Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

Theodore Tso <tytso@MIT.EDU> Thu, 13 January 2011 18:25 UTC

From: Theodore Tso <tytso@MIT.EDU>
In-Reply-To: <AANLkTingp=V4KFWaEjUWPvNraNT3H6T_rXcC_8CmEeYW@mail.gmail.com>
Date: Thu, 13 Jan 2011 13:27:10 -0500
Message-Id: <45F97DFD-3AAB-44DE-8DC9-3694608EB740@mit.edu>
References: <4D02AF81.6000907@stpeter.im> <p06240809c928635499e8@10.20.30.150> <ADDEC353-8DE6-408C-BC75-A50B795E2F6C@checkpoint.com> <78BD0B98-0F20-478B-85F1-DBB45691EB0D@padl.com> <4D0479E3.4050508@gmail.com> <4D04D7D6.4090105@isode.com> <A23730A9-728B-4533-96D7-0B62496CC98A@checkpoint.com> <4D051731.1020400@isode.com> <2230EA03-32C5-4D34-BC6B-304E813BE3A7@gbiv.com> <AANLkTimWZz-uOQ3whayCgAzHRXJLWh7qYjiqW7h8-MK7@mail.gmail.com> <AANLkTik5wsudwLN=+KzvXoA4MStG2K72fA5giKd2NqGV@mail.gmail.com> <AANLkTingp=V4KFWaEjUWPvNraNT3H6T_rXcC_8CmEeYW@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "Roy T. Fielding" <fielding@gbiv.com>, websec <websec@ietf.org>, Robert Sayre <sayrer@gmail.com>, "kitten@ietf.org" <kitten@ietf.org>, "http-auth@ietf.org" <http-auth@ietf.org>, "saag@ietf.org" <saag@ietf.org>, Ben Laurie <benl@google.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On Jan 8, 2011, at 11:07 AM, Phillip Hallam-Baker wrote:

> I think that Ben is right that we are solving the wrong problem.
> 
> The problem is that users are asked to maintain accounts at literally HUNDREDS of accounts. 
> 
> And some cretins, some utter morons, some bog-brained berks think it is reasonable to tell the user to have a different password for every one!
> 
> I can't remember the account names, the password is easy as I only had one (for non financial) - until those cretins at Gawker screwed up. Now I have to reset my password at all those places.

The fact that web sites like Gawker will screw up is why you need to maintain different passwords at every single one.  And at least Gawker admitted that they screwed up, and told everyone to change their passwords once this came out.  Many large corporations would have tried to stonewall and claim their security is perfect, or at least not publicize the security breach to their users.

Personally, I think the horse left the barn a long, long time ago, and this is not a problem we can fix today.  What I use for my non-financial accounts is the LastPass plugin, which scans HTML form pages looking for username/password form fields, and if it finds them, looks up the username/password in a database which is stored in the cloud in an encrypted fashion, and populates them into the HTML form.  It also will automatically generate nice, long, random passwords for every site when you change your password, and allows you to easily use long, hard-to-memorize (and thus secure) passwords that are different for every single web site.

The only reason why I don't use it for my financial web sites is because it's a closed source browser plugin, so I can't audit it to make sure it's not stashing away passwords and publishing them to the manufacturer via some covert channel.  But if they want to steal my Financial Times and Economist logins, hey, they can be my guest.

It may be ugly that we're dealing with this at the HTML/presentation battle, but any other solution will take years to roll out, and the issues of trust and liability which to date have doomed any large-scale PKI rollout are going to bite us here.   And in a federated scheme, the question of which federated entities a user should trust to potentially give access to *all* of their web sites is still at best a research problem.  So at least for web security, maybe the best we can do is to make things easier for the browser or browser plugins to manage different accounts at hundreds of different web sites.   This may ultimately be an easier, and much more easily deployable, solution than some kind of federated authentication proposal.

-- Ted
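
The message above describes, in prose, what a form-filling password manager does: generate a long random password per site, keep it in a vault, find the username/password fields in a page's form, and fill them in. The following is an added example written to illustrate that mechanism; it is not code from the message, from LastPass, or from any IETF work, and every name in it (the `Vault` class, the constructed sample HTML, the `example.com` URLs) is an assumption made for the illustration. Beyond what the message says, it also shows the two checks a defender would want a filler to make before it hands over a credential: that the page's origin exactly matches the origin the password was stored for (so a look-alike host gets nothing), and that the form would submit to that same origin over HTTPS. The vault itself is held in memory only; the message's cloud storage and encryption are out of scope here.

```python
"""Toy model of a form-filling password manager (added example, constructed names)."""
import math
import secrets
import string
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Alphabet for generated passwords: 52 letters + 10 digits + 12 symbols = 74 characters.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 20) -> str:
    """Draw a random password from the OS CSPRNG via the secrets module."""
    if length < 12:
        raise ValueError("refusing to generate a short password")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet: str = PASSWORD_ALPHABET) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def origin(url: str) -> tuple:
    """(scheme, host, port) triple; the unit a credential is bound to."""
    p = urlparse(url)
    return (p.scheme.lower(), p.hostname, p.port)


class LoginFormFinder(HTMLParser):
    """Collect forms that contain a password field, recording the field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "username": None, "password": None}
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "password" and self._current["password"] is None:
                self._current["password"] = a.get("name")
            elif kind in ("text", "email") and self._current["username"] is None:
                self._current["username"] = a.get("name")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["password"]:
                self.forms.append(self._current)
            self._current = None


class Vault:
    """In-memory credential store keyed by exact origin (hypothetical, for illustration)."""

    def __init__(self):
        self._entries = {}

    def store(self, site_url: str, username: str, password: str = None) -> str:
        """Save a credential for the site's origin, generating the password if none given."""
        password = password or generate_password()
        self._entries[origin(site_url)] = (username, password)
        return password

    def fill(self, page_url: str, html: str):
        """Return {field name: value} for the first safe login form, or None."""
        page_origin = origin(page_url)
        if page_origin[0] != "https":
            return None  # never fill credentials into a plaintext page
        creds = self._entries.get(page_origin)
        if creds is None:
            return None  # unknown origin: a look-alike host gets nothing
        finder = LoginFormFinder()
        finder.feed(html)
        for form in finder.forms:
            if origin(urljoin(page_url, form["action"])) != page_origin:
                continue  # form would submit the password to another origin
            fill = {form["password"]: creds[1]}
            if form["username"]:
                fill[form["username"]] = creds[0]
            return fill
        return None


if __name__ == "__main__":
    vault = Vault()
    pw = vault.store("https://example.com/login", "ted")  # constructed sample
    page = '<form action="/session"><input type="text" name="user"><input type="password" name="pass"></form>'
    print(vault.fill("https://example.com/login", page))
    print(vault.fill("https://examp1e.com/login", page))  # look-alike host: None
```

Because the vault is keyed on the full (scheme, host, port) triple, a credential stored for `https://example.com` is never offered to `http://example.com`, to a host that differs by one character, or to a form whose `action` points off-site, which is the property that makes a filler safer than a human typing the password wherever a login box appears.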