[Cryptography] password fatigue; was: Lastpass
Thierry Moreau
thierry.moreau at connotech.com
Wed Jun 17 09:32:22 EDT 2015
Hi!
Thanks for this well-written review of a central issue.
On 06/17/15 02:37, John Denker wrote:
>
> 3c) The only way I can see to solve the password fatigue
> problem is to get web services to stop asking for a
> per-site password and instead use some sort of zero-
> knowledge authentication. Schemes for doing this have
> been known for a long time.
> https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol
I must admit I never studied the SRP protocol details. I looked at it
from time to time, however.
However, it may be significant that I never learned any *enrollment*
protocol companion for SRP. Let me ask the question in the perspective
of the present claim that larger SRP deployment is a good strategy for
using a single password for multiple sites.
Say Alice enrolled a dozen sites with a single password using SRP for
routine authentication. When enrolling with the next site, she worries:

a) is the local implementation supporting the enrollment procedure
trustworthy with respect to not disclosing my password to the next site?

b) if I'm unsure about question a), I will have to revoke my enrollments
with the already enrolled 12 sites ... hum ... the SRP designers must
have foreseen this, haven't they?

c) why has nobody taught me anything about SRP enrollment security?

(Obviously an enrollment protocol that discloses the password to the
site with the assumption that the site will delete it at the end of the
protocol is not an acceptable solution.)
> 4) Yes, securing your system is seriously hard. Of
> course that includes securing the subsystem that
> handles your zero-knowledge authentication.
I see only one direction, which is actually not present in the
marketplace. You need a separate system with limited functionality,
features-lean instead of features-rich, on which the end-user performs
the security-critical applications.
Regards,
- Thierry Moreau
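The enrollment step the post asks about, shown as an added illustration that is not part of Moreau's message or of the thread. In SRP-6a as specified in RFC 5054, the client derives a private value x from the salted password, computes the verifier v = g^x mod N, and sends only the identity, the salt and v; the password itself is never transmitted, and the server record holds only (I, s, v). The code below is a self-contained Python implementation of that enrollment plus one login exchange. SHA-256 as the hash and the reduced proof message M1 = H(A | B | K) are simplifications chosen here (RFC 2945 defines a richer M1); the group constant is assumed to be the 1024-bit group from RFC 5054 and should be copied from the RFC for any real use.

```python
"""SRP-6a enrollment and login in pure Python (hashlib/secrets/hmac only).

Added illustration, not code from the mailing-list post.  The group below
is assumed to be the RFC 5054 1024-bit group (verify against the RFC);
SHA-256 and the short proof message are simplifications made here.
"""
import hashlib
import hmac
import secrets

N_HEX = ("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
         "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
         "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
         "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3")
N = int(N_HEX, 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # byte length used for PAD()


def pad(x: int) -> bytes:
    """PAD(): fixed-width big-endian encoding, as RFC 5054 requires for hashing."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    """Hash a concatenation of byte strings and interpret it as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier, fixed by the group


def private_x(identity: str, password: str, salt: bytes) -> int:
    """x = H(s | H(I ':' P)); computed only on the client, never sent."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(identity: str, password: str):
    """Client side of enrollment.  The return value is exactly what goes to
    the server: (I, s, v).  The password does not appear in it."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(identity, password, salt), N)
    return identity, salt, v


def client_step1():
    """Client picks ephemeral a and sends A = g^a."""
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)


def server_step1(v: int):
    """Server picks ephemeral b and sends B = k*v + g^b (SRP-6a form)."""
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N


def client_key(identity, password, salt, a, A, B) -> bytes:
    """Client session key from its own password; rejects a degenerate B."""
    if B % N == 0:
        raise ValueError("invalid server public value B")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("degenerate scrambling parameter u")
    x = private_x(identity, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_key(v, b, A, B) -> bytes:
    """Server session key from the stored verifier only; rejects A = 0 mod N."""
    if A % N == 0:
        raise ValueError("invalid client public value A")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(pad(S)).digest()


def proof(A: int, B: int, K: bytes) -> bytes:
    """Simplified client proof M1 = H(A | B | K) (RFC 2945 defines a longer form)."""
    return hashlib.sha256(pad(A) + pad(B) + K).digest()


def run_login(identity: str, password: str, server_record) -> bool:
    """One full exchange against a stored (I, s, v); True iff the server
    accepts the client's proof, i.e. both sides derived the same K."""
    _, salt, v = server_record
    a, A = client_step1()           # client -> server: I, A
    b, B = server_step1(v)          # server -> client: s, B
    K_client = client_key(identity, password, salt, a, A, B)
    K_server = server_key(v, b, A, B)
    M1 = proof(A, B, K_client)      # client -> server: M1
    return hmac.compare_digest(M1, proof(A, B, K_server))


if __name__ == "__main__":
    record = enroll("alice", "correct horse battery")   # constructed sample
    print("server stores:", record[0], record[1].hex(), hex(record[2])[:18] + "...")
    print("login with right password:", run_login("alice", "correct horse battery", record))
    print("login with wrong password:", run_login("alice", "wrong password", record))
```

Point a) of the post is what `enroll()` makes inspectable: the tuple it returns is the complete enrollment message, so a client implementation can be checked for sending nothing beyond the identity, the salt and the verifier. A wrong password on the client yields a different x, hence a different S and K, and the proof comparison fails without the server ever having held the password.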