NYT Password Security Discussion Overlooks Universal Logins
A recent NYT piece explores the never-ending quest for password-based security, to which reader climenole responds with a snippet from ReadWriteWeb that argues it's time to think more seriously about life beyond passwords, at least beyond keeping a long list of individual login/password pairs:
"These protective measures don't go very far, according to the New York Times, because hackers can get ahold of passwords with software that remotely tracks keystrokes, or by tricking users into typing them in. The story touches on a range of issues around the problem, but neglects to mention the obvious: the march toward a centralized login for multiple sites."
In matters of security (Score:5, Insightful)
In matters of security, the most important tool anyone can have is common sense. Phishing scams, "dangerous" websites, revealing important information willy nilly...all things that cause major problems in the digital world, and all things that could be almost completely avoided if common sense was more prevalent.
Granted, some people "don't know any better"...but that's why you educate those types of people if you know any.
Re: (Score:3, Insightful)
Well, it doesn't help that companies are ill informed a lot of the time. I got a call today claiming to be from my ISP, asking for feedback on the service. At the end of the call they said they just wanted to verify my identity and asked for my DOB and the answer to my secret question that gets used as a password backup/reset mechanism, so they could confirm they were talking to the right person.
I told them absolutely not, they phoned me, I only prove my identity with private information when I've phoned a
Re: (Score:3, Interesting)
I live in France and when you're late for your electric bill they have a robot call you that proposes you enter your credit card information to pay your bill 'on the phone'.
Again, I am pretty sure it's them calling, and I am pretty sure also that this is something new as I never got it before. But this is scary. And I can't help but be scared at how many people will provide their credit card information on such an incoming call...
Re:In matters of security (Score:5, Insightful)
My credit card company (Visa) calls me occasionally about suspicious activity on my card. When they leave a message, the number they leave is NOT the same as the customer service number on the back of my card.
It's been explained to me that this number gets me to the same place as the customer service number with a few less steps. But I've told them that I'll never call anything other than the number on the card. And that it's a really bad idea to train customers to return calls to just any number and expect them to identify themselves with SSNs, relatives' names, and provide their card number.
If anyone is supposed to be smart enough to figure social engineering attacks out, it should be Visa and their ilk.
Re: (Score:2)
They've figured out the ultimate social engineering attack: the credit card.
Re: (Score:2)
It has a Visa logo on it, it's Visa doing it. They only license their trademark to partners in good standing.
You want us to think they're astute enough to manage to push every little contract change, etc, to their partner banks, but NOT enough to be able to check for proper security practices?
Re: (Score:2)
No, it's not. It's really not. VISA allow the logo to be used on hundreds of thousands of card products across the world. They provide card/transaction standards, a worldwide authorisation network and various other things. Their relationship is with acquiring banks and issuing banks.
You cannot get a credit card from Visa. They do not deal with individual accounts or providing credit like a bank does. They are not like Amex. It's the company that you got your Visa card from that are your problem.
Re: (Score:2)
Yeah, I get that that's their story. What the banks do isn't their problem because they're only partners...
But they partnered with the bank. They allowed them to use their logo, and they have a compliance program to make sure the bank is doing a proper job.
Crazy legal fictions don't change the reality of the situation which is that you have a Visa card with a Visa logo on it, much of the profit goes back to them, and they run the show. You might not be able to call them for anything, even reporting criminal
Re: (Score:2)
In charge... Well you *could* see it like that....
The profit is mostly your banks. VISA make transaction fees but have nothing to do with the debt itself. It's not a crazy legal fiction in any sense, your bank offers you an instrument of debt. Your bank sets the interest rates and credit limits. Your bank ensures the security of the whole thing. VISA is just the comms network and the set of standards that go with it.
They're really not in charge of or responsible for anything much to do with your credit card
Re: (Score:2)
In charge... Well you *could* see it like that....
Yeah, imagine one of the partner banks not paying Visa their fees, or trying to put a Visa and Mastercard logo on the same piece of plastic. Visa would put a stop to that instantly.
In charge. Their trademark, their rules.
VISA make transaction fees but have nothing to do with the debt itself. It's not a crazy legal fiction in any sense, your bank offers you an instrument of debt.
Yeah, money is flowing around between you and the bank and Visa because of the debt, but Visa is only involved in the transaction fees, as if that makes any difference and isn't just an excuse to abandon their responsibility.
That's what I mean, legal fiction. Plain as day, they're involved.
Re: (Score:2)
In matters of security, the most important tool anyone can have is common sense.
And paying attention. However, not everyone has common sense, and some people have an attention deficit.
I'm listening... (Score:2, Insightful)
Re: (Score:2)
I was referring to things like phishing emails, Nigerian bank scams, etc.
One example would be if you get an email from Paypal/your bank/etc saying something about your account, don't click on the link...type the URL in yourself.
That sort of thing.
Re: (Score:2)
So, you were proposing a partial solution of half measures and best guesses? Wow, you sure laid the smackdown on all those unknowledgeable l00zers.
Re: (Score:2)
I fail to see how educating people on the basics of avoiding scams is a bad thing..nor do I see how it's an attempt at a "smackdown".
Re: (Score:2)
Good try at moving the goalpost, or redefining the question, but I'm compelled to call you on it.
In matters of security, the most important tool anyone can have is common sense.
This is what you said, it is the statement in question, and it is wrong. Common sense is, obviously, a great thing to have and to exhibit in pretty much all situations; but it is not at all the most important tool in matters of internet security, as user GoChickenFat pointed out. Common sense can only get you so far, and after that, more important tools take over to help protect people who are both informed or u
Re: (Score:2)
Fair enough!
Idiots (Score:5, Funny)
Why don't you hunter2s shut the hunter2 up!
Re:Idiots (Score:4, Funny)
Why don't you *******s shut the ******* up!
Jeez, you really are a mad linguist.
Re: (Score:2)
No, he's a Marklar.
Re:Idiots (Score:4, Funny)
Why don't you *******s shut the ******* up!
You must have used some really foul language. Slashdot never censors posts like that!
Re: (Score:2)
Where are my mod points when I need them? This is FUNNY, not flamebait!! Please someone read the linked thing and correct the mod. on the parent.
Re: (Score:2)
OP posts in plaintext the phrase "hunter2".
Next post quotes OP, but replaces hunter2 with *******, demonstrating that they are aware of the famous (infamous?) bash quote.
You then reply with a link to the bash quote with a comment that basically states "here, let me clue you in".
*baffled*
Re: (Score:2)
My first Whoosh on Slashdot. That should be one of the achievements.
Single point of failure (Score:3, Insightful)
Re: (Score:1, Interesting)
Speaking of Microsoft,
Link from TFA regarding password strength [microsoft.com]. It's where they got that table in the article. At the Microsoft site, they have a link...
They have a Password Checker: [microsoft.com] is your password strong test?
That's just a mock phishing example waiting to happen.
Re: (Score:2)
- aaaaaaaaaaaaaaaaaaaaaaaaaaaaa
- 123456789012345678901234567890123456789012345
- qwertyuiop[]\asdfghjkl;'z
- `1234567890-=qwertyuiop[
I'm thinking they don't do dictionary attacks here...
Re: (Score:2)
A dictionary attack would fail completely in all of those cases, and a brute force attack would be required. Since the length of the password is unknown, more than likely even the "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa" password is no easier to crack than any other possible password. If the length is known, then of course passwords like those you listed are the first ones you try, but with an unknown length there is nothing wrong with that password or any other in your list.
So, what is your point?
Re: (Score:2)
However, while it's not like I've gone to trouble of checking it, it's my understanding that modern password guessing dictionaries are incredibly extensive and have lengthy sections of common key combinations such as single letter repetitions of all acceptable lengths, numeric sequences, and keyboard patterns like qwerty, extended qwerty (qwertyuiop[]\asdfghjkl;'z), as well as many more folks have been dreaming up for decades now.
Of
Re: (Score:1)
Re:Single point of failure (Score:4, Insightful)
Maybe the NYT article doesn't mention centralized login because it's such an obviously bad idea?
Re: (Score:2)
Re: (Score:2)
Maybe the NYT article doesn't mention centralized login because it's such an obviously bad idea?
It's not quite as simple as that.
On the face of it, yes, it introduces a single point which, if compromised, has pretty bad consequences. But at the same time, if there's only one password to remember the likelihood of it being written down, exactly the same as the username or otherwise trivially guessable probably drops dramatically.
Now, if something like OpenID were to support certificate-based authentication...
Re: (Score:3, Interesting)
While it might reduce by a marginal amount the likelihood of the account being compromised, the potential consequences would be profoundly greater. That's a poor trade-off.
Several years ago, the pretty-damn-good and carefully-guarded common password that I used for buying things from sites such as Amazon, eBay, iTunes, etc. - reasonably well-run, reputable companies - was compromised somehow. (I have other different passwords that I use for message boards, others for banking, others for work-related accou
Re: (Score:2)
Always a great idea. Windows registry anyone?
It doesn't actually have to be a single point of failure though... What ever happened to OpenID [openid.net]?
Re: (Score:2)
Not exactly. I use clipperz.com to store my passwords, and one of the features it provides is a direct login. The way this works is that it submits the password form directly, without you having to visit the website and copy paste the password from clipperz. It's impermeable to keyloggers and clipboard sniffers because you don't copy or type the password anywhere. Now, if your system is already hosed, you could theoretically be hacked. But, at that point you're SOL anyway.
Yeah, I know the drawbacks of usin
Re: (Score:2)
Pretty cool. Is there an open source equivalent? One that can be hosted on one's own servers?
Re: (Score:2)
Replying to my own post because clipperz actually appears to be Affero GPL... !
Re: (Score:2)
Hey, that's pretty neat. Thanks for pointing that out.
Torn (Score:5, Insightful)
In the end I compromise and simply use a variation of one password for those.
There is the problem with centralized logins: the masses don't consider the first part, and only think of the convenience.
Re: (Score:2)
OTOH, for stupid online forums and unimportant stuff such as random blogs, it makes sense. Unfortunately, those are the ones NOT proposing openId...
Re: (Score:1)
I don't even have a list of all the sites I've given my crap password to. But if they were all authenticated with openID, I would only have one problem to fix.
Comment removed (Score:5, Informative)
Re: (Score:2)
This is why you choose a reliable OpenID provider for your account. A reliable provider should have a good security record and (ideally) explain the details of their authentication system including how the passwords are stored.
Since OpenID is open, you can also be your own provider.
Re: (Score:2)
KeePass is a pretty good solution. It saves all your passwords into an encrypted file. All you have to remember is the password to get into KeePass and you have access to all your passwords. Most of the time you can just click on the username field on the webpage, click on the sitename in KeePass, hit ctrl-v and it'll enter your username and password and submit it.
So you can have all your passwords for every site be a unique password of random characters, but have to only remember one password. Works for Win
Re: (Score:3, Informative)
I like SuperGenPass [supergenpass.com]. It never actually saves a copy of your passwords, it algorithmically generates them from the site's domain name and your master password. (Actually, from any two strings. By convention it's the domain and master password, but you could use any identifier/keyword pair.)
It's made to run as a bookmarklet which auto-populates password fields on web forms. There's also a mobile version [supergenpass.com] for when you're using someone else's computer. Either way the password is dynamically generated by JavaS
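The post above describes deriving each site's password from two strings (the domain and a master password) rather than storing anything. The block below is an added example of that idea, not SuperGenPass's own code: it swaps in PBKDF2-HMAC-SHA256 with the site name as the salt (SuperGenPass's actual hashing is not reproduced), and the domain-reduction rule, the function names and the sample inputs are assumptions made for this example.

```python
import base64
import hashlib
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Reduce a URL to the site string that seeds the derivation.

    Assumed convention for this example: keep the last two host labels, so
    https://login.example.com/account -> example.com. This keeps one password
    per site even when the login page lives on a subdomain.
    """
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def derive_site_password(master: str, site: str, length: int = 16,
                         rounds: int = 200_000) -> str:
    """Deterministically derive a per-site password from master + site.

    PBKDF2-HMAC-SHA256 with the site as salt: the same inputs always give the
    same output (nothing needs storing), different sites give unrelated outputs,
    and a leaked site password only yields the master through a brute-force
    search whose cost the iteration count sets.
    """
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(),
                              rounds, dklen=32)
    # urlsafe base64 keeps the result typeable; drop padding, cut to length
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for url in ("https://login.example.com/account", "slashdot.org"):
        print(site_domain(url), derive_site_password(master, site_domain(url)))
```

The defender's caveat the scheme carries: because nothing is stored, there is nothing to rotate except the master password, and a weak master turns every leaked site password into an offline cracking target, which is why the iteration count above is deliberately high.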
Re: (Score:2)
The best thing to do is to look at how you currently operate and see if OpenID would improve security or not. If you're already using passwords in a particular way, you probably aren't going to change much.
A lot of people reuse their passwords, despite the fact that best practices suggest a unique password for each site. In this case, it just makes sense to go with OpenID.
If you already use lots of unique passwords, and you have no problem remembering them, then keep on doing that. OpenID gives you littl
How does centralized login solve keylogging? (Score:3, Interesting)
So they just need one password to access all your profiles?
Unless it was not actually your password for all those sites, but the password to a database (only available locally) that contained the password to those sites, I don't see how that's a solution. Actually, I thought the main problem with passwords was that people already used the same password for all their sites.
Re: (Score:2)
It's not one password shared among all the sites. For the web it generally works like this: you go to the site you want to log in to; it talks to the third-party login site and redirects the user there to log in; they do whatever they need to log in and get redirected back to the original site with a cookie, and that site validates the cookie. If the user is already logged in they never even see the third-party site; the primary site never sees the credentials, and that third-party site can use more than just pass
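The redirect flow described in the post above, as an added example that is not part of the original thread and is not the OpenID wire protocol: a constructed provider and relying party sharing a secret, where the provider alone ever sees the password and the relying party checks the signed assertion that comes back. The field names, the shared "association" secret, the user table and the URLs are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed user table held only by the provider; the relying party never sees it.
PROVIDER_USERS = {"alice": "correct horse battery staple"}


def _sign(secret: bytes, fields: dict) -> str:
    """HMAC-SHA256 over canonical 'key:value' lines, excluding the signature itself."""
    canon = "\n".join(f"{k}:{fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()


class Provider:
    """The third-party login site: the only place the password is ever typed."""

    def __init__(self, assoc_secret: bytes):
        self.assoc_secret = assoc_secret  # shared with the relying party out of band
        self.logged_in = set()

    def login(self, user: str, password: str) -> bool:
        expected = PROVIDER_USERS.get(user)
        if expected is not None and hmac.compare_digest(expected, password):
            self.logged_in.add(user)
            return True
        return False

    def issue_assertion(self, user: str, return_to: str, now: int) -> str:
        """Build the redirect URL back to the site the user started from."""
        if user not in self.logged_in:
            raise PermissionError("user has not authenticated at the provider")
        fields = {
            "claimed_id": f"https://provider.example/{user}",
            "return_to": return_to,
            "nonce": f"{now}-{secrets.token_hex(8)}",
        }
        fields["sig"] = _sign(self.assoc_secret, fields)
        return f"{return_to}?{urlencode(fields)}"


class RelyingParty:
    """The original site: validates what came back, never handles a password."""

    def __init__(self, assoc_secret: bytes, return_to: str, max_age: int = 300):
        self.assoc_secret = assoc_secret
        self.return_to = return_to
        self.max_age = max_age
        self.seen_nonces = set()

    def validate(self, url: str, now: int):
        """Return the claimed identity if the assertion is genuine, fresh and unused."""
        fields = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        if not {"claimed_id", "return_to", "nonce", "sig"}.issubset(fields):
            return None
        # 1. signature: any tampered field (e.g. a swapped claimed_id) fails here
        if not hmac.compare_digest(_sign(self.assoc_secret, fields), fields["sig"]):
            return None
        # 2. audience: an assertion minted for another site must not log in here
        if fields["return_to"] != self.return_to:
            return None
        # 3. freshness and single use: a captured redirect cannot be replayed later
        try:
            issued = int(fields["nonce"].split("-", 1)[0])
        except ValueError:
            return None
        if not 0 <= now - issued <= self.max_age or fields["nonce"] in self.seen_nonces:
            return None
        self.seen_nonces.add(fields["nonce"])
        return fields["claimed_id"]


if __name__ == "__main__":
    secret = b"constructed-association-secret"
    idp = Provider(secret)
    rp = RelyingParty(secret, "https://site.example/login/return")
    idp.login("alice", "correct horse battery staple")
    redirect = idp.issue_assertion("alice", rp.return_to, now=1700000000)
    print(rp.validate(redirect, now=1700000005))  # https://provider.example/alice
    print(rp.validate(redirect, now=1700000006))  # None: replay of the same redirect
```

The three checks in `validate` are the ones that make the "cookie" the post mentions worth anything: without the audience check a login minted for one site logs you into another, and without the nonce a single captured redirect works forever.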
Re: (Score:3, Insightful)
And this solves the keylogger problem how?
It doesn't. You still have to authenticate at some point; at most, it reduces the opportunities for a keylogger to catch the password (if you only have to type it in every couple of weeks).
In exchange, it provides phishers with a dream environment. The only way to be certain you're actually connected to your authentication provider is to use SSL and make sure that you see the lock -- and if your security depends on Joe Random User doing that, you've already lost.
Sha
Re: (Score:2)
Showing that the submitter doesn't even understand the very basics of security.
Re: (Score:2)
The only way to be certain you're actually connected to your authentication provider is to use SSL and make sure that you see the lock -- and if your security depends on Joe Random User doing that, you've already lost.
Shalon Wood
You have no idea what you're talking about; this is a huge non sequitur from the discussion on keylogging, although technically mostly accurate (there are ways to break this, but they rely on specialized conditions).
Re: (Score:2)
With 2 factor authentication keylogging is practically useless; you're using a one time password that only works once. The two most common types of this are the keyfobs that use a large random number, the time and some math to generate a new string of numbers every minute, and a list of numbers you use once. Banks like the list as it's pretty easy to print a list of passwords on a piece of paper and mail it to you. Key fob quality varies but for the ones that do not plug into the computer you would need a l
Re: (Score:2)
If OpenID takes off like a rocket, I'll pay for User/Pass/FOB to secure my account. Would be awesome
Google+OpenID+FOB=Awesome
Re: (Score:2)
You're assuming (incorrectly) that authentication to your OpenID provider is necessarily by means of a password. This is not a requirement: you could use SSL certificates, Kerberos, smartcards, or any other security technology that takes your fancy. You could also (for example) require that the login be authorised from
I'd go for this if it was an SSL certificate (Score:2)
Re: (Score:2)
Re:How does centralized login solve keylogging? (Score:4, Insightful)
Exactly my thoughts.
Keyloggers still work, phishing scams still work, and social engineering still works. If centralized logins become the norm, the bad folks will simply target the centralized logins.
Your risk with centralized logins, however, skyrockets. Now, instead of losing control of one login to one website, you lose everything. Moreover, they don't even have to guess what sites you have access to, they can simply dig through the centralized login site and find it once they have your account info.
The NYT article is interesting, but the SlashDot summary is near useless. There is no need to specifically include universal logins in the discussion, because universal logins suffer from exactly the same issues that individual logins do. The only possible reason for including them is the fact that the potential loss is much much higher with a universal login.
Re: (Score:2)
Keyloggers still work, phishing scams still work, and social engineering still works.
Except that this DOES address those issues, it doesn't make them impossible, but you are missing some advantages here.
Let's say you maintain passwords with 10 different services (not unlikely anymore). Does the typical person know the practices of each of those services? Do they keep track of when those practices change? No, of course they don't.
But let's say you reduce that to one service. All of a sudden you CAN expec
Re: (Score:3, Informative)
Correct. What this does is improve the safety for people who can manage the presence of mind to avoid phishing for a particular site, while increasing the overall damage done for everyone who gets compromised.
However I'm not going to log in to my OpenID provider on an untrusted computer. I might be willing to log in to, e.g. Facebook on an untrusted computer. So now my options are a little more limited.
Re: (Score:2)
Except that this DOES address those issues, it doesn't make them impossible, but you are missing some advantages here.
It only addresses the issues for people who are paying attention to them. Those are the same people who are already unlikely to be taken in by the various forms of social engineering.
Let's say you maintain passwords with 10 different services (not unlikely anymore). Does the typical person know the practices of each of those services? Do they keep track of when those practices change? No, of course they don't.
But let's say you reduce that to one service. All of a sudden you CAN expect people, if demonstrated to them and repeated, that KEYLOGINSERVICE will only contact them by this method (FedEx?, etc) will NEVER ask for ANY information if they are calling you (or may NOT call you). Our website will look like THIS exactly, and here are several ways to verify that.
Most people do not pay attention to the privacy policies of any website, regardless of how many websites they actually need to log in to. That's why phishing scams and the like work so well. Furthermore, the rules to avoid social engineering are not website specific, they are universal, and they apply whether you use a centr
Re: (Score:2)
So they just need one password to access all your profiles?
No.
The idea is to implement some kind of centralized authentication - not necessarily a password. You could do one of those RSA keychain fobs... Or some kind of smartcard or biometric or something... Since it's centralized, you only need one doohickey/password/scan/whatever. And once you're authenticated against that one central site, you don't need to continually re-authenticate everywhere you go.
In theory, you can do something more secure. The end user only needs one doohickey. The individual websit
Re: (Score:2)
resistance.... (Score:1, Interesting)
OpenID isn't the solution (Score:3, Informative)
The trouble with OpenID is it's still one identity that you're carting around, allowing yourself to be tracked across multiple sites.
A better solution is just to use a password manager (KeepassX, Last Pass, etc.) which lets you manage your own multiple identities in a secure way. This gives you the convenience of a single sign-on with the security of a distinct identity for every site where you want it.
Re: (Score:1)
Wrong. Password managers would be susceptible to the same problems - sniffers, etc, and they are less comfortable if you're using multiple computers.
You can customize your own OpenID server for keeping sessions on trusted IP addresses, but requiring some rotating logic only known to you when visiting from guest computers.
Re: (Score:2)
All the Mac, Linux and BSD-based workstations I use regularly have KeePassX installed, and I keep a mirror copy of the database on my IronKey, as well as synching up the critical personal information with the built-in Windows program on the IronKey for if I need to use a Windows machine without KeePassX on it. I don't honestly know what the root passwords to my personal VPS servers, my account passwords, or any of my banking passwords are. I know the pass phrase for the IronKey, and the passphrase for th
Re: (Score:2, Interesting)
Re: (Score:2)
No, I hadn't seen the portable version of KeePass, I guess since I just install it from ports or the package repository and don't actually get it from the website. This is much handier though.
Re: (Score:2)
Correct me if I'm wrong, but couldn't the only one that could realistically track your actions through OpenID be your authentication provider themselves? Don't trust them? Make your own. If you mean that people can track you based on your credentials exposed through OpenID, then I'd say there's absolutely nothing new there. The one flaw I find with OpenID is its reliance on HTML in order to present the authentication. If they came up with some non-html login form standard to allow for application logins, I'
Re: (Score:1)
OpenID is really expensive to run though; it requires a VeriSign security cert, which runs $250+/year.
Re: (Score:2)
Could you give some more details on this? As far as I can tell, there's no registration requirement for OpenID, and you can be a provider with all open source software. Who requires a VeriSign security cert?
Re: (Score:1)
Realistically, just keep a few different classes of passwords depending on the website. For Slashdot, Fark, your general BBS, etc, a less secure password is not that big of an issue, and I'll use one or two different passwords depending on the security restrictions of the website.
Then, you have websites like Woot that will allow you to use your Facebook, Yahoo, OpenID, whatever passwords, but Woot stores your payment information. That's not the kind of place that you want
Re: (Score:2)
There's no reason why you couldn't have an OpenID for each and every single site and a single shared password for all of them, e.g. site.yourname.openidprovider.net, since either way you're trusting the identity management capability.
Wait.... (Score:3, Funny)
Re:Wait.... (Score:5, Funny)
Better yet! I can post my bank account balance on facebook in one click! And my actions portfolio! My credit rating! Yeeeeeaaah!!!!
TPTB'd like to keep our identities (Score:2, Insightful)
Re: (Score:3, Insightful)
Passports, Driver's Licenses, Social Security numbers... yeah, the governments just can't be trusted with your identity. Let's trust in Google/Yahoo/Facebook/Microsoft/IBM/etc for our identity needs. Even better, let's have hundreds of incompatible schemes and make users sign up and use them all. That surely has to be more secure than having a single point of failure. I mean look, there's only one ROOT signatory (Verisign) and you just KNOW they fuck up everything they touch, right?
Three factor authentication... (Score:2, Insightful)
I like OpenID, but if you couple it with a three factor authentication, whether it be a smartcard, or biometric, or whatever.. that's when it becomes useful.
Too bad the current implementation doesn't support it. Sadly, World of Warcraft and Starcraft II do.
Go figure.
Re: (Score:1)
Three factor authentication? So, something you know (password), something you have (smartcard), and something you are (biometrics)?
Or did you mean two factor?
Re: (Score:1)
Sorry, it's early in the week :)
Re: (Score:2)
Yes, virtual Mondays suck almost as much as real Mondays (my office was closed yesterday for Labor Day, so today is Virtual Monday for me, too).
KeePassX (Score:3, Informative)
I am very happy with KeePassX. It stores your passwords and related information in an encrypted file. You can copy a password out of it to paste into a web-form. This means
The obvious problem is that you need a password to open the KeePassX file. However, this at least does not go via browser, and I can manage to remember one complex, very secure password.
KeePassX is open-source, available for Windows/Mac/Linux, and compatible across all of these. Nice solution - give it a try! [keepassx.org]
p.s. I have no relation to the project - just a happy user!
Re: (Score:2)
The obvious problem is that you need a password to open the KeePassX file.
Actually, you can use a file based key in addition to a password, for some 2 factored goodness.
The password metaphor (Score:4, Insightful)
What has always amazed me about authentication for access-control via a computer is the widespread use of "passwords". We treat computer access-control like it's a brand new problem, however it's really just the same old access-control problem that we solved at least 4000 years ago [wikipedia.org].
Why don't we have passwords to get into our houses? Why don't we have passwords to get into our cars or P.O. boxes or even safe-deposit boxes? Because passwords are a pain in the ass that are inherently insecure because we, as humans, are terrible at remembering arbitrary strings of numbers/letters/symbols. What we are good at remembering - objects/ideas and the words associated with them - make for terrible passwords because they are so darn easy to guess.
The idea of a lock and key is one which we have been using for millennia for security, so why haven't we applied this simple metaphor to electronic access-control? We even have the technology readily available: Public Key Authentication. But for some reason the only place I've ever seen it used is in OpenSSH. In fact, it's considered superior to password authentication in OpenSSH and recommended over a password.
So why not have RSA keys to our email, online banking etc. just like we have keys to our houses, cars etc?
Re: (Score:2)
Ok, so explain how a PKI key system would work.
I have visions of either having your key out there somewhere, and some way to securely access it, or having your key on something like a token.
If the key is out there, do I access it by providing a passcode to authenticate myself? Sounds like a password to me.
If it's on a token, well, where do I insert that, or do I use the token to get a passcode. Again, a password, though we use tokens here so it is at least something 'I HAVE', one of the three factors we
Re: (Score:2)
Website/program/service = lock
USB/Memory stick/certificate = key
Lock and key are matched up the first time you set up the service, just like we do with frickin doors and shit.
Seriously, why is this hard to understand?
It's a lock, and it's a key that fits the lock. There is one lock and one key (or multiple keys, if the need is there).
Re: (Score:2)
Ok:
Web service or whatever runs on my computer (I know it's out there ).
USB/memory/cert are something I have.
User ID I know.
And I was explaining how I use a token at work. I get it.
But a cert on a stick isn't enough.
Re: (Score:3, Informative)
The UK Government Gateway used to issue keys to every individual user. You can use the GG to do everything from file tax forms to start a business. I've never had to do anything as secure and never been as worried about someone finding out those login details on any other website, including my own personal bank account. It was an absolute pain in the arse. 50% of their phone calls were for lost / reissued keys. It didn't stop automated tools scraping keys from compromised computers and causing all sort
Re: (Score:2)
I suspect it's more inertia than anything else - the technology didn't exist when it first became necessary to authenticate users, so people did the best they could think of - passwords.
Over the years, the concept has been tweaked to make it more secure - eg. only storing hashes of passwords, demanding passwords of a particular complexity - but ATEOTD we're still polishing the same turd.
Technically speaking, it's entirely true that keypair authentication is much more secure, but there are still a lot of
Re: (Score:3, Interesting)
Keyfobs make malware work much harder. You don't insert them--you press the button and a number pops up. Enter that number and your password into the website, and you're in. The number changes in X seconds (where X is usually 60 or less.)
It makes it hard for malware to do its job. Now the malware must do its work right then, while you're in your authenticated session. It has to work automatically to e.g. perform a balance transfer. Other mitigation such as CAPTCHAs make it even harder for the malware
My front door has a key code. (Score:2)
What about using your phone? (Score:1)
Re: (Score:2)
Take a look at Blizzard's Battle.net Authenticator.
It generates a new key every 2 minutes I believe, and you have to enter that along with your account name and a password.
If someone steals your password, it's useless without the authenticator.
I have it on my Android phone.
No one can log into my Battle.net account, without my phone.
Which is also password protected, heh.
I'd welcome a single sign on solution, that adapted this.
My country (Denmark) is currently forcing a single signon system down throat of official
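Three posts in this thread describe the same mechanism: the keyfob that mixes a secret, the time and "some math" into a number that changes every minute, the point that a keylogged code is useless once its interval has passed, and the Battle.net authenticator that regenerates its code every couple of minutes. The block below is an added example of that mechanism, not Blizzard's or any vendor's code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) on top of HMAC-SHA1, plus the server-side check that accepts a code once and never again. The secret used in the demo is the RFC 6238 test key, and the verifier's skew window and class name are choices made for this example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals since the epoch.

    This is the 'secret + time + some math' the keyfob posts describe; the code
    is only valid for the interval it was computed in.
    """
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check: small clock-skew window, and each code accepted at most once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_accepted = -1   # highest counter accepted so far

    def verify(self, code: str, at_time: int) -> bool:
        counter = int(at_time) // self.step
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate <= self.last_accepted:
                continue   # already used, or older than a used one: treat as replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_accepted = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test key, not a real fob secret
    now = int(time.time())
    code = totp(secret, now)
    v = TotpVerifier(secret)
    print(code, v.verify(code, now))        # True: fresh code in its own interval
    print(code, v.verify(code, now))        # False: the same code cannot be reused
```

The replay guard is what turns a captured keystroke into a dead end: even if a keylogger records the six digits, the server has already consumed that counter, and every later interval yields a different code from the same secret. The remaining exposure, as the thread notes, is malware acting inside the session that the genuine code opened.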
Re: (Score:2)
Phone could be password protected, with remote-wipe.
Re: (Score:2)
Makes more sense to just use one password (Score:2)
Re: (Score:2)
yes you could do that first thing, or that second thing, or any of a large number of other things which are all better than the first two options. good luck.
Central login and privacy (Score:2)
Central login by definition links your multiple accounts to a single identity. In most cases it is not a problem. But do you really want somebody to know you log in with the same ID to your bank, health insurance and pr0n site? I don't think so. I'd prefer to have several identities on-line. One for secure stuff (bank, financial, medical info etc), one for shopping, one for unimportant stuff like forums, diggs, facespaces etc and one or many for things that I may not be so proud of like pr0n sites. The qualit
Work in Progress (Score:2)
One password everywhere, no passwords stored on remote servers, validation of the server too--like SSH.