Saturday, May 7, 2011

Are passwords an outdated way to log in to web services?

Writing the previous entry made me recollect something that I was thinking about on the way home from work Thursday or Wednesday. Are passwords outdated when it comes to logging into a web service? Really. I think they are, to be honest.

At work and at home, I use 'keys', not passwords. My ~/.ssh/config and /etc/hosts files are configured so that I can run 'ssh pcname' and log into machines automagically; no need for a password. I do it this way because, while I can set a passphrase on SSH keys, the ratio between chance of theft and frequency of logging in is wide enough that I've little need to worry. If someone walks off with my computer, the SSH keys to my other PCs are the least of my worries, assuming that they didn't take those too!

Quite readily one could just adapt something like the SSH2 public key authentication to browsing the web, and maybe improve on it while they're at it. Even better, rather than relying on the browser to "Remember passwords", it can simply be made to ask a key agent. While Windows out of the box has, to my knowledge, always lacked something comparable, GNOME and KDE have had keyring management services for as long as I can remember; Konqueror was the first web browser that I ever used that integrated with something approximating one (KWallet). Although I rather prefer the GNOME keyring stuff, hehe.

This could then, if desired, be linked to your computer login. For example, login to your desktop can unlock the keyring and allow pre-authorized requests to utilize its services. There are obvious implications for such things, but I rather would like to see what it could do in like the next ~20 years.
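
As an added illustration (not code from the original post), here is a sketch in Node.js of SSH-style public-key login adapted to a web service: the server stores only a public key and issues a one-time challenge, and the key agent signs it together with the site's origin. The function names, the `weblogin-v1` message format, the in-memory stores and the 30-second challenge lifetime are all assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// --- Server side (hypothetical in-memory stores) ---
const registeredKeys = new Map();    // username -> public key; no password is stored
const pendingChallenges = new Map(); // challenge id -> { user, nonce, expires }
const CHALLENGE_TTL_MS = 30000;      // assumed lifetime of a challenge

function register(user, publicKey) {
  registeredKeys.set(user, publicKey);
}

function issueChallenge(user, now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  const nonce = crypto.randomBytes(32); // fresh per login attempt
  pendingChallenges.set(id, { user, nonce, expires: now + CHALLENGE_TTL_MS });
  return { id, nonce };
}

// Both sides sign/verify the same bytes. Including the origin means a
// signature produced for one site does not verify at another.
function signedMessage(origin, user, nonce) {
  return Buffer.concat([Buffer.from(`weblogin-v1\n${origin}\n${user}\n`), nonce]);
}

// Returns the authenticated username, or null on any failure.
function verifyLogin(origin, id, signature, now = Date.now()) {
  const ch = pendingChallenges.get(id);
  pendingChallenges.delete(id); // single use: a captured response cannot be replayed
  if (!ch || now > ch.expires) return null;
  const key = registeredKeys.get(ch.user);
  if (!key) return null;
  const msg = signedMessage(origin, ch.user, ch.nonce);
  return crypto.verify(null, msg, key, signature) ? ch.user : null;
}

// --- Client side: the "key agent" holds the private key, the browser only asks it to sign ---
function makeAgent() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKey, // this half is what gets registered with the service
    sign: (origin, user, nonce) =>
      crypto.sign(null, signedMessage(origin, user, nonce), privateKey),
  };
}
```

The private key never leaves the agent, so a breach of the server's key store exposes nothing that can be used to log in elsewhere.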

All that of course, still means that if you leave your computer unlocked and your bank account open, you deserve what you get ^_^. For what little I consider it worth, my systems are usually programmed to auto-lock after a short delay, and I frequently lock them before going AFK, if there's any sense to it. I.e. at home, the PC is more likely to get carted off by a thief than the one at work, lol.
