Story 2014-09-01 2RYV When will the era of passwords come to an end?

When will the era of passwords come to an end?

by
in security on (#2RYV)
I personally have to manage upwards of 180 passwords on a regular basis and lots of folks deal with more than that. Sure, you can simplify by reusing passwords, but common sense says that's a bad idea. But better systems inevitable require you manage them in a password app or equivalent, which opens another vulnerability, as cracking that data store can net a crook your entire password collection. Clearly, there's progress to be made here.
The reported theft of 1.2 billion email passwords by Russian hackers earlier this month was just the latest in a long string of major password security breaches that have led some people to wonder if the use of passwords should be abandoned.
But given recent breaches of systems and so on, the BBC is asking the inevitable question, which is has the flawed password system finally reached its end, and if so, what will replace it? Check out their review of alternatives, including digital portraits, voice recognition, and more.

What about Pipedotters: how do you manage your passwords, and which direction makes sense for this not-evolving-fast-enough technology?
Reply 9 comments

random passwords (Score: 1)

by seriously@pipedot.org on 2014-09-01 19:18 (#2RZ1)

So far, for websites I use pseudo-random password (generated using "$ openssl rand -base64 24") and I let the browser memorizes them (but I don't export it to my backups). So only my browser password to remember. The day they get erased or I change laptop, I guess I'll just click on the "Forgot your password ?" links wherever I need it. And websites I never visit ? oh well, I don't need them anyway (I'm pretty sure I've lost my slashdot credentials a long time ago and I have zero intention to get them back :-) )

As for ssh (or ssh-based) connexion, I use public/private key pairs with passphrases, I only have 3 different pair of keys so far, so only 3 different passphrases to remember

I would actually be interested in knowing which tool to use to manage all my passwords outside of the browser and still have them auto-complete when I log into a website.

I would be even more interested into some easy smartcard-like technology where I would use one of my USB stick with my GPG key on it to manage all of that. step 1: format USB key and fill it with some sort of GPG key, step 2: plug the USB key into laptop (+ maybe some 2-step verification ?) step 3: identified. step 4: the moment you unplug the USB key, you're offline.

But I know nothing about security or cryptography, so probably this is all highly insecure and/or dumb ...

SuperGenPass (Score: 1)

by kwerle@pipedot.org on 2014-09-01 20:40 (#2RZ5)

YubiKey (Score: 1)

by bryan@pipedot.org on 2014-09-01 22:22 (#2RZ7)

I've been contemplating adding YubiKey support to Pipedot. A YubiKey is a physical device, about the size of a USB thumb drive, that has one button on the top and acts like a USB keyboard. Unlike other "authenticators", when you want to sign in somewhere, instead of manually relaying a random code from a keyfob or smartphone, you simply press the button and the YubiKey generates and types a secure one-time code for you.

Would anyone else be interested in such a device? They would cost about $25 each and could be used on other sites that support them as well.

Re: YubiKey (Score: 1)

by bryan@pipedot.org on 2014-09-01 22:22 (#2RZ8)

Re: YubiKey (Score: 1)

by harmless@pipedot.org on 2014-09-02 01:01 (#2RZH)

That thing seems to rely on a central server. No deal.

Also, most of my accounts on web sites - this one included - is worth almost nothing. I *might* pay a dollar to not lose it; but for two, I'd rather make a new one.
Of course there are some that are important. But using a strong password for only a few sites is not a problem.

Keychain (Score: 1)

by harmless@pipedot.org on 2014-09-02 00:48 (#2RZG)

For me, the system keychain (OS X/iOS) is good enough.

As for replacing passwords with something else: I haven't seen a convincing replacement yet and I can't think of one myself either.

One problem is, that passwords work for a huge variety of use cases.
Example: A random web page wants me to sign in for no apparent reason. I can just make up a new password and use a temporary email address. I wouldn't want to use any authentication method - like a smart card or something - that was tied to my identity.

Tools (Score: 1)

by nightsky30@pipedot.org on 2014-09-02 12:04 (#2RZX)

We use keepass.

http://keepass.info/

File (Score: 1)

by hyper@pipedot.org on 2014-09-02 15:09 (#2S04)

I'd rather upload a file than enter a passwordorupload a file and put in a password

Easy strategy (Score: 1, Interesting)

by Anonymous Coward on 2014-09-04 08:25 (#2S1G)

Simply don't get an account. I don't need to remember a password for Pipedot because I don't have an account. Also, since I don't have an account, it cannot get hacked. ;-)