[Cryptography] Passwords are dying - get over it
Bill Frantz
frantz at pwpconsult.com
Mon Dec 23 12:36:12 EST 2013
On 12/23/13 at 10:53 PM, waywardgeek at gmail.com (Bill Cox) wrote:
>Sounds good, but what's the alternative? It scares me to have a key ring
>decrypt all my passwords at once, and just hang around in memory. The
>closed-source password safes are a non-starter, IMO. I agree the password
>situation sucks. I'm not very familiar with alternatives. What do you
>suggest?
I suggest a signature scheme which operates automatically. Each
user has a private key which is kept secure using the normal
technologies. There is no magic here, and there is no
improvement over the current practices of keeping private keys
in TPMs, dongles, files, password encrypted files etc.
I'll use web site login as an example, because it is common and
a necessary authentication problem to solve. There are several
directions one could go, and they aren't mutually exclusive,
although a single web site would probably use only one of them.
* The private key can be used with a client-side cert and
TLS. This solution could provide automatic login, which is
easier for the user than entering a username and password.
* The web site can do authentication at the HTTP level
by offering a nonce to which the client adds another nonce
and signs both of them. This solution can be coded to
transparently revert to user name + password as a migration
strategy.
* etc.
One thing to remember: don't let the impossible best be the
enemy of the better. Keeping secrets from well-funded attackers
with direct access to all the user's hardware is an unsolved
problem. Don't throw out improved resistance to attacks such as
cross-site password guessing and low entropy secrets because the
solution doesn't solve a problem that passwords can't solve either.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz        | When it comes to the world      | Periwinkle
(408)356-8506      | around us, is there any choice  | 16345 Englewood Ave
www.pwpconsult.com | but to explore? - Lisa Randall  | Los Gatos, CA 95032
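The HTTP-level nonce exchange from the second bullet, as an added Go example that is not part of the original post: the site offers a nonce, the client adds its own nonce and signs both with an Ed25519 key, and the site verifies against the user's registered public key and refuses any nonce it did not issue or has already consumed. The type names, the 16-byte nonce length and the "login-v1|" context label are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

type Nonce [16]byte // 16 random bytes; the length is this example's assumption
type Response struct {
	ServerNonce, ClientNonce Nonce
	Sig                      []byte
}
// Server keeps each user's public key and the unused challenges it has issued,
// so a nonce is honoured once only (a real server would also expire them).
type Server struct {
	users       map[string]ed25519.PublicKey
	outstanding map[Nonce]string
}
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[Nonce]string{}} }
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }
// Offer issues a fresh server nonce bound to the user attempting to log in.
func (s *Server) Offer(user string) Nonce {
	var n Nonce
	rand.Read(n[:])
	s.outstanding[n] = user
	return n
}
func signedMessage(sn, cn Nonce) []byte {
	return append(append([]byte("login-v1|"), sn[:]...), cn[:]...)
}
// ClientAnswer adds the client's own nonce and signs both with the private key.
func ClientAnswer(priv ed25519.PrivateKey, sn Nonce) Response {
	r := Response{ServerNonce: sn}
	rand.Read(r.ClientNonce[:])
	r.Sig = ed25519.Sign(priv, signedMessage(r.ServerNonce, r.ClientNonce))
	return r
}
// Verify accepts only an unused nonce issued to this user plus a valid signature.
func (s *Server) Verify(user string, r Response) error {
	if s.outstanding[r.ServerNonce] != user {
		return errors.New("nonce unknown, expired, or already used")
	}
	delete(s.outstanding, r.ServerNonce) // consume it before checking the signature
	pub, ok := s.users[user]
	if !ok || !ed25519.Verify(pub, signedMessage(r.ServerNonce, r.ClientNonce), r.Sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

Because the signature covers the server's nonce, a captured answer is useless against a later challenge, and because the nonce is deleted before verification, the same answer cannot be replayed even against the challenge it was made for.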