2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 11/24 Report --
I opened a website called "PasswordMonster" to test how secure (or not) the passwords most commonly used by people on earth are.
Enter "0" and the site shows that the time needed to brute-force the password is 0 seconds; for "88888888" it is 123456 seconds.
Tutorials like "how to set an unbreakable password" are easy to find these days, and with some effort you can create a password that would take 6 billion years to brute-force.
The problem is that you probably won't remember it. Why else do so many people use their birthday as a password whenever the site does not reject it as too simple? Because they cannot remember anything else. Then you fall into the "forget password, reset password, forget password" cycle.
Even if I could remember a password that takes 6 billion years to crack, it would not survive a database leak. In large-scale leaks such as the "Super Star Learning" incident, users' account numbers, passwords and other personal information may be stolen, sold, or used by criminals for fraud.
In that case a complex password is of no use to me; the only thing I can do is change it immediately after the fact.
What if the Internet did not use passwords at all? Could we stop memorizing passwords and stop fearing data leaks?
Passwords are an "old thing" with many problems
In the 1960s, the concept of the "password" was born along with the original Internet. The original idea was to let users become an important line of defense in the security system by designing their own passwords.
This system has worked for more than 40 years; it is fair to say that it is on this password-based authentication that Internet user logins were built and thrived.
In theory, passwords still hold up against common attackers, who typically work by computing hashes. If you set a very complex password, cracking it would take trillions of centuries, even if the attacker's equipment were a supercomputer.
For example, the typical random password in the picture above would take 8.47 trillion centuries to brute-force, even on a supercomputer performing 100 trillion floating-point operations per second.
But in the 21st century, with the rapid growth of the mobile Internet, most people have hundreds of online accounts that each need a password, and reusing the same password across platforms is almost inevitable.
More frightening still, the databases storing this account information can themselves leak, whether through mishandling inside the platform or because insiders sell the database for personal gain. The real information of hundreds of millions of users then ends up openly sold on the dark web. This happens frequently.
For users whose information has leaked, what is more deadly is that exposing the account and password of one platform amounts to exposing their accounts on many platforms, because so many people use the same password everywhere.
Large criminal hacker groups today collect leaked databases through various channels, merge them to map out a person's footprints across the Internet, and file everything together into a "social engineering database" (a "social work library"). In the process, your password on other platforms can be roughly inferred.
For example, most accounts today need only an email address or mobile number plus a password (often the same password reused) to log in. If that information has leaked from one database, attackers can follow the clues and piece together your credentials on other platforms. Today this can be done entirely automatically, a practice commonly known as "hitting the library" (credential stuffing).
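As an added example that is not from the original article, here is the defender's side of the automated "hitting the library" described above: a small detector that scans login events for a source address that tries many different accounts in a short window with mostly failures, and reports the accounts that nonetheless succeeded, since those are the reused passwords the attacker found. The log lines, IP addresses and account names are constructed samples, and the thresholds are assumptions.

```javascript
// Constructed sample login events (timestamp, source IP, account, outcome).
const SAMPLE_LOG = `
2022-11-24T10:00:01Z ip=203.0.113.7 user=alice result=fail
2022-11-24T10:00:03Z ip=203.0.113.7 user=bob result=fail
2022-11-24T10:00:04Z ip=203.0.113.7 user=carol result=fail
2022-11-24T10:00:06Z ip=203.0.113.7 user=dave result=success
2022-11-24T10:00:07Z ip=203.0.113.7 user=erin result=fail
2022-11-24T10:00:09Z ip=203.0.113.7 user=frank result=fail
2022-11-24T10:05:00Z ip=198.51.100.5 user=bob result=fail
2022-11-24T10:05:20Z ip=198.51.100.5 user=bob result=fail
2022-11-24T10:05:45Z ip=198.51.100.5 user=bob result=success
`.trim();

// Parse one "key=value" log line into an event object; skip anything malformed.
function parseLine(line) {
  const m = line.match(/^(\S+) ip=(\S+) user=(\S+) result=(fail|success)$/);
  return m ? { ts: Date.parse(m[1]), ip: m[2], user: m[3], ok: m[4] === 'success' } : null;
}

// Flag source IPs whose attempts in a sliding window span many distinct accounts
// with a high failure ratio (assumed thresholds). A real user retrying one account
// is not flagged, even though they fail more than once.
function detectStuffing(logText, { windowSec = 300, minAccounts = 5, minFailRatio = 0.7 } = {}) {
  const byIp = new Map();
  for (const line of logText.split('\n')) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }
  const findings = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].ts - events[start].ts > windowSec * 1000) start++;
      const window = events.slice(start, end + 1);
      const accounts = new Set(window.map(e => e.user));
      const failRatio = window.filter(e => !e.ok).length / window.length;
      if (accounts.size >= minAccounts && failRatio >= minFailRatio) {
        // Accounts that *succeeded* from a stuffing source are the likely reused passwords.
        const hits = [...new Set(window.filter(e => e.ok).map(e => e.user))];
        findings.push({ ip, accounts: accounts.size, failRatio, compromised: hits });
        break; // one finding per IP is enough
      }
    }
  }
  return findings;
}
```

The flagged accounts are the ones to force a reset on, while the retrying user from the second address is left alone.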
There are also lower-cost scams. Criminals use already-leaked information to coax more out of real people directly through phishing, most commonly fake login websites and fraudulent phone calls. Even if you set an ultra-strong password of random digits, letters and symbols, it is easy to fall into the trap of a fraudulent website that replicates the official login page almost 1:1.
It can be seen, then, that the existing password mechanism has often become an accomplice to information disclosure.
But it is hard to blame the password system entirely. After all, it has been essentially fixed in shape since the 1980s, when its designers could hardly have expected that 40 years later everyone would hold hundreds of Internet accounts.
The existing password system is like an overloaded old steam turbine: it breaks down frequently, yet it must keep driving the whole Internet forward. The industry, however, has begun to recognize these historical problems and intends to start afresh with an authentication mechanism that can replace passwords entirely.
FIDO, the key to "no password"
At this year's WWDC, Apple introduced a new feature, "Passkeys", that spares users from typing cumbersome passwords by hand. With it, the user no longer enters a password but authorizes use of the passkey directly with Face ID / Touch ID (face / fingerprint recognition) or similar methods. The user's device generates a key pair locally: the private key stays on the device, while the platform's server keeps the corresponding public key for authentication. Once the two match, you are logged in without a password. Throughout, the user only has to verify their identity biometrically.
▲ Apple introducing passkeys to developers (Apple)
Similarly, Google introduced passwordless login at this year's Google I/O: when a user logs in to a website in Chrome, the login can be approved on a nearby phone. The same technology is to be integrated into smart TVs, smartwatches and even cars in the future.
▲ Google is also promoting passwordless login (Google)
The underlying technology behind these experiences comes from the FIDO Alliance, an organization dedicated to advancing "passwordless" authentication. FIDO has drawn up the relevant technical standards and brought them to the major Internet companies. FIDO's members now include not only the mainstream operating-system vendors Apple, Google and Microsoft, but also chip suppliers such as Qualcomm and Broadcom and payment giants such as PayPal.
▲ A list of FIDO Alliance members (FIDO)
With members from such different fields working within one set of technical standards, a consistent passwordless login experience, and even interoperability between users' different devices and applications, may become possible.
For example, as Apple showed at WWDC, an iPhone user can scan a code to log in, through Chrome on a Windows PC, to an account that supports FIDO. An operation as simple as "scan to log in with WeChat" is a microcosm of the efforts of Apple, Microsoft and Google in the passwordless field.
▲ Sometimes even an operation as simple as "scan the WeChat code to log in" is hard to implement | Apple
Public key plus private key
From the user's point of view, FIDO is not very different from today's fingerprint / face recognition login, or even from mainstream password auto-fill services.
The most important difference is hidden beneath the login page: instead of the system generating a random password, FIDO uses "public key + private key" authentication. A private key is generated locally on the device, while the public key is kept on the account server. Login authentication can only be completed when the private key is used together with its public key.
▲ Just press a fingerprint (Apple)
Against phishing sites that users cannot easily tell apart from the real thing, an account registered with FIDO detects that the key stored locally does not match the web page requesting it, so no information is transmitted. This defeats the fraud attacks that rely on near-perfect imitation login pages, as well as the risk of database leakage.
When the web page detects that the matching private key is present on the device, the corresponding biometric verification has already been performed, so the server no longer needs to judge whether the visit comes from a real user or a malicious bot. Naturally there is no need for repeated verification steps, such as the various complicated CAPTCHA inputs and "prove you are not a robot" human-machine checks.
▲ Human-machine verification like this, which makes people doubt whether they are human, should no longer be needed | Internet
In addition, when users switch devices or want to log in to their own accounts on someone else's device, Apple's passkeys can also transfer the local private key and assist authentication via data backup or QR codes. It should be stressed that the private key is always stored on the user's own device.
One last step toward a password-free future
Tech giants seem to have embraced FIDO passwordless technology overnight, but the FIDO Alliance was formed in 2012, before smartphones were even ubiquitous, and the organization began working on more advanced authentication methods then.
But wiping out passwords is not easy. The Internet ecosystem we know today is deeply rooted in the password authentication mechanism; passwords have become part of the Internet's DNA. So even though the FIDO Alliance has won over the industry's giants, it could only seek breakthroughs step by step over the past decade.
Over the past few years, the FIDO Alliance has rolled out three different passwordless protocols. FIDO UAF, proposed in 2014, lets users with biometric-capable devices do things such as complete a payment directly with a fingerprint.
▲ FIDO UAF (FIDO)
Another technology, "FIDO U2F", provides stronger security through two-step verification, including Bluetooth / NFC physical keys, two-step verification codes and so on. Today this is a very common verification technique; the SMS verification codes we receive almost every day also belong to this category.
▲ FIDO U2F (FIDO)
After these two protocols, FIDO2, the protocol that truly opened the way to a completely password-free era, was born in 2015. It took another eight years; not until 2022 was the time ripe for FIDO to replace passwords and make its debut on globally watched stages such as WWDC and Google I/O.
▲ FIDO2 | FIDO
Today, ten years after the FIDO Alliance was founded, this "third stage" of the Internet's passwordless history may be its most important step.
Apple has announced that the official releases of iOS 16, iPadOS 16 and macOS 13 in September will support FIDO-based passkeys, while Google will add support to its own platforms, such as Android and Chrome, by the end of 2022.
Microsoft has likewise announced plans to add FIDO support to Windows "in the coming months". Real-world use is only one step away.
Attractive as the password-free future shown by FIDO is, the new standard still faces practical problems. The most important is that many more account services need to support the technology, which is bound to be a gradual, step-by-step replacement.
How easily users can synchronize their local private keys across different operating systems and devices will also affect adoption: iPhone users syncing private keys to a Windows PC or Android phone (or vice versa), plus the state of third-party Android systems, means users may face requirements far more complex than "logging into my own account on someone else's computer".
For ordinary Internet users, the most important thing is that they will no longer have to rack their brains to set passwords, only to be forced to reset them after forgetting.
This article comes from the WeChat official account Guokr (ID: Guokr42); author: Liming Front Alan; editor: biu.