[Cryptography] Possible reason why password usage rules are such a mess

Phillip Hallam-Baker phill at hallambaker.com
Sun Nov 22 11:40:16 EST 2020


On Sat, Nov 21, 2020 at 1:24 AM Osman Kuzucu <bizbucaliyiz at hotmail.com>
wrote:

> An addition to that, I believe that we don't need long/unmanageable
> passwords for having a good account security. Instead we should enforce
> additionally security checks like 2FA or e-mail notice upon signing up on a
> new device/browser/IP address.
>

Those types of checks are better than nothing but do not really provide very
much security and introduce an incredible level of user aggravation.
Password authentication is beginning to fail in the same way that email is
now failing as a result of countless ad-hoc attempts to mitigate spam.

> Passwords were a way to authenticate user actions in the past but now we
> have different options to ease the process. Just like how you call your
> bank and they ask various security questions before sharing any information
> with you about your account, websites and all apps that require
> authentication should utilize those secondary authentication methods. Then
> we won't have any problem in terms of password security.
>

The argument I am making is that we need to design an infrastructure for
this express purpose rather than continue to try to cobble together 'good
enough' security based on what inevitably turn out to be half-assed guesses
as to what security is actually being achieved.

IP addresses change regularly. Users make use of different browsers on the
same machine. SMS is not secure in any shape or form, SS7 hijacking is a
trivial technical challenge yet it is depended on, etc. etc.

Time to do the job right.
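An added illustration, not part of this post or the thread, of the point that IP addresses and browser strings make poor keys for a "new device" check: a constructed login history is run through a naive IP/user-agent heuristic and, beside it, through a check keyed on a server-issued, cookie-bound device token. The token scheme, the `Account`/`Login` structures and the sample logins are assumptions made for the example.

```python
"""Added example: 'new device' detection keyed on IP/user-agent versus a
server-issued device token. All logins below are constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Hypothetical per-deployment secret used to HMAC stored token identifiers.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Login:
    user: str
    ip: str
    user_agent: str
    device_token: Optional[str]  # long-lived cookie value; None if the browser has none


@dataclass
class Account:
    known_ips: Set[str] = field(default_factory=set)
    known_agents: Set[str] = field(default_factory=set)
    known_devices: Set[str] = field(default_factory=set)  # HMACs of issued tokens


def token_id(token: str) -> str:
    """Store only an HMAC of the cookie value, so a leaked table yields no usable tokens."""
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


def naive_is_new_device(acct: Account, login: Login) -> bool:
    """Heuristic keyed on IP and browser string: fires on every address or UA change."""
    return login.ip not in acct.known_ips or login.user_agent not in acct.known_agents


def token_is_new_device(acct: Account, login: Login) -> bool:
    """Keyed on a device token this server issued after an earlier confirmed login."""
    return login.device_token is None or token_id(login.device_token) not in acct.known_devices


def enroll(acct: Account, login: Login) -> str:
    """Called after the user confirms a second factor: remember this device.
    Returns the token the server would set as an HttpOnly, Secure cookie."""
    acct.known_ips.add(login.ip)
    acct.known_agents.add(login.user_agent)
    token = login.device_token or secrets.token_urlsafe(32)
    acct.known_devices.add(token_id(token))
    return token


def simulate() -> Tuple[int, int]:
    """Run a constructed history through both checks; return (naive_alerts, token_alerts).

    Only the last login is a genuinely new machine, so the ideal answer is one alert."""
    acct = Account()
    tok = enroll(acct, Login("alice", "203.0.113.5", "Firefox/84", None))  # first login
    history = [
        Login("alice", "198.51.100.9", "Firefox/84", tok),   # same laptop, on a phone hotspot
        Login("alice", "203.0.113.5", "Firefox/85", tok),    # same laptop after a browser update
        Login("alice", "203.0.113.5", "Firefox/85", None),   # new machine on the same home IP
    ]
    naive = sum(naive_is_new_device(acct, entry) for entry in history)
    tokened = sum(token_is_new_device(acct, entry) for entry in history)
    return naive, tokened


if __name__ == "__main__":
    print(simulate())  # (3, 1)
```

The naive check raises three alerts for three logins, two of them on the user's own laptop, which is the aggravation the post describes; the token check alerts only on the machine that has never been enrolled. A real deployment would also rotate and expire tokens and treat a missing token as "unknown", not as "attacker".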