
Fuck passwords - vetler
http://me.veekun.com/blog/2011/12/04/fuck-passwords/
======
peterwwillis
I love this post, but must point out something about banks and passwords:

 _Malware trojans don't care about your password._

I don't know why people care about 'password cracking' when it comes to their
bank accounts. Please watch "Modern CrimeWare Tools and Techniques: An
Analysis of Underground Resources"
(<http://www.youtube.com/watch?v=zj4VkCB6obI>) and your jaw may drop. TL;DW:
Bank account sessions are automatically detected and wire transfers happen
immediately to shell accounts. Login accounts are detected and sent to
databases at C&C servers. People who know nothing about computers can generate
a custom trojan to drive-by infect most computers.

Probably 95% of the time, if your bank account gets owned, it's not because
someone cracked your magical password. It's because trojans are incredibly
sophisticated and will take your money at the moment you log in, all
undetected, with no fancy MITM or phishing or SSL cert faking.

Yeah yeah, they got your password and because it's unique now they won't get
into some other account of yours. But carders don't care about your other
accounts. You're one in a million people owned by their trojan. They'll get
the other accounts once you log into them.

------
patio11
There is a (mildly) compelling reason for every bank to have a stupid password
rule which is mutually incompatible with every site in existence: it means
that compromising that other site's identity:password dictionary and then
running it against your bank results in zero successes. Regular users reuse
passwords given the opportunity to do so, and most of them will happily cough
up their bank password to, quite literally, any site on the Internet.

There's got to be some weird game-theory solution for "Maximize for security
while simultaneously minimizing the sum of all accounts on the Internet which
have a password that could possibly collide with a valid password on this
site."

~~~
ay
I think using the password alone in the bank is a stupid idea in the first
place. If all that stands between my dollars and miscreants is a few
characters - this is careless to say the least. Think trojans/keyloggers.

My bank gives me a small card reader (not connected to PC), where I insert my
debit card and need to put in my card pin. This gives a one-time code which I
enter _together_ with my password to login.

However, this is not all - in order to do anything meaningful (aka transfer
money), I need a confirmation code, which is done by me typing into the little
machine the amount, part of the account number being credited, and of course
my banking pin to begin with. So, I effectively sign the transaction, and
having the reader totally offline makes me somewhat confident in its security
even if my linux laptop were compromised.

Of course all of this needs to be matched by the proper security rules on the
backend, which, given their cluefulness with frontend, I trust them to have.

p.s. That said, indeed now I remember that the password rule they had is kinda
stupid. But I have only one bank and I can make the exception for them, given
that they have done their homework otherwise.

p.p.s. and no, I would not like to have my bank operations protected by the
unlocked private key - the added convenience in this case is not worth the
risk at all.

~~~
TeMPOraL
Few years ago my friend had an account in a bank that gave him security token,
that generated a random number every 60 seconds, that had to be appended to
password during login. So even if someone sniffed your password, it would be
valid only for less than a minute :).

I think it's a great solution and I don't understand why it's not widely used.

~~~
azov
This is a horrible solution. I don't care what security experts say about two-
factor authentication. I'm not about to start stuffing my pockets with a pile
of security tokens. I have more than enough keys on my keychain, thank you.
Unless _everyone_ can agree to use the same physical token, I simply refuse to
use a service that makes me carry an extra piece of junk with me all the time.

~~~
pbiggar
Lastpass and gmail use an app called Google Authenticator to provide two
factor authentication. Works a treat, and I always have my phone.

~~~
danishkhan
Lastpass is awesome and even with google authenticator if you do not have your
phone with you they give you the option of printing out like 30 one-off codes
in case of situations where your phone is dead or missing.

------
VonLipwig
I don't understand this whole never reuse passwords nonsense.

I have unique passwords for my email accounts, github, facebook, twitter and
bank accounts. I only need to remember about 8 passwords. They are all pretty
memorable. I usually write them down _gasp_. I then manually type them in
until I remember them. I then rip the paper in two putting half in recycling
and half in the trash.

For every other site I use 1 of 3 passwords. Why? Why not? I mean seriously,
if a site contains no personal information apart from your email why do you
need a separate password for it?

I only use unique 10+ character long passwords to guard things that are worth
protecting. If a forum account, stack overflow account etc gets hacked.. oh
well. I will make another. It really doesn't matter.

I would use 1 password for all non-critical sites but password restrictions
means I need 3.

~~~
oozcitak
But what happens if one of those sites lose their user database? Your other
accounts would be compromised and you would have to change your passwords in
every site you registered with the same password.

~~~
jasonkester
That's the kind of worst-case scenario I can live with.

Suddenly, there's somebody out there in the world who can not only post
comments to Engadget as me, but can now _upvote stories on Reddit as though
they were me_.

Honestly, you could give out your password to 90% of the sites for which you
have them and it wouldn't affect your life at all.

~~~
ajross
They can also message your friends as if they were you. Scams and social
engineering attacks do and have operated this way. If you or your friends are
high-value targets, they or their interests can be seriously hurt by this sort
of thing.

~~~
jasonkester
Which of the sites that you use your throwaway password for have friends and
messaging?

Personally, I have exactly one site from which I tolerate non-email messages
from friends. That's Facebook, and it's in the same category as email,
ecommerce, etc. that gets a real password.

~~~
ajross
Uh... the _specific examples given_ were comments on engaget and reddit. You
think people don't talk to their friends on those sites? Yours is precisely
the kind of thinking that leads people to fall for social engineering attacks.
Clearly you're too smart for it to happen, right?

~~~
jasonkester
Correct. I don't think people talk to their friends on engadget or reddit. Why
would anybody do that?

You have email, telephones and facebook for talking to people. Why would you
expect somebody you know to sift through threads on reddit to find out if
you've said something to them?

Can you honestly say that you've done that? I never have, so it doesn't bother
me whether you can guess my password to one of those sites. And if I ever ask
to you wire some money to me in a comment on an engadget post, feel free to
give me a call to confirm.

~~~
fudged
I've got some friends on reddit that I communicate with through messages.
Although, I certainly prefer to communicate through other mediums.

------
dexen
How's passwords an unsolved problem for any power-user? There's a ton of
password management software out there that does /not/ require you to copy-
paste passwords around†.

For me, kwallet & ssh public keys all the way. Kwallet makes passwords
available to all programs I authorize. Authorize either on case-by-case basis,
or once forever. If you really don't want to bother with KDE and/or want to be
easily portable across everything POSIX, go for
<http://en.wikipedia.org/wiki/Factotum_(software)> \-- it has a simple
protocol.

I remember literally 5 passwords: home computer, work computer, home wallet,
work wallet, auxilliary bank account (just in case something happened to all
of my computers at once).

Actually, scratch that, I can /type/ those passwords, but I don't really know
their content.

† using ^C^V on passwords is a bad idea anyway; (depending on browser)
websites can read contents of your clipboard. And check your recent browsing
history. 2+2=...?

~~~
lubutu
I don't believe any browser except Internet Explorer allows you to read your
clipboard's contents, without pasting. (Another reason not to use IE.)

~~~
fl3tch
I was always annoyed by the fact that I couldn't copy-paste stuff in Google
Docs and had to ^C ^V it. Now I realize this is a feature.

------
mike-cardwell
My passwords are all generated by mashing the keyboard, and are stored in a
PGP encrypted file in my Dropbox. When I want to add a password to that file,
I just edit it using Vim. Vim automatically handles decryption/encryption
because I have the "vim.gnupg" plugin installed. When I want to know a
password, I type "password foo", where foo is a substring of some identifier
I've used, eg the domain name of the site. It searches my encrypted text file
for a line containing that identifier, and selects the last string of non-
space characters on that line as the password. It then displays the password,
and also copies it into the clipboard. It waits for 10 seconds, and then
overwrites the clipboard with it's previous value. My "password manager" is
this tiny script: <https://grepular.com/password.pl_txt>

I'd much rather rely on the security of GnuPG for my password store, than
Keypass or Lastpass etc. Dropbox provides me with backup and syncing
capability for my password store.

~~~
Joakal
There's password generators (usually within most password managers). Far more
better because even mashing the keyboard produces patterns. I bet some of your
starting characters are on the left side of keyboard for example and you never
use capitals or symbols.

~~~
mike-cardwell
I am confident that the passwords that I generate can't be brute forced.

------
Ixiaus
FOAF+SSL!!!!!!!!!!

There exists a rather elegant alternative to passwords for authenticating a
user's identity - it's been around for a while but the user barrier is too
high: FOAF+SSL.

The idea is you generate an X.509 cert and install it in your browser(s). You
then stick the pubkey in a section of your own publicly hosted FOAF file
(hosted by yourself or by an FOAF hosting service) - then when you "visit" a
site that requires you to authenticate all you have to do is give it the
location of your FOAF file, the browser will prompt you to select which cert
you have installed that you want to use. (there are cool things you can do
with remembering a user too)

This solution is elegant in two ways - no password entry, it uses a
cryptographically secure certificate for authorization (much more secure than
a password hash), the application in question can also pull/cache YOUR FOAF
DATA (name, address, alias, whatever you have in there) so you NEVER HAVE TO
FILL OUT A PROFILE FORM AGAIN.

That's effing cool, man. Why don't we see it? Because it's easier to use
Facebook Connect and get the same stuff nowadays then it is to try and educate
internet users on A) what is a FOAF file? and B) where/how do you generate it
and host it when Facebook basically has all of that already (I know, once is
personally owned, the other is owned by Facebook but we can't always control
the ebb and flow of internet mass consciousness even if something is "more
elegant" or "stupidly better").

------
earthboundkid
Dear browser makers,

Creating a password is not a job that users are good at.

Remembering passwords is not a job that users are good at.

Solve this problem for your users.

It's not super tricky. Make up a couple of new kind of input types. Say, input
type=trade-keys. When you see that on a page, create a private-public key pair
and swap it with the server. Take the private key you made and the public key
you got and encrypt them using the user's passphrase---the only password a
user should have. Store that locally and make a back up to your cloud service
in case the user wants to log in with another computer or the user loses their
hard drive somehow.

Done.

~~~
JoshTriplett
BrowserID (<https://browserid.org/>) does exactly that. Once implemented in a
browser, it effectively turns authentication into a key exchange with the
browser.

~~~
Sami_Lehtinen
As far as I can see, it's not different from all the other solutions. When you
logged in to Hacker News you had to notice that there are tons of already
working alternatives out there. It's also one factor authentication and
requires password. So why not to use OpenID, Google, Facebook? Because it's
linked to browser, it's most probably possible to steal your identity. So it's
not prefect solution either.

------
resnamen
I had to register my Apple ID. Apple's site disallows copying and pasting in
the password field. I really REALLY hope this isn't a trend, because I use
strong passwords for everything, and these 128-bit monsters will make your
hands explode if you try to type them in manually.

It blew my mind because a coder had to burn some calories code the site
specifically to disable copy/paste. What kind of UX is that?

~~~
jmcqk6
Either disable javascript on that page, or open up firebug and re-enable the
textbox.

~~~
resnamen
So, it's the "some assembly required" kind of UX.

------
chimeracoder
I absolutely _despise_ security questions.

I have a few bank accounts for my company (checking/investments/etc.) which
each require different logins. That's fine.

However, the security questions _for a business account_ are inextricably tied
to an individual. Favorite animal? High school mascot? Where were you born?

These are all questions that are pretty easy to crack for an individual
account, so they provide next to no added security. Furthermore, for a
business account, they're just an added layer of frustration. When I took over
the accounts, I had no idea how the previous president answered the questions,
since they're all personal to _him_ , not our company. Furthermore, when
someone else at our company needs to access our accounts, they need to know
the answer to _my_ security questions... which are the same ones I have to use
on my personal bank accounts!

In the end, it's so much of a pain to remember the answer to these questions
that when I'm randomly asked to verify, I'm just as likely to call customer
support and ask them to reset them. So what does this mean? I call customer
support and give them

1\. My name 2\. My company's name 3\. Our username 4\. Our bank account name
5\. Our tax ID number _or_ the last 4 digits of the social-security number on
the account.

...most of which would be pretty simple for a would-be attacker to obtain. And
let's face it, corporate accounts at banks are much more likely to be the
targets of individualized attacks, rather than random attacks over an array of
accounts.

tl;dr: For business accounts, security questions actually _decrease_ security.

~~~
pbhjpbhj
> _These are all questions that are pretty easy to crack for an individual
> account, so they provide next to no added security._ //

They're just text field responses though. No one is checking that your first
school was really called "w4ffl3s and |3eeR".

However, your point stands firm and proud. It's security theatre really isn't
it.

------
dprice1
Awesome rant.

In my mind, someone (browser vendors? security community?) should create a
standard for handling interactions to do with passwords. Covering password
length, characters allowed, characters required, case sensitivity, et cetera.
Or perhaps a grading mechanism. Give it a catchy name and get some noted
security researchers and clueful businesses to endorse it. You could even have
a browser extension which points out to users which sites are handling
passwords poorly or in an inconvenient way.

With respect to the issues with banking institutions: why not take it up with
your congressperson, or write to the FTC and/or SEC? The FTC is charged with
consumer protection, and this seems directly in line with that. Again, if
there was a grading tool, the regulators could apply that.

~~~
Dysiode
Mozilla was working on a solution to this some time ago (back when Aza was
still with Mozilla, early 2010 is the latest date in the linked design doc):
[http://www.azarask.in/blog/post/identity-in-the-browser-
fire...](http://www.azarask.in/blog/post/identity-in-the-browser-firefox/)

From the document he links to it seems more like a fancy password manager that
handles session cookies too with the idea of standardizing account management.
Not necessarily a lofty vision but certainly something helpful and interesting
(albeit seemingly dead now).

~~~
JoshTriplett
The work you point to has morphed into the BrowserID effort:
<https://browserid.org/> . Currently alive and well.

------
apmee
I've often wondered to what extent my own password mnemonic "system" is either
sufficiently secure or woefully misguided.

Each of my passwords is made up of the same eight-character non-dictionary
word, plus the alphabet-position numbers of the first three characters of the
name of the site I've made the password for (A -> 1, B -> 2, that old trick).

So for example, say the common word I was using in my passwords was
"pizzadog", then my Hacker News password would be "pizzadog813" (H -> 8, A ->
1, C -> 3)

I admit my goal is convenience, as it's clearly only one step up from using
the same password for everything, but with the added numbers making me feel a
little better in the event of one of them being compromised. But is there any
reason why this approach might be considered a bad idea?

~~~
encukou
Now the bad guy has to crack two sites which you register on. (Or just make
you register on two of his sites). Bam, all your passwords are effectively
3-letters long. This scheme is pretty common, so yes they would think of that.
They might not try and figure out the alphabet position thing, since the
password is laughably easy by now.

Or, they have you register on just one site they control, and figure out the
substitution trick. They now have all your passwords.

Now that you made the post it's even worse: we all know your password here is
8 lowercase characters + 813. If that's really true, I recommend changing all
your passwords everywhere, NOW.

It's an extremely, extremely tiny step up from having the same password
everywhere.

~~~
mattmanser
I think you're being a bit alarmist, the most likely attack is that someone
compromises one password and then logs into a higher value site with it. They
can't do it in this case.

That's not going to happen with that scheme.

As long as you're not also using this for email/banks, it's not that silly, I
use a similar scheme myself, it means you can log in from computers that
aren't your own to certain services without having to install anything or
carry round a bit of paper.

------
g3orge
1Password is a great tool for that kind of stuff. I use it everyday, and it's
very secure.

~~~
sneak
If, by "very secure", you mean "keeps your list of sites on which you have
accounts on in plaintext", then yes.

$ strings ~/Library/Application\
Support/1Password/1Password.agilekeychain/data/default/* | less

~~~
earthboundkid
Who cares about the list of sites you have accounts? Unless you're paying for
goat sex porn, the site names themselves are utterly boring and useless.
Attackers already know you have an account on Amazon because you are a human
being living in the developed world in the 21st century.

~~~
prodigal_erik
1Password is apparently unusable without a required master password (as it
should be), so failing to also protect the site list with it was a serious and
lazy mistake. If you have nothing to hide, that only means you aren't doing
anything controversial, which I regard as a personal failing.

~~~
sneak
I love this response. :)

------
BadassFractal
I completely agree with the sentiment of the post, I have to continuously go
back to my KeePass database to lookup the more complicated passwords.

What's the simplest thing that could work to fix this problem once and for
all? I get the impression that there simply isn't one.

~~~
humbledrone
Public key cryptography. I don't know if it's the simplest solution, but it
does fix the problem. You have a private key, which you keep SUPER safe (e.g.
encrypted with a strong passphrase), and you distribute your public key to
anyone who wants to be able to verify your identity.

~~~
Torn
I'd really like a portable device / managed service I can carry around that
encodes my biometrics in a private key. I don't know if fingerprints or iris
scanning would cut it, though as you'd want something that would hash
reliably.

Maybe something more simple - a 2-step thing like Google's on my iPhone,
except one that logs into multiple sites. That, or get 'Google login'
widespread and have it as the auth middleware on other sites out there.

~~~
Maxious
'Google login' is widespread as the auth middleware on other sites. At least
the sites worth trusting your data too ;)

There's <http://code.google.com/p/google-authenticator/> for SSH,
<http://wordpress.org/extend/plugins/google-authenticator/> for wordpress,
[http://helpdesk.lastpass.com/security-options/google-
authent...](http://helpdesk.lastpass.com/security-options/google-
authenticator/) for lastpass etc. You can use all these implementations with
the very same iPhone/Android/Blackberry authenticator app you use for Google

------
DanBC
> _You know those SSL certificate warnings? You know how you always ignore
> them? Yeah, you shouldn't do that. They're the only warning you get that
> someone might have hijacked the connection to your bank or whatever. It's a
> shame that browsers have trained most of us to ignore the warnings, because
> they're the only thing making SSL useful._

It's not just browsers - here's an example of a budget web / email host
telling users to ignore the warning:

(<http://www.purplecloud.com/webmail/>)

> _When logging in your browser may warn about an invalid or untrusted SSL
> certificate. This is normal and can safely be ignored - the communication is
> fully encrypted despite this warning._

People only using one computer (that no-one else uses) have nice browser based
password managers. Software like Keepass or Password Safe are handy, but not
great if you use more than one computer (especially if you use more than one
OS.) Keeping databases both synchronised and backed-up becomes tricky. And
some companies / public computers won't allow you to use such software.

Trusting my passwords to the cloud just feels weird and unsafe.

~~~
nodata
Inexcusable. An SSL certificate costs 12 USD/yr:
<https://www.gandi.net/ssl/grid>

~~~
icebraining
Actually they're free: <https://www.startssl.com/?app=1>

------
jrabone
Lots of fail here, but I'm surprised no-one has mentioned www.ironkey.com yet
(I just did). I've been using one for a couple of years (admittedly mostly on
Windowses) and was so impressed I bought a couple more for my partner, family
members etc. The identity manager does a reasonably good job, and the two-
factor authentication works well for Ebay / PayPal. I use the on-board
browser, which I keep as my "secure" / trusted-sites-only browser (where
trusted mostly means "can cause money to change hands") or the integration
with IE for some banks. The only thing that doesn't work automatically is
banks asking for random digits (from a 16+ character random string, yeah,
thanks). For that I use the ability to store notes alongside account
credentials in the identity manager. IronKey also provide a degree of device
management on their website, which is maybe the obvious weak spot - the
credentials and checks needed to log on to their site WITHOUT having the
device. That sort of thing is maybe best written down and stored with a will
in a lawyer's safe - it's a worst-case-scenario if you need it.

------
jiri
Ok, SSH agent is fantastic, but why it is not used to log to websites? Is it
so complicated to paste my public key to some textarea during account creation
at any website? What is the reason that no site is using this?

~~~
jiri
I did some googling and the part of copy/paste of public key to website is
pretty obvious and could be useful maybe for some tech sites. At least many
people can do copy/past of key very well, as you can see by trying to find all
public/private keys at pastebin.com ...

But what is very difficult is to enable website to authorize using your agent
or your private key. But ... the SSL certificates in browser should be the way
to go, but as author in blog post wrote "they are just so full of glitches and
surprises as to be virtually unusable" :-(

------
mncolinlee
Personally, I use Keepass over Dropbox. I have my latest passwords available
on any device I use. So if my phone and my computer burns up in a fire, I can
still access my passwords from anywhere I can securely log in to Dropbox and
my safe. If anyone hacks Dropbox, they will still need my safe key. If I lose
Internet access, I can still access all but the most recent password changes.

~~~
lbolla
Same here. The only drawback is that you have to remember your Dropbox
password by heart!

------
calloc
I wish banks in the United States started offering two factor authentication.
If I want to log into my bank (Swiss bank) I input my card number, I then get
a one time code from my bank, I insert my pin card into my card reader (not
connected to the computer), I type in my pin number, I then type in the code I
got from my bank. What I get back is another number that I then type into the
browser field.

I am now logged into my bank. Now each time I try to do anything with my money
(move it from checking to savings, or from checking to my dad, or savings to
checking, or to investing) I have to insert my card, enter my pin, enter the
number and give my bank the number that is generated.

That is secure. WAY more secure than what I currently have with BoA, ING, WF,
First bank, Chase, and Capital One.

------
pwman
I love how LastPass isn't the solution because ... "it's a computer program".

What kind of Luddite computer programmer is against using computer programs to
solve their problems? Yet is fine with using SSH keys?

The argument of bloat is garbage -- you can utilize LastPass bookmarklets at
the cost of exactly 1 bookmark in your browser. That adds a 1K bookmark and a
very small amount of JavaScript to the page if and only if you utilize it.

Password certainly are painful, and our whole goal at LastPass is to make it
easier. We'd be happy to help make other scenarios people are experiencing
better, we've looked at handling ssh a number of times (putty in LastPass for
Applications for example) -- anyone have a preference for how we tackle that
next?

------
Egregore
It would be better to use public keys for authentication instead of password,
but it will require to many things to change for this to happen.

~~~
wladimir
Google Authenticator works pretty well already. I don't know the exact
algorithm used, but I think it's public/private-key based?

~~~
thirsteh
Google Authenticator facilitates two-factor authentication. It's a very good
complement, but it is not public-key authentication nor a replacement for
passwords. SRP is probably the closest: <http://srp.stanford.edu/>

~~~
wladimir
6 digits is indeed too easy to brute force as a password replacement (though
it depends on the setting). I guess it could be used as a replacement for
passwords if the keys were longer, longer sequences or maybe groups of words
like S/KEY.

Btw: _The SRP ciphersuites have become established as the solution for secure
mutual password authentication in SSL/TLS, solving the common problem of
establishing a secure communications session based on a human-memorized
password in a way that is crytographically sound,_

So I understand it still relies on a human-memorized password? How is it a
password replacement?

~~~
thirsteh
It is a replacement to sending passwords over the wire. There are no viable
replacements to passwords, which are really just secrets, memorized or not--
short of issuing secure tokens or installing high-grade optical sensors in all
laptops and getting all services on the Internet to add support for those
authentication methods, anyway. This is why we're still using them.

Even public-key authentication isn't secure if you're storing the private key
on a regular machine, and are not protecting it with a password. Getting the
regular Joe to actually use certificates is difficult enough, too.

------
al_james
The approach I use is to combine a master password (so only one password to
remember) with a site specific name (e.g. the domain name or site title) using
some difficult to reverse combining / hashing algorithm.

This way, even if one password is leaked, it should be impossible (or at least
very hard) to calculate the master password.

I just uploaded a simple demo of this:
<http://onewheeledbicycle.com/junk/passwords/index.html>

------
aprescott
I completely and utterly loathe the security question-answer system. Has there
been any study into how effective they are at improving security compared to,
say, being forgotten and causing a complete annoyance? I've been unable to get
access to fairly important accounts because I couldn't remember which answer I
gave to a generic security question 4 years ago; I know full well that I gave
a perfectly correct answer at the time, I just have no idea what it was.

------
lisper
If you hate passwords, check out <http://dswi.net/>

~~~
fexl
Nice, I checked that out. It looks like you store the encrypted private key in
session storage (i.e. a glorified cookie). My main concern would be how to
back up that private key. As a technically savvy user, I shouldn't have a
problem with that, but I'm not sure how a novice could manage while still
keeping everything "Dead Simple". (I suppose a "backup to cloud" option could
be arranged somehow.)

Another problem in my particular case is that I have my browser set to clear
_all_ cookies upon exit. I'd obviously have to change that, because otherwise
I'd lose my private key every time I closed the browser. But that isn't the
concern of DSWI I know.

I also checked out BrowserID briefly, but as I understand it that requires all
logins to go through a central server. Consequently they need to have a
"privacy policy" which "promises" not to track your online behavior. That is
not true with a system like DSWI, which avoids any central repository or
authentication server.

~~~
lisper
Actually, the encrypted key is stored in localStorage, not sessionStorage. If
you choose "keep me logged in" then the UNencrypted key is stored in
sessionStorage (which automatically goes away when you close the window).
There are no cookies involved (unless the site using DSSID for login gives you
a session cookie).

Packaging PKI so that a non-technical user can use it is the central challenge
here. There's actually quite a lot of functionality that is hidden in order to
keep things simple. To see it visit:

<https://secure.dswi.net/dssid/auth>

~~~
fexl
Yes, thanks for clarifying. I see that now. I've been through your demo a few
times in Chromium, and I've been poking around and looking at the "Cookies and
Other Data" values. So yes, I see now that my actual private key is in "Local
Storage".

By the way, these concepts of localStorage and sessionStorage are new to me.
Evidently they're something like glorified large cookies in HTML5. Chromium
handles it just fine, but I don't think my Firefox browser even understands it
yet. I see where I can examine all my live cookies there, but I don't see any
mention of "storage" there. (I'm using Firefox 3.6.24 on Ubuntu.)

Consequently I haven't been able to get it to work yet on FF. But maybe that's
because long ago I did a bold yet insane experiment wherein I deleted all
trusted root CAs in that browser. So it might be my problem, not yours.

~~~
lisper
DSSID has been tested in FF, Chrome, Safari and Opera. It doesn't depend on
certificates, so deleting your root CA's shouldn't make a difference. Google
"HTML5 local storage" for more info on localStorage and sessionStorage.

~~~
fexl
When I click "Login with DSSID", the page says _nothing_ except "Welcome to
DSSID". No login box, button, or anything. Of course, it's not your fault,
because when I do a View Source, I see all those things. They just don't
appear to me visually.

This is happening on two different Firefox browsers on two different Linux
machines. It must be a problem with settings or a plugin. I'll try it on a
brand new Linux machine with a fresh install of FF and let you know.

~~~
lisper
Of course it's my fault :-) Failing silently is never acceptable under any
circumstances.

That said, a silent failure is pretty weird. It can happen if you have
Javascript disabled (are you running noscript?), but there's a check for that
on the demo page. I just added an explicit check on the DSSID page, so please
try it again.

~~~
fexl
Javascript is enabled; no problem there.

I'm pretty sure the problem _is_ actually related to my deletion of all root
CAs. Why? Because there's a red exclamation mark over the lock icon at bottom
right of window, and when I hover it says "Warning: Contains unauthenticated
content."

I already force-accepted the dswi.net certificate as a specific exception when
I first played with DSWI yesterday. I would think that acceptance should apply
to the JS content as well. But apparently not. So I'm poking around in my FF
settings to see how I can trust your certificate _even more_ than I already
have -- yet without installing Comodo's root CA certificate.

It's all my fault, because of my bold yet insane experiment in distrusting all
root CAs.

------
matthiasb
Using passwords as single factor of authentication is complicated,
inefficient, insecure; and for corporations, they are also expensive because
of all the calls to the helpdesk they generate.

A solution for you is using an OTP (one-time password) as a 2nd factor of
authentication. Since your authentication is a lot more secure with an OTP,
you probably don't need to use such complex passwords anymore.

For example, you can enable the 2-factor authentication with OTP with Google
and Bank Of America. With Google, you can either request an OTP by SMS when
you are authenticating and/or provision the Google Authenticator mobile
application which will generate OTPs for you. For Bank Of America, you can
also get OTPs by SMS. They also provide an OTP card called the SafePass card
([http://www.bankofamerica.com/privacy/cf/safepass_card_popup....](http://www.bankofamerica.com/privacy/cf/safepass_card_popup.cfm))
to generate the OTPs.

"Speaking of usernames, i've run into more than one bank that requires a digit
in your username. A digit. In. Your. Username." --> It cost me so much trouble
with my BOA online account! I found out I could actually change my username
and it made things a lot easier!

~~~
r00fus
> "Speaking of usernames, i've run into more than one bank that requires a
> digit in your username. A digit. In. Your. Username."

This makes sense, as your credential set includes both username and password -
enforcing increased diversity in character selection in username to include
numerics increases the exponent by 10 for each character.

~~~
matthiasb
I do not consider a username to be a secret information. But even if it was
secret, having complex username just make thing complicated. And when it is
too complicated, your users tend not to use your service at all.

------
CHsurfer
I started e-banking with UBS in Switzerland around 10 years ago (it's were I
live) and they provided me with a card, and a little card reader with a key
pad. To log in, I have to enter and 8 digit account code (not my account
number though - something random but consistent). It then gives me a random
code. I type my secret pin number into the card reader and enter the given
code. It gives me back a response with number and letter characters (all
capitol letters) that I enter into the web page to complete the log-in.

This seems quite secure as someone would have to have my card and pin number
to access my account, which is the same level of security I have when I access
my ATM machine. This was my first experience with e- banking. Imagine my
disappointment when I tried to open other bank or trading accounts and found
out they just used normal passwords.

Now, I only use e-banking with UBS, even though their fees ares somewhat
higher - I consider the security well worth it. I guess the cost of the device
and administration must be less than 35USD per year, which they easily make up
for in fees. My question is, why aren't the other banks doing this as well. I
would totally pay for it.

------
tlrobinson
One of my banks limits passwords to 12 characters. I asked a customer service
representative why, her response was "because it's hard enough to remember
12".

/facepalm

------
runjake
He would have gotten his point across better if it wasn't presented as an
expletive-filled "yeah? fuck you!" rant, which seems like the cool thing to
do, these days.

Never mind the fact that this subject ("Use different passwords!") has been
beaten into the ground at this point and if people haven't clued in by now,
they likely won't until they're compromised.

~~~
yock
I loathe that you're being downvoted for this. My first desire after reading
this was to share it with my co-workers. Unfortunately, the article's format
as a profanity-laced rant makes it completely inappropriate for that purpose.
It's a shame that he so effectively limited his audience.

------
ward
As to the bank issue, I think they "fixed" that in Belgium. Logging in is
still an annoyance, but I atleast feel pretty safe with it.

To log in on the site, you need to do the following steps:

* Load site and type in card number (this is mostly a pain, but if needed you can make your browser remember the number)

* The site provides you with a "challenge code", in the case of my bank an 8 digit number

* You take a little machine provided by your bank, it looks basically like a calculator of sorts

* Slide your card in the machine

* Enter challenge code and your pin in the machine when asked for

* Machine returns a number which you then input on the site

* Click login

This challenge code is different every time, the only (big) downside is always
needing the machine when doing online banking. However, I feel that's a small
price to pay given that once logged in you can make transactions, something I
wouldn't trust much if there was only a password with silly restrictions.

Also note, you have to repeat the challenge->machine->reply action when
signing transaction you enter online.

------
Spearchucker
This has been a problem for a long time - which is why companies like
Microsoft and IBM have been spending time on technologies like CardSpace,
ADFS, the identity meta system from Kim Cameron, IDEMIX and U-Prove, and other
stuff that tries but fails like Microsoft Live (erstwhile Passport), OpenID,
and OAuth.

The upshot is that the technology to move away from usernames and passwords
exists. What we (the IT world) haven't been able to pull off is the ecosystem,
to borrow an over-used cliche.

What we need are identity providers - some kind of body that can verify who we
are. A good candidate is the passport office (FCO in the UK), the drivers
license people (DVLA, in the UK) or the people who issue birth certificates.

Others, like banks, credit check agencies or supermarkets might also fulfill
this role, but the scope for abuse and potential lack of accountability might
make these bad choices.

Typically, the technology is not the problem. People are the problem.

------
omouse
If you're using SSH, you should check out Monkeysphere:
<http://web.monkeysphere.info/>

It allows for the use of OpenGPG keys.

There's also a web component so your website can use it! However it only has a
FIrefox/IceWeasel plugin for now. It's two parts; the server side validation
stuff, and the browser plugin.

------
juanfatas
Hi there, I think password is working perfect. And we just need to figure out
a way to remember all passwords into our brain in a unforgettable way. Here is
what I do: Password for xxx: First GF's birthday(yymmdd)+favorite city(2
letters, first letter CAP)+ high school student no.+last 3 letters of my all
time favorite movie this would result: 760925Lu201228can And you can store the
statement in your gmail. Only you will know the answer. Then you don't forget!
Also I have 3 level passwords. High Medium Whatever High: I will think of a
password as I demonstrated above (at least 4 questions). Medium: I will think
of a password for just 2 questions. Whatever: would be a stupid password but
for accounts I don't care if it's hacked(stack overflow, github..etc) Among
all tools, maybe it's better to write your password and put in your pillow.
and forget all the technical stuff.

------
imperialWicket
I totally agree. I recently had the password requirements experience with
quickbooks and their silly requirements
(<http://imperialwicket.com/quickbooks-online-password-fails>).

Like many have said, I have a 6-10 password bank of relatively complex
passwords that I use for services I may need to easily use on alternate
computers. For everything else, I use randomly generated values (usually 24
char, including alphanum, special, hyphen, underscore, and white space) which
I store in a Keepass db. I keep the Keepass db on a flash drive which I keep
with me virtually all the time.

This technique is frustrating at times, but I like knowing that if a password
is compromised, it's either something that can quickly and easily be
addressed, or it's something that I really don't need to address.

------
luser001
I use the PwdHash extension. It works great. You type the same password into
every box; it in encrypts it using the domain name of the current web page as
the key.

Also I'm using SSL client certs for a recent project, and I _LOOOVE_ them. I
wonder what sorts of problems render them "unusable" for him.

~~~
agotterer
I also use PwdHash. I don't know nay of my passwords by heart and also use the
same seed password for everything. Whats great is you can use the extension
for chrome or FF, theres a free iphone app and theres always pwdhash.com if
you need a password.

------
nakkiel
I'm by no mean an expert in passwords/cyrpto and the like but it sounds to me
that his idea of generating passwords from the service name and a master
password is a good bad idea.

Basically, his passwords are made of two variable strings: one is the service
(easy to guess if you're target a specific account, which in his case you must
anyway) and a master password that likely doesn't vary much from one identity
to another.

Doing this is basically opening the door to anybody who could gain access to
his generation algorithm. I have no maths to back me up but I made a quick
proof of concept that I ran against /usr/share/dict/words and managed to find
one collision in ~100000 tests (I was generating passphrases though).

I'm going to keep on investigating and try to generate passwords instead of
passphrases.

~~~
bigiain
You've still got to do it right. If I phish your twitter account and discover
your password is "twitter-iloveyoujane", you can bet I'm going to see if
"facebook-iloveyoujane" will get me into your facebook account...

And I'd be astounded if there weren't already automated tools that do this for
every website in the alexa top 1000...

------
gitah
I'm not sure it's worth all the trouble to go out of the way and adopt a
complicated password generation scheme. As long as your password isn't qwery,
an attacker brute forcing it seems very unlikely for any competently
implemented web app: most block you after n incorrect tries and sending HTTPS
POST requests seem really slow. Dictionary attacks on the password hash is
another problem, but salting the password should handle this problem.

I agree reusing passwords for multiple services is risky, but shouldn't having
different tiers of passwords handle this? Use a really weak password for stuff
you don't care about or sites you don't trust and then use a stronger password
for your bank, email, etc.

------
zokier
It's a shame that browser-based authentication mechanisms such as HTTP
Digest/Basic Auth and Client certificates are so broken and underdeveloped.
HTML5 has everything and a kitchen sink, but neglects to address this major
shortcoming.

~~~
VonLipwig
Mozilla made BrowserID, is this something similar to what you suggested?

------
chmike
While the author has a point when users reuse their password for many
accounts, he ignores the time required to test a password when using
bruteforce attacks. The rant on banking passwords with strongly limiting
constrains may be (is?) balanced by the time to test each password. The
password could be reduced to a few numbers if it is assigned randomly by the
bank and can't be changed by the user, and if something like a paying phone
call is required to reset the password after three failed attemps. Make the
password a serie of logos to click in a specific ordre and displayed randomly,
and keyloggers become history.

------
tete
WebID to rescue:

Technology that implemented in every browser right now (certificates) +
compatibility with stuff like USB dongles, smart cards, that have also been
available for some time now. Oh and no, you don't need a CA. Problem solved?

<http://www.w3.org/2005/Incubator/webid/>

Only thing left is using it and making browsers more friendly towards that
approach. This mainly involved getting rid of scary technical warnings.

Until then I will use password maker, which isn't a store but creates the
correct password when needed:

<http://passwordmaker.org/>

------
ghostwords
> ... password managers like LastPass ..., but let's think about this for a
> moment. I have the choice of either making my passwords so memorable and
> reused that i'm at a grave security risk, or of making them so secure that i
> need a computer program to store them for me. This is fucked up. This is
> fucking broken. This should not be allowed to go on.

Uh, how are SSH keys not using a computer program to store your secrets? Just
use a password manager. You discovered the hard way why your special scheme
doesn't work. Use a password manager (like KeePass). Use it with Dropbox, use
it with a Flash drive.

------
iand
Take a look at WebID which uses client certificates to give you that SSH-like
convenience for identifying with sites

<http://www.w3.org/2005/Incubator/webid/spec/>

------
chadillac
I remember reading an article about complex passwords vs what was basically
called "offensive gibberish", I've actually taken a liking to this approach
more recently than relying on a password manager. The whole goal is to make
your password memorable while also making it long and complex enough to avoid
cracking/brute forcing.

e.g. For gmail rather than "password3" one might use "give me my god damn
email you stupid machine!" It's great because it's easy to remember, and
complex enough to keep you relatively safe.

e.g. 2.0 : <http://xkcd.com/936/>

------
yariang
I was very pleasantly surprised by the security question system used by Ally
Bank recently. They let you enter your own security question.

Why haven't they thought of this before!? I can come up with very good
security questions that incorporate inside jokes with knowledge only I know
and things I know I wouldn't share with anyone publicly.

These are things I will remember all my life and that nobody else will know
(unlike say, my father's middle name). Unfortunately, Ally asked me for
answers to three pre-determined security questions right after.

But there is hope!

~~~
kristiandupont
I know of a couple of websites that do this and the problem now is that I used
the same question on multiple sites. I guess I could come up with a new one
each time but that does actually take a bit of creativity..

------
dzhiurgis
Oh shit. Just yesterday I've ran into precisely same problem: I've tried to
change all my passwords online into something like service_password_date. I
decided to do this after googling my four favorite password md5 hashes
(abc123, cba321, etc). It was there :) So yea, only several services would
allow to have password longer than 15 characters, and several even wouldn't
allow to use anything else than numbers and letters. I was shocked. Skype
won't even let you use their name in password, how's that fucked up...

------
gospelwut
As I posted on Proggit.

NO. NO. NO.

Password _length_ is by far the most important factor to brute force attacks.
Which, I presume, is most people's concerns because if we're talking about
weak hashes or plain-text storage, you're kind of _fucked_ anyways. You can
have your cake and eat it too.

Take, for example, some convoluted piece of shit password like
`1Liek2Progr4m35423\\!#@`. First off, most people won't remember that without
using a password manager or copying it from your super-secret text file in
your encrypted folder.

Sure, there will be a few people that chime in saying, "Hey, I can remember
complicated, crazy passwords". Okay. Can you do it when the service forces you
to rotate passwords, e.g. AD? Most users can't. Trust me. They can't.

So, what now?

Just make really long passwords. Instead of `fC29ap5w78r3IJ`, make it
something you will remember. For example: `$omeb4s1ePr3fix I like to cheat on
my wife with the secretary I hate her so much`. The entropy of the second
password, due to its length, is much better than the former.

Now, if we're talking about services don't let you have an obscenely long
password, that's... a service problem. While the implications are real, we're
talking about "how to make really good passwords". I feel like this has been
answered, but people are insistent on some arcane notion of using some complex
string of characters -- as if the computer gives a fuck. Not everything is a
straight dictionary attack, and the computer doesn't give a fuck if your
password has words in it or not insofar as it's not just one or two words.
It's not going to break a 42 character-long sentence that much faster because
it has WORDS in it.

And, there's no way somebody should be able to be trying to guess your
password that many times without getting locked out. Unless we're talking
about somebody hacking into the server itself, dumping out the hashes, and
trying to break it that way. Even in that worst-case scenario, assuming they
have done their due diligence with salts/bcrypt/etc, a 42-character length
password should take them somewhere in the vicinity of _for fucking ever_.

EDIT: The benefit comes from the prefix and the sentences. It pretty much
deters both kinds of common algorithms even if you reuse the prefix.

~~~
WA
Related: <http://xkcd.com/936/>

There's only one downside. If you generate your password based on a phrase and
add the service name to that, it could be easily guessed in other services.

If you use RedBananasFlyReallyHighAmazon for Amazon and
RedBananasFlyReallyHighPayPal for PayPal (which, by the way, doesn't work, as
PayPal for whatever reason blocks the word PayPal), one could guess the
password from the other service, if one gets compromised.

Ultimately, you can only hope for the service to store the password hashed and
salted, but in reality, that is not always the case or there's some novice
programmer trying something out and all passwords are logged in plaintext
somewhere else, while the database stores them hashed and salted.

But generally, I prefer this approach, as it provides a lengthy password,
different for every service and easy to remember.

~~~
gospelwut
Well, in general, I'd suggest something related to the service rather than the
service itself. Computer algorithms generally aren't intuitive in the same way
computers are.

Paypal -> $pr3f1x29# elh oh el I liek money u gieve

------
rvavruch
I've been using PassPack for a few years. It allows you to generate random
passwords with your choice of # of characters and type. My default setting is
14 chars of a-z, A-Z, 0-9 and punctuation. Then if the site complains I scale
back, no punctuation, less chars, etc.

This does mean that 90% of the time I need to go to PassPack before I can
login anywhere. Recently I've also wondered if a public key solution could
work in a browser. That would be fantastic.

~~~
Jd
LastPass also contains such a password generator. Even better, it remembers
the passwords for you!

------
NHQ
I like the idea of websites using public key encryption. Would the browsers
have to implement it on the client side? Could a plugin handle that?

------
16s
I've posted about SHA1_Pass here on HN before, but thought it relevant to this
thread, so here it is again: <http://16s.us/sha1_pass/>

It's an open-source, portable password generator. No ads, no gimmicks, no
password storage. The basic premise is "Don't store passwords, generate them
locally on your computer when needed."

------
brendoncrawford
For secure passwords, I strongly recommend the Password Hasher extension (
[https://addons.mozilla.org/en-US/firefox/addon/password-
hash...](https://addons.mozilla.org/en-US/firefox/addon/password-hasher/) ),
which allows you to use a different hash-based password for every site. It
also allows different password lengths.

------
cr4zy
I generate different, easy to remember passwords for every site by using a
random looking base string and slapping in a few characters derived from the
domain. For example you could take the first and last letter of 'ycombinator'
and use 'ut' as your changing characters (the letters to the right of 'yr' on
the keyboard.)

------
markkum
Passwords are painful for the users, and not good for service providers
either; [https://www.mepin.com/2011/09/26/7-problems-with-
usernames-a...](https://www.mepin.com/2011/09/26/7-problems-with-usernames-
and-passwords-for-service-providers/)

Support OpenID!

------
motters
Passwords are not ideal, but they seem to be the best compromise available. An
alternative might be for everyone to carry around a USB dongle containing a
private key, along with physical keys. There's always some tradeoff between
security and convenience.

------
andrewflnr
We've GOT to get public key cryptography in the hands of the masses. My
current favorite strategy is to get them all using some distributed social
network that uses PK and also integrates with everything, but I don't know how
feasible it is.

Any other ideas?

------
zobzu
been preaching the same since.. 1997? When SRP came along, we though that tied
to proper keychains we'd see the light at the end of the tunnel. but nope.

too many "pros" are too tied to die hard password auth ;-)

------
denzil_correa
There's some nice little study going around on the very same topic. In fact,
they seem to agree with you. Check out "FastWords".

<http://fastword.me/>

------
diziet
When I am able to, I make my important passwords a very long phrase that I
then memorize like a poem.

whenIamabletoImakemyimportantpasswordsaverylongphrasethatIthenmemorizelikeapoem

------
mukyu
Firesheep is about session hijacking, not watching actual logins (which would
normally be over ssl even if it is non-https served/https form target).

~~~
latortuga
Your use of the phrase "even if" makes me think that you are saying that
loading a form on a non-https page would be secure when that is emphatically
not the case at all.

~~~
mukyu
I know that http served https form target login is an anti-pattern.

I was saying that a) firesheep does not have anything to do with passwords
(which he implies it does) and b) it would be prevented with ssl anyways. I
don't even know why he brought it up.

------
IgorPartola
Fuck passwords is right! After having one of my re-usable passwords
compromised through Mt. Gox's breach and (a small amount of) my bitcoins
stolen from a different site, I have learned my lesson (BTW, the correct term
for this type of event I think should be "I got Mt. Goxed.")

Here are a few things I learned:

* Banks don't need complicated passwords. Though they force you to use something that you'd normally consider ridiculous, like ^([a-zA-z0-9]){6,8}$, they also are much more quick about locking the login. On top of that you typically don't have to worry about SQLi with your bank and they do all use SSL. Phishing attacks are much more likely.

* I use LastPass and my typical password is a random 32-character alpha + numeric + all sorts of special chars string and different for every site. Some exceptions still apply: I want my main Google password to be something I remember and I feel all right about that since there I can use two-factor auth.

* LastPass knows your passwords. Or at least they could. Consider that when you log in to share your password with someone (see below for why), you can expose your password to yourself on their site. Now all they need is some JavaScript (potentially inserted by a malicious person from a third-party domain) to grab it out of the DOM.

* LastPass has the ability to share passwords with others. This works well in my situation where my wife has all of our banking and utilities passwords, and either one of use can pay the bills. Once again, the fact that every site gets a unique password means that I can share these without sharing the passwords to my employer's servers, etc. On the flip side, explaining how LastPass works to a non-geek was a challenge. Their plugin for Chrome is just sort of ugly and clunky (Chrome's fault).

* SSH agent is fantastic. I set up all my personal servers and workstations to only allow pubkey-based logins which means no more script kiddies trying random passwords. I also set up a PAM module to authenticate sudo using pubkeys and SSH agent, so I never enter a password into a remote machine.

* SSH agent forwarding may be set up in a very insecure way. The biggest problem is that if your local machine doesn't ask for permission to answer a pubkey challenge explicitly, you could have the following situation: an attacker compromised your remote machine. They have replaced /bin/bash with a clever script that executes bash, but also scans your ~/.bash_history for other hosts that you SSH'ed to. Now as soon as you log in, /bin/bash starts trying those hosts one by one, logging into those hosts and doing whatever the attacker wants since they also have access to sudo.

* Other things to be paranoid about: evil browsers, compromised operating systems, malicious browser plugins, key loggers, people with physical access to your machines, other people's dumb passwords on the same servers that you log into, MITM attacks and not checking the key signatures of SSH servers, monsoons, terrorist organizations, drug cartels, brain washing, swine flu and Soviet era doomsday devices.

Basically, LastPass and SSH agent are way better than using the same password,
but just be careful about how you set it all up.

~~~
pavel_lishin
> Their plugin for Chrome is just sort of ugly and clunky (Chrome's fault).

How is it Chrome's fault? It looks like pickled ass on every browser I've
installed it on as a plugin, and it looks like ass as the iPhone app.

~~~
IgorPartola
At least partially because Chrome's extentions are just bits of JavaScript.
For example the FF version throws up a dialog box when you want to log in. On
Chrome it shows you a new tab that is mostly empty. Just feels less integrated
I guess.

------
anty
Reminds me that I have locked myself out from my Google account by using
umlauts (specifically an "Ä").

------
droithomme
I like this guy's article and it makes good points. But dropping the
capitalization of the pronoun "I" half way through a formal article that one
publishes for a general readership looks really bad.

------
Sami_Lehtinen
Here's one solution for true geeks. <https://www.grc.com/offthegrid.htm>

