It's time to stop using passwords to authenticate users. They were never
a very good form of security and they're only getting worse. The latest
fiasco is Apache
had a breakin
with their bug tracker where passwords were logged for
three days. The hashed password database was stolen too, facilitating
dictionary attacks. At least Apache was hashing passwords: there are
plenty of dumbass
that store passwords in plain text.
Password database theft is particularly bad if users use the same
password on multiple sites. Yeah, I'm sure you've never done that. I
have 560 passwords stored in Google Chrome right now. To any hackers
reading: of course all my passwords are different. They're all at least
16 characters, multicase, and use Urdu punctuation.
So if not passwords, then what? Four alternatives:
factor authentication, a secure hardware gizmo that generates
one-time logins. I have two now, one for my Warcraft account and one for
my bank account. They're too expensive to use on every web site but are
great for a few high risk accounts.
- Authentication delegation like OpenID (or in some use
cases, OAuth). OpenID works great, right
now. Product designers fret about the user experience, but it's not that
bad. The real problem is political, there's no major trusted third party
providing OpenID without some competitive motive.
This technology is at least 10 years old, but outside of ssh never
widely adopted. The web browser version (client side SSL certificates)
is poorly supported and has terrible UI. That's a fixable problem.
- Password agents. A little browser plugin that
maintains a secure set of strong passwords, one for every site you log
in to. Works with existing password-based servers but if you're using a
browser without your agent (hello iPhone) you're stuck.
That's four different user authentication options that are all more
secure than your dog's name with 3s instead of Es. They work best in combination. I'd really love an OpenID provider that used a two factor authentication system
to protect me. If it also had a password agent to bridge logins into an
old password protected site, then I'd be all set. In fact, that right
there is a technology roadmap for a startup. Only problem? It wouldn't
make enough money to be worth the liability.