[Discuss] eliminating passwords
Kent Borg
kentborg at borg.org
Tue Jul 30 07:01:17 EDT 2013
On 07/29/2013 05:08 PM, Tom Metro wrote:
> I'm guessing the feature is underutilized not because it is viewed as
> insecure, but because 1. developers just aren't aware of it,

I was once working on a project for an embedded device and part of the
layers of security was a client certificate that needed to be
installed. It was only one part.

> Sure, but which is an easier task: teaching grandma how to use Keepass
> to shuttle credentials between two applications, or fixing flaws in
> Firefox's security architecture (if any[1]) such that private keys are
> held securely?

Far easier and more secure to tell grandma to keep her passwords on
paper. Nothing to teach beyond to note each site, and the username and
password. Oh, and something about each password containing some parts
that are truly random. Give grandma an attractive little notebook and a
pair of dice. If the two of you want to get really fancy, have her work
out a simple obfuscation that is applied to each written password.

No need to swoop in in ten years when the security landscape changes and
today's technical solution is no longer a good solution.

Sometimes really good computer security components are really, really
old technology.

-kb
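
The dice suggestion in the message above, worked through as an added example that is not part of the original post: it turns rolls of a pair of dice into password characters and shows how much randomness each roll contributes. The 36-character table, the function names, and the rule of reading the two dice in a fixed order (for instance, two dice of different colours) are assumptions made for this illustration.

```python
import math
from collections import Counter
from itertools import product

# Assumed lookup table: 6 x 6 ordered outcomes -> 26 letters + 10 digits.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def rolls_to_chars(rolls):
    """Map ordered (first_die, second_die) pairs to one character each."""
    out = []
    for first, second in rolls:
        if not (1 <= first <= 6 and 1 <= second <= 6):
            raise ValueError(f"not a die face: {(first, second)}")
        out.append(ALPHABET[(first - 1) * 6 + (second - 1)])
    return "".join(out)


def entropy_bits_ordered(n_rolls):
    """Entropy when the dice are read in order: 36 equally likely outcomes."""
    return n_rolls * math.log2(36)


def entropy_bits_summed(n_rolls):
    """Shannon entropy if only the sum (2..12) of each roll is written down."""
    counts = Counter(a + b for a, b in product(range(1, 7), repeat=2))
    per_roll = -sum((c / 36) * math.log2(c / 36) for c in counts.values())
    return n_rolls * per_roll


def rolls_needed(target_bits):
    """Number of ordered two-dice rolls needed to reach a target entropy."""
    return math.ceil(target_bits / math.log2(36))


if __name__ == "__main__":
    # Constructed sample rolls, standing in for dice thrown on a table.
    sample = [(1, 1), (6, 6), (3, 4), (2, 5)]
    print("random part:", rolls_to_chars(sample))
    print("bits, dice read in order:", round(entropy_bits_ordered(4), 2))
    print("bits, dice summed:", round(entropy_bits_summed(4), 2))
    print("rolls for 40 bits:", rolls_needed(40))
```

Adding the two dice together throws away more than a third of the randomness in each roll, so the notebook instructions should say to read one die first and the other second.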