[Cryptography] passwords, or not

Tue Apr 6 13:17:48 EDT 2021

On 4/5/21 10:28 PM, John Denker via cryptography wrote:
> To avoid sending passwords over the wire, use zero-knowledge
> password proofs. Such things have been around since 1992.
>    https://en.wikipedia.org/wiki/Zero-knowledge_password_proof
> An intelligent discussion of the issues is here:
>    https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/
>
> Why not just incorporate this into browsers?

I really like the idea of not sending passwords over the wire, and I 
like the idea of incorporating zero-knowledge proof support into 
browsers to make that easier.

> Everybody I know uses some sort of wallet.

I do, too.

> Moving from "password wallet" to "zero-knowlege proof agent" is
> a very small step. The complexity, from the user's point of view,
> is the same. The UI (if done right) is essentially the same.

The "if done right"-part concerns me, and I worry others' concept of 
"right" might be a blunder dressed in "We solved it!" enthusiasm.

For my password manager I choose to have things be very manual. I have 
to decide to enter a password: I have to type (or paste) it. I don't 
want the every website I am near to automatically unlock for me. I want 
to decide to log into my Amazon account or not. (I will frequently click 
on something that lands me at Amazon and it is none of their business it 
is me unless I decide so. Why delete cookies if they are constantly 
being rebuilt?) More importantly I want to only be logged into financial 
sites if I choose so.

I am very worried about the security of password managers. (Are they 
immune to that malady that hits all other software: Bugs? No!) I want to 
limit the risk of having bugs, and limit the severity when (not if) they 
come up.

Limiting the likelihood and number of bugs: Simpler password manager. 
Fewer features.

Limiting the severity of the bugs that do exist: Keep it isolated. Do 
not have it talking directly to web browsers and other programs. Not 
automated, always a manual decision—including a logically necessary 
manual step—to unlock anything.

But heck, I'm weird, I don't want my car to unlock just because I am 
near it either. I want to decide to unlock and start my car. (Though I 
don't want automatic sudo privileges, I don't want automatic ssh 
privileges, go figure.)

So yes, have browsers implement zero knowledge proofs for logins, but 
let me still manually supply it with my copy of the secret, do not make 
me use some "full-featured" keysafe, and do /not/ do me any favors by 
keeping any copies of any of my secrets.

-kb, the Kent who wants to reduce the surface area.

P.S. My Linux desktop, when I mount an encrypted volume, wants to keep a 
copy of the passphrase until I logout (which happens infrequently), or 
even keeo it forever. I always have to remember the extra click to say 
"No, dammit, don't keep my passphrase." Seems to defeat much of the 
point of encrypting a volume if it will automatically decrypt when 
plugged into the nearest computer. Reducing the really good security of 
a Linux encrypted disk to innumerable additional risks, all for 
dangerous convenience.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210406/2eb26f3e/attachment.htm>