Slashdot Mirror
Google Declares War On the Password
An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity." Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"
Would you all PLEASE do not RTFA this time? I cannot, for the love of God, read another whiny story about "I'm Matt Honan and I was fucked in the ass (metaforically speaking) by a 15 year old". And if this post get slashdotted, Wired will post another 100 stories about that. So please DNTRFA!
Grey's Law: Any sufficiently advanced incompetence is indistinguishable from malice.
I use a password manager to solve this problem. It stores all (or a large set of) my passwords in an encrypted database. I have one very strong password that lets me access the database. The passwords it stores are all strong (sometimes hard to remember) passwords that I do not have to store in my head.
I still have all of my eggs in one basket, but that basket is sealed in a solid iron box.
It really is. I love their current implementation. It's actually security done right. I use Google Authenticator on my phone. If I login from an unknown computer, it asks me for a pass code also, which I just bring up on my phone. I only need to remember the password to my phone/tablet. It's easily the most seamless and secure two-factor authentication I've ever used, and I've used a lot of them....
I also use it as a token to access a couple of other sites. I believe that Apache has a module that can sync to Authenticator. It's great two-factor.
It also comes with a list of one time codes that I can carry around for when I don't have access to my phone or tablet.
It's like a permanent key/password manager for all of Google. It'd be great to turn it into my whole life. Much easier to just de-sync the Authenticator, then re-sync rather than blow away passwords for all sites, then re-create them for all sites if something gets compromised.
TL;DR I trust Google to do this right because they're already miles ahead of everyone else.
True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time individually change each one,.
Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.
LastPass offers Google Authenticator security over the vault, which means even if they get the master password they still wouldn't be able to access my vault. This does, however, mean the vault is technically not under my complete control (since I don't store it locally, although I do keep a semi-regular back of it). But, the advantage is worth it in my opinion.
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
I stopped using LastPass and switched to hiding keepass in SpiderOak when last year and someone downloaded LastPass' entire, albeit encrypted, password database. I was burned bad by that break in, because I had to sit there and changed dozens of passwords just in case. I migrated to keepass and generated very strong long random passwords for each website with it. I can't login to any sites now without it. I'd also recommend locking your keepass with a key file that you keep hidden elsewhere in addition to a password just in case your main password is stolen. Oh, and if you use webmail like gmail, make sure to use two-factor authentication that they provide to give some added security. It is far too easy to reset an account with very little knowledge of the person who owns the account, e.g. Wired's editor. I have a personal example of this myself, a coworker didn't know the password to a gmail account that we had set up for sending out continuous build integration emails (I.T. has lots of ports blocked and won't configure exchange for us) and we needed to reconfigure it. I simply guessed the location he had logged in at (he's in another country) but that didn't work, and then I tried his various known email addresses and one of them was accepted. Google gave me full access to the account, it was ridiculously easy. But, I digress. However, we still need at least a second part of the equation to protect a scheme like the one they're recommending. What they're offering is only one-factor and is just as poor if not more poor than using a password alone, it's only together that they're strongest.