Passwords

While I agree with the author here that passwords, to paraphrase, suck, I disagree regarding OpenID. This commenter at Slashdot gets it right:

What OpenID does is, in proper implementations, it allows us to sign in with any provider we choose. I could choose my own server as a provider — thus, it’s not necessarily “someone else’s web site”. And I don’t have to use passwords — I can use a password and a “security question”, I can use public-key cryptography, or I can hire a secretary to sit at the server in question and only authorize requests when she receives a phone call from me.

Even if we assume everyone continues to use the same password, with the same account, everywhere, it’s still better than a conventional login. With the conventional login, every site I log into could steal my password and use it to log in as me elsewhere. With OpenID, only my OpenID provider can do that.

One single point of failure is better than N single points of failure.

Setting a good, complex password with your OpenID provider is at least as secure as using that same password at multiple sites (if they support it — various sites have various password rules).

The problem is, people choose bad passwords, but passwords aren’t going away anytime soon. I think there’s a slight chance of people choosing a stronger password if they know they don’t have to enter it all day long.


2 responses

  1. I’m surprised we haven’t all moved on to biometrics or Smart Cards or something like that, yet. Or some combo thereof.

  2. Carlo Scannella

    We should have — we’ve been told for the last ten years they are the future. The problem is cost and distribution — too hard to get smart cards out to people. Biometrics don’t really work all that well, either (at least last time I tried a fingerprint reader).

    The NYT article talks about “info cards,” something I haven’t really looked into yet.

    But in any case, PWs are going to be with us for a while.
