Adam Frisby

OpenID is fundamentally flawed.


I’m glad to hear a little sanity coming from the New York Times on this matter (via Slashdot): typing your password into someone else’s website should always be considered an absolute no-no. It’s a phisher’s dream come true.

Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.

If someone wants to design an OpenID-like solution, the best answer is some form of challenge/authenticate redirect. That is: a user visits site A to post a blog comment and wants to use their ID. They click ‘Authenticate me’ and enter the URL of the site that will authenticate them. The user is redirected to that site, where SSL certificates verify that they are actually speaking with their authenticator; they log in, and are then redirected back with an appropriate token matching the challenge written by the original site.

It’s a bit more complex than “Enter your password on Joe Shmoe’s website”, but the security benefits are considerably higher, given that you can verify you are sending your password only to Joe.
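The redirect flow described above, as an added example that is not part of the original post: site A issues a random single-use challenge, the user logs in only at their own authenticator, and site A accepts the user only if the returned token is bound to a challenge it actually issued. Assumed here (the post does not specify this): site A and the authenticator share a secret set up out of band, and the user checks the authenticator’s TLS certificate when redirected; all URLs and accounts are constructed.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed (not in the post): site A and the authenticator share a secret set up
# out of band, and the user checks the authenticator's TLS certificate on redirect.
SHARED_SECRET = b"constructed-shared-secret-for-demo"
CHALLENGE_TTL = 300  # seconds a challenge stays valid
RETURN_TO = "https://site-a.example/login/return"  # constructed site A return URL


def make_token(challenge, user):
    # Bound to both the challenge and the asserted user: swapping either breaks the MAC.
    return hmac.new(SHARED_SECRET, f"{challenge}|{user}".encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """Site A: issues a fresh challenge, later checks the returned token against it."""

    def __init__(self):
        self.pending = {}  # challenge -> time issued

    def start_login(self, authenticator_url, now=None):
        challenge = secrets.token_hex(16)  # 128-bit random nonce, single use
        self.pending[challenge] = time.time() if now is None else now
        return authenticator_url + "?" + urlencode({"challenge": challenge, "return_to": RETURN_TO})

    def finish_login(self, return_url, now=None):
        q = parse_qs(urlparse(return_url).query)
        challenge = q.get("challenge", [""])[0]
        user, token = q.get("user", [""])[0], q.get("token", [""])[0]
        issued = self.pending.pop(challenge, None)  # pop: a replayed token finds no challenge
        now = time.time() if now is None else now
        if issued is None or now - issued > CHALLENGE_TTL:
            return None  # unknown, already used, or expired challenge
        if not hmac.compare_digest(make_token(challenge, user), token):
            return None  # token was not issued for this challenge/user pair
        return user


class Authenticator:
    """The user's own identity site: the only place the password is ever typed."""

    def __init__(self, users):
        self.users = users  # constructed demo accounts; store password hashes in practice

    def handle(self, redirect_url, user, password):
        q = parse_qs(urlparse(redirect_url).query)
        stored = self.users.get(user, "")
        if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
            return None  # login failed; no token leaves the authenticator
        challenge = q["challenge"][0]
        return q["return_to"][0] + "?" + urlencode(
            {"challenge": challenge, "user": user, "token": make_token(challenge, user)})
```

Replayed, tampered, expired and never-issued tokens are all rejected by `finish_login`, while the relying party never sees the user’s password at all.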

The rest of the Times article is a discourse over whether we should abandon passwords in favour of secret cryptographic keys. I believe the problem here is that ‘he who has the keys, has your account’: this means you either need to use one computer only (and forget about logging into your email from another person’s machine), or you need to start carrying your crypto keys around with you and prevent someone from nabbing them.

The downside to passwords, however, is that they are incredibly weak security measures: a 1024-bit RSA private key is a lot stronger than a 128-bit password (8 ASCII chars). Each additional bit is a doubling in strength, so a 129-bit password doubles the number of possible combinations, and 896 doublings is a lot stronger yet.

The best solutions are of course hybrids. When strong security is required (banking, etc.), some form of USB key that can perform RSA encryption for you within the token, without revealing your key, may be worthwhile, although it means you need to start carrying it around wherever you wish to do banking. To activate the device, some kind of password would be essential too, to prevent someone from stealing it.


Written by Adam Frisby

August 10th, 2008 at 7:03 pm

Posted in Technical

One Response to 'OpenID is fundamentally flawed.'


  1. Those of us with SecurID fobs and similar OTP methods have been doing this for years. I’m currently on my 5th token (two cards, two ‘old’ fobs, and now the updated ‘keyring’ fob) and have to admit that RSA has a good thing going here. And, admittedly, the new fob finally looks cool. ;)

    I was rather leery of OpenID mostly because it is a central repository. The other reason became the fact that I can create my own OpenID server and refer to that on my own site (which I actually did do, for the hell of it). What’s the point of generating a central ID repository if you can circumvent it anyway??

    –TSK

    T_S_Kimball

    20 Aug 08 at 8:31 am
