<div dir="ltr"><div class="gmail_default" style="font-family:garamond,serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">2014-08-16 13:38 GMT+02:00 Michael Kjörling <span dir="ltr"><<a href="mailto:michael@kjorling.se" target="_blank">michael@kjorling.se</a>></span>:</div>
<div class="gmail_quote"><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Then, ideally, when I view a sign-up form that asks for a password,<br>
the password field would have some sort of visible indication next to<br>
it that allows me to automatically generate and store a secure<br>
password for that particular web site. If there is no obvious<br>
connection between the sign-up and login forms, in the login form I'd<br>
be able to pick something along the lines of "for this site<br>
(<a href="http://login.example.com" target="_blank">login.example.com</a>), use the credentials previously used on<br>
<a href="http://signup.example.com" target="_blank">signup.example.com</a>", perhaps offering by default the FQDNs for which<br>
there are stored passwords which fall under the same second-level<br>
domain (with handling of those top-level domains which use an<br>
intermediate label to separate types of sites, as is the case for e.g.<br>
.uk, .nz, and a handful of others).<br>
<br>
A login form that currently looks like (Unicode and monospace font<br>
needed for these mockups to look reasonable):<br>
<br>
Username: [my-username ]<br>
Password: [••••••••••••••• ]<br>
[ ✔ Sign in ]<br>
<br>
could thus look a bit like the following, with the menu expanded:<br>
<br>
Username: [my-username ]<br>
Password: [••••••••••••••• ][⚙]<br>
[ ✔ Sign in ] ⬉<br>
| Use the password from <a href="http://signup.example.com" target="_blank">signup.example.com</a> |<br>
| Use the password from <a href="http://www.example.com" target="_blank">www.example.com</a> |<br>
|------------------------------------------|<br>
| Select among stored passwords... |<br>
| Generate a new password... |<br>
| Forget password on login.example.com... |<br>
`------------------------------------------'<br>
<br>
If that could be solved in a way that makes it easy to use even for<br>
novices, and perhaps even allowing integration with an external<br>
password manager for advanced users, I think we would already be _far_<br>
along the way toward at least encouraging people to use _different_<br>
passwords everywhere. And that, in itself, besides not requiring a<br>
total revamp of lots of sites' authentication logic, would be a huge<br>
win in practice.<br></blockquote><div><br></div><div class="gmail_default" style="font-family:garamond,serif">Instead of storing passwords on a per-site basis, what about a poor-mans hash-based hierarchy:</div><div class="gmail_default" style="font-family:garamond,serif">
<br></div><div class="gmail_default" style="font-family:garamond,serif">psk=PBKDF2(secret, "<a href="http://www.example.com">www.example.com</a>", i, n)</div><div class="gmail_default" style="font-family:garamond,serif">
q3key=PBKDF2(psk,PBKDF2(shared,"2014-q3", i, n)</div><div class="gmail_default" style="font-family:garamond,serif">password = BASE32(PBKDF2(q3key,"login", i, n))</div><div class="gmail_default" style="font-family:garamond,serif">
<br></div><div class="gmail_default" style="font-family:garamond,serif">Such a hierarchy could be the first step to more fine-grained authorization tokens. Fine-grained authorization tokens that could help in avoiding the problems with using credentials as means of delegation between people.<br>
</div><div class="gmail_default" style="font-family:garamond,serif"><br></div><div class="gmail_default" style="font-family:garamond,serif">contactskey = PBKDF2(q3key,"contacts", i, n)</div><div class="gmail_default" style="font-family:garamond,serif">
readonlycontactskey = PBKDF2(contactskey,"read-only", i, n)</div><div class="gmail_default" style="font-family:garamond,serif">supplierscontactinfocap = BASE32(PBKDF2(readonlycontactskey,"suppliers", i, n))</div>
<div class="gmail_default" style="font-family:garamond,serif"><br></div><div class="gmail_default" style="font-family:garamond,serif">So instead of: "Here are the credentials for my account, could you please contact all product X suppliers for a quote on a quantity of Y of product X", you would get: "Here is a sparsecap with the contact info for all our suppliers, could you please contact all product X suppliers for a quote on a quantity of Y of product X"</div>
<div class="gmail_default" style="font-family:garamond,serif"><br></div><div class="gmail_default" style="font-family:garamond,serif">If browser plugin and site builders could agree on such a scheme, you would have an amazing way to gain more usable security in the sense that you can promote delegation that with passwords currently is discouraged out of security considerations. So you either get considerably more work done with a negligible decrease in security or, and this is likely more common, you get significantly more security by not conflating delegation and abdication as happens when you share regular passwords.</div>
<div class="gmail_default" style="font-family:garamond,serif"><br></div><div class="gmail_default" style="font-family:garamond,serif"> </div><div class="gmail_default" style="font-family:garamond,serif"><br></div><div class="gmail_default" style="font-family:garamond,serif">
<br></div><div class="gmail_default" style="font-family:garamond,serif"><br></div><div class="gmail_default" style="font-family:garamond,serif"><br></div><div class="gmail_default" style="font-family:garamond,serif"><br></div>
</div></div></div>