[Cryptography] Passwords are dying - get over it

Bill Frantz frantz at pwpconsult.com
Mon Dec 23 12:36:12 EST 2013


On 12/23/13 at 10:53 PM, waywardgeek at gmail.com (Bill Cox) wrote:

>Sounds good, but what's the alternative?  It scares me to have a key ring
>decrypt all my passwords at once, and just hang around in memory.  The
>closed-source password safes are a non-starter, IMO.  I agree the password
>situation sucks.  I'm not very familiar with alternatives.  What do you
>suggest?

I suggest a signature scheme which operates automatically. Each 
user has a private key which is kept secure using the normal 
technologies. There is no magic here, and there is no 
improvement over the current practices of keeping private keys 
in TPMs, dongles, files, password encrypted files etc.

I'll use web site login as an example, because it is common and 
a necessary authentication problem to solve. There are several 
directions one could go, and they aren't mutually exclusive, 
although a single web site would probably use only one of them.

     * The private key can be used with a client-side cert and
     TLS. This solution could provide automatic login, which is
     easier for the user than entering a username and password.

     * The web page site can do authentication at the HTTP level
     by offering a nonce to which the client adds another nonce
     and signs both of them. This solution can be coded to
     transparently revert to user name + password as a migration
     strategy.

     * etc.

One thing to remember: don't let the impossible best be the 
enemy of the better. Keeping secrets from well-funded attackers 
with direct access to all the user's hardware is an unsolved 
problem. Don't throw out improved resistance to attacks such as 
cross-site password guessing and low entropy secrets because the 
solution doesn't solve a problem that passwords can't solve either.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | When it comes to the world     | Periwinkle
(408)356-8506      | around us, is there any choice | 16345 Englewood Ave
www.pwpconsult.com | but to explore? - Lisa Randall | Los Gatos, CA 95032
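The second option above (server nonce, client nonce, one signature over both), as an added example that is not part of Bill's message or any project he names. It assumes Ed25519 from Go's standard library, a fixed "login-v1:" domain-separation prefix, and an in-memory table of outstanding server nonces so that each challenge can be answered exactly once; the single-use bookkeeping is the part the post leaves implicit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

const nonceLen = 32 // fixed-length nonces keep the signed concatenation unambiguous
// Server-side state: each user's registered public key, and the challenge
// nonces issued but not yet answered (each may be answered exactly once).
var (
	Keys    = map[string]ed25519.PublicKey{}
	pending = map[string]bool{}
)

func randNonce() []byte {
	n := make([]byte, nonceLen)
	if _, err := rand.Read(n); err != nil {
		panic(err) // no usable entropy: refuse to proceed
	}
	return n
}

// Challenge is the server's first message: a fresh nonce, recorded as outstanding.
func Challenge() []byte {
	n := randNonce()
	pending[string(n)] = true
	return n
}

// signedMessage is the exact byte string the client signs and the server verifies.
func signedMessage(serverNonce, clientNonce []byte) []byte {
	return append(append([]byte("login-v1:"), serverNonce...), clientNonce...)
}

// ClientRespond is the client's reply: its own nonce plus a signature over both.
func ClientRespond(sk ed25519.PrivateKey, serverNonce []byte) (clientNonce, sig []byte) {
	clientNonce = randNonce()
	return clientNonce, ed25519.Sign(sk, signedMessage(serverNonce, clientNonce))
}

// Verify consumes the server nonce first (so a second answer to it is a replay,
// whatever else is wrong), then checks the signature against the registered key.
func Verify(user string, serverNonce, clientNonce, sig []byte) error {
	if !pending[string(serverNonce)] {
		return errors.New("unknown or already used server nonce")
	}
	delete(pending, string(serverNonce))
	pk, ok := Keys[user]
	if !ok || len(clientNonce) != nonceLen || !ed25519.Verify(pk, signedMessage(serverNonce, clientNonce), sig) {
		return errors.New("unknown user, malformed client nonce or bad signature")
	}
	return nil
}
```

A real deployment would also expire outstanding nonces after a short window and bind the signed message to the site's origin, neither of which this sketch does.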
