-={The World Through The Looking Glass}=-


How single character passwords became common place

You might think the title of this blog is such a click-bait! Who in the world would dare use a one character password you say! This dude is rambling again on a beautiful afternoon!

Well only the rambling part is true, as with all my posts I can only blog when I have settled life’s many priorities.

But back to the title, it is no joke for I see more and more users going down this path of using a single character password to protect their most treasured banking transactions, access to their mobile phones etc.

I’m talking about the use of fingerprint based biometric logins. (I have previously blogged rambled about this.)

Using a single fingerprint that can easily be stolen is, to me, comparable to using one character key from your keyboard as your password. In some cases I think the keyboard method might actually be safer! Here’s why:

One Character Password:

You have to guess 1 out of 94 characters.

(Assuming 26 upper case, 26 lower case, 10 number and 32 symbols).

One Fingerprint:

You only need 1 out of 10 fingers *

(*Available all over your coffee mug and on the phone itself! Don’t ever think just because it’s unique it’s safe.)

So referencing my previous post on how safer passwords involve length and complexity; it’s funny why a single fingerprint is still acceptable when a single character password is not. I strongly vote for someone to give me an option to use multiple fingerprint combinations per login attempt! So hypothetically if your mobile phone is stolen, I just have to find out which of the 10 fingerprints is registered, and I’d probably guess it’s your right index finger. Instead if you use just one character on your keyboard, I would have to guess which of the 94 is true!

PS: Apple iPhone X is out! No more fingerprints! But now any 3-letter-GOV-agencies don’t even have to force you to remember your passwords or pull your fingers off to scan. They just have to show you your phone and say “Do you recognize this phone? *unlocks* Thanks we’ll take it from here.” Great!

Late night thoughts

It’s been a while since I wrote and I wanted a place to write, someplace where I used to belong and left abandoned, like going back to your childhood playground and realizing that the swing set is still there; and you can’t help but have a go just to see how it feels.

I wouldn’t call what I’m about to do serious writing (like penning for a novel) but likely similar to a random scribbling of thoughts on paper/screen. If technology advances to a level where a mind map can be generated in real time, my map right now would look like a bunch of spaghetti sparsely spaced with meatballs of vague ideas.

So, about life. Kids are doing ok so far. Any new parents (hopefully) would think of the world for their kids, that they will grow up being someone useful to the world. My thoughts aren’t as grand so far. It’s amazing how my wishes for them are as small as baby steps (literally). Growing from wishing they were born safe and sound, to having normal limbs and an even number of digits, to not having blemishes or birthmarks.

Right now I’m anxiously mapping their growth rate based on wonderfully “all babies develop at different rates” disclaimer wall posters. But still it’s a good way to see what’s coming and where I can help to make I MYSELF more comfortable with what and where they are currently at in terms of cognitive and brain development.

Everyone says that with time, everything will pass and it’s often with fondness and memories when we look backwards. For me, I disagree. Looking at how things were, I have fallen deeply into the trap where I get no time to rest until they have kids of their own (or maybe even till much later). I might not even have time to sit down and think about the good old days since all parents (yours truly included, now) will end up worrying about their kids until their ripe old age.

OK maybe I can chill a little when they learn how to talk and walk.



Lost, and found my luggage

I came back recently from a trip and had the misfortune of losing my luggage. Amongst the many things lost were souvenirs and items with sentimental value.

There was initial confusion on my part over where it may have gone, whether it would be in the large luggage conveyor or with customs or stolen! But when I passed my barcode to the airline staff, the confusion was on them as well.

You see, I thought the barcode was linked with both the departing and arriving airports. Kinda like how you can scan it and track your baggage like a parcel from FedEx. However in reality it does nothing except tag your luggage with a reference number. So when it goes missing like in my case, there’s a reference number they can use.

They are not able to tell me if it left the departing airport, or arrived, or was still stuck with customs. All they can do is email the departing airport with the reference number to check if it left the country. I was told to wait for news in 2-3 days and after that, file a missing luggage report.

Monetary compensation is one thing, but souvenirs and sentimental items are priceless. Not even MasterCard can pay for those!

So that got me thinking, what is there to stop the airline from knowing, and informing me, that the luggage did not go on board? If there are systems to identify that a passenger isn’t on board, and to unload the checked in luggage, why can’t the opposite happen?

It would be so stupid to know I flew 8 hours back and all this time my luggage wasn’t with me. The worst that could happen is the luggage actually goes on a world tour without me. Now imagine what if the contents are not declared safe for some countries like NZ or Australia?

I eventually got it back 2 days later. Seems like no one can tell why it was left unloaded in the cargo area, sitting there looking pretty; but it was then loaded on the next flight and reached home. There were some perishables inside which are a write-off; luckily I have insurance for that.

I know it’s not the airline’s fault, rather it would be the airport ground crew, but it does leave a bad taste that the plane took off without my luggage and no one knew about it.

Thoughts on Phishing

Similar to the theme of my previous post (one year ago, shame on me), I felt that the world had moved on to what I’d call second generation Phishing. Phishing 2.0?

Previous iterations of Phishing had victims visiting bogus websites, but the 2.0 version acts as a proxy so that your first transaction does go through (say if you want to check your bank balances). What it does then is silently steal your login & password. No word if any malware boasts that it was successful (Ha! In your face! Victim!)

TAC messages are used by some banks to prevent this but nothing solid is really in place to prevent a proxy Phisher from asking for it anyway. When the malware / Phishing website has your trust, nothing will stop it.

See: Zitmo (Zeus In The Mobile)
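The proxy problem above has a known technical control: bind the TAC to the exact transaction the bank describes in the SMS, so a code the victim types into a proxy only ever authorises the transfer the victim saw. Below is an added example (not code from the original post or from any bank) that models this bank-side; the key, user names and amounts are constructed, and the nonce is assumed to be stored server-side against the pending transaction.

```python
import hashlib
import hmac
import secrets

# Constructed bank-side secret; a real deployment would use a per-user or HSM-held key.
BANK_KEY = b"constructed-bank-side-secret"
TAC_DIGITS = 6


def _derive(user, payee, amount_cents, nonce, key):
    """Derive a short numeric code from the full transaction description."""
    msg = f"{user}|{payee}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**TAC_DIGITS).zfill(TAC_DIGITS)


def issue_tac(user, payee, amount_cents, key=BANK_KEY):
    """Bank side: mint a TAC for one pending transfer and the SMS text that
    tells the user exactly what the code authorises."""
    nonce = secrets.token_hex(8)  # assumed to be kept server-side with the pending transfer
    tac = _derive(user, payee, amount_cents, nonce, key)
    sms = (f"TAC {tac} for paying {amount_cents / 100:.2f} to {payee}. "
           f"Use it only for this transfer.")
    return tac, nonce, sms


def verify_transfer(user, payee, amount_cents, nonce, tac, key=BANK_KEY):
    """Bank side: accept the transfer only if the submitted details are the
    ones the TAC was minted for; compare in constant time."""
    expected = _derive(user, payee, amount_cents, nonce, key)
    return hmac.compare_digest(expected, tac)


def proxied_session_demo():
    """Victim reads the SMS and types the genuine TAC into the proxy site.
    Returns (genuine_accepted, altered_accepted): the relayed code works for
    the transfer the victim saw but fails if the proxy swaps the payee."""
    tac, nonce, _sms = issue_tac("alice", "ELECTRIC-CO", 12_000)
    genuine = verify_transfer("alice", "ELECTRIC-CO", 12_000, nonce, tac)
    altered = verify_transfer("alice", "MULE-ACCOUNT", 12_000, nonce, tac)
    return genuine, altered
```

The control only helps if the SMS states the payee and amount and the user reads them before typing the code; a TAC that is just “your code is 123456” binds to nothing and relays cleanly.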

So it occurs to me that Phishing extends to mobile apps as well. Speaking to industry players in the mobile app development world and IT Security guys, it seems a company (banks, cinemas, airlines etc) seldom implements mechanisms to verify the integrity of the mobile app talking to its servers.

We have seen SecureWords (those little pictures or words you select during registration) that pop up before you login, to tell you the company is trusted and is not someone else. But nothing to tell the company that the application is their own.

In my ramblings to my colleagues I always challenge why it is so hard to develop some hashing function that gets passed along to the server to say “yep, I’ve not been modified or imitated in any way” (simplifying it greatly just to prove a point; the detailed steps are probably too technical).

I feel there’s lots more that can be done both on education and technical implementation to deter Phishing, but I’m from the camp that believes that even if a user is not educated (I always use my grandma in presentations, sorry Grams), the technical controls should prevent it. That’s called serving the 18 to the 80.

Just to share something recent: When I was registering this address, I was also paying my income tax. The first website I went to was htp://www.lhdn.gov.my. Now imagine my surprise that it’s actually for sale. The official site is http://www.hasil.gov.my. Now it’s income tax filing season; if I can make that mistake, what is there to stop someone from registering that site and using it to Phish for login credentials?

Fingerprint as login is not a bad idea, but current implementation is

Today’s news has been about how bad an idea it was to use fingerprints as a login mechanism (Ars Technica). Apple’s iPhone had a similar mechanism and it was broken in 48 hours by someone swiping a lifted fingerprint (Ars Technica, again). MythBusters had an episode whereby the latest in fingerprint locks (fingerprint+pulse+heat+skin conductivity) was broken by having someone lick a plastic mold of a fingerprint.

In short: Passwords can be changed, fingerprints can’t.

But I disagree that fingerprints can’t be used as a convenient way to grant authorized access. It’s only that the current implementation makes it simple and easy to break. Sure you leave fingerprints all over the place, and once someone has your prints it becomes impossible to change them. But no one says it has to be just 1 print per scan.

A better way would be to adopt common good password practices, but this time apply them to the number of fingerprint swipes.

  • Password length = fingerprint swipes
  • Password complexity = random fingers (we have 10, take a pick)
  • Password history = length + complexity combo history
  • Example: Fingerprint password of 3 length + complexity = Left Thumb -> Left Middle -> Left Pinky finger. 3 swipes.

This way even when someone has your prints they have no idea which finger you use, for how many swipes, or in what combination.

Problem solved.
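To put numbers on the comparison from the single-character-password post (94 characters vs 10 fingers) and on the swipe-sequence scheme above, here is an added example (not code from the original posts). It assumes the sensor has already identified which of the ten enrolled fingers was presented; the ordered finger sequence is then treated exactly like a password, stored only as a salted hash, and the keyspace figures assume the attacker already holds all ten prints.

```python
import hashlib
import hmac
import math
import os

# Ten "symbols" the sequence is drawn from; names are constructed for this example.
FINGERS = ("L-thumb", "L-index", "L-middle", "L-ring", "L-pinky",
           "R-thumb", "R-index", "R-middle", "R-ring", "R-pinky")
PBKDF2_ROUNDS = 100_000


def keyspace(alphabet_size, length):
    """Number of distinct secrets of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Guessing entropy in bits when each symbol is chosen uniformly."""
    return length * math.log2(alphabet_size)


def swipes_to_match(char_alphabet, char_length):
    """Fewest finger swipes whose keyspace is at least that of a
    char_length-character password over a char_alphabet-size charset."""
    target = keyspace(char_alphabet, char_length)
    swipes = 1
    while keyspace(len(FINGERS), swipes) < target:
        swipes += 1
    return swipes


def enroll(sequence, salt=None):
    """Store the ordered finger sequence as a salted PBKDF2 hash, as for a
    password; the raw sequence is never persisted. Returns (salt, digest)."""
    if any(f not in FINGERS for f in sequence):
        raise ValueError("unknown finger in sequence")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", "|".join(sequence).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(attempt, salt, digest):
    """Check an attempted sequence (order matters) against the stored hash in constant time."""
    if any(f not in FINGERS for f in attempt):
        return False
    cand = hashlib.pbkdf2_hmac("sha256", "|".join(attempt).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)
```

With the attacker holding every print, one swipe is a 1-in-10 guess against 1-in-94 for a single character, and it takes 16 swipes to match an 8-character password over 94 characters; the scheme buys ordering and length, not secrecy of the prints themselves.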

Can you hear the echo in here?

Here is a blog that existed when blogging was cool, when having your own domain name was to rise up to the rank of God himself, and everyone drooled over a dSLR.

A blog that had existed for this long carries with it a load of emotional weight that I want to be rid of and thus a spring cleaning is in order.

I was lucky these are all digital; imagine if they were in aged rubber-band-bound diaries and the only satisfying way of ‘deleting’ them involved a bottle of kerosene, a match and an escape plan for the inevitable fire in my backyard.

I’m not holding sentimental value in each blog post, although I do find a gem here and there as I select them for purgatory. Mostly old chain emails and jokes and some thoughts I had penned down during my uni years (no such luck finding rough scribbles for facebook-social-network); most of which can now be recognized as dreams of better role models / entrepreneurs, and the rest of the old jokes can be Googled.

There’s no archived old post section, and it’s a waste of time anyway as my blog views are not as high as before, so all those posts are gone. I feel lighter already!

So anyway this is a brand new post for a brand new start, new tags, new categories, new everything! It may also be a way for me to clear the room full of junk before I shut it down, who knows… let’s see if there’s a next post after this.