+1 for LastPass.
mmmm, I agree that something must be done, but your solution seems flawed to me⌠You have one password to rule them all, if someone gets your master password, you are screwed, he has access to all the sites ever.
I get that like this xkcd comic says http://xkcd.com/792/ (noticed how many things can be explained with an xkcd comic?), a lot of people use the same credentials for different sites, but thatâs another subject.
+1 for LastPass,
The Security Research Team at the Cambridge University Computer Lab came up with a more radical idea to represent utopia, named âPicoâ ( http://www.lightbluetouchpaper.org/2011/03/27/pico-no-more-passwords/ ). Proposing a clean slate approach.
Another solution my guts believe is safe is (I have no formal proof) to replace
http://âŚ/signin
by
https://âŚ/signin?uid=123456798123456798âŚ
With the uid to be a huge random unique key.
TLS makes sure nobody can read the url, so your uid/ukey is safe on the wire.
Bookmark it.
Make sure your laptop is not stolen. (anywayâŚ)
Done.
Lastpass does a lot of this for me, although when it does mess up, it dies hard. Thankfully they make it pretty easy to manage the accounts it stores, and can handle multiple accounts well.
- re. the XKCD - he ignores that many sites have a password length limit - and a few of them, at least, will be silently truncating, which makes a phrase worse than using linenoise.
Also, I donât know about him, but in my world, the sites I care about all limit login attempts or speed, so you canât brute force - the â1000 guesses per secondâ problem is solved by not having the same password on every account; use different ones on banking and Important accounts - none of which will tolerate that sort of behavior from outside, and a shitty generic one on useless sites like forums because who gives a damn about forums.
And lastly, the Bad People donât care about my account. They care about getting âeasyâ accounts; the people who use âPassword123â and the like are all screwed.
On your suggestion - I absolutely reject any centralized system where a single point of failure breaks everything and a single security issue compromises everything I do.
Have fun pushing it - I ainât taking it.
I mean, sure, it makes your life as a website operator easier.
Good for you. Not my problem as a user, however. I donât care about making your life easier (nothing personal!); I care about mine, and âmagical browser-based just works once you give a browser your master super-passwordâ is BAD.
I donât want to have to give Someone Elseâs Computer my Master Credential Authorization to, say, play Kingdom of Loathing.
No. Just no.
For those wondering about still needing to sign in to the browser or cloud service, this is where something like a smartcard, keyfob, or other physical authentication device would come in handy. They are unappealing in todayâs world of separate accounts on every site, but under this scheme (when paired with a quality account recovery service) it makes a lot more sense.
Iâm curious about how we would prevent a malicious (or temporarily hacked) web site from showing a specially crafted sign-in page to the browser, and having the browser send along your private information to the wrong place without you every noticing. It seems⌠exploitable.
Also: captchas are not appealing to me for this. But I reference my first point: combine it with a hardware security key, and maybe the hardware key allows you to bypass the captcha.
Couldnât agree more. There has to be a better way. And, there very nearly is with OAuth. However, and this is a pet peeve, whenever I use a OAuth account to log in to a 3rd party site, they require far more entitlements than they need. Thus making me nervous, and resorting to site specific user/passwords.
To enable me to post this comment. I logged in with my Twitter ID, which asked fir the following entitlements (this is the actual text):
⢠Read Tweets from your timeline.
⢠See who you follow, and follow new people.
⢠Update your profile.
⢠Post Tweets for you.
What a joke!!!
A little more respect, and weâd already be there with a Internet identity.
I get that Jeffâs saying a browser standard and not a plugin like LastPass, but WRT @Christopher and some of the other âLastPassâ posts: one of the nuances about LastPass is that it only stores encrypted copy of your password database in âthe cloudâ. A local copy is downloaded to each device using it, and is accessible offline. So it supports âoccasionally connectedâ scenarios, though obviously you canât sync up new passwords from other devices while offline. The encryption is AES256 I believe, so it should be good until quantum computers come out next year. 
Seriously, Jeff, look at LastPass if only for the technical details about what would be necessary to implement something like this. Iâd love for it to be standard, better integrated into websites, and free-er, but it really follows the spirit of what youâre saying here, I think.
Another kink in your plan is that not only websites need passwords. As a consultant, I have VPN passwords, AD accounts, 3rd party apps. Not to mention personally, I have PIN codes for bank cards, membership cards, etc. So, youâre right that it all boils down to identity, but a full solution has to be bigger than a web browser.
Is argue that TSL (aka SSL) is not broken. The âtrusted authoritiesâ model is broken, which typically only effects HTTP+SSL for browser communication. WebId is not affected by this, nor is the public+private key system in general. We should just move to client keys period, which is all the âtrusted authoritiesâ are emulating because of the lack of processing power in the past.
I do NOT want to use any âinternet IDâ.
Besides, itâs certainly not working well with Korea.
A bit of a low-tech version of what you are talking about, but itâs worked well for me for years (Password Safe + DropBox): http://mooneyblog.mmdbsolutions.com/index.php/2010/04/16/password-management-for-dummies-and-developers/
No. No no no no no. Iâm sick of people behaving like websites are the only things that require passwords. Your âsolutionâ offers no affordance for those of us with passwords on our Windows accounts (several at work and home), our phone lock screens, buildings, bank/telecoms telephone lines, etc etc etc. We need a password solution that doesnât require internet access. This âcloud-basedâ solution is completely worthless for a massive number of use cases.
And no, donât give me that crap about ubiquitous internet. Maybe in your country, but itâs YEARS AND YEARS away from being a reality where Iâm from.
Wouldnât this tie me to a single browser? I use several browsers on several devices, and I need access from all of them.
Jeff, you are a genius.
Yes, yes, yes. I have a text file with my passwords/usernames and I have to refer back to it when going to another site. Itâs a gigantic pain in the ass.
This is a major restriction of the web, versus the desktop. But Iâd like for the web to act more like the desktop. When you logon to your desktop, you input your username/password and are able to access all programs without a hitch. This is what Iâd like for the web later, as you stated, having an ID/Password and accessing any site in the world on any device.
There is however, one big catch. The only way itâs possible is if either:
- People use one identity
or - The system is able to present multiple identities and you plug which identity you want to use into the website.
Realistically, the more websites we go to, the bigger a problem this will be. I know Iâm not the only one that goes to tons of forums/blogs/e-com sites and gets pissed off when you have to click the âforgot password button.â
CAPTCHAs donât work well in any case. Spammers just pay people to solve them and computers are better than humans at deciphering mangled text/identifying puppies/etc once trained.
http://bitland.net/captcha.pdf
The number one biggest concern I have reading your description of this is when you say the word âetceteraâ in this sentence: âretrieves the userâs standard information fields like name, email address, etcetera from some form of secure https cloud storageâ. Sites are all the time asking for information I may or may not be willing to give. Especially when Iâm trying something out. So maybe I start with a mailinator address and a fake birthday, and then based on the usefulness Iâll sign up for a real account. But even then, thereâs not much chance Iâm giving my real phone number. I donât want any sort of automatic data pull happening from some cloud storage. I have to control what data I share, 100%.
I remember reading an article by Doc Searls back in 2005 where he completely missed the same point: http://www.linuxjournal.com/article/8357. Identity information is essential⌠valid demographics are often optional. If the system doesnât allow me to remain semi-anonymous, fake data, or outright lie when Iâm asked for information that I donât want to give, the system wonât gain acceptance. Identity and demographics are different and have to remain so for any system like this to work.
I agree with the approach above using SSL certificates. Using a single cloud solution is a single large point of failure. If Amazon Service or Google ever goes down (and they both have) then the internet is broken. I put a more formalized solution up for the method described above using SSL and a private key store.
Sure sounds a lot like CardSpace.