[Discuss] A Little OT: The Password Post-It

Richard Pieri richard.pieri at gmail.com
Thu Apr 19 19:17:38 EDT 2012


On Apr 19, 2012, at 3:24 PM, Tom Metro wrote:
> 
> As I expected, an academic proof of concept.

Only for the more recent types.  The early keyless entry systems, the ones that don't bother with frequency hopping, were more easily abused.  RFID is similarly abusable because it doesn't do any (much?) hopping at all.


> Did you read the paper to see what the proposed countermeasures were?

I was unable to find it.


> could be addressed by having the smartphone app fingerprint the WiFi
> access points in the vicinity. Maybe even verifying that the phone has
> an active connection to the corporate WiFi, authenticated through your
> RADIX server (the laptop/desktop component could also confirm this).
> 
> You've now raised the bar some more.

So... instead of having users remember their passwords you expect them to keep track of little things that they lose and break all the time *and* the passwords needed to make those little things usable.  And you've spent a lot of money on hardware and software needed to implement this system.

This isn't raising the bar.  This is making things more difficult for the people you're allegedly trying to help.


> Part of your premise was that this sort of relay attack could be
> accomplished without the phone holder being aware of it. You could also
> mitigate that by having the app trigger an audio alert when an
> authentication handshake occurs.

No, my premise is that enforcement of password policies is stupid.  It doesn't matter if those passwords are enforced by screen locks and keyboard entry, key cards, smartphone applications, or whatever else someone who thinks he's clever can come up with.  Enforcement is stupid because it doesn't address the problem.

--Rich P.
