Are passwords a necessary evil?

Posted: Sat Mar 08, 2014 9:05 pm
by Gopher
The whole idea of passwords has really started to bug me lately. It's hard to pin down exactly why. They just seem too easy to choose poorly, too easy to forget, too easy to scam out of ignorant users. Just getting into someone's email gives you access to every password-protected site they visit, and people often don't think too hard about email security. I've often declined to register for a site simply because I don't want to go through the trouble of thinking up a new username/password (even if you reuse them, it's still a chore), or declined to go back to a site because I've forgotten my password and don't want to go through the trouble of resetting it.

I've been trying to figure out an alternative to the whole username/password system for a long time now. OpenID is the closest thing I've found to a solution. However, it comes with problems of its own. I didn't understand the documentation for the lisp implementation, so I went with a nodejs gateway, which complicates the project. Also, OpenID is really only designed for websites. The user needs to have a browser to access the vast majority of implementations, and I can imagine some contexts where one is not readily available.

Am I the only one frustrated by this?

Re: Are passwords a necessary evil?

Posted: Mon Mar 10, 2014 5:19 am
by Goheeca
I was also frustrated. Now I'm quite comfortable with SuperGenPass. You don't need to remember tons of passwords and you don't have to keep any database of passwords.

Re: Are passwords a necessary evil?

Posted: Mon Mar 10, 2014 12:57 pm
by Gopher
Password managers are nice, sure. I should really start using one.

However, I'm also thinking about this from a developer's perspective. There are all these technologies like one-time passwords, biometrics, public key encryption, and so many more that can provide so much more convenience and security to your users. As long as you're using static passwords, you have to waste resources on password recovery and account recovery for people who are phished. At least open-id allows users to find providers that accept alternate methods of authentication, but it only works for websites. And, it may be just me, but the protocol seems needlessly complicated.

I suppose one solution would be to have openid unlock a one-time password which you can plug into any application. But then the user would still need a browser each time they want to log in.

I've also given thought to using a chat program for authentication in this way.

Re: Are passwords a necessary evil?

Posted: Mon Mar 10, 2014 8:00 pm
by Pixel_Outlaw
You can always derive your own algorithm. :)
Then you use a single password for the "seed" value.

I'm highly against password fill in software in that it makes the forgetful completely stuck when they can't install the plugins on other people's computers. Not only this but they still own your passwords somewhere online.

Re: Are passwords a necessary evil?

Posted: Mon Mar 10, 2014 9:47 pm
by Gopher
Yeah, I've thought of that before, too. Wouldn't really need to invent an algorithm, sha256 or something would be fine.

But again, I'm not just looking at this from a user's perspective. This is a problem for developers as well. You have to waste resources dealing with people forgetting their passwords (which compromises security even more) and having their accounts hacked. You lose potential users due to the tedium of having to create a user name and password on every site you visit, and possibly verify your email for recovery purposes. As developers, we really need to start exploring some alternatives.
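
Added example (not part of any post in this thread): the "single seed password" scheme discussed in the two posts above, written out as a per-site derivation. It assumes PBKDF2-HMAC-SHA256 instead of one plain SHA-256 pass, so that a site password leaked from one site does not allow cheap offline guessing of the master password; the iteration count, the `site#counter` salt format and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
ITERATIONS = 200_000                               # assumed work factor, tune for your hardware


def keystream(key: bytes):
    """Yield an unbounded byte stream: HMAC-SHA256(key, block counter)."""
    block = 0
    while True:
        yield from hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def meets_policy(pw: str) -> bool:
    """Typical site rule: at least one lower-case, one upper-case, one digit."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def derive_password(master: str, site: str, length: int = 16, counter: int = 1) -> str:
    if length < 3:
        raise ValueError("length must be at least 3 to fit all character classes")
    # Normalise so "Example.com" and "example.com" give the same password.
    # Bump `counter` to rotate one site's password without changing the master.
    salt = f"{site.strip().lower()}#{counter}".encode()
    # Slow KDF: each guess at the master costs ITERATIONS HMAC computations.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    chars = []
    for byte in keystream(key):
        if byte >= 248:          # 248 = 4 * 62; reject to avoid modulo bias
            continue
        chars.append(ALPHABET[byte % 62])
        if len(chars) == length:
            pw = "".join(chars)
            if meets_policy(pw):
                return pw
            chars.clear()        # deterministic retry with the next stream bytes


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials or real sites.
    for site in ("forum.example", "mail.example"):
        print(site, derive_password("correct horse battery staple", site))
```

Nothing is stored, so the same master password and site name reproduce the same password on any machine; the trade-off is that a compromised master password exposes every derived password at once.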

Re: Are passwords a necessary evil?

Posted: Mon Sep 08, 2014 9:58 am
by Akira22
Goheeca wrote: I was also frustrated. Now I'm quite comfortable with SuperGenPass. You don't need to remember tons of passwords and you don't have to keep any database of passwords.
How do you get SuperGenPass? Actually, I learned that running the SuperGenPass applet in the browser runs it in the context of the website, which means any website that knows about SGP (or is otherwise checking out modifications on the page) can steal your master password?

Re: Are passwords a necessary evil?

Posted: Sat Sep 13, 2014 3:15 pm
by Goheeca
SGP is a js script running locally. There are browsers' extensions/plugins for more convenient usability, I'd been using one before it got broken and now I got used to using that website (you can download it for offline use). I'm using an app in my smartphone too.

Re: Are passwords a necessary evil?

Posted: Mon Sep 15, 2014 3:39 am
by Akira22
This is best, thanks.