Cutting the Gordian Knot of Web Identity


From a privacy point of view, I rather like being able to keep accounts at different websites entirely separate. This kind of system might be acceptable provided that it remained entirely optional, which is impossible to guarantee.


Unfortunately, there are 2 words that can bust this dream, just like any other “secure” password mechanism: keylogger malware. You either have to intially sign into your browser, or the “cloud” identity store at some point (think public terminal browsing), and then you’re still vulnerable to man-in-the-middle attacks for stealing your online identity, which has suddenly become much more dangerous because your bank account, 401K login, etc. are all tied into the cloud identity store, so once that’s cracked, you’re toast. At least with separate passwords, you might be smart enough to protect your bank password more vigilantly (i.e.: don’t access your bank account from a public terminal).

That said, I agree with the initial premise: password proliferation on the internet is totally busted and in need of urgent help.


“To the security issue, why do your passwords need to be stored in clear text on the cloud, whatever form it takes? Could we not have them stored encrypted with your browser password also being the key that decodes your stored cloud passwords?”

Fair point, though it would make it difficult to change your browser password.


Unfortunately, I think any developer capable enough to work with such a standard is also the same developer pushing for OpenID logins. “Just use OpenID, damnit” will quickly become “Just use standard login/password registration forms, damnit.”

But frameworks auto-generating username/password stuff will be slow to migrate, or old UIs that integrate across multiple non-browser mediums will never migrate, or…

you get my drift. I say we just push harder for OpenID.


Another question that would need to be addressed is how the browser authenticates the site requesting a login.
If this isn’t secure it would make it very easy to create an automatic phishing site as the password is being sent without any user input.


You have just described LastPass.


Finally! It seriously took me about 5 minutes to create a profile (which I still had to provide a username/password for ;)) because the other sites didn’t work! That said, I do believe passwords can be abolished. Though, I don’t trust any other identity provider. There is no reason why I should be bound by some other system to verify who I am other than me.

That said, I think a fairly solid solution would be to use the PGP model that would act as a plug-in for browsers. You would have an application that would sit on your PC and it would create and manage a secret key. Profiles could be generated from this secret key and generate public keys which can be shared at will. The browser plug-in would then detect if the site is using the same authentication scheme and, if the site is authorized by you, the public key and profile would be shared with the site over an encrypted connection and you would have instant access to your sites. Granted, this would need a critical mass of user penetration to be considered useful but it would require no passwords and could be shared across devices (This could create a management headache. Though, why you would have a different address for your ebay profile from device to device is beyond me.).

The entire purpose would be to store identity profiles and not payment methods so there shouldn’t be much worry about the boogie man lurking around the corner. The only real issue is if your computer is compromised and your keys were stolen. This would also defeat keyloggers, as Izaak mentioned, as no keystrokes would ever be required to generate and pass around the keys that identify your profile. There would be no risk of mistaken identity from site to site as the keys for each profile would be unique.

Basically, I trust no corporation or institution to vouch for me as ultimately they will only serve their own interests and there is always the risk that if the “trusted” source says you’re someone different, through fluke or otherwise, than who you say you are then who are you to disagree? Eventually we must all take responsibility for who we are online and I think only we, as individuals, can do that. This might not be a perfect system but I do believe it to be in line with these ideals.


I also want to remind you that SSL is horribly, terribly, keeps-me-up-at-night broken. My browser still has 1024-bit trusted roots, which were expected to become breakable as early as 2006 or as late as, um, 2011, depending on your source. And once any of them is broken, the attacker holds the keys to the Internet. (This is in addition to demonstrated attacks: sslstrip and sslsniff, outright forged certs (the Comodo reseller snafu and hacking of DigiNotar), certain CAs signing multiple certs for “localhost”, and the unbridled “we’ll do what we were supposed to be doing in the first place, for a price” avarice of EV certificates.)

The multiple identity problem, raised above, is important to me as well: I need to select Skyborne vs. other identities at will, e.g. to write about sexuality without having any stigma from that attached to my real life.


Dare I say it? Card Spaces and InfoCards. It was very similar to your “drivers license”. It also allowed for various identity providers so you aren’t limited to 1 issuer.

There are only 2 small problems that I think prevented it from being used.

  1. Identities were not portable. (BIG PROBLEM)

  2. It was mostly Windows.

If you solve problem 1 then problem 2 will solve it self because web sites would start supporting it.

Of course, info cards are very similar to client certificates. I believe these can be installed on multiple PCs. However, don’t think they have the security of InfoCards due to the fact that every web site sees the same id, where as with InfoCards each web site gets a different token so they can’t match you from site to site.



Aren’t we most of the way there?

To sign in just now and post this very comment, I hit “sign in”, it asked me which credentials I wanted to use, and ta-da.

I can’t remember the last time I had to sign on to SE. I hit log in, use OpenID, and it works.


The problem I see there, AnyGould, is that your identity provider is still some third party. If you’re on the web to be able to hit a web site there is no reason any resource should be hit other than your PC for identity verification. “Trusted” identities for sensitive systems is a different concern but just for posting on shouldn’t take any sort of “trusted” status and you telling this site who you are should be enough. But, this is one thing I care particularly about though so I am biased.


Your “dream scenario” sounds remarkably similar to how LastPass works now. On the downside, auto-scrape and fill of account creation and login info isn’t quite perfect. On the upside, they already store a strongly-encrypted password list in the cloud that is only decoded on the device, and it’s available on almost all devices and browsers.

They don’t have a captcha, and I don’t see what the purpose of it is either. Why bother having the browser side verify that there’s a person at the computer?


Why not just mature and use Public Key Infrastructure?


Mozilla seems to put your idea to work:


Sounds marvelous. One thing that I especially like about it is that I don’t see any reason why it couldn’t be implemented by LastPass, and they have a lovely bookmarklet interface that means they’re portable to just about any browser.

Have you considered asking LastPass if they’d be interested in prototyping a test implementation of something like this? They’d seem to be ideal since they already have the secure-password-management-in-the-cloud side of things taken care of, and users who would presumably be very receptive to even more automation. You could implement the provider part on Stack Exchange to give it some production usage.


I’ll see your xkcd comic and raise you another

Already see this effect in the comments


“They don’t have a captcha, and I don’t see what the purpose of it is either. Why bother having the browser side verify that there’s a person at the computer?”

I think the point is to stop the cloud sending all your personal details to any website that requests them.


The problem is, I don’t want what you describe. I don’t want my browser holding those credentials or passing them by proxy. It’s too easily compromised or spoofed. I don’t want the cloud holding those credentials, for the same reason. Regardless of what the credentials are, I want them either in my brain or in a passphrase-encrypted store which does not directly interface with the browser.

So, your proposal needs a big “do it the old way” button.


Why do we need password protected accounts for websites at all? I can (and will) tell lies on account-creation pages as well. And, really, who cares who I am? Even with the account-based model I can easily make 42 different accounts.

No, the real solution is banging the heads of all web-devs who think they’ll need accounts against a sufficiently stable wall - until they don’t think that anymore.

Nobody with at least half a brain stores anything private unencrypted on the web. Passwords didn’t save the dropbox or PlayStation-Network users, and they won’t save you.

So, just get rid of your fake security and wannabe identification device named password-“protected” accounts.

Problem solved.

For real security use encryption. With a password. Stored in your brain.


In Belgium, everyone (over 12 years old) has an electronic ID-card. Which basically contains a few certificates which you can use for digital signatures. (E.g. paying your taxes online.) You only need a cardreader, and the software (which is open sourced and can be found here:
I’m not an expert on the topic, but I suppose a certificate for everyone might work… More info here: