solutions could be recommended to the people who want convenience rather than security but should not be recommended to those who want security rather than convenience.

iBank: RBS, NatWest first UK banks to allow Apple Touch ID logins

Jin

With caveats, not to be trapped in a quagmire

It is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)

We could be certain that biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market which require a backup/fallback password.

Biometric products like Apple's Touch ID are operated by OR/Disjunction so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password, although it is more convenient.

Those banks would need to let their clients know clearly that this new access method using Touch ID is recommended to those people who want the convenience rather than the security, not recommended to those people who want the security more than the convenience.

Windows 10 to give passwords the finger and dangle dongles

Jin

A couple of misperceptions

It appears there are a couple of misconceptions at FIDO.

It makes no sense to expect a PIN to displace a password because the PIN, a numbers-only short password, belongs to the password. A’ which belongs to A cannot be an alternative to A. It also makes no sense to expect a biometric product operated with a backup/fallback password to displace a password. A+B cannot be an alternative to A.

Biometrics would help for better security only when it is operated together with another factor by AND/Conjunction (we need to go through both of the two), not when operated with another factor by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many other biometric products on the market which require a backup/fallback password.

Incidentally, it is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just false acceptance rate when false rejection is near-zero but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that it may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)

Apple wants your fingerprints in the cloud

Jin

False Sense of Security

Why on earth do they endeavour to bring down security by putting biometric sensors on the phones, tablets and PCs which have been somehow protected by passwords?

Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords only.

Whether static, behavioural or electromagnetic, biometric products are generally operated together with a password by OR/Disjunction (as against AND/Conjunction that is common for 2-factor authentication) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are even less secure than the devices protected only by a weak password.

These biometric products might look more secure in appearance, but it is just a false sense of security. Many of the consumers, who are trapped in the false sense of security, may well be piling up more of their information assets in the cyber space while some of the criminals, who are aware that those consumers are now less secure, may well be silently waiting for the pig to be fat.

False sense of security about a threat could be even worse than the threat itself. It is a conundrum how it is possible for so many security professionals to remain indifferent to such a nightmarish situation.

Citadel Trojan snooped on password managers to snatch victims' logins

Jin

No surprise at all

What has long been anticipated is now happening as has been anticipated. As repeatedly pointed out by many, password managers should be operated in a decentralized formation or should be considered mainly for low-security accounts.

HALF A BILLION TERRORISTS: WhatsApp encrypts ALL its worldwide jabber

Jin

Need only to break the user's password

Assume that the entropy of the decryption key is 256 bits and that of the user's password is 13 bits (= 4-digit PIN), and the chances are that the data are lost to criminals who broke the password. It would be no use talking about encryption without talking about the reliable password or identity authentication of the user.

EVERYTHING needs crypto says Internet Architecture Board

Jin

Not forget password when talking crypto

Assuming that classified data are protected by an encryption key of 256-bit entropy and the program to manage the system is protected by a manager’s password such as P@$$WoRd1234, the chances may well be that the system will have been taken over by the criminals or spooks who broke the password rather than those who tried to attack the 256-bit encryption key. It could be emphasized that sufficiently strong passwords are the key for the safe deployment of cryptography.

Mastercard and Visa to ERADICATE password authentication

Jin

Re: Biometrics

There is another issue to look at.

Whether static, behavioral or electromagnetic, biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

What makes us nervous is the possibility of seeing such pictures that many of the consumers, who are trapped in the false sense of security, are piling up their assets and privacy in the cyber space while some of the criminal wolves, who are aware that those consumers are now less safe, are silently waiting for the pig to grow fat.

As such, it is really worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.

Jin

Ghosts cannot kill the password

Many people shout that the password is dead or should be killed dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc). Claiming that one of them can kill the password is like claiming to have found a substance that floats in the air and yet sinks in the water.

What can be killed is the text password, not the password. At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Home Depot: Someone's WEAK-ASS password SECURITY led to breach

Jin

Need to cope with "Interference of Memory"

Using a strong password does help a lot even against the attack of cracking the leaked/stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Shove over, 2FA: Authentication upstart pushes quirky login tech

Jin

False Acceptance & False Rejection

Excessively depending on "contexts" could well bring the same sort of dilemma as biometrics, i.e., false acceptance versus false rejection, which can be summarized below.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

LastPass releases Open Source command line client

Jin

Caveats for ID federations

ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account. Needless to say, the strength of the master-password is crucially important.

Incidentally, at the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Apple releases MEGA security patch round for OS X, Server and iTunes

Jin

False Sense of Security

Apple is also expected to do something about the vulnerability that their Touch ID brings: biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers lower security than when only the password is used.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. It is the same with the biometrics operated without passwords altogether.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.
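The x + y - xy expression quoted in this comment and in several of the earlier ones (the Touch ID, Mastercard and "Apple wants your fingerprints" threads above) can be checked numerically. The Python below is an added illustration, not code from the commenter or from any vendor; it treats x and y as independent per-session success probabilities for an attacker, which is the assumption behind the inclusion-exclusion formula, and every rate it uses is a constructed figure rather than a published one.

```python
"""Added example: composing two authentication factors by AND/conjunction
versus OR/disjunction.

x and y are the probabilities that an attacker gets past the biometric and
the password respectively within one session, assumed independent.  Under
that assumption the chance of passing at least one of them is
P(A or B) = x + y - xy, the expression quoted in the comments.
All numeric inputs are constructed, not vendor figures.
"""
from itertools import product


def and_vulnerability(x: float, y: float) -> float:
    """Conjunction: both factors must be passed, so the attacker needs both."""
    return x * y


def or_vulnerability(x: float, y: float) -> float:
    """Disjunction (biometric with a fallback password): either factor
    unlocks, so P(A or B) = x + y - xy by inclusion-exclusion."""
    return x + y - x * y


def or_vulnerability_n(probs) -> float:
    """Generalisation to n alternative unlock paths: the attacker fails only
    if every path fails, so P = 1 - prod(1 - p_i)."""
    miss = 1.0
    for p in probs:
        miss *= 1.0 - p
    return 1.0 - miss


def session_success_prob(per_attempt: float, attempts: int) -> float:
    """Turn a per-attempt rate (false-acceptance rate, or 1/keyspace for a
    uniformly chosen PIN) into the chance of at least one success within the
    attempts allowed before lockout."""
    return 1.0 - (1.0 - per_attempt) ** attempts


def or_never_beats_single_factor(steps: int = 101) -> bool:
    """Grid check over x, y in [0, 1]: OR-composition is never below the
    weaker single factor, and AND-composition is never above the stronger."""
    grid = [i / (steps - 1) for i in range(steps)]
    for x, y in product(grid, grid):
        if or_vulnerability(x, y) + 1e-12 < max(x, y):
            return False
        if and_vulnerability(x, y) - 1e-12 > min(x, y):
            return False
    return True


def compare(biometric_far: float, biometric_attempts: int,
            pin_keyspace: int, pin_attempts: int) -> dict:
    """Summarise one constructed scenario: a sensor with a given per-attempt
    false-acceptance rate, and a PIN drawn uniformly from pin_keyspace."""
    x = session_success_prob(biometric_far, biometric_attempts)
    y = session_success_prob(1.0 / pin_keyspace, pin_attempts)
    return {
        "biometric_only": x,
        "password_only": y,
        "and_conjunction": and_vulnerability(x, y),
        "or_disjunction": or_vulnerability(x, y),
    }


if __name__ == "__main__":
    # Constructed figures: FAR of 1 in 50,000 with 5 tries before lockout,
    # and a 4-digit PIN with 10 tries before lockout.
    for name, value in compare(1 / 50_000, 5, 10_000, 10).items():
        print(f"{name:>16}: {value:.3e}")
```

The grid check is the point of the example: whatever the individual rates, `or_vulnerability` is at least as large as the password-only figure, and `and_vulnerability` at most as large, so the comparison in the comment does not depend on knowing the exact biometric numbers. The `session_success_prob` helper matters in practice because lockout policy, not just the raw false-acceptance rate, sets x and y.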

Forget passwords, let's use SELFIES, says Obama's cyber tsar

Jin

The problem is not the password but the text password

Many people shout that the password is dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc).

At the root of the password problem is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

It is nice for the cyber czar to have noticed that mobile devices come with cameras. However, neither fingerprints nor selfies sound attractive. Biometrics like fingerprints and face recognition operated together with a password by OR/disjunction (as in the case of Apple’s Touch ID) would lower the security compared with when only a password is used. As for selfies, how would it be possible to use the selfies as an alternative to the password (shared secrets) when our faces are very often exposed with our identity on the network?

'Bill Gates swallowing bike on a beach' is ideal password say boffins

Jin

Interference of Memory

That some people can do it does not automatically mean that all or many people can do it. That some can finish the marathon for less than 2.5 hours does not mean that many of us can do the same.

At the root of the password problem is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Most humans are thousands of times better at dealing with image memories than text memories. The former dates back hundreds of millions of years while the latter's history is less than a fraction of it. I wonder what merits we have in confining ourselves to the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras built into mobile devices.

Jin

Generating high-entropy passwords from hard-to-forget passwords

Generally speaking, hard-to-break passwords are hard to remember. But that is not fate. It would be easily possible to safely manage many such high-entropy passwords with the Expanded Password System, which handles images as well as characters. Each image/character is identified by image identifier data, which can be of any length. Assume that your password is “ABC123” and that those characters are identified as X4s&, eI0w, and so on. When you input ABC123, the authentication data that the server receives is not the easy-to-break “ABC123” but something like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if required.

When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to “ABC123” and the different servers will all receive different high-entropy authentication data. Brute-force attacks on “ABC123” and other similarly silly passwords would perhaps take less than a few seconds with dictionaries and automated attack programs, but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

This function of managing strong passwords by weak text passwords is one of the secondary merits of the Expanded Password System.

At the root of the password problem is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Most humans are thousands of times better at dealing with image memories than text memories. The former dates back hundreds of millions of years, while the latter's history is less than a fraction of that. I wonder what merit there is in confining ourselves to the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras built into mobile devices.

Apple slaps a passcode lock on iOS 8 devices, but cops can still inhale your iCloud

Jin

False sense of security that Touch ID brings

I am of the opinion that Apple is expected to do something about the vulnerability that their Touch ID brings: biometrics operated with a password in the OR/disjunction way (as in the case of the iPhone) offers lower security than when only the password is used.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the device finally locked, they would have to see the device reset.

Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x%) and that of a password (y%). The sum (x% + y% - xy%) is necessarily larger than the vulnerability of a password (y%); that is, the devices with Touch ID and other biometric sensors are less secure than devices protected only by a password.

Am I wrong in thinking that this fact should be known to the public?

Apple is too shallow, must go deeper to beat TouchID fingerprint hack, say securo-bods

Jin

Touch ID and Password/code

Biometrics operated with a password in the OR/disjunction way (as in the case of the iPhone) offers lower security than when only the password is used.

Users can unlock the devices by passwords when falsely rejected by the biometric sensors, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password; that is, the devices with Touch ID and other biometric sensors are less secure than devices protected only by a password.

As for an additional vulnerability unique to biometrics, we could refer to

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

Apple should do something about these vulnerabilities if it claims to be security-sensitive.

Bracelet could protect user herds from lurking PREDATORS

Jin

Nice convenience obtained by abandoning security

Auto-authentication is what we cannot achieve with passwords but can so easily achieve with the likes of these kinds of bracelets and swallowed chips.

We know that the function of having someone else log in to our phone/tablet/PC on our behalf while we are unconscious is already realized by biometrics, as shown in

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

But with the likes of electronic tattoos and hypodermic or swallowed microchips, we can expect third persons to log in to our accounts on our behalf a bit more gently and silently. The third persons would not have to behave very carefully so as not to wake us up. All they have to do is place our PC/tablet/phone in the vicinity of our unconscious bodies. Then they would have a free hand over our accounts on our behalf.

Some people, for whom convenience is the top priority, might regard this as proof that passwords have fatal drawbacks. I am, however, of the view that this tells us how critical it is to involve the confirmation of the user’s volition to log in when authenticating identity.

Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack

Jin

False sense of security

It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected with the device finally locked, they would have to see the device reset.

Touch ID and other biometric products are operated by (2) so that users can unlock the devices by passwords when falsely rejected, which means that the overall vulnerability of the product is the sum of the vulnerability of biometrics and that of a password. It is necessarily larger than the vulnerability of a password; that is, the devices with Touch ID and other biometric sensors are less secure than devices protected only by a password.

As for an additional vulnerability unique to biometrics, we could refer to

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

Needless to say, so-called 2-factor systems with a password remembered as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.

I do not quite understand why the clever Apple is doing such a silly thing as spreading the false sense of security under the name of security.

Got your NUDE SELFIES in the cloud? Two-factor auth's your best bet for securing them

Jin

2-factors: Operated by AND/Conjunction or by OR/Disjunction?

2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

I wonder how many people are aware that biometrics operated with a password in the OR/disjunction way (as in the case of the iPhone) offers lower security than when only the password is used. Media should let this fact be known to the public lest consumers be misguided.

I am really worried to see so many people being indifferent to the difference between AND/conjunction and OR/disjunction.

Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction.

I would appreciate hearing if someone knows of a biometric product operated by (1). The users must have been notified that, when falsely rejected with the device finally locked, they would have to see the device reset.

Like other biometric products, Apple's iPhones are operated by (2) so that users can unlock the phones by passcodes when falsely rejected, which means that the overall vulnerability is the sum of the vulnerability of biometrics and the vulnerability of a password. It is necessarily larger than the vulnerability of a password.

As for an additional vulnerability unique to biometrics, you may refer to

http://mashable.com/2013/09/11/girl-fingerprint-scanner/

Needless to say, so-called 2-factor systems with a password as the first factor and something possessed as the second factor are generally operated by (1), providing raised security at the sacrifice of lowered convenience.
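The x% + y% - xy% arithmetic from the Touch ID comments above, worked through for both the AND and the OR combination and checked by simulation; this is an added illustration, not code from Apple or any biometric product, and every rate it uses is a constructed placeholder rather than a measured figure for any device.

```python
"""AND versus OR combination of two authentication factors.

Added illustration of the arithmetic in the comments above (x% + y% - xy%);
it is not code from Apple or any biometric product.  All rates used here
are constructed placeholders, not measured figures for any device.
"""
import random


def or_false_accept(x: float, y: float) -> float:
    """OR/disjunction: an impostor gets in if EITHER factor wrongly accepts.

    P(A or B) = x + y - xy, which is never below the larger of x and y.
    """
    return x + y - x * y


def and_false_accept(x: float, y: float) -> float:
    """AND/conjunction: an impostor must defeat BOTH factors, so P = xy."""
    return x * y


def or_false_reject(fr_x: float, fr_y: float) -> float:
    """OR: the rightful user is locked out only if BOTH factors reject her."""
    return fr_x * fr_y


def and_false_reject(fr_x: float, fr_y: float) -> float:
    """AND: the rightful user is locked out if EITHER factor rejects her."""
    return fr_x + fr_y - fr_x * fr_y


def compare(bio_far: float, pw_far: float, bio_frr: float, pw_frr: float) -> dict:
    """Put password-only, OR and AND side by side for one set of rates."""
    return {
        "password_only": {"false_accept": pw_far, "false_reject": pw_frr},
        "or": {"false_accept": or_false_accept(bio_far, pw_far),
               "false_reject": or_false_reject(bio_frr, pw_frr)},
        "and": {"false_accept": and_false_accept(bio_far, pw_far),
                "false_reject": and_false_reject(bio_frr, pw_frr)},
    }


def or_weaker_than_password_only(bio_far: float, pw_far: float) -> bool:
    """The comments' claim: OR is weaker than the password alone whenever the
    biometric's false-acceptance rate is above zero."""
    return or_false_accept(bio_far, pw_far) > pw_far


def simulate_or_false_accept(x: float, y: float, trials: int = 200_000,
                             seed: int = 1) -> float:
    """Monte Carlo check of the closed form: in each trial an impostor tries
    the sensor, then falls back to the password if the sensor rejected."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if rng.random() < x or rng.random() < y:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Constructed rates: sensor FAR 1%, FRR 3%; password guessed 0.01%, mistyped 2%.
    for mode, rates in compare(0.01, 0.0001, 0.03, 0.02).items():
        print(f"{mode:14s} FAR={rates['false_accept']:.6f}  FRR={rates['false_reject']:.6f}")
```

The false-reject columns show why products choose OR: it lowers lockouts for the rightful user, at the cost of the higher impostor acceptance the comments describe.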

Apple promises iCloud security alerts, better 2FA after, er, NAKED Internet of Thingies flap

Jin

Two caveats

(1) The two-factor authentication could be reliable only when it comes with a reliable password.

2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

(2) Biometrics, whether static or behavioral or electromagnetic, cannot be claimed to be an alternative to passwords UNTIL it stops relying on a password for self-rescue against the false rejection altogether while retaining the near-zero false acceptance in the real outdoor environment. A dog which depends on a man cannot be an alternative to the man.

I wonder how many people are aware that biometrics operated with a password in the OR/disjunction way (as in the case of the iPhone) offers lower security than when only the password is used. Biometrics industries should let this fact be known to the public lest consumers be misguided.

Google recommends pronounceable passwords

Jin

Managing very strong passwords by pronounceable passwords

Generally speaking, hard-to-break passwords are hard to remember. But that is not fate. It would be easily possible to safely manage many high-entropy passwords with the Expanded Password System, which handles images as well as characters.

Each image/character is identified by image identifier data, which can be of any length. Assume that your password is “bowbow” and that those characters (treated as images) are identified as X4s&, eI0w, and so on. When you input bowbow, the authentication data that the server receives is not the easy-to-break “bowbow” but something like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if required.

When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to “bowbow” and the different servers will all receive different high-entropy authentication data. Brute-force attacks on “bowbow” and other similarly silly passwords would perhaps take less than a few seconds with dictionaries and automated attack programs, but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

Scared of brute force password attacks? Just 'GIVE UP' says Microsoft

Jin

A way to safely manage hard-to-break passwords

Sufficiently strong passwords are the key. Generally speaking, hard-to-break passwords are hard to remember. But that is not fate. It would be easily possible to safely manage many such high-entropy passwords with the Expanded Password System, which handles images as well as characters.

Each image/character is identified by image identifier data, which can be of any length. Assume that your password is “ABC123” and that those characters are identified as X4s&, eI0w, and so on. When you input ABC123, the authentication data that the server receives is not the easy-to-break “ABC123” but something like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if required.

When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to “ABC123” and the different servers will all receive different high-entropy authentication data. Brute-force attacks on “ABC123” and other similarly silly passwords would perhaps take less than a few seconds with dictionaries and automated attack programs, but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

Incidentally, ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in one basket. They remember all my passwords when un-hacked and lose all my passwords to criminals when hacked. They could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master password is crucially important.
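The identifier-mapping mechanism described in the “ABC123” and “bowbow” comments above (a short password entered by the user, a per-service table turning each image/character into a longer identifier, only the derived string reaching the server), written out as an added illustration; this is not the Expanded Password System's own code, and it assumes a design in which each service gets its own random table at registration, the client keeps that table, and the server stores only a salted hash of the derived string. All identifier values and sample passwords are constructed.

```python
"""Per-service identifier mapping, as described in the 'ABC123'/'bowbow' comments.

Added illustration, not the Expanded Password System's own code.  Assumed
design: at registration each service gets its own random identifier table,
kept by the client, and the server stores only a salted hash of the long
string it receives.  Identifier values and sample passwords are constructed.
"""
import hashlib
import hmac
import secrets
import string

# In this toy the selectable "images" are plain characters.
ALPHABET = string.ascii_letters + string.digits
ID_CHARS = string.ascii_letters + string.digits + "&%$#@!"
ID_LEN = 4  # identifier length per image, like "X4s&" in the comment
PBKDF2_ROUNDS = 100_000


def make_identifier_table(rng=None) -> dict:
    """Fresh random identifier per image.  The table must stay with the client:
    it is what someone who already knows the short password still lacks."""
    rng = rng or secrets.SystemRandom()
    return {img: "".join(rng.choice(ID_CHARS) for _ in range(ID_LEN)) for img in ALPHABET}


def derive_auth_data(password: str, table: dict) -> str:
    """What actually travels to the server: identifiers, not the typed text."""
    try:
        return "".join(table[img] for img in password)
    except KeyError as e:
        raise ValueError(f"image {e.args[0]!r} is not in this service's table") from None


def _hash(auth_data: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", auth_data.encode(), salt, PBKDF2_ROUNDS)


def register(password: str):
    """Client keeps the table; server keeps (salt, hash) and never sees 'ABC123'."""
    table = make_identifier_table()
    salt = secrets.token_bytes(16)
    return table, (salt, _hash(derive_auth_data(password, table), salt))


def verify(password: str, table: dict, record) -> bool:
    """Server-side check of the derived data against the stored record."""
    salt, digest = record
    return hmac.compare_digest(_hash(derive_auth_data(password, table), salt), digest)


if __name__ == "__main__":
    table_a, rec_a = register("ABC123")   # service A
    table_b, rec_b = register("ABC123")   # service B, same short password
    print("A receives:", derive_auth_data("ABC123", table_a))
    print("B receives:", derive_auth_data("ABC123", table_b))
    print("login at A:", verify("ABC123", table_a, rec_a))
    print("A's table against B's record:", verify("ABC123", table_a, rec_b))
```

Running it shows the same six-character password producing two unrelated 24-character strings for the two services, and a stolen record from one service being useless against the other.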

Jin

Nice logic!

"They found that requiring strong passwords is a waste of time when other security mechanisms, such as encryption and hashing, are absent or badly implemented." Then requiring safer automobile mechanisms and better traffic regulations would be a waste of time when there are people who drive cars drunk. What a nice logic!!

Hot Celebrity? Stash of SELFIES where you're wearing sweet FA? Get 2FA. Now

Jin

2 may be weaker than 1 in the real world

2 is larger than 1 on paper, but in the real world two weak boys may well be far weaker than one toughened guy. Physical tokens and phones are easily lost or stolen. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

A sufficiently strong password alone could well be more effective than the combination of a weak password and a vulnerable second factor.

Password manager LastPass goes titsup: Users locked out

Jin

Do not put all your eggs in a basket

ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in one basket. They remember all my passwords when un-hacked and lose all my passwords to criminals when hacked. And it has now been demonstrated that we could be locked out. They could be considered mainly for low-security accounts, not for high-security business. Needless to say, the strength of the master password is crucially important, even if fewer of them are required.

Microsoft: You NEED bad passwords and should re-use them a lot

Jin

Humans are still poor at dealing with texts

What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the whole memory of ours. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

Popular password protection programs p0wnable

Jin

Only for low security jobs

The maxim is reconfirmed that it is not wise to put many eggs in a basket. Password managers should be recommended only for low-security jobs.

L337 crackrz use dumb passwords too

Jin

Interference of Memory

It is probably because shrewd hackers also suffer the strong "interference of memory" when using text passwords. This report probably proves how common this cognitive phenomenon is among human beings.

EBay, you keep using the word 'SECURITY'. I do not think it means what you think it means

Jin

Nails given but no hammer given

To say only "changing passwords is a best practice and will help enhance security" is like giving us nails without giving us a hammer. What can we do when we cannot remember any more text passwords, we cannot reuse the same passwords over many accounts and we cannot carry around a memo with passwords on it? And what about where 2-factor solutions involve a password, where biometrics involve a password for self-rescue in case of false rejection, and where ID federations (single-sign-on services and password management tools) require the password called a master password?

Samsung mobes to get an eyeful of your EYE in biometric security bid

Jin

Lower security than passcode-only models

I wonder how many people are aware of the fact that mobile devices with biometric sensors offer lower security than the passcode-only models.

What is the user expected to do when he is falsely rejected in the outdoor environment? Use the passcode. This means that criminals can impersonate the legitimate user by breaking either the biometric sensor or the passcode, meaning that the criminals are given more chances to break in; that is, lower security.

It is really ridiculous to be offered a lower-security solution where higher security is required.

Adobe hackers strike again: PR Newswire grovels to clients after latest hack'n'grab

Jin

Sticky fingerprints left on server

Where can we read more about "Sticky fingerprints left on server used for Adobe code slurp"?

Microsoft's swipe'n'swirl pic passwords LESS secure than PINs, warn researchers

Jin

This should be called a picture-assisted gesture password, not a picture password.

Some picture passwords are designed far more wisely. A good example is shown at

http://mneme.blog.eonet.jp/default/files/expanded_password_system.pdf

Pulse-taking ticker tech cuff to sniff out cash-snafflers

Jin

false rejection versus false acceptance

This could be taken seriously provided the false rejection rates are zero or very close to zero so that the user will not have to depend on a password for self-rescue in the outdoor environment where there is no such manager who takes care of the falsely rejected user. If not, it must be an expensive joke.

New Android plan: Gurn at your phone to unlock it

Jin

Entertaining indeed

It sounds absolutely entertaining, though it will not help solve the issue of vulnerable passwords. Any personal verification solution which requires a self-rescue password (a password for self-rescue in case of false rejection) can by no means be an alternative to passwords.

My bleak tech reality: You can't trust anyone or anything, anymore

Jin

Why not try to expand the password memory capacity?

At the bottom of all these headaches is a simple fact that humans cannot firmly remember any more than 5 passwords on average so long as we stick to numbers and texts. But it is not impossible to expand the password memory capacity. One such proposition can be found at

http://mneme.blog.eonet.jp/default/files/expanded_password_system.pdf