Google cryptographer and all-round security expert Ben Laurie's been blogging some great security thinking lately. Today he's got a really fascinating, thoughtful piece about the problems of passwords:
So, where does this leave us? Users must have passwords, so why fight it? Why not admit that its where we have to be and make it a familiar (but secure) process, so that users can actually safely use passwords, phishing-free?
Do Passwords Scale?
The answer to this is deeply sad. It is because we have done a fantastic job on usability of passwords. They’re so usable that anyone will type their password anywhere they see the word “password” with a box next to it. Phishing is utterly trivial because we have trained the world to expect to be phished every time they see a new website.
Of course, we can fix this cryptographically - that’s easy. But let’s say we did that. How do we stop the user from ever typing their password into a phishable box from this day forward? So long as they only ever type the password into the crypto gadget that does the unphishable protocol, they are safe, no matter who asks them to log in. But as soon as they type it into a text box on a web page, they’re screwed.
So, this is why passwords are the worst usability disaster ever.
“Check out what the backboard did to the shingles right behind it. Crazy, right?” Here’s the uncropped picture:
Saw this at a car show today. The guy drove it there… This concept inspired the economist Gordon Tullock to come up with the idea that instead of mandating safety belts, it would save far more lives if the government required that large spikes were installed in the center of steering columns, because this would […]
Brock and Bowdy were doing what toddlers do: being stupid. In the process of trying to climb their dresser via the drawers, they tipped it over, pinning Brock. Luckily Bowdy was able to free his twin brother, but these incidents are common. Ikea recently recalled several dressers for the same problem that led to fatalities. […]
Although there will never be a consensus about the best way to make coffee, any coffee connoisseur will agree that controlling the grind of your beans and balancing water temperature are the keys to a tasty cup. Since your plastic coffee pot doesn’t really allow for that kind of customization, going back to the French […]
Not all hackers are malicious information thieves—white-hat ethical hackers work with technology companies to ensure the security of their computer systems and user data. With all of today’s high-profile data breaches, ethical hackers are in considerable demand. To learn these critical skills and break into the high-paying cyber security field, try taking the courses in this […]
Making people aware of goods and services in the digital age requires an array of new strategies from social media and email to number-crunching tools like Google Analytics. To get a handle on the techniques used to capture attention and convert traffic into dollars in a crowded online environment, the Full-Stack Marketer Bundle offers 22 hours of training to get […]