[Cryptography] Passwords (Smallest feasible work factor today?)

Jerry Leichter leichter at lrw.com
Wed Sep 14 04:32:13 EDT 2022


> I use a metal lockbox full of 3x5 cards as my password manager.  And when asked, I recommend it….
Thus again proving that the “password replacement” problem is easy to solve if you’re willing to toss a requirement that many people have.  In this case - and many others - it’s the requirement to be able to use your passwords conveniently in all kinds of situations, e.g., on your phone when out on a walk.  It’s an extended version of what I’ve described as the “shopping in a bathrobe” requirement: When my wife can’t sleep, she will sometimes do some on-line browsing, leading to late-night shopping. If doing this requires some kind of physical verification object - it’s going to be annoying.

I don’t recall the link, but there’s a paper listing a whole bunch of attributes of passwords that many users of them find useful or even essential.  In aggregate, these are extremely difficult to replicate - which is exactly why passwords remain in wide use.

Frankly, the *technical/crypto/protocol* requirements have all been solved multiple times.  The limitations are all on the “hardware” side - and will likely only be solved when we get to a point where everyone can be assumed to have at least one appropriate piece of hardware available to them at all times. At least in parts of the world, we are clearly on this path, with phones and watches and the beginnings of smart rings, combined with some biometrics (e.g., the Apple Watch acts as a validation if you’ve signed into it and not subsequently taken it off your wrist). I suspect the end of this path is implants.  But we have a ways to go.

                                          -- Jerry

