

Kill the Password - LJone7
http://techcrunch.com/2015/09/07/kill-the-password/

======
jamiesonbecker
> The static password sitting in a database, is perhaps the dumbest idea
> anyone ever came up with for security. As soon as a resourceful (or even not
> terribly bright) hacker finds his or her way into the database, as we’ve
> learned time and time again, the passwords are sitting there for the taking,
> a giant treasure chest.

Hopefully nobody does that anymore. All passwords should be randomly salted
and hashed, preferably with scrypt or bcrypt. (We use bcrypt at Userify and
also sha256 in the browser before the password even crosses the wire, so we
never handle your raw password.) For servers, we take the same approach: you
should keep your private key _private_ on your laptop -- we only want public
keys.

Passwords are just tough to replace. They're universal and work on almost
every device. Lots of things have tried and failed to dethrone passwords, such
as PIN numbers (insecure), biometrics (which are not authentication), SSL
client keys (abstruse), dongles/smart cards/etc (expensive, inconvenient). MFA
and integrations like oauth can help.

Fortunately, there's a lot of interesting research going on in this area.
We'll probably always have passwords, but they'll get stronger over time.

------
pnt12
"The password, the chief means of securing access to our most valuable data,
has become almost completely useless, no longer even presenting a speed bump
for hackers and mischief makers."

I can't believe I'm reading this. If this were true, we wouldn't be using
passwords anymore.

I find offline password managers the best solution. I currently use KeePassX
and sync the encrypted passwords database with Dropbox. The database can only
be accessed with a password + a special file, so I think it makes the password
db nearly unbreakable.

