Google Declares War On the Password

An anonymous reader writes "Wired reports on a research paper from Google employees about the future of authentication on the web. 'Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,' the authors write. Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. "We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity." Recognizing that this isn't something they can accomplish on their own, they've gone ahead and created a device-based authentication protocol that is 'independent of Google, requires no special software to work — aside from a web browser that supports the login standard — and which prevents web sites from using this technology to track users.'"

Brilliant idea

[0123456]

Because I totally want anyone who steals my phone to be able to access every other site I use.

Re:Brilliant idea

[Andrio]

The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you.

This proposed plan just makes cellphones that much more attractive to steal.

Re:Brilliant idea

[Dexter+Herbivore]

The best feature of the password is that it's in your head. You carry it around everywhere, and it can never be physically taken from you. This proposed plan just makes cellphones that much more attractive to steal.

The WORST feature of the password is that it's in your head. I have 20+ login passwords between work and home, my security is lower because you have to simplify them to remember them. If we can find a way to escape the tyranny of passwords that can generally be cracked by anyone who's determined anyway it can only be progress. Not that I have any faith in any organisation to do it after many failed or barely passable attempts (biometrics, smart cards etc).

Re:Brilliant idea

[kaiser423]

True, but if that password manager gets compromised by, say, Red October via capturing your keystrokes, everything is compromised for all sites until you take the time individually change each one,.

Currently, with Google Authenticator, I have it set up to authenticate me for a number of things, as if it gets compromised, simply telling it to re-sync again re-secures all of my credentials. Much, much better management. Single point control.

Re:Brilliant idea

There sure are a lot of people responding to you to explain the convoluted acrobatics they do to manage their passwords.

If nerds have to do a bunch of tricks just to give themselves a little faith in their passwords, what hope does everyone else have?

Tracking

[QuietLagoon]

... Their plan involves authenticating just once, to a single device, and then using that to unlock all of your other accounts. ...

That certainly makes it much, much easier for google to track you as you go around the web.

how about REMOVING ARBITRARY PASSWORD LIMITS!

[Umuri]

Relevant xkcd
But seriously, how many times have you seen minimum (ok, can see a point here) or maximum (WTF) limits on a password length? Or requirements of what it can or cannot contain.

Is there any reasonable excuse for why a password must not contain certain characters, besides breaking poorly made scripts? I mean password security 101 says they'll hash it anyway, so why should it matter?