Kenneth Downs wrote:

> True, but we need a better answer than that.
>
> Can you explain what mechanisms are storing the passwords, and why no additional weakness has been introduced?


The issue here is really one of psychology and usability. A poorly usable authentication system will cause users to route around it, for example by always using the same password, by choosing easily remembered passwords, by writing them down on Post-it notes stuck to their monitors, or all of the above. The theoretical strength of authentication systems is irrelevant in the face of user counter-measures such as these.

Only systems that take users into account will be secure in the real world. Usability is not a sufficient condition for secure authentication, but it is a necessary one.

Given the wealth of passwords users are expected to remember in order to participate in the Web, the only plausibly usable system for managing client password lists that maintains some level of security is single sign-on. Server-based single sign-on systems have failed because no standard centralized repository has been established. Thus the only choice is to place this repository on the client. (I suspect that would still be the right answer even if one of the server based systems had succeeded, but the point is moot because none did.)

The vast majority of users will only accept such a system if it is actually easier to use than pen and paper. The only such system is the one that doesn't require the user to do any extra work. That means the browser itself (or a plug-in integrated into the browser) remembers the password.

EVERYTHING ELSE THAT HAS BEEN TRIED TO DATE HAS FAILED. NO EXCEPTIONS.

Now assuming you're willing to work under those constraints, you can make the browser repository a little stronger. You can use better encryption for the password store. You can make sure that the memory area in which the browser stores its passwords is promptly zeroed out after use. And you can play a few other tricks that don't affect the user experience. But that's about it.

A browser-based password store is the most secure authentication system devised to date. In practice, everything else that has been tried has been less secure. I suspect we're not going to improve on this state of affairs until we move away from usernames and passwords completely.

--
Elliotte Rusty Harold
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk