Are passwords a necessary evil?

Whatever is on your mind, whether Lisp related or not.
Gopher
Posts: 18
Joined: Mon Nov 25, 2013 1:01 am

Are passwords a necessary evil?

Post by Gopher » Sat Mar 08, 2014 9:05 pm

The whole idea of passwords has really started to bug me lately. It's hard to pin down exactly why. They just seem too easy to choose poorly, too easy to forget, too easy to scam out of ignorant users. Just getting into someone's email gives you access to every password protected site they visit, and people often don't think too hard about email security. I've often declined to register for a site simply because I don't want to go through the trouble of thinking up a new username/password (even if you reuse them, it's still a chore), or declined to go back to a site because I've forgotten my password and don't want to go through the trouble of resetting it.

I've been trying to figure out an alternative to the whole username/password system for a long time now. Openid is the closest thing I've found to a solution. However, it comes with problems of its own. I didn't understand the documentation for the lisp implementation, so I went with a nodejs gateway, which complicates the project. Also, openid is really only designed for websites. The user needs to have a browser to access the vast majority of implementations, and I can imagine some contexts where one is not readily available.

Am I the only one frustrated by this?

Goheeca
Posts: 271
Joined: Thu May 10, 2012 12:54 pm

Re: Are passwords a necessary evil?

Post by Goheeca » Mon Mar 10, 2014 5:19 am

I was also frustrated. Now I'm quite comfortable with SuperGenPass. You don't need to remember tons of passwords and you don't have to keep any database of passwords.
cl-2dsyntax is my attempt to create a Python-like reader. My mirror of CLHS (and the dark themed version). Temporary mirrors of aforementioned: CLHS and a dark version.

Gopher
Posts: 18
Joined: Mon Nov 25, 2013 1:01 am

Re: Are passwords a necessary evil?

Post by Gopher » Mon Mar 10, 2014 12:57 pm

Password managers are nice, sure. I should really start using one.

However, I'm also thinking about this from a developer's perspective. There are all these technologies like one-time passwords, biometrics, public key encryption, and so many more that can provide so much more convenience and security to your users. As long as you're using static passwords, you have to waste resources on password recovery and account recovery for people who are phished. At least open-id allows users to find providers that accept alternate methods of authentication, but it only works for websites. And, it may be just me, but the protocol seems needlessly complicated.

I suppose one solution would be to have openid unlock a one-time password which you can plug into any application. But then the user would still need a browser each time they want to log in.

I've also given thought to using a chat program for authentication in this way.

Pixel_Outlaw
Posts: 43
Joined: Mon Aug 26, 2013 9:24 pm

Re: Are passwords a necessary evil?

Post by Pixel_Outlaw » Mon Mar 10, 2014 8:00 pm

You can always derive your own algorithm. :)
Then you use a single password for the "seed" value.

I'm highly against password fill in software in that it makes the forgetful completely stuck when they can't install the plugins on other people's computers. Not only this but they still own your passwords somewhere online.

Gopher
Posts: 18
Joined: Mon Nov 25, 2013 1:01 am

Re: Are passwords a necessary evil?

Post by Gopher » Mon Mar 10, 2014 9:47 pm

Yeah, I've thought of that before, too. Wouldn't really need to invent an algorithm, sha256 or something would be fine.

But again, I'm not just looking at this from a user's perspective. This is a problem for developers as well. You have to waste resources dealing with people forgetting their passwords (which compromises security even more) and having their accounts hacked. You lose potential users due to the tedium of having to create a user name and password on every site you visit, and possibly verify your email for recovery purposes. As developers, we really need to start exploring some alternatives.
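The "single seed password plus an algorithm" idea from the posts above, as an added example that is not part of any post in this thread and is not SuperGenPass's own algorithm. It swaps the bare SHA-256 pass for PBKDF2-HMAC-SHA256, so that one leaked site password does not allow cheap offline guessing of the seed; the function names, iteration count, alphabet and character policy are assumptions made for the example.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed alphabet)
ITERATIONS = 200_000  # assumed work factor; raise it as far as your hardware allows


def _encode(block: bytes, length: int) -> str:
    """Turn hash bytes into `length` base-62 digits drawn from ALPHABET."""
    n = int.from_bytes(block, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def _meets_policy(pw: str) -> bool:
    """Assumed site policy: at least one lowercase, one uppercase, one digit."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def site_password(master: str, domain: str, length: int = 16) -> str:
    """Derive a per-site password from one master secret; nothing is stored."""
    if not master or not domain:
        raise ValueError("master secret and domain are both required")
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    # The normalised domain is the salt, so every site gets an unrelated key.
    salt = domain.strip().lower().encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    counter = 0
    while True:
        # Deterministic retry: bump the counter until the policy is satisfied.
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        candidate = _encode(block, length)
        if _meets_policy(candidate):
            return candidate
        counter += 1
```

Because the output depends only on the master secret and the domain, changing the password for one site requires an extra input such as a per-site counter, which this example leaves out.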

Akira22

Re: Are passwords a necessary evil?

Post by Akira22 » Mon Sep 08, 2014 9:58 am

Goheeca wrote: I was also frustrated. Now I'm quite comfortable with SuperGenPass. You don't need to remember tons of passwords and you don't have to keep any database of passwords.
How do you get SuperGenPass? Actually, I learned that running the SuperGenPass applet in the browser runs it in the context of the website, which means any website that knows about SGP (or is otherwise checking for modifications on the page) can steal your master password?

Goheeca
Posts: 271
Joined: Thu May 10, 2012 12:54 pm

Re: Are passwords a necessary evil?

Post by Goheeca » Sat Sep 13, 2014 3:15 pm

SGP is a js script running locally. There are browsers' extensions/plugins for more convenient usability, I'd been using one before it got broken and now I got used to using that website (you can download it for offline use). I'm using an app in my smartphone too.

Akira22

Re: Are passwords a necessary evil?

Post by Akira22 » Mon Sep 15, 2014 3:39 am

This is best thanks
