It's time to stop using passwords to authenticate users. They were never a very good form of security and they're only getting worse. The latest fiasco is that Apache had a break-in on their bug tracker, during which passwords were logged for three days. The hashed password database was stolen too, facilitating dictionary attacks. At least Apache was hashing passwords: there are plenty of dumbass sites that store passwords in plain text.

Password database theft is particularly bad if users use the same password on multiple sites. Yeah, I'm sure you've never done that. I have 560 passwords stored in Google Chrome right now. To any hackers reading: of course all my passwords are different. They're all at least 16 characters, multicase, and use Urdu punctuation.

So if not passwords, then what? Four alternatives:

  1. Two-factor authentication: a secure hardware gizmo that generates one-time logins. I have two now, one for my Warcraft account and one for my bank account. They're too expensive to use on every web site but are great for a few high-risk accounts.
  2. Authentication delegation like OpenID (or in some use cases, OAuth). OpenID works great, right now. Product designers fret about the user experience, but it's not that bad. The real problem is political: there's no major trusted third party providing OpenID without some competitive motive.
  3. Client-side cryptographic authentication. This technology is at least 10 years old, but outside of ssh it was never widely adopted. The web browser version (client-side SSL certificates) is poorly supported and has terrible UI. That's a fixable problem.
  4. Password agents. A little browser plugin that maintains a secure set of strong passwords, one for every site you log in to. Works with existing password-based servers, but if you're using a browser without your agent (hello iPhone) you're stuck.

That's four different user authentication options that are all more secure than your dog's name with 3s instead of Es. They work best in combination. I'd really love an OpenID provider that used a two-factor authentication system to protect me. If it also had a password agent to bridge logins into an old password-protected site, then I'd be all set. In fact, that right there is a technology roadmap for a startup. Only problem? It wouldn't make enough money to be worth the liability.
  2010-04-13 21:20 Z