[nycphp-talk] AJAX and State

Elliotte Harold elharo at metalab.unc.edu
Sat Sep 22 12:23:21 EDT 2007


Kenneth Downs wrote:

> True, but we need a better answer than that.
> 
> Can you explain what mechanisms are storing the passwords, and why no 
> additional weakness has been introduced?
> 

The issue here is really one of psychology and usability. A poorly 
usable authentication system will cause users to route around it, for 
example by always using the same password, by choosing easily remembered 
passwords, by writing them down on Post-it notes stuck to their 
monitors, or all of the above. The theoretical strength of 
authentication systems is irrelevant in the face of user 
counter-measures such as these.

Only systems that take users into account will be secure in the real 
world. Usability is not a sufficient condition for secure 
authentication, but it is a necessary one.

Given the wealth of passwords users are expected to remember in order to 
participate in the Web, the only plausibly usable system for managing 
client password lists that maintains some level of security is single 
sign-on. Server-based single sign-on systems have failed because no 
standard centralized repository has been established. Thus the only 
choice is to place this repository on the client. (I suspect that would 
still be the right answer even if one of the server-based systems had 
succeeded, but the point is moot because none did.)

The vast majority of users will only accept such a system if it is 
actually easier to use than pen and paper. The only such system is the 
one that doesn't require the user to do any extra work. That means the 
browser itself (or a plug-in integrated into the browser) remembers the 
password.

EVERYTHING ELSE THAT HAS BEEN TRIED TO DATE HAS FAILED. NO EXCEPTIONS.

Now assuming you're willing to work under those constraints, you can 
make the browser repository a little stronger. You can use better 
encryption for the password store. You can make sure that the memory 
area in which the browser stores its passwords is promptly zeroed out 
after use. And you can play a few other tricks that don't affect the 
user experience. But that's about it.

A browser-based password store is the most secure authentication system 
devised to date. In practice, everything else that has been tried has 
been less secure. I suspect we're not going to improve on this state of 
affairs until we move away from usernames and passwords completely.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
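The post mentions one of the few hardening steps available to a browser password store that costs the user nothing: zeroing the memory area that held a password as soon as it has been used. The snag a practitioner runs into is that a plain `memset()` before a buffer goes out of scope is routinely removed by the optimizer as a dead store, so the password stays in memory. The following C program is an added example, not code from the post or from any browser; the helpers `secure_zero`, `use_and_wipe`, `check_password` and `wiped_after_check` are hypothetical names chosen for illustration. It wipes through a `volatile` pointer (the technique behind libc's `explicit_bzero` and C11's `memset_s`), compares in constant time, fills the scratch buffer with a canary byte first, and then checks that every byte really is zero afterwards.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wipe a buffer in a way the optimizer cannot elide. A plain memset() on a
   buffer that is never read again is a "dead store" and may be dropped;
   writing through a volatile pointer forces every byte to be stored.
   (Hypothetical helper; real code would use explicit_bzero or memset_s.) */
void secure_zero(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Constant-time comparison: the loop always runs over every byte, so the
   time taken does not reveal where the two values first differ. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t len) {
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Models a browser pulling a stored password into a working buffer, using
   it for one check, and wiping the buffer before returning on every path.
   Returns true only if the submitted value matches the stored one. */
bool use_and_wipe(const char *stored, const char *submitted,
                  uint8_t *scratch, size_t scratch_len) {
    size_t n = strlen(stored);
    bool ok = false;

    if (n <= scratch_len) {
        memcpy(scratch, stored, n);
        ok = (strlen(submitted) == n) &&
             ct_equal(scratch, (const uint8_t *)submitted, n);
    }
    /* Wipe unconditionally: also on the "too long" and mismatch paths. */
    secure_zero(scratch, scratch_len);
    return ok;
}

/* True when no byte of buf is non-zero. */
bool is_all_zero(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Convenience wrapper: does the submitted password match the stored one? */
bool check_password(const char *stored, const char *submitted) {
    uint8_t scratch[64];
    return use_and_wipe(stored, submitted, scratch, sizeof scratch);
}

/* The property the post cares about: after the check, is the working buffer
   zeroed? The buffer is pre-filled with 0xAA so a missed wipe is visible. */
bool wiped_after_check(const char *stored, const char *submitted) {
    uint8_t scratch[64];
    memset(scratch, 0xAA, sizeof scratch);
    (void)use_and_wipe(stored, submitted, scratch, sizeof scratch);
    return is_all_zero(scratch, sizeof scratch);
}

int main(void) {
    /* Constructed sample values, not real credentials. */
    const char *stored = "correct horse battery";
    printf("match:  %d\n", check_password(stored, "correct horse battery"));
    printf("wrong:  %d\n", check_password(stored, "correct horse batterz"));
    printf("wiped:  %d\n", wiped_after_check(stored, "anything"));
    return 0;
}
```

Build it with optimization turned on (`-O2`) to see why the `volatile` write matters: with a plain `memset()` in place of `secure_zero`, the compiler is free to drop the wipe because nothing reads the buffer afterwards inside `use_and_wipe`. The canary fill in `wiped_after_check` is the same trick a defender can use in a unit test for any component that promises to scrub secrets.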