
Why [Insert Thing Here] Is Not a Password Killer - nikbackm
https://www.troyhunt.com/heres-why-insert-thing-here-is-not-a-password-killer/
======
cyborgx7
It is not just that everyone knows how passwords work. It is also that you can
always enter a password.

What if I don't have my phone to scan a QR code? What if I want to use a
minimalistic browser that doesn't implement a key pair store and I don't want
to or can't set up an external one? What if my minimal browser is text only?
What if I'm on another device and don't have my stuff on there?

I will pretty much always be able to enter a string of characters. To quote
the Unix philosophy:

Text is the universal interface.

~~~
ken
Sort of. You're selectively quoting "Write programs to handle text streams,
because that is a universal interface" -- but that was from the days when
"text" was basically synonymous with "ASCII".

Passwords aren't streams, and in the Unicode world, they're not even
(predictable) byte arrays. This isn't just hypothetical. There have been
recent bugs in major systems where people with non-ASCII passwords couldn't
type them.

One of the major failings of QR codes for consumer use, IMHO, is that there is
no fallback. With UPC, the number is printed right below the barcode, so when
it doesn't scan, the clerk can just type in the digits.

ASCII digits are universal. Bytes are universal. Text is ... complicated.

~~~
jniedrauer
> ASCII digits are universal. Bytes are universal. Text is ... complicated.

All text should be UTF-8. It really shouldn't be complicated in $current_year.

~~~
npongratz
Unicode itself gets pretty complicated:

[https://en.wikipedia.org/wiki/Unicode_equivalence](https://en.wikipedia.org/wiki/Unicode_equivalence)

~~~
kijin
Let's rephrase what GP said: All text should be UTF-8 in Normalization Form C.
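Added example, not part of this thread: what kijin's point means in practice when a password is hashed. It assumes a Python server that hashes with scrypt; the two password spellings are constructed, and the only difference between the two runs is whether the input is NFC-normalized before it is encoded.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed example: the same visible password typed on two systems.
# One keyboard emits the precomposed "é" (U+00E9); the other emits a plain
# "e" followed by a combining acute accent (U+0065 U+0301). Both render the
# same, but they are different code point sequences and different UTF-8 bytes.
PASSWORD_COMPOSED = "caf\u00e9-secret"
PASSWORD_DECOMPOSED = "cafe\u0301-secret"


def password_bytes(password: str, normalize: bool = True) -> bytes:
    """UTF-8 bytes of the password, after NFC normalization if requested."""
    if normalize:
        password = unicodedata.normalize("NFC", password)
    return password.encode("utf-8")


def hash_password(password: str, salt: bytes, normalize: bool = True) -> bytes:
    """Salted scrypt hash over the (optionally normalized) password bytes."""
    return hashlib.scrypt(password_bytes(password, normalize),
                          salt=salt, n=2**14, r=8, p=1, dklen=32)


def verify_password(candidate: str, salt: bytes, stored: bytes,
                    normalize: bool = True) -> bool:
    """Constant-time comparison of a fresh hash against the stored one."""
    return hmac.compare_digest(hash_password(candidate, salt, normalize), stored)


def round_trip(normalize: bool) -> bool:
    """Register with the composed form, then log in with the decomposed form.
    Returns True only if the login succeeds."""
    salt = os.urandom(16)
    stored = hash_password(PASSWORD_COMPOSED, salt, normalize)
    return verify_password(PASSWORD_DECOMPOSED, salt, stored, normalize)


if __name__ == "__main__":
    print("without normalization:", round_trip(normalize=False))  # False
    print("with NFC normalization:", round_trip(normalize=True))  # True
```

The normalization has to happen on every path that touches the password (registration, login, password change), otherwise a user who registered from one keyboard layout is locked out from another, which is exactly the class of bug ken describes.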

------
jrockway
> Despite it's [sic] many flaws, the one thing that the humble password has
> going for it over technically superior alternatives is that everyone
> understands how to use it. Everyone.

I think the problem is that people don't understand how to use passwords. They
will reuse them among sites. They pick easily-guessable and low entropy ones.
They will type them into any website that asks. The end result is that not
much security is provided.

(Things are just as bad on the server side, of course. Developers store them
in plain text. They will email them to you. They delete entropy so that you
can use your password to log in over the phone or from a computer terminal
that apparently only has capital letters. I've even seen a website where the
password is sent to the browser and the password checking happens in
Javascript. Not great guys, not great.)

~~~
screye
> I think the problem is that people don't understand how to use passwords

From the looks of it, neither do the authenticators. The capital letter +
symbol + number requirement had led to the current predicament. Just asking
for really long passwords would have been a lot better.

As it stands, people either use a predictable string of num-symbol to satisfy
requirements or remember that one strong password, which qualifies for all of
the above.

Software like LastPass is great, but I don't always have access to it. It
also makes all of my online security have a single point of failure.

I think it would be a lot better if companies just changed password
requirements to a decently large length, e.g. min 20.

This eliminates the likelihood of passwords like abc123, qwerty and the oh so
lovely "password".

~~~
hyperpape
Just by itself, long passwords will result in people using
"franklymydearIdontgiveadamn" and other things susceptible to a dictionary
attack.

Long passwords plus a bad password check ([https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/)) might suffice. However, without that check, I
suspect requiring special characters marginally improves entropy in practice.

~~~
guitarbill
Pretty much everybody I know and asked in the office just sticks some
punctuation at the end, e.g. "Passw0rd$". IDK how much of an "improvement"
that is, compared to e.g. 4 extra characters.

~~~
hyperpape
That's definitely a thing, and you're right, it doesn't add much entropy
(people choose from a few numbers, a few special characters, not that many
substitutions). Four extra characters that are truly random (even just out of
26 letters) is way better. However, that's not the alternative I'm worried
about. I'm worried about people using phrases that will be in the first few
thousand entries in a phrase dictionary.

------
rocqua
From the article:

> I'm referring to passwordless solutions that involves things like QR codes,
> pictorial representations, 3rd party mobile apps, dedicated hardware devices
> or "magic" links sent via email.

I'm not entirely sure the argument holds for the magic links sent via email.
To me, those feel like lower friction than entering a password. Because all of
a sudden, users don't have to remember their password.

For any company considering this, I'd suggest looking at how often the 'forgot
my password please send me an email' feature is used. I know that, before I
had a password manager, there were accounts where I simply never remembered my
password. I had to use them like once every month, and it was easier to just
get the password reset link.

Now consider how much easier a 'click here and be logged in' link is than a
password reset system. This only really gives friction for those few people
who aren't always connected to their e-mail system. On account creation, this
system is even better. All a user needs to enter is their e-mail address. No
more needing to enter a password (twice!). No more dealing with password
requirements.

"magic" e-mail links feel like they really could be a password killer in terms
of lower friction.

However, it isn't clear at all that "magic" e-mail links are more secure than
passwords. I'd guess that, given enough adoption, they'd develop some issues.

~~~
ryan-c
There are some minor issues with the magic link workflow - one of them is
security scanning software potentially visiting the link.

So then you need to open the link in the same browser you want to use. But
what if you want to log in on a desktop browser and only have your email on
your phone?

Maybe have the magic link show a couple letters you need to type into the
browser?

~~~
BillinghamJ
They are trivially solvable problems. PKCE and just displaying a QR code if
you open it on the wrong device makes it pretty much foolproof.

e.g.: [https://magic.cuvva.com/auth-callback?code=authzcode_000000B...](https://magic.cuvva.com/auth-callback?code=authzcode_000000BUbZIHZJMzS8f4NLD7tmltY.fa5e2579d6693016765cf04d2c69b3a58785352591244b69c0e04f3c0e5411ce&state=Ijn8I4qQr6HqfG0kxh05rsLmF4IqB3JNchgpbSRR7HY)

We're oriented around mobile use cases. Admittedly less ideal if you don't
have your email on your desktop. But ultimately, if all else fails, you can
always log into your webmail.

For me the key thing is that it doesn't rely on users having any particular
knowledge or understanding best practices - they just need to hit the big
green button. Sure people are more used to passwords, but that doesn't mean
the usability of magic links isn't still better despite them being much less
common.

Normal people are so bad at dealing with passwords. They reuse them, they
forget them, they write them down on text files on their computer. Almost
anything is better if your userbase isn't primarily technically adept people.

And frankly most popular email providers are pretty good at keeping the
accounts secure. Likely much better than anything homegrown we could do.
Especially given the fact that you'll just end up having password resets via
email anyway.

~~~
rocqua
The QR-code thingy hits a friction barrier. For me needing to go to my phone
is more friction than unlocking my password manager. Note that I only need to
unlock my password manager once per reboot, and that for most people the
password manager is already too much friction.

~~~
BillinghamJ
You'd only use the QR code thing if you were logging into an app on your
phone, but had opened the email on your laptop. It wouldn't make sense in the
other direction.

------
codedokode
I don't agree with the author. Passwords are difficult to remember and easy to
steal. Example I saw: old people write their card's PIN code on it because
they cannot remember it. Everyone knows how to use it, you say?

I think that for an average, not computer-loving type of person, a hardware
key is the best solution. You don't need to remember anything: just insert the
key and press the button.

Why aren't they popular? I think because they are not a standard and are not
built in. You don't get a free key when buying a laptop or a smartphone and
that's the main reason why nobody is using them.

But there already are applications that don't use passwords. For example,
Telegram (IM application): when you install it you only have to enter your
phone number, it sends the code in SMS, the app reads the code without user's
interaction, and authenticates the device. No passwords, no need to remember
anything. I don't like this (it is not convenient for those who use a burner
phone number for registration), but for a more typical user it is convenient
and doesn't require them to remember anything.

I think we will see more passwordless authentication in the future.

~~~
Leace
When using hardware keys remember to register at least two. In case one stops
working or is lost/stolen you're locked out of your account. Backup codes help
but they're another barrier one has to remember.

------
Svoka
In my humble opinion, very few know how to use a password. Most people
still believe that their cat's name starting with a capital letter and with a 1
at the end is a good password. Or that once you have a good password it is
enough to use it everywhere. The same password everywhere is not security, it's
a vision of security. It may surprise the author that the main reason to provide
authentication is to give some security, and in the case of every single non-IT
person I know their passwords are just an illusion.

So, I would argue, while anyone can type in some stuff, how to make it secure
is rare knowledge almost no one has. So, is it really "everyone knows how it
works"? Or is it just everyone repeating their not-quite-secure passwords to
make the machine happy without any understanding of the consequences?

~~~
dgzl
You could argue that few people use passwords in a properly secure manner, and
you'd likely be right, but the real question is what will replace passwords?

The truth you describe doesn't mean that we should convince people to use
passwords correctly, rather that passwords aren't the best security medium for
humans. It's unreasonable for people to be expected to craft highly secure,
brand new passwords each time they need one, and also expect it to be stored
in long-term memory. That process is simply out of scope for most humans.

So then, how do we make this easier without compromising security?

------
turc1656
All valid points. But there are two other main reasons I see as to why (strong)
passwords are essentially a superior choice to everything:

1) Using passwords properly is an exceptionally powerful way of protecting
your account/data/etc. If you use strong, unique passwords and store in a
password manager (with the PW database encrypted, of course), it's virtually
impossible to break into anything on the user side of things. You might be
able to gain access via the server/business side depending on the hack you are
pulling off, but that's on the company rather than the user. For instance, I
do personally have my passwords stored in a password manager with an encrypted
database. They're all unique and strong, as is the password used to access the
password database. That password exists only in my mind. It's not written down
anywhere or stored in some file on any computer. It's not physically printed
out on paper or anything like that. It literally only exists in my head. And
given its complexity and length, there is effectively nothing that will be
able to break it in any reasonable amount of time. The government also can't
force it from me as they could with other methods like 2FA, QR codes,
fingerprints, etc. due to 1st amendment issues. Basically, short of getting me
to log in from a compromised (i.e. keylogged) device (highly unlikely) or
torturing me for the info, there's no way of getting it. And if you're willing
to torture me for it - ok, you win then.

2) From a technical point - basically every device we would use to log into
anything has either a keyboard (whether physical or on-screen) or some sort of
keypad (again, physical or on-screen). This makes for universal compatibility.
If people need to have special QR-code scanning/creation software installed on
a device, or fingerprint-reading hardware - that creates a non-trivial barrier
to the device compatible with the login process.

~~~
krupan
"If you use strong, unique passwords and store in a password manager (with the
PW database encrypted, of course)"

You aren't talking about passwords the same way everyone else here, especially
TFA, is talking about passwords. You might as well be talking about RSA keys
at this point.

~~~
tialaramex
Perhaps more appropriately AES keys, as they are a shared secret (shared with
the target site even if it's using a decent password hash) rather than a
private key.

------
chme
I haven't heard of any system that replaces passwords all the way. Apart from
usability, most systems either rely on things that are hard to change
(biometrics), things that can be copied (keyfiles, cookies, software) or
things that can be stolen (hardware token). So they don't replace something
that you have to remember (password).

Passwords are easy to change and while they can be copied, that would be the
result of the user or the login software doing something stupid. Not something
wrong with concept of the password login itself.

IMO those systems can be used to make the login more secure but replacing
password all together not so much.

~~~
will4274
> Apart from usability most systems either rely on things that are hard to
> change (biometrics), things that can be copied (keyfiles, cookies, software)
> or things that can be stolen (hardware token).

Actually... When you log on with a password today, an Identity Provider like
Google or Microsoft typically issues you a "ticket granting ticket" (TGT)
which you can use to get more tickets. The TGT is stored in a cookie on the
web or in the OS. This TGT is something that can be copied. So, today, when
you log on, you provide your password to get something that can be copied that
you then use to log on to various services. Point being, something that can be
copied is in the flow anyway, so switching from password to something that can
be copied and revoked is only an improvement.

~~~
chme
"copied" in my case is something negative. I meant that as this information is
stored unencrypted somewhere and can be just copied and used by an attacker to
authenticate as an specific user.

The ticket or cookie or what ever is just used to signify to the system that
you are authenticated as user x and specific to http because it is stateless.
So an implementation detail and not part of the authentication concept.

I meant cookies here as data that lives in the browser forever or until the
user requests a new one just using that cookie alone. And removing that cookie
results in locking that account forever.

------
xte
Why I like passwords (and various keys locked/unlocked with passwords)? Simply
because I can change them, I control them.

Biometrics is unsafe by design because our body can change outside our control
and our body is public enough and unchangeable enough to be a REALLY unsafe
authentication system for anything but human being interacting together.

External other-factor auths like OTP, side verification, port-knocking, ...
are good, but they still need a password somewhere in the chain.

So no, it's not only a matter of reactionary users not willing to change but
also a matter of rational safety reasoning.

~~~
danielrm26
When current bio-related credentials are stolen, they're not stealing your
hand or your iris or your face.

They're stealing destructive hashes of those things.

It'd be like having someone sketch a stick figure version of you, and then you
claim your identity was stolen.

No, it wasn't. Stick figure drawings only work in stick figure readers.

~~~
xte
Take a look at some "sophisticated" retinal scanners: they are in the end
cameras, a special kind. Fingerprint readers? Another kind of scanner. It
doesn't matter that today only a few simpler models can be cracked with a
single strip of scotch tape, it's only a matter of time.

And we can go up, even imagining a quick DNA scanner, quick enough and smart;
it does not change that much, your DNA can be grabbed around you in many ways.

The essential point is simple: using your body means using an exposed key,
using a password means using your brain, which is far harder to "expose". Also
passwords are trivial enough: you can even check your keyboard for a built-in
keylogger, protect your environment from cameras and microphones (phone/audio
analysis to determine the keys you press) etc. Try to hardware-check a
biometric system and well... Good luck.

------
scraft
I signed up for something recently and on the password screen it popped up
with something along the lines of "Hey, can we generate a secure password for
you, don't worry, your browser will remember it for you?" I said yes, sure
enough a strong password appeared and Chrome offered to remember it. Seemed
like a nice introduction to using secure passwords. The next thing I signed up
for I manually generated a secure password and pasted it in and that is now
stored in my browser too.

~~~
Wowfunhappy
And now that person is forever locked in to the browser they were using at
sign up time. What happens if they move from Mac → Windows or Android → iOS?

~~~
Ajedi32
As long as they use the same browser on each of those platforms, they're good.

Yes, vendor lock-in is an issue; and I hope eventually there'll be a way to
sync credentials across browsers. But keep in mind that, even as things are
now, it only locks you to a specific browser, not to a specific OS.

~~~
Filligree
Exporting the passwords is also possible, so it's not really much lock-in. Not
to the kind of person who'd care, and _want_ to switch browsers.

~~~
Skunkleton
You got it backwards. Vendor lock-in rarely applies to experts. It is the
people who "don't care" that _we_ should care about protecting from lock-in.
After all, that is how we got internet explorer 6.

~~~
Filligree
Those, in my experience, are the same people who _can't_ switch browsers.
They aren't capable of learning new things, and can often barely keep going
with what they have.

~~~
Skunkleton
Not in my experience. They are the people who just don't care. What they have
works well enough, so they don't look to change it.

------
myWindoonn
A little boring and reactionary, I think. Unguessable capabilities (long
unchoosable URLs mostly) have been used to replace passwords. Plenty of
systems refuse to let users _choose_ passwords, and many common password
problems are totally mitigated by this design.

~~~
bad_user
A URL with a randomized path in it is, technically, a password.

Also note that the transportation mechanism is pretty weak. If the URL is
passed over HTTPS, then that keeps your ISP from seeing it, however it can
still show up in logs on the server side or the client side, in your history.
A URL will be remembered or even cached by your browser, whereas a regular
password won't, unless you explicitly allow it.

A regular authentication mechanism doesn't necessarily suffer from these
weaknesses. Consider that you can derive the server-side password, like a
client-side hash which may even be time dependent, such that the actual
password is never sent to the server. You can implement systems in which the
password you know is never sent over the wire.

Basically a randomized URL is semi-public and you need to treat it as such.

There aren’t many alternatives to classic authentication mechanisms around.
The only one I can think of is having authentication links emailed to you, but
that’s also less secure and it simply defers the problem to a third-party.
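Added example, not from the comment author: one concrete form of the "client-side hash" bad_user describes, where the value a site receives is derived from the real password with the site name and username as salt, and the site then hashes that derived value again like any other password. The site names, username and password are constructed; the time-dependent variant the comment mentions is not shown, and this is not a PAKE, so the derived value is still a password-equivalent for that one site and still needs TLS in transit.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 200_000  # PBKDF2 iterations on the client (constructed choice)


def derive_site_credential(password: str, site: str, username: str) -> bytes:
    """Client side. The value sent to the site is a slow hash of the real
    password keyed to the site and username, so two sites that share a user
    receive unrelated values even when the underlying password is the same."""
    salt = f"{site}\x00{username}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, CLIENT_ROUNDS, dklen=32)


class Site:
    """Server side. Treats the derived credential exactly like a password:
    it is salted and hashed again before storage, never stored as received."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.users = {}  # username -> (salt, scrypt hash); stands in for a DB

    @staticmethod
    def _hash(credential: bytes, salt: bytes) -> bytes:
        return hashlib.scrypt(credential, salt=salt, n=2**14, r=8, p=1, dklen=32)

    def register(self, username: str, credential: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(credential, salt))

    def login(self, username: str, credential: bytes) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(self._hash(credential, salt), stored)


def scenario() -> dict:
    """One user, one real password, two sites. Shows what each site can do
    with the value it received."""
    password = "correct horse battery staple"  # constructed sample password
    shop, forum = Site("shop.example"), Site("forum.example")
    shop_cred = derive_site_credential(password, shop.name, "alice")
    forum_cred = derive_site_credential(password, forum.name, "alice")
    shop.register("alice", shop_cred)
    forum.register("alice", forum_cred)
    return {
        "shop_login_ok": shop.login("alice", shop_cred),
        # A breached or malicious shop cannot reuse what it saw at the forum.
        "replay_at_forum_ok": forum.login("alice", shop_cred),
        "sites_receive_same_value": shop_cred == forum_cred,
    }


if __name__ == "__main__":
    print(scenario())
```

The derivation parameters (iteration count, the exact salt layout) must be identical on every client the user logs in from, which is the usual practical obstacle to this design and why it tends to live inside a password manager rather than a web page.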

~~~
paulryanrogers
If those password-URLs are one time use then they are better than a static
password. Still, it's likely those are managed via email which makes _that_ a
single point of failure.

------
new299
I always liked the idea of having a password entry system where a single
observation doesn’t provide enough information to reveal the password [0].

However in addition to creating issues with the secure storage of the
password... I don’t think people would be able to use it reliably.

Still, some banks still seem to use the "enter the Nth letter of your
password" scheme, which seems almost equally unworkable...

[0] [https://41j.com/blog/2011/10/unobservable-pin-and-password-entry/](https://41j.com/blog/2011/10/unobservable-pin-and-password-entry/)

~~~
sbradford26
The Nth letter of password thing sounds sketchy to me. Mostly because it
sounds like they have my password in plaintext if they can check that.

~~~
chme
No they just store a checksum for every letter of your password.

/s

~~~
kevin_thibedeau
I'd hope they at least apply ROT13.

------
dustinmoris
> Despite their respective merits, every one of these solutions has a massive
> shortcoming that severely limits their viability and it's something they
> simply can't compete with:

> Despite it's many flaws, the one thing that the humble password has going
> for it over technically superior alternatives is that everyone understands
> how to use it. Everyone.

This is (mostly) true, however, there is already evidence that new technology
could kill the password indeed. What I am talking about is modern phones which
all come with a fingerprint scan or facial recognition which, from my own
limited experience and my own observations, has mostly killed off the
"passcode" on the phone. Yes our phones still make us pick a passcode, but
unless forced to use it nobody does anymore. Even my technology-incompetent
mother uses the fingerprint scan to log into her phone and I don't see why
something similar couldn't replace the current experience of her having to
type an insecure password into her Hotmail all the time.

~~~
TeMPOraL
<insert standard argument against biometrics>

Biometrics is essentially putting a massively complex system in front of your
password input, that lets the device read the password off your body, but the
consequences are a) you now can't ever change your password, and b) there's
this massively complex system in front of (now hidden) password form, and
complexity means unreliability and exploitable holes.

The reason it seems to be working in phones and in laptops is just because the
protected systems - personal computing devices of random members of general
population - are of low importance, so it's unlikely an attacker is going to
bother, whereas the convenience benefits are substantial.

~~~
bad_user
It’s also not the complexity that’s the problem.

Even if it’s flawless, which is impossible, with biometrics you can easily be
coerced into giving access without effort, whereas we haven’t invented a mind
reader yet.

In other words I can easily imagine kids gaining access to a credit card via
fingerprints or facial recognition, while their parents are sleeping ;-)

I wanted to write about law enforcement agencies, but this is so easy that
your kids can do it.

~~~
yepguy
That new HP laptop commercial featuring the fingerprint reader makes me
facepalm every time. They advertise it as "reinventing passwords" WHILE
ILLUSTRATING EXACTLY HOW INSECURE IT IS.

[https://www.youtube.com/watch?v=KTn0r0HPXVg](https://www.youtube.com/watch?v=KTn0r0HPXVg)

~~~
bad_user
That's too good to be true :-))

------
Ajedi32
WebAuthn is coming. In fact, it's actually already here. There are only two
things it needs before it can start to take over the world: a cross-browser,
cross-platform implementation with synced credentials, and server-side
implementations from a few large companies like Google and Facebook.

A cross-browser, cross-platform implementation with synced credentials will
solve the one remaining usability issue WebAuthn has; the need for users to
register every device with the site they want to sign up on. It's not
acceptable for users to sign up on their PCs and then have to jump through a
bunch of hoops to sign in on their phones; and bootstrapping with passwords
eliminates many of the benefits of Web Authn.

Implementations from major companies will solve the chicken-egg problem that
Troy mentions. Once the system is commonplace, smaller sites will be less
hesitant to jump on board with an authentication solution that's different
from the password-based one that users are used to.

~~~
quickben
And that too, won't be a password killer.

Heck almost 20 years ago Nortel had something better than what you described,
and still we have passwords around.

Everything old is new again, today we are solving passwords with X, tomorrow
with Y, etc.

~~~
Ajedi32
Webauthn is a web standard; not a proprietary product by a company I've never
heard of.

Whatever it was Nortel had, I highly doubt it was as usable or ubiquitous as
what WebAuthn already is.

------
guidodassori
The only password killer is a password manager. And guess what, it is password
protected.

~~~
marcosdumay
Keepass can use a key file too.

~~~
kevin_thibedeau
Turning "something you know" into "something you have"... or anyone else can
have too.

~~~
marcosdumay
It's turning "something you know" into "something you know and something you
have".

For most people it's completely redundant because the passwords database is
also "something you have". But it leads to some nice possibilities.

------
czei002
If done right, passwords are a very powerful and universal auth method, i.e.
all credentials can be remembered and no third party or auth device is needed
(e.g. you are still able to log in even when you have lost all your belongings
while traveling). However, there are problems when reusing passwords, and
passwords are usually leaked to the remote party when authenticating, e.g. it's
trivial for a web service to learn what password or password pattern you are
using. I am working on an open source project called FejoaAuth where we are
working on a secure authentication solution that does not leak the password
during login. This allows reusing a password, e.g. to use a password for
authentication and for data encryption. This makes true one-password solutions
possible. It's an open source project so please get in contact :)
[https://fejoa.org/fejoapage/auth.html](https://fejoa.org/fejoapage/auth.html)

------
tzs
> Netflix requiring... 4. But I'm hesitant to berate Netflix for what seems
> like an extremely low number because they're also dealing with the usability
> challenge that is people logging on to TVs with remote controls

Amazon handled this great when I set up Prime Video streaming on my Sony Blu-
Ray player. I don't remember the exact sequence because it was 8 years ago,
but it was something like this:

1. Go to Amazon on my computer, log in, and tell them I'm trying to set up a
new device for Prime Video streaming. They ask me for the make and model and
serial number, which was available on the device in the Prime Video app.

2. Amazon gives me an integer. I don't remember the length, but I'm pretty
sure it was in the 4-6 digit range.

3. On the Blu-Ray player, give that integer to the Amazon Prime Video app,
and it completes the setup.
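Added example, not Amazon's code: the three steps above as a small pairing service. The defensive details worth noticing are that the short code is bound to the device serial recorded in step 1, expires quickly, allows only a few attempts (a 4-6 digit code on its own is guessable), and is exchanged on success for a long random device token so the code itself is never reused. The model name, serials and account names are constructed.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # a code typed in with a remote control should not live long
MAX_ATTEMPTS = 5        # a 6-digit code is guessable unless attempts are capped

# In-memory stores standing in for a database (assumption of this example).
PENDING_DEVICES = {}  # serial -> pending pairing record
DEVICE_TOKENS = {}    # long random device token -> account name


def issue_pairing_code(account: str, make: str, model: str, serial: str, now=None) -> str:
    """Steps 1 and 2: called from the user's already logged-in web session.
    Binds a short, short-lived code to this exact device serial."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # six digits, zero-padded
    PENDING_DEVICES[serial] = {
        "account": account, "make": make, "model": model,
        "code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0,
    }
    return code


def redeem_pairing_code(serial: str, code: str, now=None):
    """Step 3: called by the device itself with its serial and the typed code.
    On success the code is consumed and replaced by a long random device
    token. Returns the token, or None on any failure."""
    now = time.time() if now is None else now
    rec = PENDING_DEVICES.get(serial)
    if rec is None or not code.isascii():
        return None
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del PENDING_DEVICES[serial]  # expired or exhausted: user starts over
        return None
    rec["attempts"] += 1
    if not hmac.compare_digest(rec["code"], code):
        return None
    del PENDING_DEVICES[serial]
    token = secrets.token_urlsafe(32)
    DEVICE_TOKENS[token] = rec["account"]
    return token


def account_for_token(token: str):
    """What the device presents on later requests instead of any password."""
    return DEVICE_TOKENS.get(token)


if __name__ == "__main__":
    code = issue_pairing_code("alice", "Sony", "BLURAY-MODEL-X", "SERIAL-DEMO")
    print("code shown on the computer:", code)
    print("device token:", redeem_pairing_code("SERIAL-DEMO", code))
```

Because the code is only meaningful together with the serial the user typed into an authenticated session, a guesser would have to hit both the serial and the code within five tries and five minutes, which is what makes such a short code acceptable.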

------
PopeDotNinja
One thing I like about passwords is they live in my head. No one can force
me to give it up easily. But with a fingerprint or retina scan, anyone can push
me up to a sensor and force me to supply the body part(s) needed to
authenticate.

------
orblivion
If nobody understands anything other than passwords, how has 2FA taken off at
all? How have password managers taken off at all?

What if the password manager were in charge of logging you in _directly_,
through some new protocol between browsers and PW managers? How could that
_possibly_ be more friction? It would be strictly less. Hell, it could be done
without even informing the user that this new feature was being rolled out,
and they sure as hell wouldn't complain about inconvenience because of a step
removed from the login process.

Asking people to deal with more and more and longer and longer passwords is a
usability nightmare. It's an absurdity.

~~~
nathantotten
I wouldn’t say 2FA or password managers have “taken off”. I don’t have
numbers, but just from my small sample of friends/family, only people who are
technically advanced or who I have forced (my wife ;) use password managers.

~~~
orblivion
Well hey, it's a start. They've got more adoption than Troy claims any of the
niche experimental password replacers do.

------
creeble
I just wish there were a more universal acceptance of entropy. I.e.:

Use at least one upper case letter and symbol

OR

Use a password that is at least 20 characters long

Passwords are fine, it's the differing standards that are nutty. Especially
when you don't know them until after trying.

~~~
bhauer
You can satisfy most entropy requirements without even trying by using a
password manager's "create random password" feature. I feel the more important
thing to attack is making password management more approachable to laypeople.

To your point though: the most bothersome constraint put on passwords by
applications and web sites are _limits_ such as restricting certain special
characters (To what end? You're going to hash it anyway, so why limit my
special characters? You _are_ going to hash it, right?) and limiting password
length to something surprisingly short like 16 characters.

~~~
TremendousJudge
My _bank_ requires passwords to be exactly 8 characters and is case
insensitive. When I first realized, I literally couldn't believe it; it's
infuriating.

~~~
ajford
Sounds like it might be time to switch banks....

~~~
TremendousJudge
I know, but it's one of those things that are much easier said than done sadly

------
comma-ampersand
What is wrong with magic links exactly?

Email already is the single point of failure, password resets. People are
already used to looking at their email, account verification etc. People are
already used to looking at their email after signing in, 2nd factor with email
exists on some sites.

Downsides are that they might be scanned by security software and visited, but
surely that's also a problem for verification links? I can't imagine that
people would appreciate accounts being automatically verified...

All other reasons I can think of indicate a problem with password resets as
well, which also gives access to the account anyway.

~~~
BillinghamJ
On a properly implemented magic link system, automatic visiting wouldn't be an
issue at all. Should only work within the same originating session, and
ideally should use PKCE too.
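Added example, not Cuvva's implementation: a magic-link redemption check with both properties BillinghamJ names. The link token only works from the browser session that requested it (a session cookie set when the link was requested), and the requesting page also commits to a PKCE-style S256 challenge that the redeeming page must present the verifier for. A scanner that follows the link has neither, and its visit does not consume the token. The QR fallback for opening the link on the wrong device is not modelled; the email address and in-memory stores are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 600

# In-memory store standing in for a database (assumption of this example).
PENDING_LINKS = {}  # link token -> record


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Browser side: random verifier kept in the page, S256 challenge sent
    with the request (same construction as RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def request_magic_link(email: str, code_challenge: str, now=None):
    """Server side: issue a one-time link token bound to a fresh session
    cookie and to the caller's PKCE challenge. Returns (cookie, token); the
    cookie goes back to the browser, the token goes into the e-mail."""
    now = time.time() if now is None else now
    session_cookie = secrets.token_urlsafe(32)
    link_token = secrets.token_urlsafe(32)
    PENDING_LINKS[link_token] = {
        "email": email, "session": session_cookie, "challenge": code_challenge,
        "expires": now + LINK_TTL_SECONDS, "used": False,
    }
    return session_cookie, link_token


def redeem_magic_link(link_token: str, session_cookie, code_verifier, now=None):
    """Server side: return the authenticated e-mail, or None if any check
    fails. A failed attempt does not consume the token, so a scanner that
    follows the link without the originating cookie cannot lock the user out."""
    now = time.time() if now is None else now
    rec = PENDING_LINKS.get(link_token)
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    if session_cookie is None or not hmac.compare_digest(session_cookie, rec["session"]):
        return None  # link opened outside the session that requested it
    if code_verifier is None:
        return None
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if not hmac.compare_digest(expected, rec["challenge"]):
        return None  # wrong or missing PKCE verifier
    rec["used"] = True
    return rec["email"]


def walkthrough():
    """Browser requests a link; a scanner follows it first; then the browser
    opens it; then the link is replayed. Returns the three outcomes."""
    verifier, challenge = make_pkce_pair()
    cookie, token = request_magic_link("user@example.test", challenge)
    scanner = redeem_magic_link(token, session_cookie=None, code_verifier=None)
    browser = redeem_magic_link(token, session_cookie=cookie, code_verifier=verifier)
    replay = redeem_magic_link(token, session_cookie=cookie, code_verifier=verifier)
    return scanner, browser, replay


if __name__ == "__main__":
    print(walkthrough())  # (None, 'user@example.test', None)
```

The session binding is what defeats the "security software visits the link" problem ryan-c raised; the PKCE check additionally stops a token that leaked from the mailbox from being used even by someone who also obtained the cookie, since the verifier never leaves the requesting page.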

------
zyx321
Passwords, if used correctly, are extremely secure. However 99% of my accounts
are just not important enough to warrant that level of security. I don't worry
about someone cutting off my finger in order to steal my Reddit account. My
Github account doesn't have any projects that aren't forked elsewhere.
Temporarily losing access to Steam for a day or two would not be the end of
the world.

I have two-factor authentication for email, cloud storage, and banking. For
everything else just give me convenience over security, please.

------
auslander
Related, looks interesting, generated QR on login pages.

A big thread:

[https://news.ycombinator.com/item?id=14459537](https://news.ycombinator.com/item?id=14459537)

------
BitterSweets
Closest to a password killer I've used so far is the built-in iCloud Keychain.
My iPhone and MacBook both have access to the same passwords and most of them
are randomly generated.

~~~
aeternus
Ever watch security footage that overlooks people using iPhones? It's amazing
how many sites display the plain-text password on the screen briefly even when
using Keychain.

------
PhasmaFelis
> _The point of all this is that usability is an absolutely essential
> attribute of the auth discussion. What I often find when I have these
> discussions is a myopic focus on technical merits._

This problem is ubiquitous to all of tech, pretty much. It's particularly
iconic to FOSS grognards like Richard Stallman. Software that respects
people's rights is fantastic, and we need more of it, but if you're not making
that software _usable_ then you're wasting your time.

------
ilovetux
I think that a lot of the problems that are inherent to passwords might be
mitigated by not allowing the user to choose a password. A strong, randomly
generated password being given to the user and changed periodically would
almost force the user to use some sort of password manager.

If this were adopted industry-wide (a big ask, I know) then users would be
able to use the familiar "enter username and password" system while being
protected from common mistakes/misjudgments.

~~~
leetcrew
> A strong, randomly generated password being given to the user and changed
> periodically would almost force the user to use some sort of password
> manager.

Or it would force them to click "reset my password" every time they use your
service. Now your service is only as secure as their email account.

~~~
yjftsjthsd-h
> now your service is only as secure as their email account.

Surely that was already true?

------
sgustard
This is an interesting argument, given that my phone over the past few years
has moved from passcodes to Touch ID to Face ID. Most apps and sites on my
phone that want to prompt me for a password are intercepted by the OS, which
generates a one-time code and authenticates me via the same Touch/Face ID. The
number of passwords I actually key in has been dropping steadily to near zero.

------
devit
Here's the "password" killer: generating random passwords on the server and
never letting users input their own passwords.

All issues with reused passwords, password strength, hashing passwords with
slow hashes, etc. instantly solved.

Also improves conversion rate since there's no risk the user gives up signing
up because he can't be bothered to think about or generate a password.

~~~
LeonM
Except that people won't be able to remember them, so expect massive churn
when it's time for them to enter the password the very first time.

~~~
devit
Just set a never-expiring authentication cookie in the browser, so they never
need to enter the password in typical one-device use.

When they need to change devices, have the standard e-mail based password
reset as well as "show password" in the account settings (make the password
reset not reset login, unless the user explicitly elects to "log me out on all
devices").

~~~
thecatspaw
> show password

You should not be able to do that if you're doing security properly. If you
can show the password it means you're not hashing it properly and instead
storing it as plaintext

~~~
devit
1. You can store it on the client side in a cookie.

2. You can encrypt the passwords with a key outside of the database instead
of hashing them. That means that people can now login with a read-only
compromise of both your app and the database, but chances are that such a
compromise would be a full compromise anyway.

3. You can also not show them the current password, but instead generate
another one and have them both be valid (until explicitly revoked)

------
elwell
At ClearCoin, we use a stored private key in the user's browser extension to
sign every authenticated request. The signature is verified on the server,
checking that it matches the Ethereum wallet address listed in the payload.

------
lifeisstillgood
Ancient Egyptians probably made the same argument "Keys just won't work -
_everyone_ knows how to use a door knob, but these new dangled keys, no one
carries them, we have not invented key rings yet so people will fumble. Best
not to."

No, people dealt with keys and locks because they did not want their stuff
stolen.

As more and more valuable stuff is kept behind our passwords we will accept
more and more cost to protect them.

~~~
Wowfunhappy
Keys aren't actually secure at all. Anyone with a lock-pick and a bit of
practice can break in. I'd say that's actually about equivalent to a poor
password—it's not _that_ secure, but random person off the street won't be
able to break in with a snap of the finger.

Yes, with a password on the internet, there are far more possible attackers
because you can attempt to break in from anywhere in the world. But that's
somewhat beside the point—the standard locks we use on our homes are
absolutely about convenience above ideal security. We _could_ use locks that
are more difficult to break, or keypads that require you to both turn the key
and input a passcode. Most of us don't.

~~~
lifeisstillgood
It's kind of not the point - there are levels of security we accept because
they match the cost / benefit ratio - at least the perceived cost benefit
ratio.

Thousands (millions?) of people are daily losing money / privacy due to poor
"locks" on our digital doors. If millions of people were burgled every day
then these poor quality locks would be replaced with hardened steel doors and
seven tumbler whatevers.

I think it is the invisibility of the attacks that is mispricing the
cost/benefit ratio, and allowing the idea "people won't accept anything better
than passwords".

A friend recently lost control of his business email, which led to someone
asking a client to change bank routing details before paying an invoice -
police were involved but it's still not clear what's going to happen.

He is not happy with passwords.

Now as these scenarios spread, as attacks cost more money, we will see the
perceived cost benefit sweet spot change - away from weaker security and
towards better solutions - password managers, 2FA, U2F etc.

We will give up our passwords if the cost is not too great.

------
_pdp_
Sign up for Monzo and some of the new banking apps and try really hard to find
a password field anywhere.

------
Anonymous4C54D6
Has anybody made a list of [Insert Thing Here]s? I'm curious what kind of
trade-offs they offer.

~~~
nickpsecurity
Here's a great one from Pico project:

[http://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta-password--oakland.pdf](http://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta-password--oakland.pdf)

Other publications that might interest you:

[http://pico.cl.cam.ac.uk/technical/](http://pico.cl.cam.ac.uk/technical/)

Ross Anderson's blog, LightBlueTouchpaper, has writeups on this in the
authentication category.

------
PunchTornado
It still blows my mind how companies like Medium think they use a superior
system by making you log in to email in order to log in to medium.com.

It makes my 1Password app useless and I just don't bother to log in to Medium
=> irrelevant articles => less time spent there.

------
MrStonedOne
Passwords can always be used.

You can forget a password, but you can't drop it down a storm drain, or have
it all of a sudden fail to boot, or forget to bring it when you're at a
friend's house and now you can't answer your users' calls to fix the site that
went down for some reason.

------
beatgammit
What about forcing some set of users to change their password if it shows up
in a breach?

~~~
TheDong
Troy Hunt created a service for this. He provides an API where you can
securely check if a user's password is pwned without revealing the password to
his server.

He's written about it several times, here's one of the posts:
[https://www.troyhunt.com/enhancing-pwned-passwords-privacy-by-exclusively-supporting-anonymity/](https://www.troyhunt.com/enhancing-pwned-passwords-privacy-by-exclusively-supporting-anonymity/)
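An added, offline model of the check described above (and of the "force a change if it shows up in a breach" policy asked about in the parent): the client hashes the password, sends only the first five hex characters of the SHA-1, gets back every suffix in that range, and compares locally. This is illustrative code written for this thread, not the Pwned Passwords service's own code; the breach corpus and counts are constructed.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
# Counts are made up for the example; the real service holds hundreds of millions.
BREACHED_PASSWORDS = {
    "password": 3730471,
    "123456": 23174662,
    "letmein": 123456,
    "hunter2": 17,
}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the range query uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: dict) -> dict:
    """Server side: bucket every hash by its first five hex characters."""
    index: dict = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index

RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)

def range_query(prefix: str) -> str:
    """Server side: answer a 5-character prefix with every 'SUFFIX:COUNT' line in
    that range. The server never learns which suffix, if any, the client wanted."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError("prefix must be exactly five hex characters")
    lines = RANGE_INDEX.get(prefix.upper(), [])
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(lines))

def breach_count(password: str, query=range_query) -> int:
    """Client side: only the 5-character prefix leaves the client; the suffix is
    compared locally against the returned range. Returns 0 if the hash is unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0

def must_rotate(password: str) -> bool:
    """Policy hook: force a change when the password appears in the corpus at all."""
    return breach_count(password) > 0
```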

------
M_Bakhtiari
I can't help but think that browser vendors could have at least made an effort
to make client certs and Kerberos authentication more user-friendly on the
web. Perhaps not so useful for private consumers, but it would sure come in
handy in enterprise.

~~~
wmil
Is there a good place to go for the current state of client certificates?

I've heard that there was an issue where other websites could see the
certificate, so there were privacy problems with having them installed.

It seems like something that would have been fixed, but it's hard to search
for. Server certificates are so much more common. They end up taking over all
the search results.

------
iamgopal
Password is like email, even slack would not be able to kill it.

~~~
ndnxhs
Because I don't want to use some proprietary silo for communication, just like
I don't want to install some website's shitty app to be able to log in.