Entries tagged as 'password'
Posted Monday, 2 June 2008

I briefly used a PayPal security key, but it was a frustrating experience, simply because I kept leaving the key at home. PayPal’s integration with eBay is not good, which is surprising as eBay owns PayPal.
When I decided to stop using the key, I was able to cancel the PayPal key online in a matter of minutes. It took a 15-minute live chat with an eBay rep to remove the PayPal security key from my eBay account. Perhaps that was a security step by eBay. However, the frontline system for canceling the key on eBay’s site did not work properly.
The worst part of the PayPal key: I had to pay US$5 to get one in the first place. If PayPal really wanted business users to have multifactor keys, the first key would be free of charge.
Posted Tuesday, 13 May 2008
The mobile phone is an excellent device for two-factor authentication. Most Internet users already have a mobile phone. A user might not notice that they’ve lost a dongle, security token or smartcard. That’s one reason adoption has been difficult for multifactor authentication schemes.
JanRain announced on 9 May 2008 that it is launching a phone-based multifactor authentication service, CallVerifID, that works with its myOpenID service.
The phone verification service lets a user designate a specific phone number that JanRain’s partner, PhoneFactor, will call when their username requires verification. The user can press the pound (#) key on the phone to confirm the login, or use the incoming call to report that their username has been compromised.
Users can designate a mobile or landline number for their verification calls by setting up their myOpenID account preferences with the appropriate number.
The system isn’t perfect. Someone could still learn the user’s OpenID URL and passphrase, and arrange to intercept the confirmation phone call somehow. This might take a greater level of physical access than stealing a security key or snooping a keyboard. The call verification system could easily be improved by asking the user to enter or speak a second passphrase on the phone.
As Chris Messina pointed out in December 2007, several large Internet content companies have announced that they will support OpenID. Their implementation has been delayed for several reasons, including branding, although ma.gnolia finally came through in March 2008.
CallVerifID is more evidence that OpenID can become a trusted authentication platform for content and blogging sites, and perhaps for e-commerce sites as well.
See CenterNetworks and Mashable for more details.
Mobile phone image courtesy of besto-Baker on Flickr, through a Creative Commons license.
Posted Thursday, 24 April 2008
Here are a few interesting thoughts about passwords. Some users have problems remembering their passwords, so they rely upon one password that they can easily remember.
David Naylor has compiled several lists of commonly used passwords. Permutations of “password” and numeric characters are frequent entries in these lists. One of the lists that Naylor uses comes from this DarkReading article, which provides a more detailed discussion of system administrator passwords.
I’ve become a big fan of the passphrase, which is a long password that might resemble a sentence, a list of phone numbers, or some other easily remembered data. This Diceware article has some excellent tips for selecting a strong passphrase.
If the system supports a long password, try using the portions of the sentence or the entire sentence itself as the passphrase.
If you want a shorter password, try using the first letters of a long sentence that you can easily remember, but others will find hard to guess. Shorter passwords are easy to break or crack, so users have to balance security with memory.
Some examples
As an example, an English translation of Julius Caesar’s famous quotation, “The entirety of Gaul is divided into three parts”, might be encoded into a short passphrase, shown below in bold, by using the first letter of each word in the sentence:
- TeoGiditp is a literal conversion of the sentence that preserves the uppercase characters. It’s a weak encoding scheme, because it’s too easy to guess.
- tE0Gid13p substitutes a number whenever an alphabetic character is repeated in the sentence. This system is a bit harder to crack, and may be more difficult for the user to remember.
- +€0G!d1Ep uses punctuation marks or typographical symbols that resemble some of the characters. This encoding scheme may be difficult to type and remember, but the variety of characters used makes a dictionary-based attack less effective.
- 190515070904091916 is another substitution cipher in which each letter is replaced by a number representing its numeric order in the English alphabet. This system may work well on mobile phone devices. This cipher could be refined by using a non-decimal system like hex, or by rotating the numbers so that i=1, j=2, k=3 and so on.
- 19!05@15#07$09%04^09&19*16 uses the punctuation marks produced by the shift+numeric keys on a US keyboard to indicate or delimit each character. Again, the user should identify a more random set of symbols that can be remembered and typed.
If the passphrase creator reveals the rules they used to create or encode the passphrase, these examples are trivial for a person to crack.
It’s also easy to crack a password if it’s used by the same person on multiple systems or sites. The overall security of the password is only as strong as the weakest security scheme employed by any of these sites.

Keep in mind that some characters are not available on all keyboards. Mobile phones and PDAs present special problems, as these keyboards are quite limited. The Euro (€) symbol is usually shown on European keyboards, but is rarely shown on US and Canadian keyboards. This symbol can be typed alt+0128 on US Windows keyboards, with a shortcut key on various other keyboards, and alt+shift+2 on US Mac systems.
Create a password keychain
One trick for creating a site-specific passphrase that can be easily remembered is to include a portion of the site’s name or URL in the passphrase itself. While this system can give a human or software-based password cracker a start at cracking the password, it does allow users to use a single passphrase across multiple sites. Example #1 from my first list might be encoded as follows for these URLs:
- google.com: TeoGiditp-google (much too easy to crack!)
- yahoo.com: TeoGiditp%oohay (that’s “yahoo” backwards)
- hotmail.com: h0+mA1L#TeoGiditp (tougher to crack, harder to remember and type)
Using a well-known sentence as a passphrase can also reduce its strength. Try a random passphrase generator like this one from leemon.com. You may need to try several passphrases until you find one that you can remember.
Of course, all of these tricks cannot prevent a keystroke logger, camera or shoulder surfer from observing your password as it is typed.
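The encodings and the site keychain described above, worked through as an added example (my code, not from the original post): it implements the first-letter acronym, the alphabet-index form and the reversed-site-name keychain, adds the check a site would run at password-creation time to reject passphrases derived from a well-known sentence, and compares the effective entropy of a known-quote scheme with a random Diceware passphrase. The three-entry quotation list is a constructed stand-in for a real list; the alphabet-index function uses the standard positions a=01 … z=26 (under which t is 20), so its output for the Gaul example differs from the digit string in the post.

```python
import math
import string

# Constructed sample: a tiny "quotation dictionary" standing in for the lists of
# well-known sentences a guesser who knows the first-letter scheme would try first.
SAMPLE_QUOTES = [
    "The entirety of Gaul is divided into three parts",
    "To be or not to be that is the question",
    "Four score and seven years ago",
]

def acronym(sentence):
    """First letter of each word, case preserved (the post's "TeoGiditp")."""
    return "".join(word[0] for word in sentence.split())

def alphabet_index(acro):
    """Replace each letter by its two-digit position in the alphabet, a=01 ... z=26."""
    return "".join(f"{string.ascii_lowercase.index(c.lower()) + 1:02d}"
                   for c in acro if c.isalpha())

def site_keychain(acro, site, sep="%"):
    """Site-specific variant from the post: acronym, separator, site name reversed."""
    return f"{acro}{sep}{site[::-1]}"

def matches_known_quote(candidate, quotes, site=""):
    """Policy check at password-creation time: reject a passphrase that is just the
    acronym of a well-known sentence, its alphabet-index form, or a site-keychain
    variant of either (exact match only; a real deployment would also normalise case)."""
    for quote in quotes:
        forms = {acronym(quote), alphabet_index(acronym(quote))}
        if site:
            forms |= {site_keychain(form, site) for form in list(forms)}
        if candidate in forms:
            return True
    return False

def quote_scheme_bits(quotes):
    """Effective entropy when the guesser knows the scheme: one guess per quotation,
    so log2(number of quotations) no matter how the letters are re-encoded."""
    return math.log2(len(quotes))

def diceware_bits(words, wordlist_size=7776):
    """Entropy of a random Diceware passphrase: each word is one of 6**5 = 7776."""
    return words * math.log2(wordlist_size)

if __name__ == "__main__":
    acro = acronym(SAMPLE_QUOTES[0])
    print(acro, alphabet_index(acro), site_keychain(acro, "yahoo"))
    print(f"known-quote scheme: {quote_scheme_bits(SAMPLE_QUOTES):.1f} bits")
    print(f"5-word Diceware:    {diceware_bits(5):.1f} bits")
```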
Posted Thursday, 17 April 2008
From Lifehacker comes a link to a free virtual keyboard called Neo’s SafeKeys. The keyboard is displayed on the computer screen, and lets a Windows user type their password without accessing the computer’s keyboard.

It’s trivial to monitor keystrokes through software and hardware called keystroke loggers or keyloggers. This New York Times article describes a new phishing attack against executives, involving an email with a link to a fake subpoena. Click the link and a Windows keystroke logger gets installed.
Executives are excellent targets for such attacks. CXOs often want to bypass corporate security systems for the sake of personal convenience. When executives insist on carrying confidential or valuable corporate data on their laptop’s hard drive, they may as well paint a target on their foreheads.
CXOs might also disable virus scanners and security software to make the computers run faster. This only makes their personal computers much more vulnerable. When executives are reluctant to admit their mistakes or ask for help, the damage is already done.
I’ve seen virtual keyboard systems deployed on banking web sites, so that users can use a mouse to enter their passphrase. Of course, this can be very tedious if the user has a long passphrase. These virtual keyboard systems may become more common as banks implement multifactor authentication schemes that address consumer, regulator and compliance issues.
Keyboards and keystrokes
It’s still possible to use a keyboard for multifactor authentication, however. This article from Windows in Financial Systems describes a system from BioPassword that requires the user to enter their password ten times in a single enrollment session. Software determines the rhythm of their keystrokes, and stores that data along with the user’s account on a Microsoft Active Directory server. Anyone who tries to access the account will have to simulate that user’s typing behavior for that specific password.
In this 15 May 2007 article, ha.ckers.org pointed out some potential problems with BioPassword’s system. The timing needs to be loose enough to accommodate different keyboard styles; a laptop computer’s keyboard often is laid out differently from a standard desktop keyboard. Otherwise, the timing checker might flag users who include numerics, international characters (such as € £ ß Ω) and typographical symbols (like % @ © ^#~) in their passphrase.
Dots and dashes
The concept dates back to the 19th century. Experienced telegraph operators could identify each other by their fist, or their distinctive patterns of keying Morse code. The same concept was also used during both World Wars to match radio operators with their message content.
Some banks might have each user enroll several different passphrases, as many banks now require for their web-based customer portals.
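The enrollment-and-verify rhythm check described above, as an added illustration (my code, not BioPassword’s): ten enrollment attempts give a per-gap mean and spread, and a login is accepted only when enough of its inter-key gaps fall inside a tolerance band. The `min_ms` floor is the "loose enough" point from the ha.ckers.org critique: with a tight band, the same user typing about 30 ms slower per gap on a laptop keyboard is rejected. All timings are constructed sample values, and only flight times between keys are modelled (real systems also use key hold times).

```python
import statistics

# Constructed sample: flight times in milliseconds between consecutive keys for the
# 9-character password "TeoGiditp" (8 gaps), typed ten times at enrollment by one user.
ENROLLMENT_MS = [
    [180, 120, 210, 150, 140, 160, 130, 170],
    [190, 110, 220, 140, 150, 170, 120, 180],
    [170, 130, 200, 160, 130, 150, 140, 160],
    [185, 125, 205, 155, 145, 165, 135, 175],
    [175, 115, 215, 145, 135, 155, 125, 165],
    [180, 120, 210, 150, 140, 160, 130, 170],
    [195, 115, 200, 160, 150, 150, 140, 165],
    [165, 125, 220, 140, 130, 170, 120, 175],
    [180, 120, 210, 150, 140, 160, 130, 170],
    [182, 118, 212, 148, 142, 158, 128, 172],
]
GENUINE_DESKTOP = [183, 121, 208, 152, 139, 161, 131, 169]  # same user, same keyboard
GENUINE_LAPTOP = [215, 145, 240, 180, 170, 190, 155, 205]   # same user, ~30 ms slower gaps
IMPOSTOR_EVEN = [260] * 8                                   # someone else, flat rhythm

def build_profile(samples):
    """Per-gap (mean, population std dev) over the enrollment attempts."""
    return [(statistics.mean(gap), statistics.pstdev(gap)) for gap in zip(*samples)]

def rhythm_score(profile, attempt, sigmas=2.0, min_ms=40):
    """Fraction of gaps within mean +/- max(sigmas*sd, min_ms). min_ms is the
    'loose enough' floor: a tight profile built from ten consistent desktop attempts
    would otherwise reject the same user on a differently laid-out keyboard."""
    if len(attempt) != len(profile):
        return 0.0
    hits = 0
    for (mean, sd), gap in zip(profile, attempt):
        if abs(gap - mean) <= max(sigmas * sd, min_ms):
            hits += 1
    return hits / len(profile)

def verify(profile, attempt, threshold=0.75, **kw):
    """Second factor only: accept when enough gaps match the enrolled rhythm.
    The password text itself is assumed to have been checked already."""
    return rhythm_score(profile, attempt, **kw) >= threshold

if __name__ == "__main__":
    prof = build_profile(ENROLLMENT_MS)
    for name, att in [("desktop", GENUINE_DESKTOP), ("laptop", GENUINE_LAPTOP),
                      ("impostor", IMPOSTOR_EVEN)]:
        print(name, "loose:", verify(prof, att), "tight:", verify(prof, att, min_ms=10))
```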
BioPassword’s software is designed for business and enterprise users. PC Magazine has an excellent review here, and the London Times and Baseline have good recent articles. This Wired article from 2000 describes how the system was used by a Canadian company, Musicrypt.com, as part of a user management service for music web sites.