Why Are we Still Using Passwords?

So, I was tooling around the internet (it’s my job!) and I came across yet another website that wanted me to “create an account” in order to do something that I wanted to do. And so I did. I mean, this is what we all do on the internet, right?

And then it struck me–a bit late–that this was patently absurd. It’s already a little odd/annoying that seemingly every website on the internet forces us to create and manage a new account/identity, let alone multiple identities on the same service. I mean no one has more than one twitter account, right? And nearly every account that we make with every service has it’s own “identity” and password.

Which means, practically, that we all have (at best) two or three passwords which are mildly to moderately secure, and we use those over and over again, and rarely change. Which is not secure at all. But it’s also a problem if we use passwords that are really secure and then can’t remember them. Solutions like 1password are great, and help those who want to be really secure with this problem, but this really just treats the symptom, and not the problem that a user-generated password is the way to find security. And while passwords are better than no passwords, there are better ways.

There are, as I see it, two solutions to provide better user security on the internet:

1. Open ID. This is a protocol by which users can create an access an account on site A by signing into and verifying their identity with site B. It works, and it means that we end up signing into fewer sites and have fewer versions of our passwords in circulation.

   • This works best I’m convinced, if we use big openID providers like Flickr, Blogger, and LiveJournal, and then delegate that openID to a third party website (a domain that you own, say), so that if your account ever gets compromised/abandoned, all the sites which depend on that openID aren’t compromised/abandoned as well.
   • You wonder how this identity can be trusted? This is really an existential concern more than a pragmatic one because OpenID is no less legit than providing your (fake) name and (freely available) gmail email address.

2. Public Key encryption. Using PGP/GPG the internet should develop some sort of handshake for the web where by, we sign up for sites, upload a public key, and then when we want to sign in the server generates a dynamic string and encrypts it with our public keys and sends it to us. Our computers then ask for our key pass-phrase (or not), decrypt the string, and send it back. The server compares what we send to what they sent, sees that it works, and then lets it in.

   • This is really secure, particularly if the handshake happens over SSL.
   • This is relatively simple from a computer science perspective. All that really needs to be done is) write something sexy that makes the UI work, and then get Google or someone to start using it. Everyone else will follow.
   • It’s subject to man in the middle attacks, but then, everything is, and unlike a password that you only have to “hear” once in order to steal, guessing someone’s private key, based on only a few encrypt/decrypted strings is computationally (I understand) damn hard.

   Who’s with me?