
It’s time to replace passwords with keys - zeveb
http://bryan-murdock.blogspot.com/2018/03/it-is-time-to-replace-passwords-with.html
======
pc2g4d
Moving in that direction:
[https://www.w3.org/TR/webauthn/](https://www.w3.org/TR/webauthn/)

~~~
zeveb
That looks pretty cool at first glance — I need to spend some time reading it
in my free time to figure it out.

------
JamesLeonis
I'm slacking right now from a project that's tackling this right now. I'm
taking this as a sign to get back to work.

------
LinuxBender
I would add, it is time to use properly managed keys, i.e. ssh keys with
passwords and IP restrictions. Even better, a centralized CA and expiration of
keys.

Keys can be equally as dangerous as passwords if not managed correctly. Public
keys, even more so. What systems and accounts trust my public key? Who knows?
What is managing and mapping that? Did I have sudo for a while and shove my
public key into your authorized_keys file? Are your ssh instances using the
default location for authorized_keys that users can write to? Is this
appropriate in your use case? Certainly not for production machines, right?

Do you rotate your ssh keys that are used in automation? Are your keys limited
to specific CIDR blocks? etc... things to consider.
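
One way to put the "what trusts my key, and is it limited to specific CIDR blocks" questions above to an actual authorized_keys file. This is an added example written for this page, not code from the thread or from OpenSSH; the key material in the sample is constructed, and `expiry-time` is the authorized_keys option OpenSSH added in 7.7.

```python
# Audit an OpenSSH authorized_keys file: is each trusted key pinned to a source
# network (from=) and bounded (expiry-time=, OpenSSH 7.7+) or CA-issued (cert-authority)?
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample (not real keys): an unrestricted key, a pinned and
# expiring automation key, and a CA trust anchor limited to one principal.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0000000000000000000000000001 alice@laptop
from="10.20.0.0/16,!10.20.9.0/24",expiry-time="20260101",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0000000000000000000000000002 backup-job
cert-authority,principals="deploy" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLE0000000000000000000000000003 ops-ca
"""

def split_quoted(text, seps):
    """Split on any char in seps, ignoring separators inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in text:
        quoted ^= (ch == '"')
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def parse_line(line):
    """Return (options, key_type, comment), or None for blank and # lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = [t for t in split_quoted(line, " \t") if t]
    # An options field is present only when the line does not start with a key type.
    opt_field = "" if tokens[0].startswith(KEY_TYPE_PREFIXES) else tokens.pop(0)
    if len(tokens) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    options = {}
    for opt in (split_quoted(opt_field, ",") if opt_field else []):
        name, _, value = opt.partition("=")
        options[name] = value.strip('"')
    return options, tokens[0], " ".join(tokens[2:])

def audit(text):
    """Return (label, finding) pairs; empty means every key is pinned and bounded."""
    findings = []
    for options, key_type, comment in filter(None, map(parse_line, text.splitlines())):
        label = comment or key_type
        if "from" not in options:
            findings.append((label, "no from= source restriction"))
        if "expiry-time" not in options and "cert-authority" not in options:
            findings.append((label, "no expiry-time= and not a CA trust anchor"))
    return findings
```

Run `audit()` over the contents of every path listed under `AuthorizedKeysFile` in sshd_config to get the per-host answer; the sample flags the bare `alice@laptop` key twice and the CA anchor once for lacking `from=`.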

------
vschum
[https://keybase.io](https://keybase.io)

Its mission is to bring public key cryptography to the masses, starting with
programmers. The amount of progress that they've made in the last two years is
actually quite impressive.

~~~
ItzHaunT
Keybase is how I found this site. Was looking through the list of accounts I
could prove, and figured this was worth checking out.

------
vortico
>People can't barely manage passwords, they can't manage them at all.

This is like walking in a room, seeing a tiny speck of red paint on the wall
and saying that the wall is painted red.

Virtually everyone who owns a computer uses passwords, and probably 0.1-1% use
a password manager. The others manage the passwords with memorization or
post-it notes just fine. Sometimes they forget, but email password resets solve
that problem.

They're not _trivial_ for developers, but you shouldn't care about that. You
should care about the end result and UX.

Passwords are simple. No alternative is better because it's a solved problem.
End of story.

~~~
beaconstudios
More users will use password managers if you include those who use browsers'
"remember my password for this site" functionality.

~~~
type0
Even better, ship it with the operating system like so:
[https://www.engadget.com/2017/12/16/windows-10-bundled-passw...](https://www.engadget.com/2017/12/16/windows-10-bundled-password-manager-had-security-flaw/)

/s

------
sowbug
Car keys and house keys could be implemented as U2F tokens. A person could
carry a single device, which could be a discrete token like a Yubikey, or
virtualized in a phone, to authenticate to work, home, car, and computers.

I wish Tesla would adopt U2F. They already have something that seems to be
BLE/NFC for the Model 3.

