[Cryptography] Re: Possible reason why password usage rules are such a mess

Osman Kuzucu bizbucaliyiz at hotmail.com
Sat Nov 21 17:41:29 EST 2020


From: Lodewijk andré de la porte <l at odewijk.nl>
Sent: Sunday, 22 November 2020 00:18
To: Osman Kuzucu <bizbucaliyiz at hotmail.com>
Subject: Re: [Cryptography] Possible reason why password usage rules are such a mess

I'm sort of waiting for the large IT corps to do 'continuous authentication' where we just get a location pinned to ourselves all the time.

E.g. a device OS (win/macosx) IDs a person as being nearby, and a website gets a token to act in the name of that person. Passwords are additional. Cellphones/watches/shoes get "it's me" support. IoT devices and control over them are supporting arguments. Friends and colleagues support authentication / password override / re-authentication efforts. NFC scanning of an identity document dedups and assures.

Biometrics are funky; authenticated (trusted platform) webcams could receive modules for processing imagery and perform arbitrary ID on objects, faces, fingerprints.

All this to reduce the dominance of "remembering something makes it you".

We might also reconsider the utility of accounts in many situations. An account or ID can be far more generalized without losing functionality in almost all access conditions.

Device-as-identity is also possible for many more, e.g. warehouses may use dedicated scanning devices, welcome the comms badges, etc.

Facing the truth: passwords are just easy. In certain situations, forgetting them costs the users involved a great deal.

The 'can't spend money unless you're near' cyphernetwork is still a ways out I guess~

Passwords "were" just easy. Right now, due to the restrictions on password choice and the previously mentioned brute-force techniques and leaks, they are not easy anymore. My bank keeps asking me to change my password every 3 months and doesn't let me use any password that I used in the past. In order to do that check, they have to store my previous passwords as well. In case of a leak, not only will I lose my current password data but also all the previously used passwords, which I might be using for different banks at the time, because different banks also keep asking me to change my password.

Google does a good thing here, I guess: they first authenticate your mobile device, and whenever you sign up from a new device or have suspicious activity, they ask you to confirm the action from your mobile device. It doesn't take longer than 10 seconds to verify the authentication and move on.

In the end, the reason we have passwords is to authorize the user. However, current solutions are evolving based on a solution we found in the past, assuming it's still the easiest/best solution. I believe if we focus on the problem, we can come up with better and more secure solutions.