What if I don't have my phone to scan a qr-code? What if I want to use a minimalistic browser that doesn't implement a key pair store and I don't want to or can't set up one external? What if my minimal browser is text only? What if I'm on another device and don't have my stuff on there?
I will pretty much always be able to enter a string of characters. To quote the unix phillosphy:
Text is the universal interface.
Passwords aren't streams, and in the Unicode world, they're not even (predictable) byte arrays. This isn't just hypothetical. There have been recent bugs in major systems where people with non-ASCII passwords couldn't type them.
One of the major failings of QR codes for consumer use, IMHO, is that there is no fallback. With UPC, the number is printed right below the barcode, so when it doesn't scan, the clerk can just type in the digits.
ASCII digits are universal. Bytes are universal. Text is ... complicated.
Forget that, I've lost track of how many times I've hit the horrible bug of "site X lets me enter password Y, explicitly compliant with stated password rules, but then rejects it at login time." Either the registered password was mangled by some input sanitization/encoding, or the login password was. After some do-overs, it becomes clear that many "valid special character lists" are just plain wrong. It's 2018, and there's an appalling number of cases where someone doesn't understand that quoting/encoding ASCII/UTF-8/etc. is a 100% solved problem.
All text should be UTF-8. It really shouldn't be complicated in $current_year.
And I wouldn't say that text meant ASCII. My understanding is that it meant text is the thing that could be understood and written by both people and computers.
This is terrible from the perspective of phishing but we really need to avoid that causing us to ignore the usability hassles to everything else.
I’m happy to see that conversation get more nuanced, too, rather than just being game-theoretical about perfect security: acknowledging the usability and security costs of password complexity requirements or expiration, having intermediate checks for more sensitive operations so you’re not training users to hammer their password out hundreds of times a day, etc.
You are correct, as long as you throw out all the other password advice that, ironically, Troy Hunt has given us about not reusing passwords, making them long or full of hard-to-memorize characters, etc.
Once you use secure passwords by making them long and/or hard to memorize, unique for each website, etc., you can't just rely on your brain, fingers, and an awkward on-screen keyboard to "always enter a password." You need your password manager with you, you need privacy so nobody can shoulder surf while you agonizingly peck out your password on your touch screen keyboard (remember everyone learning Kanye's cell phone password recently?), etc.
Your statement about universality is only technically true.
I remember a couple of passwords for services I frequently have to log into without access to a password manager. I can make choices about the security requirements for different services, and the security of the passwords I use for them. I can make choices about how to store them. I use a command-line program that stores passwords in individual textfiles, encrypts them with gpg and manages them with git. I could also choose to write them into a notebook with a cypher I can do in my head.
These are all choices I get to make because passwords are text, and nothing else.
I can also write down passwords (unencrypted) to sites that I use infrequently, and for which I have low security requirements. For many such sites, a password reset is reasonably implemented and fast, and so for a vast number of sites, email security (and thus, email password security) == arbitrary site password security anyway.
Basically I have a prefix of length 7 which is two words, where some of the letters get converted to numbers, and then I use shift to make them into special characters.
Then for each website I append a different word that has some meaning for me, and convert the letters to numbers. Then I add a special character at the end.
A typical password might look like
Which is very easy for me to remember and type, reasonably long, and certainly not on any lists of most commonly used passwords.
Ways you could improve this method would be to have different prefixes for different industries (banking, social media, etc).
- If a password on a website is stolen or if the website forces me to change password, then my "rules based password generation" becomes a problem. Now, it needs to handle variations. And, with hundreds of websites, I won't remember which variation a certain website password is on.
- If a website has password rules that don't let me use my "rules based password generation," then what do I do? I tried having an alternative generation rule, but different websites have different password rules. So, no one / two / three generation rules will be able to generate acceptable passwords.
- The "append a different word" requirement is tricky. How do you append a different word for each of the hundreds of domains while having a way to mentally recall them? I chose to use the domain name and shift all letters up by one. However, that failed with sites that use multiple domain names.
- Sharing passwords with my wife became a hassle because the rules and variations were becoming too much for her.
This doesn't much help the average customer service worker who struggles to give correct change if you hand them cash in an amount that's not a round number.
Passwords are a thing that need to work for everyone, which means they need to work for the lowest common denominator too, which means the GP is correct to point out that password advice is contradictory: the lowest common denominator cannot both use strong, unique passwords and avoid using some other kind of technology to assist with that.
Alternatively teaching about the use of password managers might not be a bad idea.
But digital literacy should certainly be something that our society focuses on teaching it's young adults and keeping your accounts secure is one big component of that.
But considering our schools don't teach us about credit scores, and a myriad of other very useful things that can impact you in large ways down the line, I guess I'm not so hopeful.
If all accounts would have sane restrictions on the password it would become trivial to have something both secure and convenient. I have been looking for a system that allows me to:
1. Does not require me to remember an absurd amount of information.
2. Allows me to login to services, even from other devices.
3. Has a unique password for each service (so that it is not disastrous if one password leaks).
We could have one master password, use site and username (and maybe a counter, to make it easy to rotate passwords) as salt, and use a hashing or password derivation algorithm to derive a unique password for each service. This would only require you to pick and remember a strong master password.
It may be you're working in the one environment where the master password + derived password scheme + counter scheme would be an improvement, but the above objection is why it doesn't work well for most users.
This has been tried. While it initially sounds appealing, it is a monumentally terrible idea.
* You need software to implement the scheme.
* Rotation is a problem, you need a counter for state
* Different services have widely different password rules which are additional state
* If a site stores password data in cleartext or weakly hashed, your master password/passphrase can potentially be cracked
* People choose passphrases just as badly as they choose passwords
Just write your passwords down. Maybe leave a few characters off or don't label them.
It all comes down to the threat model you are defending against. The threat model I'm defending against is automated attempts to catch me reusing the same password with different accounts.
Even if you were defending against a motivated actor putting human eyes on your passwords, something like`XXXXXXsXXXXXXsssXX` where the X are reused across sites and the s is a derived, site-specific chunk is a) as good as completely random until your adversary is manually correlating multiple leaked passwords for you and b) not trivially obvious to derive once they are correlating multiple leaked passwords.
This is a thing that is done, and even automated. If you have a couple password dumps, checking levenshtein distance between them is not hard.
BUT its safe, because unless YOU are the target of the attack, the contents of your random slip of paper on your desk, or the password protected one note file on your dropbox, or the encrypted pwsafe3 file on your usb stick are outside of the reach of some bad actor trying to get ALL of the passwords, not just YOUR password.
Normally, to attack a password manager, you must have a copy of its database. With a deterministic password scheme, this is not required. This proves to be disastrous in practice for cryptocurrencies.
If you aren't the one under attack, and you still create different passwords for each service, the method of offline password storage (be it a spread sheet, a password manager, or a sticky note) are all similarly-ish safe.
Is it secure? No. But if you work at a place where SSO isn't a thing in 2018, it's not secure anyway.
This is bad security advice. Don't this if at all possible.
How is that reasonable? If you make a case that restricting password managers lowers security, could you possibly change it?
If you don't like to share your data with third parties then you are basically restricted to logging in on devices that have access to your email. Which means you're stuffed when that doesn't apply.
Security at the expense of usability is fine when it's warranted. All too often it's not.
(This whole thing reminds me of “Your post advocates a ... approach to spam. Your idea will not work. Here is why...” And maybe warrants a similar parody.)
So your only choice is to access your (personal) email on a device where you may not want/be allowed to.
I think password managers are great but the service I see them providing that has the most benefit is to reduce the number of passwords the user needs to actively remember. The single sign on approach has it's weaknesses but the idea itself is pretty sound, you should legitimately trust facebook or google or whoever to know more about secure authentication than some random site... the fact that this service comes with a privacy leak and implies greater online presence tracking is terrible, but the core idea is sound. It'd just be nice to have a neutral party doing it.
The problem is the lack of an alternative which is how this whole thread started - their approach allows you to choose between logging in via a third party, or logging into your email on the same device. It doesn't let you log into their website directly.
I wouldn't mind if they emailed you some kind of time-limited one time token you could enter on the other device, rather than using a conventional password. But all they supply is a lengthy link, which can only practically be opened on the device that has access to your email.
Yubikeys are not difficult either. You enter your username, you focus the password field and you press the button. There, you're done. If anything it's easier and more convenient than a password.
Passwords are just the lowest common denominator. Everybody can memorize a character string, not everybody has a smartphone or yubikey with them at all times.
How much set up does it take to get to that point though? Usability at point of use is great but setting something up is usually far more difficult than actually using it.
The biggest problems are:
- limited selection of sites that support U2F
- U2F is off by default in Firefox (it's a little buggy apparently)
- somewhat expensive ($45 for Yubikey Neo)
Those are getting better, and I think the Yubikey can be used OOTB (you just enable it on an existing login to prove you own it). I'll be regenerating keys, but most users probably won't bother.
I don't know if a Neo can replace the secret key that makes FIDO (and thus U2F/WebAuthn) work but doing so seems pointless. If bad guys tampered with it, they presumably neutered this feature; whereas if not it's fine out of the box. Certainly Yubico's cheaper FIDO2-only product offers no way to regenerate the secret.
Nobody today deploys WebAuthn to replace passwords, only as a second factor so it doesn't really undermine Troy's point, though perhaps our other countermeasures (long complicated passwords for every site, changed frequently) are less necessary if you have a good second factor like this.
Who needs a smartphone when you can use a piece of paper. Mind you this can be copied so has a similar vulnerability to passwords. But since it can be generated you can think of it as a salted password when combined with a classic one.
And then we use the final way of authentication, hard to forge personal documents, government issued... often in poor ways.
Computer systems cannot be truly fully trusted. Final security always depends on the human operators and equivalent human impersonators.
A skilled social engineer can even convince your friends the account is dead. They can call the delivery company or even initiate the procedure to reissue documents or destroy keys. They can phish and scam you which is even easier.
If you remember it. You either have to use weaker passwords (for example, same password on several sites) or you won't be able to remember them. Or you can write them down which is pretty secure, but is not it easier just to carry a hardware key instead of a notepad with passwords?
Also, once I accidentaly deleted Latin keyboard layout in Linux (yes, it is easy). And having only Russian layout I was unable to enter the password to log in (and even if I could I wouln't be able to use the console). I tried to use on-screen keyboard, but in Debian it cannot input characters not present in keyboard layout.
But it's possible that in the future we will put the bar higher. Then these arguments might be considered as silly as "with HTTPS I can no longer telnet into a web site and issue HTTP commands by hand!" (and don't tell me people didn't do that, I did it myself).
Similarly, if you’re not a financial site question whether you’re doing anything of value. The Netflix example is great: a huge password really doesn’t matter unless the site allows you to see stored credit card information since the worst thing someone can do is load your viewing history up with high ratings for Iron Fist. Continuing to cargo cult DoD policies from the 1970s has caused more problems than it’s stopped.
This requires that the site supports automatic completion and pasting. Quite a few sites explicitly prevent it for stupid reasons like assuming user browser is compromised.
(If it is, you shouldn't be using the webpage for authentication.)
- increase your subscription and watch using your account for free
- send DVDs to their house and sell them
- use your same email/password combo on other sites
If you use 2FA for most things, it's much harder exploit anything. However, you need to use good 2FA, not that SMS crap.
> - increase your subscriptio
This should force a confirmation and notifications as I noted. Simply checking the credit card CVV is way more useful than traditional MFA.
> and watch using your account for free
Not your problem and Netflix must monitor that to catch friends and family sharing anyway.
> - send DVDs to their house and sell them
Also a financial change which should trigger checks. Again, CVV does the job perfectly fine.
> use your same email/password combo on other sites
This is only true if they utterly botch the design by storing passwords insecurely and displaying them to the user. If either of those are true, it’s virtually certain that they’ve made equally bad mistakes elsewhere which MFA won’t help with.
They were right to turn on 2FA but it does come at a cost, and that cost isn't always worth it.
>But it's possible that in the future we will put the bar higher. Then these arguments might be considered as silly as "with HTTPS I can no longer telnet into a web site and issue HTTP commands by hand!" (and don't tell me people didn't do that, I did it myself).
I'm actually going to make the opposite counter-argument. I do think https is a great achievement but I also think we lost something with the additional complexity introduced in, what used to be, a fairly simple protocol with wide adoption. I don't think those were silly arguments to have had.
I think the problem is that people don't understand how to use passwords. They will reuse them among sites. They pick easily-guessable and low entropy ones. They will type them into any website that asks. The end result is that not much security is provided.
From the looks of it, neither do the authenticators. The capital letter + symbol + number requirement had led to the current predicament. Just asking for really long passwords would have been a lot better.
As it stands, people either use a predictable string of num-symbol to satisfy requirements or remember that one strong password,.which qualifies for all of the above.
Software like Lastpass are great, but I don't always have access to them. They also make all of my.online security have a single point of failure.
I think it would be a lot better if companies just changed password requirements to a decently large length eg: min 20.
This eliminates the likely hood of password like abc123, qwerty and the oh so lovely "password".
Long passwords plus a bad password check (https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...) might suffice. However, without that check, I suspect requiring special characters marginally improves entropy in practice.
The attacker doesn't know what I'm using for my password, so they have to attack all valid combinations up to the max length the server supports.
I don’t know exactly where the breakeven point is, but there is some point where a song lyric or other phrase provides less entropy than a relatively short password.
Bottom line: use a lot of random ascii characters(at least 14 or 16, or 4 random words) and you’re probably set. Use less, or a found phrase and it’s not good.
I think we’ve historically been shaped by classic Unix crypt() memories where something couldn’t easily be fixed without breaking compatibility even though that era is largely in the past.
My above comment about offline attacks was my personal stance/ideal: I use a password manager for just about everything, not something I’d mandate.
As a developer, in many contexts I might implement min 8 chars with no special char requirements. I think the bad password check is also a good idea.
But a sufficiently long password could literally just be 'a', repeated. Would that really be more secure?
Honestly if you want somebody to have a secure password, make it for them and e-mail it to 'em. Virtually no chance they are going to use it for anything else, and if somebody has their e-mail, they can recreate one anyway.
It's much easier to remember a 40 character passphrase of real words than a 12 character password of random symbols including punctuation
But also missing the point. It just has to be better than the usual 8 + some punctuation at the end that most people resort to when faced with these shitty, asinine password rules.
I think there are probably less than 10,000 words that people would choose for their password, and that people use capital letters... maybe, but don't use 12 character passwords (8 more reasonable) so it could really go either way.
They do understand it. They just trade security for laziness.
The vast majority of the time, for the vast majority of people, it never results in any issue at all. And solve plenty of their problems.
I've tried educating non-technical friends and family about insecure passwords and how random long strings are more secure. Their responses are:
1. "I can't remember that password! / I don't want to type that!"
2. "I'm a nobody, hackers wouldn't be interested in me. My account has no interesting data." [explanations about botnets doing damage to others go way over their heads]
3. "If someone REALLY wants to hack me then I can't stop them anyway."
They think that the inconveniences of secure password practices are not worth it.
I don't think a password manager will solve it for them. Especially older family members are "afraid of technology" - they are constantly worried that they will break something, and when something is written on the screen 9 out of 10 times they have no idea what it means. I have enough trouble explaining how copy-paste works — I don't think I can explain them what a password manager is, or how to keep in in sync across their devices, let alone convincing them to pay for such a thing.
I've tried the low-tech way. Advising them to use XKCD-style password and writing them down on paper. The result: they keep passwords over multiple pieces of paper/notebooks and they always lose them.
I've resorted to PMaaS — Password Management as a Service. In other words: I dictate what passwords they use, and I manage it for them in my password manager. Their login method is to call me to retrieve their login credentials.
And they're probably right from their own perspective.
Nice try though. I'd recommend an actual password manager instead. Authenticated with biometrics and a simpler local password.
Your service does the same, using voice and phone number as biometrics. (Perhaps with recovery question.)
Feel free to replace it with sufficiently advanced AI.
The "I'll manage all your passwords for you" is the only solution that actually works. The ONLY other alternative is that they use 123456 as password everywhere. I already explained why I can't get them to use a password manager.
When you visit, you can write those passwords down in your password manager. This way if the book goes missing or there is a disaster, you have a backup.
Though it's also quite likely a lot of users don't even remember their passwords at all now and just use password reset every time they want to log in.
I guess what I'm asking is this: can someone walk me through the attack scenario? I don't really get it.
1. Mallory enters Alice's username and a random password
2. Website sends back Alice's plaintext password to be checked client side
3. Mallory inspects network traffic and retrieves Alice's plaintext password
It's also bad if the hash is sent back; now Mallory can run all sorts of attacks on the hash itself without worrying about rate limits or any other protection the site operator could implement.
i.e. the server sends the (plaintext or hashed) password to the client, and the client verifies it locally.
Edit: the original commenter replied as a sibling to you: https://news.ycombinator.com/item?id=18382949
As I recall, it did send you the plaintext password too, of course.
> I'm referring to passwordless solutions that involves things like QR codes, pictorial representations, 3rd party mobile apps, dedicated hardware devices or "magic" links sent via email.
I'm not entirely sure the argument holds for the magic links sent via email. To me, those feel like lower friction that entering a password. Because all of a sudden, users don't have to remember their password.
For any company considering this, I'd suggest looking at how often the 'forgot my password please send me an email' feature is used. I know that, before I had a password manager, there were accounts where I simply never remembered my password. I had to use them like once every month, and it was easier to just get the password reset link.
Now consider how much easier a 'click here and be logged in' link is than a password reset system. This only really gives friction for those few people who aren't always connected to their e-mail system.
On account creation, this system is even better. All a user needs to enter is their e-mail address. No more needing to enter a password (twice!). No more dealing with password requirements.
"magic" e-mail links feel like they really could be a password killer in terms of lower friction.
However, it isn't clear at all that "magic" e-mail links are more secure than passwords. I'd guess that, given enough adoption, they'd develop some issues.
So then you need to open the link in the same browser you want to use. But what if you want to log in on a desktop browser and only have your email on your phone?
Maybe have the magic link show a couple letters you need to type into the browser?
I gave it some thought, and that seems to be solvable. Have the link go to a 'confirm' page, where the confirm button performs a post request.
If security scanning software is randomly hitting post requests, that is just totally ridiculous.
What seems a lot more scary to me is the plaintext nature of e-mail. Even SMTP over TLS doesn't keep any end-points from reading your email, and I'm guessing there is a small but significant set of people who'se email providers don't run TLS.
Besides, if someone can recognize that any request is underway for a login, they might intercept it and send a phishing fake.
We're oriented around mobile use cases. Admittedly less ideal if you don't have your email on your desktop. But ultimately, if all else fails, you can always log into your webmail.
For me the key thing is that it doesn't rely on users having any particular knowledge or understanding best practices - they just need to hit the big green button. Sure people are more used to passwords, but that doesn't mean the usability of magic links isn't still better despite them being much less common.
Normal people are so bad at dealing with passwords. They reuse them, they forget them, they write them down on text files on their computer. Almost anything is better if your userbase isn't primarily technically adept people.
And frankly most popular email providers are pretty good at keeping the accounts secure. Likely much better than anything homegrown we could do. Especially given the fact that you'll just end up having password resets via email anyway.
Writing them down in a textfile on the computer might not even be that bad _if_ they, as a consequence, are not or less reused.
Webmail is always a decent backup option though, so doesn't give me too much concern in terms of people getting stuck. But may be a little less seamless, particularly if they're using a shared/public computer. That scenario throws password managers out of the window too though.
Seems like both in combo could be a nice solution, but I'm sure we'll just start getting support requests from people whose password doesn't work because they never set one...
Not that I think about it.. it's kinda suspicious that no one has asked for it in all this time. Hmm..
I'm not sure the size of this population is well understood to be able to label them as "few" - it may be few for a given set of services, but may be many for a different set of services.
I think that for an average, not computer-loving type of person, a hardware key is the best solution. You don't need to remember anything: just insert the key and press the button.
Why aren't they popular? I think because they are not a standard and are not built in. You don't get a free key when buying a laptop or a smartphone and that's the main reason why nobody is using them.
But there already are applications that don't use passwords. For example, Telegram (IM application): when you install it you only have to enter your phone number, it sends the code in SMS, the app reads the code without user's interaction, and authenticates the device. No passwords, no need to remember anything. I don't like this (it is not convenient for those who use a burner phone number for registration), but for a more typical user it is convenient and doesn't require them to remember anything.
I think we will see more passwordsless authentication in the future.
So, I would argue, while anyone can type in some staff, how to make it secure is rare knowledge almost no one has. So, is it, really "everyone knows how it works"? Or just everyone repeating their not quite secure passwords to make machine happy without any understanding of consequences
The truth you describe doesn't mean that we should convince people to use passwords correctly, rather that passwords aren't the best security medium for humans. It's unreasonable for people to be expected to craft highly secure, brand new passwords each time they need one, and also expect it to be stored in long-term memory. That process is simply out of scope for most humans.
So then, how do we make this easier without compromising security?
1) Using passwords properly is an exceptionally powerful way of protecting your account/data/etc. If you use strong, unique passwords and store in a password manager (with the PW database encrypted, of course), it's virtually impossible to break into anything on the user side of things. You might be able to gain access via the server/business side depending on the hack you are pulling off, but that's on the company rather than the user. For instance, I do personally have my passwords stored in a password manager with an encrypted database. They're all unique and strong, as is the password used to access the password database. That password exists only in my mind. It's not written down anywhere or stored in some file on any computer. It's not physically printed out on paper or anything like that. It literally only exists in my head. And given its complexity and length, there is effectively nothing that will be able to break it in any reasonable amount of time. The government also can't force it from me as they could with other methods like 2FA, QR codes, fingerprints, etc. due to 1st amendment issues. Basically, short of getting me to log in from a compromised (i.e. keylogged) device (highly unlikely) or torturing me for the info, there's no way of getting it. And if you're willing to torture me for it - ok, you win then.
2) From a technical point - basically every device we would use to log into anything has either a keyboard (whether physical or on-screen) or some sort of keypad (again, physical or on-screen). This makes for universal compatibility. If people need to have special QR-code scanning/creation software installed on a device, or fingerprint-reading hardware - that creates a non-trivial barrier to the device compatible with the login process.
You aren't talking about passwords the same way everyone else here, especially TFA, is talking about passwords. You might as well be talking about RSA keys at this point.
Doesn't that mean that anyone who can read the input stream from your keyboard can decrypt all your passwords?
I mean, I use a password manager because it's the least-shitty way I can think of to not reuse passwords, but to me it's a matter of when and not if some bad guy manages to insert malware into the password manager code and get all the passwords.
Passwords are easy to change and while they can be copied, that would be the result of the user or the login software doing something stupid. Not something wrong with concept of the password login itself.
IMO those systems can be used to make the login more secure but replacing password all together not so much.
Actually... When you log on with a password today, an Identity Provider like Google or Microsoft typically issues you a "ticket granting ticket" (TGT) which you can use to get more tickets. The TGT is stored in a cookie on the web or in the OS. This TGT is something that be can copied. So, today, when you log on, you provide your password to get something that can be copied that you then use to log on to various services. Point being, something that can be copied is in the flow anyway, so switching from password to something that can be copied and revoked is only an improvement.
The ticket or cookie or what ever is just used to signify to the system that you are authenticated as user x and specific to http because it is stateless. So an implementation detail and not part of the authentication concept.
I meant cookies here as data that lives in the browser forever or until the user requests a new one just using that cookie alone. And removing that cookie results in locking that account forever.
Biometrics is unsafe by design because our body can change outside our control and our body is public enough and unchangeable enough to be a REALLY unsafe authentication system for anything but human being interacting together.
External other-factor auths like OTP, side verification, port-knocking, ... are good, but they still need a password somewhere in the chain.
So no, it's not only a matter of reactionary users not willing to change but also a matter of rational safety reasoning.
They're stealing destructive hashes of those things.
It'd be like having someone sketch a stick figure version of you, and then you claim your identity was stolen.
No, it wasn't. Stick figure drawings only work in stick figure readers.
And we can go up, even imaging quick DNA scanner, quick enough and smart, it does not change that much, your DNA can be grabbed around you in many way.
The essential point is simple: using your body means using an exposed key, using a password means using your brain that it's far harder to "expose". Also passwords are trivial enough, you can even check your keyboard for builtin keylogger, protect your environment from camera, microphone (phone/audio analyze to determine key's you press) etc. Try to hw check a biometric system and well... Good luck.
Yes, vendor lock-in is an issue; and I hope eventually there'll be a way to sync credentials across browsers. But keep in mind that, even as things are now, it only locks you to a specific browser, not to a specific OS.
I know a ton of people who use Chrome on non-mobile and Safari on mobile.
Even if Firefox "encrypts" before syncing, they must decrypt in order to provide the clear text password from another browser, no? They don't send "blobs of bytes" to password form entries.
Also note that the transportation mechanism is pretty weak. If the URL is passed over HTTPS, then that keeps your ISP from seeing it, however it can still show up in logs on the server side or the client side, in your history. A URL will be remembered or even cached by your browser, whereas a regular password won't, unless you explicitly allow it.
A regular authentication mechanism doesn't necessarily suffer from these weaknesses. Consider that you can derive the server-side password, like a client-side hash which may even be time dependent, such that the actual password is never sent to the server. You can implement systems in which the password you know is never sent over the wire.
Basically a randomized URL is semi-public and you need to treat it as such.
There aren’t many alternatives to classic authentication mechanisms around. The only one I can think of is having authentication links emailed to you, but that’s also less secure and it simply defers the problem to a third-party.
If its the latter, then how do you protect the link from other uses of this system? Encryption? And how are you encrypting something? Password? If you do it via a keyfile then how do you protect the keyfile? If you do it via a hardware token, how do you prevent other people from stealing and using it?
However in addition to creating issues with the secure storage of the password... I don’t think people would be able to use it reliably.
Still, some banks still seem to use the “enter the Nth letter of your password” scheme” which seems almostly equally unworkable...
I wonder if there is a hashing scheme that would work with some kind of ambiguous entry... I.e. “is the 3rd digit between 5 and 10”.
If you could confirm certain properties of a password/pin from its hash...
That is not to say that it's very likely, because it's not.
> Despite it's many flaws, the one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone.
This is (mostly) true, however, there is already evidence that new technology could kill the password indeed. What I am talking about is modern phones which all come with a fingerprint scan or facial recognition which, from my own limited experience and my own observations, has mostly killed of the "passcode" on the phone. Yes our phones still make us pick a passcode, but unless forced to use it nobody does anymore. Even my technology incompetent mother uses the fingerprint scan to log into her phone and I don't see why something similar couldn't replace the current experience of her having to type an insecure password into her hotmail all the time.
Biometrics is essentially putting a massively complex system in front of your password input, that lets the device read the password off your body, but the consequences are a) you now can't ever change your password, and b) there's this massively complex system in front of (now hidden) password form, and complexity means unreliability and exploitable holes.
The reason it seems to be working in phones and in laptops is just because the protected systems - personal computing devices of random members of general population - are of low importance, so it's unlikely an attacker is going to bother, whereas the convenience benefits are substantial.
Even if it’s flawless, which is impossible, with biometrics you can easily be coerced into giving access without effort, whereas we haven’t invented a mind reader yet.
In other words I can easily imagine kids gaining access to a credit card via fingerprints or facial recognition, while their parents are sleeping ;-)
I wanted to write about law enforcement agencies, but this is so easy that your kids can do it.
Kids, or partners. There even was this funny video making rounds around the Internet couple years back.
The point about coercion is good too.
 - https://www.youtube.com/watch?v=fawPebE75xA
username/password split an unique/secure identifier in a unique part and a (supposedly) secure part. biometrics are that pair together.
Sure, they get used in some applications as a "password" because it's "cool" but it's fair to say biometrics is public information so while many biometric services do their best to avoid being spoofed, they're really more akin to a user name.
I'd also like to point out that fingerprint scanners don't work if you need to use then when you've just gotten out of the bath / been swimming. If something is going to replace passwords then I'd want to be damn sure I can use it 100% of the time I need to (baring when I personally fuck up - eg forgetting my password).
A cross-browser, cross-platform implementation with synced credentials will solve the one remaining usability issue WebAuthn has; the need for users to register every device with the site they want to sign up on. It's not acceptable for users to sign up on their PCs and then have to jump through a bunch of hoops to sign in on their phones; and bootstrapping with passwords eliminates many of the benefits of Web Authn.
Implementations from major companies will solve the chicken-egg problem that Troy mentions. Once the system is commonplace, smaller sites will be less hesitant to jump on board with an authentication solution that's different from the password-based one that users are used to.
Heck almost 20 years ago Nortel had something better than what you described, and still we have passwords around.
Everything old is new again, today we are solving passwords with X, tomorrow with Y, etc.
Whatever it was Nortel had, I highly doubt it was as usable or ubiquitous as what WebAuthn already is.
I can't find any user examples that don't mention a phone or yubikey or whatever.
I feel like every argument against password managers, uses the worst possible implementation as their basis for how they work.
For most people it's completely redundant because the passwords database is also "something you have". But it leads to some nice possibilities.
Amazon handled this great when I set up Prime Video streaming on my Sony Blu-Ray player. I don't remember the exact sequence because it was 8 years ago, but it was something like this:
1. Go to Amazon on my computer, log in, and tell them I'm trying to set up a new device for Prime Video streaming. They ask me for the make and model and serial number, which was available on the device in the Prime Video app.
2. Amazon gives me an integer. I don't remember the length, but I'm pretty sure it was in the 4-6 digit range.
3. On the Blu-Ray player, give that integer to the Amazon Prime Video app, and it completes the setup.
What if the password manager were in charge of logging you in _directly_, through some new protocol between browsers and PW managers? How could that _possibly_ be more friction? It would be strictly less. Hell, it could be done without even informing the user that this new feature was being rolled out, and they sure as hell wouldn't complain about inconvenience because of a step removed from the login process.
Asking people to deal with more and more and longer and longer passwords is a usability nightmare. It's a absurdity.
And I'd assert that password managers haven't exactly taken off; I'd be curious about their numbers, but the dozen or so people I know who use one are all software engineers. Also, they don't really replace passwords - they're based on them!
Password managers are a separate program that (some) people are willing to use as part of their login process. Perhaps whatever adoption it has is based on the fact that people understand passwords. But once they're used to using a program to log them in, I'd argue that's a potential hook into something more secure. Even something as simple as the API I described would mitigate (I'll stop short of saying eliminate) phishing attacks.
"2fa" as traditionally thought of is a bit of a detour though - what's more important is strong authentication, with passwords being worst and a UAF key being best for now. Authenticator apps satisfy 2FA with a single authentication, but that freaks out plenty of smart people (phone PIN lock + device bound cert = something you know/are + you have) - purely due to years of training that 2FA means 2 authentication.
2FA doesn't try to replace passwords.
I fully agree with you, but an anecdote.
I find long password to be easy to remember if they are just long lower case strings instead of having wierd symbol-number combinations.
FYI, this is exactly what WebAuthn is. The standard was just finalized in August. All we need now is some implementations.
Use at least one upper case letter and symbol
Use a password that is at least 20 characters long
Passwords are fine, it's the differing standards that are nutty. Especially when you don't know them until after trying.
To your point though: the most bothersome constraint put on passwords by applications and web sites are limits such as restricting certain special characters (To what end? You're going to hash it anyway, so why limit my special characters? You are going to hash it, right?) and limiting password length to something surprisingly short like 16 characters.
But I totally agree with your point about limiting special characters and length.
Email already is the single point of failure, password resets.
People are already used to looking at their email, account verification etc.
People are already used to looking at their email after signing in, 2nd factor with email exists on some sites.
Downsides are that they might be scanned by security software and visited, but surely that's also a problem for verification links? I can't imagine that people would appreciate accounts being automatically verified...
All other reasons I can think of indicate a problem with password resets as well, which also gives access to the account anyway.
I have two-factor authentication for email, cloud storage, and banking. For everything else just give me convenience over security, please.
A big thread:
This problem is ubiquitous to all of tech, pretty much. It's particularly iconic to FOSS grognards like Richard Stallman. Software that respects people's rights is fantastic, and we need more of it, but if you're not making that software usable then you're wasting your time.
If this were adopted industry-wide (a big ask, I know) then users would be able to use the familiar "enter username and password" system while being protected from common mistakes/misjudgments.
This kind of friction is exactly what troy is talking about.
I agree that the business makes the decision, growth is the top priority and friction reduces growth, but in reality this is how most of the world already works. If you rent a hotel room you don't get to provide your own key and if you lose their key then you must prove who you are to get another one issued.
In the end there must be some compromise between growth and responsibility. If a company cannot grow responsibly then we end up with Facebook all over again.
There is significant friction involved in memorizing a long password. So no, it's not "how most of the world already works".
I guess a more direct example would be an employer trusting you with the combination of a safe. You would need to remember the combination which presumably would be changed periodically.
The point I think I'm trying to make is that it's rare for a business to leave the responsibility on the consumer to secure the property of that business whether it's access to a server, a hotel room, or a safe.
A better example would be a safe deposit box or storage unit with a combination. Where you are accessing your account so to speak. There you can pick the combination yourself in most cases.
But it is frictionless for the user. The entire point of the article is that trading friction for security isn't going to happen in most businesses.
or it would force them to click "reset my password" every time they use your service. now your service is only as secure as their email account.
Surely that was already true?
A password manager on the other hand is just a place to store credentials. Credentials is a concept that most people understand. A password manager in this context could be as simple as a text file on your desktop (not a great idea), or the one included with your browser (a little better, but make sure you set a master password), but if you want more features there are more sophisticated options available.
Coupling authentication with encryption has its place, but I would think that it would work better when accessing a service through an app rather than a browser since the app publisher can create unique a key pair and sign the certificate with their own CA and use that for authentication, but in the context of a web app accessed through the browser copy-and-paste beats having to configure your client certificate per domain at least from a "user friction" point of view.
Which might be an improvement or might not.
All issues with reused passwords, password strength, hashing passwords with slow hashes, etc. instantly solved.
Also improves conversion rate since there's no risk the user gives up signing up because he can't be bothered to think about or generate a password.
Sure, but there's considerable risk of the user giving up signing up because they can't be bothered with memorizing a random password and want to set their own like every other service allows them.
When they need to change devices, have the standard e-mail based password reset as well as "show password" in the account settings (make the password reset not reset login, unless the user explicitly elects to "log me out on all devices").
You should not be able to do that if you're doing security properly. If you can show the password it means you're not hashing it properly and instead storing it as plaintext
2. You can encrypt the passwords with a key outside of the database instead of hashing them. That means that people can now login with a read-only compromise of both your app and the database, but chances are that such a compromise would be a full compromise anyway.
3. You can also not show them the current password, but instead generate another one and have them both be valid (until explicitly revoked)
What if I don't have my phone to scan a qr-code? What if I want to use a minimalistic browser that doesn't implement a key pair store and I don't want to or can't set up one external? What if my minimal browser is text only? What if I'm on another device and don't have my stuff on there?
I will pretty much always be able to enter a string of characters. To quote the unix phillosphy:
Text is the universal interface.