[nycphp-talk] AJAX and State

Kenneth Downs ken at secdat.com
Sat Sep 22 14:26:29 EDT 2007


Elliotte Harold wrote:
> Kenneth Downs wrote:
>
>> True, but we need a better answer than that.
>>
>> Can you explain what mechanisms are storing the passwords, and why no 
>> additional weakness has been introduced?
>>
>
> The issue here is really one of psychology and usability. A poorly 
> usable authentication system will cause users to route around it, for 
> example by always using the same password, by choosing easily 
> remembered passwords, by writing them down on Post-it notes stuck to 
> their monitors, or all of the above. The theoretical strength of 
> authentication systems is irrelevant in the face of user 
> counter-measures such as these.
>
>
<snip>

> A browser-based password store is the most secure authentication 
> system devised to date. In practice, everything else that has been 
> tried has been less secure. I suspect we're not going to improve on 
> this state of affairs until we move away from usernames and passwords 
> completely.
>

Well, you've convinced me.

Technically there is nothing really to the issue of changing the PHP code.

However, this leaves the issue of what we are telling customers, if
anything.

The conversation we ought to have with the customer is all about what 
type of single sign-on the users are using.  But, methinks most 
programmers instead are having a conversation about their own efforts in 
handling passwords, which is misleading and irrelevant.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010
