[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] Possible reason why password usage rules are such a mess

On Sat, Nov 21, 2020 at 1:24 AM Osman Kuzucu <bizbucaliyiz AT hotmail.com> wrote:
An addition to that, I believe that we don't need long/unmanageable passwords for having a good account security. Instead we should enforce additionaly security checks like 2FA or e-mail notice upon signing up on a new device/browser/IP address. 

Those types of check are better than nothing but not really providing very much security and introducing an incredible level of user aggravation. Password authentication is beginning to fail in the same way that email is now failing as a result of countless ad-hoc attempts to mitigate spam.

Passwords were a way to authenticate user actions in the past but now we have different options to ease the process. Just like how you call your bank and they ask various security questions before sharing any information with you about your account, websites and all apps that require authentication should utilize those secondary authentication methods. Then we won't have any problem in terms of password security.

The argument I am making is that we need to design an infrastructure for this express purpose rather than continue to try to cobble together 'good enough' security based on what inevitably turn out to be half-assed guesses as to what security is actually being achieved.

IP addresses change regularly. Users make use of different browsers on the same machine. SMS is not secure in any shape or form, SS7 hijacking is a trivial technical challenge yet it is depended on, etc. etc.

Time to do the job right.

The cryptography mailing list
cryptography AT metzdowd.com