[Cryptography] Cost of remembering a password

Jerry Leichter leichter at lrw.com
Sat Aug 16 12:35:39 EDT 2014


On Aug 16, 2014, at 7:38 AM, Michael Kjörling <michael at kjorling.se> wrote:
> ...All major web browsers for example have the ability to locally
> store passwords used (whether or not it's secure is a different
> matter and also depends a lot on the user's chosen master
> password/passphrase), but what is
> lacking is a _user friendly_, fully integrated, enabled by default
> means to automatically generate and store secure passwords, and with
> today's proliferation of different types of devices share passwords
> between e.g. a desktop computer, a smartphone and a tablet.
> 
> Then, ideally, when I view a sign-up form that asks for a password,
> the password field would have some sort of visible indication next to
> it that allows me to automatically generate and store a secure
> password for that particular web site....

Actually, recent versions of Safari do that.  When they recognize a password field on a page that they don't have a password stored for, they generate one and offer to save it for you.  If you share your keychains through iCloud, the generated passwords become accessible on all your Apple devices.  Doesn't help with non-Apple devices, though.

There are pluses and minuses to this.  For most people, letting Safari (well, the Keychain application with which it's integrated) generate and save passwords would probably lead to a huge leap in security.  But I don't like that anyone who has momentary access to my unlocked laptop *also* has access to all my Web logins.  It may be possible to move the automatically generated passwords to a secondary keychain which would not be unlocked on login.  (That's actually how I save passwords now - but I keep them under manual control.)

Right now, the offers to save passwords in a way I don't use are ... annoying.  Apple is providing a solution that probably helps most people, but I have to find a way to integrate it with my own workflows.

                                                        -- Jerry



