Ask HN: Why are we still using passwords?
IANASecurity Expert, but there are several on HN. Hopefully this will start an interesting discussion.
1) Why are we still using passwords to authenticate people online? And by "we", I mean most big public websites. Google, Facebook, Twitter, Gawker. It seems like some sort of key-based, public/private algorithm would be better than the current mess. Is this correct or am I forgetting something?
2) What would the optimal solution look like, assuming the browsers supported everything necessary?
24 comments
[ 3425 ms ] story [ 3086 ms ] threadThere is no better security for common use than the password... and it is just as effective as anything else with the added benefit of being universally applied if it is a decent one.
I really dislike the idea of being forced to use any one service in order to access multiple different services. I actually will go to rather extreme lengths to avoid this.
Also, I hate fb so I deactivated my account. So that clearly means that I wont be using fb for anything. So, universal logins need a lot of work.
Why would you want to use (e.g.) an RSA key for authentication, forcing you to carry around a data fob or something from computer to computer, instead of using a password or passphrase that you can actually remember? Ordinary users would flip out if you asked them to do that. If you really want a super strong key, you can simply use passphrases that don't suck, or you can always use a password manager like KeePass that encrypts your weak passphrases with a strong master key.
Strong passphrases is also not enough, unless the passwords are unique across sites. Some HN users may use unique passwords, but normals don't. I don't do it with 100% regularity.
I suspect the real result of such a scheme is that everyone's private keys to everything would be sitting around unencrypted on USB drives and written on pieces of paper, so it would be even easier to steal their identities.
I think the solution is still -- use a password manager, and then it's easy to keep track of unique passwords across sites.
That's not quite the way it works. There is no shared secret required. With my public key you can create an authentication challenge that allows you to validate my identity without ever seeing my private key (or, for that matter, you can send me a message that only I can read).
Public key crypto still requires a private key - which is basically a password that is too long and obscure to be remembered by a human. And therefore has to be stored in a text file on your computer (a security risk in itself; I'd presume most people don't currently do this with their passwords). And good luck logging in to Facebook from a friend's computer.
A private key is fundamentally different - it is private. You never send it to anyone, ever. So it's safe to use just one, because nobody else will ever see it.
As you alluded to, the problem then becomes managing that key securely, and also generating & distributing keys for non-technically inclined users.
But a correct infrastructure could be easier to use and an order of magnitude more secure.
And it wouldn't have to be rolled out all at once. I really wish my bank gave me the option of signing in with a private key today.
(unless you memorized your key - it's something you have, not something you know)
A website could send a push-notification to your phone. You as a user would then have to say "Yes Its me logging in" and voila your in.
The disadvantages are a) your email can be hacked and b) it's a bit inconvenient for the user. Also you'd need SSL to protect the key, which would be in the URL.
http://www.rsa.com/node.aspx?id=1156
I'm not sure this would ever be practical for consumers, but it's a clever idea. i've used it to get on vpns at big companies.
But computers are good at remembering lots of long random strings, so why have we not developed a standard for site log-ons which the browser chooses the passwords and stores it securely for the user?
I've always thought, perhaps irrationally, that the problem with biometrics is false positives: i.e. letting in someone who isn't you. I misttype my passwords all the time, and I think users would be OK with a "Sorry, can you say that again?"-type message on occasion.
Basically, am I in "where's my flying car" territory?