Solving password problems one at a time, Re: The password-reset paradox
Jerry Leichter
leichter at lrw.com
Sat May 9 07:33:21 EDT 2009
On May 8, 2009, at 3:39 PM, Ian G wrote:
>> The difficulty with client certs is that I need them to also work
>> on my
>> laptop. And my other laptop. And my phone.
>>
>> So, how do I get hold of them when I'm on the road?
>
> Good point. The difficulty with my passwords is that I have so many
> that are so long that I can only manage them on my laptop, and have
> to carry my laptop with me ...
>
> We can imagine all sorts of techie solutions to this, but it does
> appear that we are in a bit of a grey zone with auth at the moment,
> and the full solution might take a while to emerge. Try them all?

This is part of a broader UI issue.

I had a discussion with a guy at a company that was proposing to
create secure credit cards by embedding a chip in the card and
replacing some number of digits with an LCD display. The card would
generate a unique card number for you when needed. They actually had
the technology working - the card was pretty much indistinguishable
from any other. (Of course, how rugged it would be in typical
environments is another question - but they claimed they had a
solution.)

I pointed out that my wife knows one of her CC numbers by heart. She
regularly quotes it, both on phone calls and to web forms. The card
itself is buried in a thick wallet, which is buried in her pocketbook,
which is somewhere in the house - likely not near the phone or the
computer.

Hell, one of the nice things about on-line shopping is that I can do
it in my bathrobe - except that I *don't* know my CC by heart, so in
fact I tend to put off buying until later when I have my wallet with
me. (This does save me money....)

When I'm in a store, I'm used to having to have my CC with me, because
I always had to have the wallet with money anyway. At home, it's a
whole different story. In any case, merchants are trying to make the
in-store experience as simple as possible, pushing for things like
RFID credit cards and even fingerprint recognition.

So many people would see these "safer" cards as a big step backwards
in usability. Why would they want such a thing? The card companies
are trying to sell "safety", but in the US, where your liability is at
most $50 if your CC number is stolen (and where in practice it's $0),
the only cost you as an individual bear is the inconvenience of
replacing a card. Because replacements for security problems have
gotten so common, the CC companies have streamlined the process. It's
really no big deal. I've had CC numbers stolen a couple of times (by
means unknown); recently, two of my CC's were replaced by the
companies based on some information known only to them. In every
case, the process was very quick and painless. Hell, these days even
on-line continuing charges often update to the new number
automatically (though I've learned to keep track of those and check).

The person arguing for this claimed that CC companies could offer a
discount for users of the "secure" cards. But if you look at actual
loss rates - how much could you offer? (I'd guess it's about the same
as Discover offers: About a 1.5% rebate on most purchases. Not
enough to let Discover steal customers from Visa and MC. Given all
the other charges - and the absurdly high interest rates - on cards,
anything like this gets lost in the noise.)

Security that depends on people changing their habits in a way that is
inconvenient to them ... won't happen (unless you're in an environment
where you can *force* such changes).

-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com