[Tfug] Authentication procedures

Bexley Hall bexley401 at yahoo.com
Fri Mar 20 15:49:11 MST 2009


Hi, James,

--- On Fri, 3/20/09, James Hood <ebenblues at gmail.com> wrote:

> I have a different perspective on this. I say, get rid of passwords
> entirely. There is a wealth of research that shows people suck at
> guarding/maintaining passwords. I remember a study showing 20% of
> people would give out their password for a candy bar.

Well, they are willing to give away their civil liberties just
as readily...  :-/

> We should put authentication (and the need to guard it) in terms that
> your average user can understand. I have a USB flash drive on my
> physical key chain that has my private key on it. I also have a hacked
> version of Putty that can look on my flash drive for private keys when
> doing ssh key auth. It's really convenient, because I can go to any
> Windows PC and ssh to my servers w/o typing in a password.

But, if this becomes "standardized", then viruses can just be written
to sit and watch for the next "authentication cycle" and snarf
your credentials, etc.  I.e., people would be just as bad at
guarding that "secret" (credential) as they are about their
"passwords".

People need to really think of it as a "key in a lock" -- i.e.,
you wouldn't LEAVE your key in the lock after unlocking it;
you wouldn't *give* your key to anyone that you had any
suspicions about their integrity (though many people do!);
you wouldn't stick your key in a lock if you saw some funky
mechanism wrapped around the lock that wasn't there last
time you used it, etc.

> Wouldn't it be great if there was a standardized way for any app to do
> key-based authentication, reading your private key off of your flash drive?

I don't see that as any more secure.  That's like keeping
your car key in a standardized place in/on the car and
hoping only "authorized valets" actually go and use it...

> That way people don't have to remember passwords and they'll guard
> their software key with their physical keys. I bet less than 20% of
> people would give someone their house key for a candy bar...

I think the problem is that people can understand what's at risk when
they "give out" the key to their house.  They can form a mental
image of all the things inside the house that they are making
vulnerable by doing so.

But, they can't put a value on what the password is protecting.
E.g., if someone gets the password to their checking account,
I suspect most folks would think it is not possible for someone to
*use* their account without a (physical) check!  And, even if
they assumed this was *remotely* possible, that they would *know*
when this had happened and could "do something" about it. (oh,
really?  what??)  And, others probably think "I've only got
$100 in the account, so that's all I'm exposed as".

I think if people had been victimized they would probably take
a different outlook on how they treated their "secrets".

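The two sides of the argument above (a private key file in a standardized place on a flash drive, and malware that simply reads it), as an added example that is not part of the original thread and not code from either poster. It models the drive contents as byte slices rather than real files, plays both ends of a challenge-response login with an Ed25519 key, and shows that a "snarfer" holding a copy of the raw key file authenticates just as well as the owner. It goes one step past the text by also storing the key wrapped under a passphrase-derived AES-GCM key, the usual mitigation, so the file alone stops being the credential. The PBKDF2 routine is written out by hand to stay within the Go standard library; the passphrase, the wrong guess and the file layout (salt || nonce || ciphertext) are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const saltLen, nonceLen, kdfIters = 16, 12, 100000

// pbkdf2SHA256: minimal PBKDF2-HMAC-SHA256 for one 32-byte block (stdlib only).
func pbkdf2SHA256(pass, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1})
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// keyAEAD derives a 256-bit key from the passphrase and wraps it in AES-GCM.
// Neither constructor can fail for a 32-byte key on a 16-byte block cipher.
func keyAEAD(pass, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256(pass, salt, kdfIters))
	aead, _ := cipher.NewGCM(block)
	return aead
}

// wrapKey produces the wrapped key file: salt || nonce || AES-GCM(key).
func wrapKey(key ed25519.PrivateKey, pass []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	return keyAEAD(pass, salt).Seal(append([]byte(nil), hdr...), nonce, key, salt), nil
}

// unwrapKey fails closed on a wrong passphrase or a modified file (GCM tag check).
func unwrapKey(blob, pass []byte) (ed25519.PrivateKey, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, fmt.Errorf("truncated key file")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	pt, err := keyAEAD(pass, salt).Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, fmt.Errorf("wrong passphrase or tampered file: %w", err)
	}
	return ed25519.PrivateKey(pt), nil
}

// serverAccepts plays both ends of a challenge-response login: a fresh server
// nonce, signed by whoever holds key, verified against the enrolled public key.
func serverAccepts(enrolled ed25519.PublicKey, key ed25519.PrivateKey) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil { // fresh per login, else replay
		return false
	}
	return ed25519.Verify(enrolled, challenge, ed25519.Sign(key, challenge))
}

// Demo enrols a key, models the raw and the wrapped drive contents, and reports
// whether a snarfer gets in with each (no passphrase) and whether the owner does.
func Demo() (snarfRaw, snarfWrapped, owner bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	pass := []byte("correct horse") // constructed passphrase for the demo
	wrappedFile, err := wrapKey(priv, pass)
	if err != nil {
		return
	}
	snarfRaw = serverAccepts(pub, priv) // a copy of the raw file is the credential
	if k, e := unwrapKey(wrappedFile, []byte("guess")); e == nil { // snarfer, wrong passphrase
		snarfWrapped = serverAccepts(pub, k)
	}
	if k, e := unwrapKey(wrappedFile, pass); e == nil { // owner, right passphrase
		owner = serverAccepts(pub, k)
	}
	return
}

func main() {
	snarfRaw, snarfWrapped, owner, err := Demo()
	fmt.Println("raw file snarfed:", snarfRaw, "wrapped file snarfed:", snarfWrapped, "owner:", owner, "err:", err)
}
```

Running it prints true, false, true: the raw file authenticates anyone who can read it, the wrapped file does not without the passphrase, and the owner still gets in. Note what the wrapping does not fix, which is Bexley's actual objection: at unlock time the decrypted key sits in the memory of the process doing the login, so malware that waits for the next authentication cycle still gets it. Closing that gap takes a key that never leaves a separate device (a hardware token or an agent that signs on the user's behalf with a physical confirmation), not a better file format on the drive.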