Cutting the Gordian Knot of Web Identity


#1

Perhaps you've seen this recent XKCD about password choice?


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2011/09/cutting-the-gordian-knot-of-web-identity.html

#2

Something like LastPass gives you the browser plugin and cloud storage. OK, it’s not your dream scenario, but it’s a start.


#3

You reinvented the password manager.


#4

No – I’m proposing this should work out of the box for every website and every browser in the world, on any device.

With absolutely no configuration or thinking or plugin setup or software installation required.

(ideally using W3C blessed standards, but whatever it takes)


#5

Another issue that you run into immediately is the use-case of multiple people using the same computer and user account, and thus, the same browser profile to access the internet, such as the public computers available at most public libraries.


#6

Hopefully there would be some “Kiosk Mode” in the browser for this scenario, Siebren.


#7

I dare say you’re inventing the past. Soon enough my personal bio-chip will log me in to anything I need access to automatically as soon as I touch the keyboard or the mouse.


#8

… I dream of the day when I never need to see another password field in my browser ever again …

But from your description I read that you’ll see a password field when you “Log In” to your browser :slight_smile:

This dream is almost done with Chrome password sync.
And it doesn’t need any extra work in pages.


#9

The problem with doing a lot of things automatically is that some people have multiple identities online. I decide on a per site basis what identity to use (my real identity or my nickname etc).

In the case where you could trust every single site with your real identity this wouldn’t be necessary but in my opinion we’re a long way from that scenario being reality thus I will be choosing an identity for every single site.

From a security point of view I wouldn’t like the above idea either; having functionality like this will enable a worm/virus to not only infect my local machine but possibly spread havoc on all my registered accounts as well. Not to mention registering me for new services I don’t want…


#10

Have you heard of BrowserID before? It’s a Mozilla project where they try to move identification in the browser. A very promising approach, that might remedy some of your outlined problems:

https://browserid.org/

(When I first learned about it I thought all the way back to your driver’s license post.)


#11

If all the passwords are generated and unseen by the user anyway, wouldn’t it be better to use a public/private key pair à la passwordless SSH? Then there’s less of a need for HTTPS and its slowness all over everywhere.

And yeah chrome password sync is a thing of beauty and about 3/4 of the way there…


#12

But from your description I read that you’ll see a password field when you “Log In” to your browser :slight_smile:

Yes, but my computer runs for days with one instance of Chrome… I’ll gladly accept one browser login every few days!

And yeah chrome password sync is a thing of beauty and about 3/4 of the way there…

Agreed, that’s what emboldened me to propose this as (gasp) a standard.


#13

BrowserID is a Mozilla Labs project, and I’ve come to expect their projects to get discontinued, as happened to Prism, Ubiquity etc.


#14

“more and more websites need to know something about who you are to work”

Ah, no. More and more websites WANT to know something about who you are, because your personal data is their money. The more you give them, the better.

You’re describing a single point of failure here, an excellent entry point for data collection, for profiling your behaviour, and to finally control your life. When someone restricts your access to this central login repository, then you’re out.

It’s the very same thing with the movement away from freely programmable production machines, to controlled consumer machines like smart phones, web pads and the like with the restricted app stores. The people are currently giving away the freedom they gained by the computer and internet revolution – and most of them seem to be happy in doing so.

Your dream WILL come true, because the consumer machines require such an infrastructure. But it will turn out to finally be a nightmare, I’m sure.


#15

OK, I must confess, it sounds a lot like LastPass.
It’s much more what LastPass wants to do, rather than what LastPass does, but it’s all there.

Using LastPass, it will detect a sign-up page. It will allow you to auto-fill the page with the identity of your choice and generate a strong password. Once you’re in it will detect the login pages and auto-fill your credentials. I believe you can set it to auto-login to certain sites too.

LastPass stores your credentials in the cloud, but encrypts them on your endpoint so that they’re secure. It runs on almost any device, although the degree of integration is very limited on things like iPhone and Android, and is usually missing from within applications themselves (Spotify, any phone app), which is annoying.

Remember, our web passwords are way beyond just websites now, don’t forget our beloved mobile apps.

Are we asking for a version of LastPass that can be easily integrated with sites, browsers and apps, from both a practical and legal point of view? I guess we don’t want to make a monopoly here, so it presumably couldn’t be LastPass explicitly.


#16

Very good proposal!
What about multiple accounts for one person? Some people like to keep some accounts separated from others (e.g. a Twitter account for a company and a personal Facebook), but still be able to manage those sites within the same browser session.

Agreed, starting multiple browsers is a small price to pay though…


#17

The weakness I see with your proposal is the need for some kind of cloud storage for usernames and passwords: the end user will have to sign in to their authentication provider anyway. If you have to do that, why not just use OAuth? Sure, your proposal also implies that the default authentication provider / password vault be automatically filled in the browser so that the user does not have to say whether it’s Google, Facebook, etc., but couldn’t this also be done when using OAuth?

Or is your proposal mainly about shifting the complexity of integrating with a third-party authentication provider from the websites to the browser?


#18

Too late :wink:
http://www.technologyreview.com/web/38511/?ref=rss


#19

I must admit I use a mishmash of techniques, but LastPass is very good at achieving most of what you suggest; it can even be used with YubiKeys to give you a physical “Key” to your logins. I also universally use disposable email addresses to sign up (via Spamgourmet.com). Not only does this not expose my personal email address to spam/abuse, but it means I can find out which unscrupulous bar steward was prepared to sell me out!


#20

@Sohail Hussain +1 for LastPass. There’s no way websites will ever agree on any standard, as they believe my 10MinuteMail is quite valuable. I’m happy to let LastPass record the hoops needed to log in to a particular site and let me go on with my work (heck, it even creates passwords for you; I have no idea what 90% of my passwords are any more).
Progress is not based on optimal paths but paths of least resistance. I hope Dick Hardt will prove me wrong, but until then using (insert favourite password manager) will do.