

How to Fix Authentication: Email as a Password Manager - homakov
http://sakurity.com/blog/2015/04/10/email_password_manager.html?

======
stephenr
This article has two problems:

a) password managers don't have to be terrible third party solutions. Safari
has an amazing password manager with strong random suggestions, and it's just
enabled out of the box for millions and millions of iOS and Mac users.

b) this is ridiculously insecure - as soon as anyone breaches your email
account they have access to any other service using this scheme, without any
way to know (i.e. no password reset by the attacker)

a) is proof that this can be "solved" by browser vendors. b) is the reason
this should be solved by browser vendors.

~~~
homakov
> (i.e. no password reset by the attacker)

Login link = reset link. It's not different from the classic scheme. Equally
insecure.

"What if" doesn't work, it's 2015 and the problem is still huge. "Use password
manager" doesn't work anymore, unless you offer something dead simple as my
idea.

~~~
Terretta
"Use a password manager" still seems to be the right answer for frictionless
logins. "Easy" is requirement #1 to get people to use a thing. In fact, using
it should be easier than not using it.

If you use 1Password, it nails the password details that trip up the "shady"
password managers you allude to. See this study about stealing passwords or
credit cards from users of auto fill password managers:

[https://www.cs.utexas.edu/~suman/publications/suman_pwdmgr.p...](https://www.cs.utexas.edu/~suman/publications/suman_pwdmgr.pdf)

Interestingly, the Safari built-in keychain is better at protecting credit cards.

~~~
homakov
You're free to use any password manager. My scheme is for developers to build
better authentication.

~~~
stephenr
But it just isn't better though. It's worse in the way that _developers_
should be worried about most: security.

~~~
homakov
How exactly is it worse if it's not different from the classic scheme?

~~~
stephenr
you're removing something which people basically understand the concept of -
passwords: keep them fucking secret/safe - and trying to replace it with
something that is built on top of a system never meant to work that way. If
your system routinely sends out OTP emails, all it takes is someone to
intercept those emails on their way from your SMTP server out to the wider
internet, and _every fucking user_ is breached.

The _only_ reason password reset links are at all acceptable is because they
are used relatively rarely and it's not predictable _when_ they will be used.

~~~
homakov
So your point is it is less secure because the same weak feature is being used
more frequently?

> all it takes is someone to intercept those emails on their way from your
> SMTP server out to the wider internet

It doesn't matter _when_ some user will create a reset request. Because you
can do it for him, right?

There are tons of services out there _generating_ a password for you and
sending it over in plain text, which is exactly what I proposed. Do we see it
heavily abused? The opposite is true - those services are more safe because
they got rid of reused passwords.

Also there's a bunch of techniques I didn't describe to prevent some attacks.
When a user is trying to log in, save a secret token1 in a cookie and send token2
to their email. When the user clicks this link, verify the old cookie. This makes
passive global wiretapping less useful (if that was your concern). Still
vulnerable to more targeted attacks (enter username, wait for email, reuse
cookie), but so is "reset password".

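As an added illustration of the token1/token2 idea discussed above (this is example code written for this page, not code from homakov's post or from any commenter): the browser that starts the login gets token1 in a cookie, token2 goes out in the emailed link, and the server only completes the login when the link arrives from a browser that still presents token1. The link is also single use and time limited. Storage layout, the ten-minute window and the function names are assumptions; a real deployment would put the records in a database and set the cookie as HttpOnly/Secure.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 10 * 60  # assumption: an emailed link is valid for ten minutes

# link_token_hash -> pending login record; in-memory stand-in for a DB table
_pending = {}


def _h(token):
    """Store and compare only hashes, so a leaked table does not leak usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def start_login(email, now=None):
    """Server side of 'user typed their email'.

    Returns (cookie_token, link_token). The caller sets cookie_token as an
    HttpOnly cookie in the HTTP response and puts link_token into the emailed URL.
    """
    now = time.time() if now is None else now
    cookie_token = secrets.token_urlsafe(32)  # token1: stays in the browser
    link_token = secrets.token_urlsafe(32)    # token2: travels through email
    _pending[_h(link_token)] = {
        "email": email,
        "cookie_hash": _h(cookie_token),
        "expires": now + LINK_TTL_SECONDS,
    }
    return cookie_token, link_token


def complete_login(link_token, cookie_token, now=None):
    """Server side of 'user clicked the link'.

    Returns the email on success, None otherwise. The pending record is removed
    on every attempt, so a link is single use and a link presented without the
    matching cookie is burned: the legitimate user then sees their own link
    fail, which is at least a signal that something is off.
    """
    now = time.time() if now is None else now
    rec = _pending.pop(_h(link_token), None)
    if rec is None:
        return None  # unknown, expired-and-purged, or already used link
    if now > rec["expires"]:
        return None  # link older than the allowed window
    if cookie_token is None or not hmac.compare_digest(rec["cookie_hash"], _h(cookie_token)):
        return None  # link arrived from a browser that did not start this login
    return rec["email"]
```

A passive wiretap of the mail stream yields only token2, which `complete_login` rejects without token1. The targeted attack homakov concedes still works: an attacker who enters the victim's address themselves holds a valid token1 in their own browser, and then only needs to capture the resulting email.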
~~~
stephenr
> it doesn't matter when some user will create a reset request. Because you
> can do it for him, right?

Only if I know the user's email address for this given service.

With your system the attacker will get a regular flow of emails like this, and
can even just track the emails as they're used, so as to then use them _later_
to create a new authenticated session without arousing the suspicions of the
user.

Even if an attacker was lucky enough to capture a password reset email, they
either have to use it immediately (or it will become invalid) or do a later,
second password reset. Either way, the user _still_ knows at the very least
that something isn't right.

> There are tons of services out there generating a password for you and
> sending it over in plain text

And this is fucking atrocious from a security standpoint.

> Do we see it heavily abused? The opposite is true - those services are more
> safe because they got rid of reused passwords.

Care to name some? I'm not aware of _any_ major service, website or
application that relies on an OTP via email for primary authentication.

> Still vulnerable to more targeted attacks (enter username, wait for email,
> reuse cookie), but so "reset password" is.

You still don't seem to accept that _knowing_ your account was compromised is
a security feature. With your system there is potentially ZERO indication to
the end user that their account has been compromised. That is FUCKING
TERRIFYING to me, and that it isn't to you, is even MORE FUCKING TERRIFYING.

Please stop making claims as if you have any fucking idea about security.

~~~
homakov
> potentially ZERO indication to the end user that their account has been
> compromised

It's not exactly zero. For example you can generate a new "security image" every
time a user logs in. If last time it was some cat and now it's a dog, then someone
logged in in the meantime. And that, frankly, is not as terrifying to me as reused
passwords.

>Please stop making claims as if you have any fucking idea about security.

I would be excited to see links to your security write ups, please share :)

~~~
stephenr
You keep making suggestions on the fly which clearly shows you haven't thought
this through, and can't accept that it's just a fucking terrible idea.

A "security image" doesn't work if it changes every time. First off - you're
putting the burden of maintaining security onto the user - how the fuck am I
supposed to remember what random picture you showed me?

You can consider this entire discussion thread my fucking security write up.

The comments on your own show that anyone else who listens to you has the same
reaction, so it's no surprise you resort to ad hominem attacks implying that
only someone with published security write ups is qualified to call your idea
fucking stupid.

~~~
homakov
I made it on the fly because "know that you've been hacked" is not important
at all for regular users. They can't remember a random picture - true, but
they also don't care if their password doesn't work anymore. That's all your
(and everyone else's) reasoning so far. Why can't you accept that if your
email was hacked you will learn about it pretty quickly anyway (because your
PayPal funds are stolen)?

> that only someone with published security write ups is qualified to call
> your idea fucking stupid

I didn't say that, your answers are spot on and the questions raised are valid,
however I am surprised you prioritize the "password was changed" issue over the
entire reused passwords problem for normal users.

To make it clear: you don't care that people reuse passwords and it is the #1
problem, you only care _if_ email account is compromised and _if_ attackers
decide to silently spy on one of your other accounts instead of getting the
profit now. If that's true we just have different opinions and there's nothing
to discuss here.

~~~
stephenr
> "not important at all for regular users"

You keep saying that but I just don't believe you. People LOST THEIR SHIT when
a heap of celebrity nude photos were leaked, and that wasn't even their own
accounts or information. Major sites being breached etc are not uncommon on
mainstream news reports now. But no, you're right, no one fucking cares about
that.

> I am surprised you prioritize "password was changed" issue over entire
> reused passwords problem for normal users

> To make it clear: you dont care that people reuse passwords and it is a #1
> problem, you only care if email account is compromised and if attackers
> decide to silently spy on one of your other accounts instead of getting the
> profit now.

No, not at all.

Normal users have the very real, very safe option to use a password manager.
They can work across devices and solve the problems of remembering and
re-using passwords. This means they can have reasonably GOOD security, and can
use it EASILY.

That system (the one that exists and works right now) has the extra BENEFIT
that users will know as soon as they try to access their account, if it's been
compromised via a password reset attack.

Your "solution" instead pushes all immediate security onto email and the user's
mailbox, which you freely admit IS NOT SECURE. Any requirement for any
semblance of account integrity is then pushed onto the user apparently?

Edit:

So just to make sure it's crystal clear: I'm not saying password re-use is not
a problem, it is. I'm saying the solution to that problem is improving the
tools (i.e. password management in browsers) that _already exist_, where
necessary.

------
Xeoncross
Sounds like you are ready to re-invent the browserID protocol. Might as well,
Mozilla is done with it...

~~~
homakov
By no means trying to invent/re-invent anything. Just making the classic scheme
safer by getting rid of passwords.

