* Phillip Hallam-Baker wrote:
>The biggest weakness in Internet protocols is relying on passwords for
>authentication. What can we do to make the password mechanisms more secure
>and to wean the Internet off passwords?

When I started learning about web development in the late 1990s it came as a bit of a shock to me that other people can know my passwords. They are supposed to be secret! Later I learned it isn't even necessary for anyone other than me to know my passwords, except for convenience maybe. I also learned implementations of mechanisms like HTTP Authentication are so bad users cannot know whether they are logged in and cannot log out!

These days it is normal and expected that devices and operating systems steal your passwords and passwords that have been entrusted to you. Not to mention this web forms + cookie madness.

As far as web browsers are concerned, whether you are identifying to a web site, using which identity, including login and logout, is clearly a browser user interface concern, not a web site concern.

My passwords are only needed on my devices so they can prove that I have them. These days I can easily synchronise them myself by holding my smartphone in front of a webcam if copying files over a wireless network is too hard. I can also easily back them up by printing a protected version of them. Beautifully, I can also use other people's devices to use services that I identify to without risking that my passwords are compromised. As far as theory is concerned anyway.

That is what I would be interested in.
-- 
Björn Höhrmann · mailto:[email protected] · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
