Dear Linkedin,

Alexander Harrowell a.harrowell at gmail.com
Mon Jun 11 07:38:38 UTC 2012


The Cambridge University Computer Lab has had a crack at this question 
in their Technical Report 817 on Web authentication: 
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html


Their conclusion is to use the Mozilla password manager (or close 
analogue, but they like it because it's open source, free, and 
available). Anyway, it's well worth reading.


A question: password managers are obviously a great idea, and password 
manager + synchronisation takes care of multiple devices. However, if 
the passwords themselves are poor, this doesn't help.


As well as a browser vault, we need a Passwords API to let a Web site 
request the creation of a password. You will need:


a MakePassword() action that creates a random, cryptographically strong 
password for the specified domain and specified username, with the 
specified TTL, and registers it in the vault.


a same-domain constraint


an SSL only constraint


a RequestLogin() action, leading to either automatic login or a user 
dialog as desired


a RevokePassword() action, that flushes the existing password and forces 
the creation of a new one. This can be explicitly invoked, for example 
after a security incident, or else activated when a TTL runs out.


a user interface action that permits the user to invoke Revoke on all or 
a subset of the passwords. 


This addresses: making up passwords, not sharing passwords, remembering 
passwords, revoking compromised passwords. 


No, it won't help if the evil maid sprays liquid nitrogen into your 
laptop in suspend mode to render analysis of RAM easier yadda yadda, but 
nothing will*, and if you face that kind of threat, you're operating in 
a different league and passwords are the least of your worries. Because 
you're not using them...are you? 


Also, if the enemy can defeat SSL they can still phish you, but that's 
going to be a very hard one to eliminate entirely, whatever happens. 
(and how many security incidents are like that compared to ones 
involving password compromises?)


Why didn't W3C do this 10 years ago? Kind of amazing, given how common a 
pattern username/password is, that there is no mention of the word here: 
http://www.w3.org/TR/


*you can of course encrypt the disk that contains the password vault, 
but in general, someone with physical access will win.

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them


More information about the NANOG mailing list