[Cryptography] Cost of remembering a password

Michael Kjörling michael at kjorling.se
Sat Aug 16 14:07:04 EDT 2014


On 16 Aug 2014 12:35 -0400, from leichter at lrw.com (Jerry Leichter):
> There are pluses and minuses to this.  For most people, letting
> Safari (well, the Keychain application with which it's integrated)
> generate and save passwords would probably lead to a huge leap in
> security.  But I don't like that anyone who has momentary access to
> my unlocked laptop *also* has access to all my Web logins.

That, to me, sounds like a design matter, which would be easy to
design out of the question entirely if the desire to do so is there.

One could _for example_ require the master passphrase to be entered
before the passwords can be accessed or used other than on the sites
they are connected to, along with timing out sessions to the password
manager after a reasonable, perhaps configurable amount of time (with
the ability to time out the session immediately without affecting
anything else) forcing entry of the master passphrase before any
logins can be accessed.

Hardly rocket science. (And rocket science isn't that hard.)

The key would be to reduce what the user needs to remember to,
ideally, a single passphrase, rather than dozens of passwords or more;
and then integrate support for that everywhere (by allowing easy
access to it on password entry fields).

-- 
Michael Kjörling • https://michael.kjorling.se • michael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)
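The session policy sketched in the message above (site-bound autofill while a session is open, the master passphrase demanded again for any other use of a stored password, a configurable idle timeout, and an immediate lock) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the original post, from Safari or from Keychain. All names (`Vault`, `VaultSession`, `fill`, `reveal`) are hypothetical, PBKDF2-HMAC-SHA256 stands in for whatever key derivation a real manager uses, the credentials are constructed sample data, and the vault holds entries in plaintext so the example can stay focused on the gating logic rather than on storage encryption.

```python
"""Added example: password-manager session policy (hypothetical names, not a real product)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

PBKDF2_ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 as a stand-in; a memory-hard KDF would be preferable


class VaultLocked(Exception):
    """Raised when a credential is requested and the master passphrase has not been supplied."""


def derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32)


def origin_of(url: str) -> str:
    """Normalise a URL to scheme://host[:port]. A credential is bound to exactly this string,
    so https://bank.example and https://bank.example.evil.test are different origins."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    default_port = {"https": 443, "http": 80}[parts.scheme]
    port = parts.port if parts.port not in (None, default_port) else None
    return f"{parts.scheme}://{parts.hostname.lower()}" + (f":{port}" if port is not None else "")


@dataclass
class Vault:
    salt: bytes
    verifier: bytes  # HMAC(key, "verifier"), used only to check the passphrase in constant time
    entries: dict    # origin -> (username, password); plaintext here to keep the example short


def create_vault(passphrase: str, credentials: dict) -> Vault:
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    verifier = hmac.new(key, b"verifier", hashlib.sha256).digest()
    return Vault(salt, verifier, {origin_of(url): cred for url, cred in credentials.items()})


class VaultSession:
    """Gatekeeper between the vault and the browser."""

    def __init__(self, vault: Vault, timeout_s: float = 300.0, clock=time.monotonic):
        self.vault = vault
        self.timeout_s = timeout_s  # the "reasonable, perhaps configurable" idle timeout
        self.clock = clock          # injectable so the timeout is testable without sleeping
        self._expires_at = None

    def _check_passphrase(self, passphrase: str) -> bool:
        key = derive_key(passphrase, self.vault.salt)
        candidate = hmac.new(key, b"verifier", hashlib.sha256).digest()
        return hmac.compare_digest(candidate, self.vault.verifier)

    def unlock(self, passphrase: str) -> bool:
        if not self._check_passphrase(passphrase):
            return False
        self._expires_at = self.clock() + self.timeout_s
        return True

    def lock(self) -> None:
        """Immediate lock: only the session ends; nothing else about the browser is touched."""
        self._expires_at = None

    def is_unlocked(self) -> bool:
        return self._expires_at is not None and self.clock() < self._expires_at

    def fill(self, page_url: str):
        """Autofill into the page's own origin. Allowed while unlocked; a page never receives a
        credential bound to another origin, so a lookalike host gets None."""
        if not self.is_unlocked():
            raise VaultLocked("master passphrase required")
        return self.vault.entries.get(origin_of(page_url))

    def reveal(self, url: str, passphrase: str):
        """Any use other than filling the bound site (show, copy, export) needs the passphrase
        again, regardless of whether a session is currently open."""
        if not self._check_passphrase(passphrase):
            raise VaultLocked("master passphrase required")
        return self.vault.entries.get(origin_of(url))


def demo() -> dict:
    """Walk through the policy on constructed sample data and return what each step yielded."""
    vault = create_vault("correct horse battery staple", {
        "https://bank.example/login": ("alice", "p4ss-bank"),          # constructed
        "https://mail.example": ("alice@mail.example", "p4ss-mail"),   # constructed
    })
    now = [1000.0]
    session = VaultSession(vault, timeout_s=60, clock=lambda: now[0])

    def attempt(fn):
        try:
            return fn()
        except VaultLocked:
            return "locked"

    out = {}
    out["fill_while_locked"] = attempt(lambda: session.fill("https://bank.example/"))
    out["bad_passphrase"] = session.unlock("wrong")
    out["good_passphrase"] = session.unlock("correct horse battery staple")
    out["fill_bank"] = session.fill("https://bank.example/account")
    out["fill_lookalike"] = session.fill("https://bank.example.evil.test/")
    out["reveal_without_passphrase"] = attempt(lambda: session.reveal("https://bank.example", "wrong"))
    now[0] += 61  # idle past the timeout
    out["fill_after_timeout"] = attempt(lambda: session.fill("https://bank.example/"))
    session.unlock("correct horse battery staple")
    session.lock()  # the "time out immediately" control
    out["fill_after_lock"] = attempt(lambda: session.fill("https://bank.example/"))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:26s} -> {result}")
```

The two access paths are deliberately asymmetric: `fill` trusts the open session but only for the exact origin the credential was saved against, while `reveal` ignores the session and re-checks the passphrase every time, which is what keeps someone with momentary access to an unlocked laptop from reading the whole vault.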

