LispForum

[Gopher]

The whole idea of passwords has really started to bug me lately. It's hard to pin down exactly why. They just seem to easy to choose poorly, too easy to forget, too easy to scam out of ignorant users. Just getting into someone's email gives you access to every password protected site they visit, and people often don't think too hard about email security. I've often declined to register for a site simply because I don't want to go through the trouble of thinking up a new username/password (even if you reuse them, it's still a chore), or declined to go back to a site because I've forgotten my password and don't want to go through the trouble of resetting it.

I've been trying to figure out an alternative to the whole username/password system for a long time now. Openid is the closest thing I've found to a solution. However, it comes with problems of its own. I didn't understand the documentation for the lisp implementation, so I went with a nodejs gateway, which complicates of the project. Also, openid is really only designed for websites. The user needs to have a browser to access the vast majority of implementations, and I can imagine some contexts where one is not readily availible.

Am I the only one frustrated by this?

[Goheeca]

I was also frustrated. Now I'm quite comfortable with SuperGenPass. You don't need to remember tons of passwords and you don't have to keep any database of passwords.

[Gopher]

Password managers are nice, sure. I should really start using one.

However, I'm also thinking about this from a developer's perspective. There are all these technologies like one-time passwords, biometrics, public key encryption, and so many more that can provide so much more convinience and security to your users. As long as you're using static passwords, you have to waste resources on password recovery and account recovery for people who are phished. At least open-id allows users to find providers that accept alternate methods of authentication, but it only works for websites. And, it may be just me, but the protocol seems needlessly complicated.

I suppose one solution would be to have openid unlock a one-time password which you can plug into any application. But then the user would still need a browser each time they want to log in.

I've also given thought to using a chat program for authentication in this way.

[Pixel_Outlaw]

You can always derive you own algorithm.
Then you use a single password for the "seed" value.

I'm highly against password fill in software in that it makes the forgetful completely stuck when they can't install the plugins on other people's computers. Not only this but they still own your passwords somewhere online.

[Gopher]

Yeah, I've thought of that before, too. Wouldn't really need to invent an algorithm, sha256 or something would be fine.

But again, I'm not just looking at this from a user's perspective. This is a problem for developers as well. You have to waste resources dealing with people forgetting their passwords (which compromises security even more) and having their accounts hacked. You lose potential users due to the tedium of having to create a user name and password on every site you visit, and possibly verify your email for recovery purposes. As developers, we really need to start exploring some alternatives.