NYT Password Security Discussion Overlooks Universal Logins
Posted by timothy from the your-voice-is-your-password dept.
A recent NYT piece explores the never-ending quest for password-based security, to which reader climenole responds with a snippet from ReadWriteWeb that argues it's time to think more seriously about life beyond passwords, at least beyond keeping a long list of individual login/password pairs:
"These protective measures don't go very far, according to the New York Times, because hackers can get ahold of passwords with software that remotely tracks keystrokes, or by tricking users into typing them in. The story touches on a range of issues around the problem, but neglects to mention the obvious: the march toward a centralized login for multiple sites."
OpenID isn't the solution (Score:3, Informative)
The trouble with OpenID is it's still one identity that you're carting around, allowing yourself to be tracked across multiple sites.
A better solution is just to use a password manager (KeePassX, LastPass, etc.) which lets you manage your own multiple identities in a secure way. This gives you the convenience of a single sign-on with the security of a distinct identity for every site where you want it.
KeePassX (Score:3, Informative)
I am very happy with KeePassX. It stores your passwords and related information in an encrypted file. You can copy a password out of it to paste into a web form. This means
The obvious problem is that you need a password to open the KeePassX file. However, this at least does not go via the browser, and I can manage to remember one complex, very secure password.
KeePassX is open-source, available for Windows/Mac/Linux, and compatible across all of these. Nice solution - give it a try! [keepassx.org]
p.s. I have no relation to the project - just a happy user!
Re:Torn (Score:5, Informative)
There used to be a time when you could easily host your own OpenID with e.g. http://siege.org/phpmyid.php [siege.org]
You point to http://yoursite.example.com/ [example.com] instead of the one from Google or any other OID provider.
That way you limit the chance of giving somebody else access as you manage your own login and password.
Some others might be found here: http://openid.net/developers/libraries [openid.net]
Re:The password metaphor (Score:3, Informative)
The UK Government Gateway used to issue keys to every individual user. You can use the GG to do everything from file tax forms to start a business. I've never had to do anything as secure and never been as worried about someone finding out those login details on any other website, including my own personal bank account. It was an absolute pain in the arse. 50% of their phone calls were for lost / reissued keys. It didn't stop automated tools scraping keys from compromised computers and causing all sorts of pain (even with separate password required). Issuing them took forever. And in the end you had to prove who you were to get one which was inevitably less secure than the key itself, prove who you were to get one revoked/reissued, prove who you were to do anything with them. Especially around the tax filing time, they were so busy re-issuing keys to people who'd lost them and just wanted to file their return before they got charged, you couldn't get through on the phone lines.
They scrapped it after only two years, I believe, and replaced it with a password system like the banks' - two unique items of information posted to you in separate envelopes and requiring both to login. Although there's still a crush around filing time, it's not anywhere near the shambles of before. And to be honest, it wasn't the government's fault. People are just inept at holding items secretly, especially when they are downloaded from a secure website that they have to authenticate against in some way anyway, and when the reissue process has to be secure anyway. It could work, if you could make everyone get used to saving such things in a good place, but they are no better or worse - the gains in security are lost in practicality almost immediately. Even *generating* that amount of keys must take months.
Re:How does centralized login solve keylogging? (Score:3, Informative)
Correct. What this does is improve the safety for people who can manage the presence of mind to avoid phishing for a particular site, while increasing the overall damage done for everyone who gets compromised.
However I'm not going to log in to my OpenID provider on an untrusted computer. I might be willing to log in to, e.g. Facebook on an untrusted computer. So now my options are a little more limited.
Re:In matters of security (Score:1, Informative)
I agree this is a very, very bad practice. However, you are mistaken in your facts. It is not Visa that is doing this; it is your bank. The number you call is your bank's number and not Visa's. Visa has very little contact with the cardholder, and the policies that brought this about were due to your bank. Easy enough to change banks!
Re:Torn (Score:3, Informative)
I like SuperGenPass [supergenpass.com]. It never actually saves a copy of your passwords; it algorithmically generates them from the site's domain name and your master password. (Actually, from any two strings. By convention it's the domain and master password, but you could use any identifier/keyword pair.)
It's made to run as a bookmarklet which auto-populates password fields on web forms. There's also a mobile version [supergenpass.com] for when you're using someone else's computer. Either way the password is dynamically generated by JavaScript running locally. The mobile version is also good for pages which have funky login prompts that don't play nice with the bookmarklet. (I'm looking at you, Slashdot!)