A Thought on Web Security
April 29, 2013 10:36 AM

I long for the future where I can safely assume my passwords are stolen.
posted by stoneweaver (20 comments total) 13 users marked this as a favorite

That'd be handy and I'd sign up for it. But it's another layer of security-wonk stuff, and it's pretty doubtful that it would reach people who aren't already using two-factor authentication or password managers. That was part of the goal, yes?
posted by echo target at 11:10 AM on April 29, 2013


It's actually almost a worse solution, because it depends on action from both parties (mydogfriends.com has to have support for the auditing hook in its account settings thing, AND the user has to use it). Using either two factor authentication or a password manager only relies on action from one party or the other to implement.
posted by axiom at 11:15 AM on April 29, 2013 [1 favorite]


I'd much rather have token-based 2 factor auth everywhere. RSA really needs to provide a public API that allows a site to grab an ID from your token and pass it along with the value on the token to their auth infrastructure. The thing here, though, is bill the end user for the auth on a monthly basis.

I'd _happily_ pay $5 a month to have my own RSA token and be able to auth against a cloud service of theirs to 3rd party websites.
posted by bfranklin at 11:16 AM on April 29, 2013 [1 favorite]


The promise of single-sign on with OAuth/OpenID may whittle down the having-to-keep-track-of-thousands-of-logins issue and offload the authentication to someone else, but if your user’s Twitter account gets compromised it very quickly becomes a single source of failure. (emphasis mine)

This makes no sense whatsoever as written. If it's too much of a derail to actually describe an exploit along these lines she should at least link the text to one, because as it stands it's at best meaningless and what it seems to imply is completely wrong.
posted by George_Spiggott at 11:27 AM on April 29, 2013


(On followup, this may be what she's referring to.)
posted by George_Spiggott at 11:29 AM on April 29, 2013


Most things don't need passwords. I've linked there before. As I noted then, not all the ideas in the article scale well, but I do think the idea of using email verification as a proxy for passwords is nice.
posted by frogmanjack at 11:51 AM on April 29, 2013


Why your password can’t have symbols—or be longer than 16 characters
posted by the man of twists and turns at 12:07 PM on April 29, 2013 [1 favorite]


An easy to use password manager that creates random passwords and is available from any computer and hooks in with your browser is needed. I use keepass and haven't figured out how to use passwords on two different PCs though.

Nothing about keepass was easy to set up and I wouldn't recommend my parents try and set it up.

What to do?
posted by joelf at 12:14 PM on April 29, 2013 [1 favorite]


Yeah, I'm wondering about an easy-to-use keepass for my folks too. And also about whether they should try two-factor authentication. This is a constant issue with account access issues-- however you do it, it needs to be doable for my grandma or it just won't get used.

the man of twists and turns, I disagree with at least the first bit of that article-- I have a Charles Schwab account, and my password there is more than 6 characters. Unless they're lopping off the end and not telling me, or perhaps it's a legacy (I've had the account quite a while), that limitation is just not accurate.
posted by nat at 12:19 PM on April 29, 2013


>It's actually almost a worse solution

It's not really a solution in that it doesn't impact the "Hackers got your password" scenario, it's just adding a bit to the "... and then what?". Call it 'public alerting' service.

It's an interesting thought experiment (to a security guy). 3rd party audit trails are very useful for certain things. But in this case I can't see how poor Grannie, even if she's a competent power user, will know what to do with the results.

And that's before you get down in the technical weeds with Q's like: "Is an obfuscated URL really identifier between users?"

>"RSA really needs to provide a public API"

... with a single DDoS, I can take out authentication to hundreds or thousands of sites.

>>but if your user’s Twitter account gets compromised it very quickly becomes a single source of failure.

>This makes no sense whatsoever as written. If it's too much of a derail to actually describe an exploit along these lines she should at least link the text to one, because as it stands it's at best meaningless and what it seems to imply is completely wrong.


could you explain? As I read it, if you use twitter as your endpoint to validate some users ("sign in with twitter!") and twitter goes dark, those users can't authenticate. Further, if you use your twitter to see these log records, and your account is compromised, you won't be able to view the logs that would alert you something is going on.
posted by anti social order at 12:20 PM on April 29, 2013


KeePass makes a bit more sense if you get a tiny microSD card reader & card on your keychain and carry it around with you. I basically follow flabadblet's advice here.
posted by echo target at 12:25 PM on April 29, 2013 [3 favorites]


joelf: LastPass fulfills all of your requirements.
posted by zsazsa at 12:36 PM on April 29, 2013


As I read it, if you use twitter as your endpoint to validate some users ("sign in with twitter!") and twitter goes dark, those users can't authenticate. [...]

Ah. Got it. I read "failure" in "single point of failure" as "security failure", and inferred that she was suggesting that compromise of your Twitter account would compromise your account on other sites. Which might even be true but would need substantiation. Your interpretation makes more sense.
posted by George_Spiggott at 12:37 PM on April 29, 2013


An easy to use password manager that creates random passwords and is available from any computer and hooks in with your browser is needed. I use keepass and haven't figured out how to use passwords on two different PCs though.

1Password + Dropbox is exactly what you want. All your computers & mobile devices in sync, extensions for all major browsers, plus secure access over the web.
posted by designbot at 12:37 PM on April 29, 2013 [1 favorite]


Lastpass + Yubikey here.

If you don't want to buy a physical token you can also attach Google Authenticator.
posted by odinsdream at 1:06 PM on April 29, 2013 [1 favorite]


Has anyone ever done a serious independent audit of Lastpass? I know Steve Gibson loves them but with all the dumb things he's said about Bitcoin lately my level of trust in him has dropped somewhat.
posted by Aizkolari at 1:11 PM on April 29, 2013


KeePassX (cross platform) + DropBox + MiniKeePass (iOS) + KeePassDroid (Android) here. Keeps everything in sync, though a lot more manual than 1Password, which is lovely but proprietary.
posted by scruss at 1:43 PM on April 29, 2013 [1 favorite]


Web security? I just caught up with the subject with some reading and then watched a few YouTube videos. My take away was to wonder why it is acceptable that browser design is so hostile to end user security. A modern browser architecture which serves the needs of advertisers and marketing companies so well also seems to inherit a specialization that superbly supports hosting and distributing malicious code, without user knowledge or consent. My message for browser vendors: Don't put a genie in every bottle if you don't want genies to come out of bottles.
posted by vicx at 7:25 AM on April 30, 2013


... with a single DDoS, I can take out authentication to hundreds or thousands of sites.

Anycast much? Hell, decentralize it by offering cheap appliances that handle it to said sites.
posted by bfranklin at 8:23 AM on April 30, 2013


KeePass works with Dropbox and/or Google Drive, the same way 1Password does. You don't need to carry it around on USB/SD (but you certainly can). There's also the free MiniKeePass for iOS. (Link does not open iTunes.) I just Googled and there is at least one Android app as well.

I'm not sure I understand when you say that KeePass wasn't easy to set up. All you have to do is install it and create (or point to) a database and it's working.
posted by IndigoRain at 9:41 AM on May 1, 2013



