I no longer really use passwords to log into websites. Instead I use an authentication agent that lives in my browser and proves my identity to websites. Sadly, the authentication protocols of the Web require sending my secret token rather than doing some safer public key protocol. And the details of figuring out how to transmit the token to each website are needlessly complex.

To put it another way, passwords are completely broken; even strong passwords like “qeadzcwrsfxv1331” are crackable. With LastPass in my browser I literally do not know what my password is on pretty much every one of the 479 websites I log in to. I already run a complex authentication protocol. The stupid thing is that it’s a very bad protocol, involving stuffing secrets into random form elements on the web page.

Mozilla Persona is a strong proposal for how to end passwords in a better way, at least for desktop computers. And Tim Bray has lots of good notes on authentication and identity. I still think OpenID is sufficient, or maybe the newer OpenID Connect system. Hell, at this point I’ll accept Log in with Facebook or Google+ Sign-In. But whatever it is needs to be universal. And it really should be vendor neutral.

  2013-05-28 17:47 Z