undefined | Better HN

0 pointsdoublerabbit6y ago0 comments

Well, username and passwords for one

0 comments

I'll bite: what's wrong with username and password?

Because in order to prove that you know the secret you have to reveal the secret. That makes it unavoidably vulnerable to phishing.

nine_k6y ago

Not necessarily.

To prove that I have a secret key, I encrypt something of your choosing, and you decrypt it with a public key. This is enough proof, and private parts remain unexposed.

1 more reply

downrightmike6y ago

The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time https://gizmodo.com/the-guy-who-invented-those-annoying-pass...

wbl6y ago

http://bash.org/?244321 is probably the most egregious example. People reuse passwords, humans are bad at making them, etc.

new26286y ago

That's funny and I agree that _some_ people are bad at using passwords, but I have a feeling whatever replaces them will be worse for everyone. It's like some people cut their fingers with knives so let's all use plastic knives instead.

2 more replies

_jal6y ago

As a standalone method of authentication, insecure is more ways than I can list.

I didn't think this was controversial or obscure. Authentication on my work laptop is fingerprint + 2FA, then password and 2FA for VPN. Access to most other resources at that point is certificate driven.

I wish my bank would use certificates, for instance. I absolutely get the human (ultimately cost) factors involved, but my bank is one of the few entities with which I would go through the hassle of in-person key setup/renewal.

creeble6y ago

Remembering them.

But to add along the same lines: what's an equally easy alternative?

new26286y ago

There was an old post by Bruce Schneier where he suggested people write down passwords on a piece of paper and keep them securely. This is something people have been already doing for centuries with wallets, keys, etc.

j / k navigate · click thread line to collapse

0 comments

new26286y ago

I'll bite: what's wrong with username and password?

lisper6y ago

Because in order to prove that you know the secret you have to reveal the secret. That makes it unavoidably vulnerable to phishing.

nine_k6y ago

Not necessarily.

To prove that I have a secret key, I encrypt something of your choosing, and you decrypt it with a public key. This is enough proof, and private parts remain unexposed.

1 more reply

downrightmike6y ago

The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time https://gizmodo.com/the-guy-who-invented-those-annoying-pass...

wbl6y ago

http://bash.org/?244321 is probably the most egregious example. People reuse passwords, humans are bad at making them, etc.

new26286y ago

2 more replies

_jal6y ago

As a standalone method of authentication, insecure is more ways than I can list.

creeble6y ago

Remembering them.

But to add along the same lines: what's an equally easy alternative?

new26286y ago

j / k navigate · click thread line to collapse