[153712] in North American Network Operators' Group
Re: Dear Linkedin,
daemon@ATHENA.MIT.EDU (Alexander Harrowell)
Mon Jun 11 03:39:54 2012
From: Alexander Harrowell <a.harrowell@gmail.com>
To: nanog@nanog.org
Date: Mon, 11 Jun 2012 08:38:38 +0100
In-Reply-To: <20437.22970.99377.799263@world.std.com>

The Cambridge University Computer Lab has had a crack at this question
in their Technical Report 817 on Web authentication:
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html

Their conclusion is to use the Mozilla password manager (or close
analogue, but they like it because it's open source, free, and
available). Anyway, it's well worth reading.

A question: password managers are obviously a great idea, and password
manager + synchronisation takes care of multiple devices. However, if
the passwords themselves are poor, this doesn't help.

As well as a browser vault, we need a Passwords API to let a Web site
request the creation of a password. You will need:

a MakePassword() action that creates a random, cryptographically strong password for the specified domain and specified username, with the specified TTL, and registers it in the vault.

a same-domain constraint

an SSL-only constraint

a RequestLogin() action, leading to either automatic login or a user dialog as desired

a RevokePassword() action, that flushes the existing password and forces the creation of a new one. This can be explicitly invoked, for example after a security incident, or else activated when a TTL runs out.

a user interface action that permits the user to invoke Revoke on all or a subset of the passwords.

This addresses: making up passwords, not sharing passwords, remembering
passwords, revoking compromised passwords.

No, it won't help if the evil maid sprays liquid nitrogen into your
laptop in suspend mode to render analysis of RAM easier yadda yadda, but
nothing will*, and if you face that kind of threat, you're operating in
a different league and passwords are the least of your worries. Because
you're not using them...are you?

Also, if the enemy can defeat SSL they can still phish you, but that's
going to be a very hard one to eliminate entirely, whatever happens.
(And how many security incidents are like that compared to ones
involving password compromises?)

Why didn't W3C do this 10 years ago? Kind of amazing, given how common a
pattern username/password is, that there is no mention of the word here:
http://www.w3.org/TR/

*you can of course encrypt the disk that contains the password vault,
but in general, someone with physical access will win.

--
The only thing worse than e-mail disclaimers...is people who send e-mail
to lists complaining about them
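
Added example, not part of the original message and not any browser's API: a sketch in JavaScript (Node.js) of the vault side of the Passwords API the message proposes, showing the same-domain and SSL-only checks, TTL-driven revocation, and the user-initiated revoke. The class name, the method signatures, the explicit `callerOrigin` argument (a real browser would supply the calling page's origin itself) and the injectable clock are assumptions.

```javascript
// Hypothetical vault sketch; every name and signature here is an assumption.
const { randomBytes } = require('node:crypto');

class PasswordVault {
  constructor(clock = () => Date.now()) {
    this.clock = clock;        // injectable so TTL expiry can be exercised
    this.entries = new Map();  // "domain\nusername" -> credential record
  }

  // SSL-only and same-domain constraints: the calling page must be https
  // and may only touch credentials registered for its own host.
  static enforce(callerOrigin, domain) {
    const url = new URL(callerOrigin);
    if (url.protocol !== 'https:') throw new Error('SSL-only constraint');
    if (url.hostname !== domain) throw new Error('same-domain constraint');
  }

  makePassword(callerOrigin, domain, username, ttlMs) {
    PasswordVault.enforce(callerOrigin, domain);
    const password = randomBytes(24).toString('base64url'); // 192 bits from the OS CSPRNG
    const record = { domain, username, password, ttlMs, expires: this.clock() + ttlMs };
    this.entries.set(`${domain}\n${username}`, record);
    return password;
  }

  // Flush the existing password and force creation of a new one (same TTL).
  revokePassword(callerOrigin, domain, username) {
    PasswordVault.enforce(callerOrigin, domain);
    const old = this.entries.get(`${domain}\n${username}`);
    if (!old) throw new Error('no such credential');
    this.entries.delete(`${domain}\n${username}`);
    return this.makePassword(callerOrigin, domain, username, old.ttlMs);
  }

  // Hands back the credential for login; an expired TTL triggers revocation first.
  requestLogin(callerOrigin, domain, username) {
    PasswordVault.enforce(callerOrigin, domain);
    const entry = this.entries.get(`${domain}\n${username}`);
    if (!entry) return null;
    if (this.clock() < entry.expires) return { password: entry.password, rotated: false };
    return { password: this.revokePassword(callerOrigin, domain, username), rotated: true };
  }

  // User-interface action: the user revokes all credentials or a chosen subset.
  userRevoke(selector = () => true) {
    const chosen = [...this.entries.values()].filter((e) => selector(e.domain, e.username));
    for (const e of chosen) this.revokePassword(`https://${e.domain}`, e.domain, e.username);
    return chosen.length;
  }
}
```

The sketch leaves out how the site learns the replacement password after a revocation, which the message does not specify.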