a.harrowell at gmail
Jun 11, 2012, 12:38 AM
Post #77 of 87
The Cambridge University Computer Lab has had a crack at this question
in their Technical Report 817 on Web authentication:
Their conclusion is to use the Mozilla password manager (or close
analogue, but they like it because it's open source, free, and
available). Anyway, it's well worth reading.
A question: password managers are obviously a great idea, and password
manager + synchronisation takes care of multiple devices. However, if
the passwords themselves are poor, this doesn't help.
As well as a browser vault, we need a Passwords API to let a Web site
request the creation of a password. You will need:
- a MakePassword() action that creates a random, cryptographically strong
  password for the specified domain and specified username, with the
  specified TTL, and registers it in the vault.
- a same-domain constraint
- an SSL-only constraint
- a RequestLogin() action, leading to either automatic login or a user
  dialog as desired
- a RevokePassword() action that flushes the existing password and forces
  the creation of a new one. This can be explicitly invoked, for example
  after a security incident, or else activated when a TTL runs out.
- a user interface action that permits the user to invoke Revoke on all or
  a subset of the passwords.
This addresses: making up passwords, not sharing passwords, remembering
passwords, revoking compromised passwords.
No, it won't help if the evil maid sprays liquid nitrogen into your
laptop in suspend mode to render analysis of RAM easier yadda yadda, but
nothing will*, and if you face that kind of threat, you're operating in
a different league and passwords are the least of your worries. Because
you're not using them...are you?
Also, if the enemy can defeat SSL they can still phish you, but that's
going to be a very hard one to eliminate entirely, whatever happens.
(and how many security incidents are like that compared to ones
involving password compromises?)
Why didn't W3C do this 10 years ago? Kind of amazing, given how common a
pattern username/password is, that there is no mention of the word here:
*you can of course encrypt the disk that contains the password vault,
but in general, someone with physical access will win.
The only thing worse than e-mail disclaimers...is people who send e-mail
to lists complaining about them