Your take on the latest Honan article

pinpoint007
pinpoint007
Community Member
Just wondering your take on his latest article about why passwords can't protect us.
With social engineering, does it make sense still to have strong, unique passwords?

Comments

  • Penelope Pitstop
    Penelope Pitstop
    Community Member
    Thanks for the link pinpoint007. Interesting read.

    IMO this latest article is valuable in the sense that it is a better written and consolidated version of his earlier ones on the same subject. Also anything that prompts people into adopting better practices is good for us all.

    However I disagree with his conclusion and headline. I think the customer service protocols surrounding password resets are what need fixing — ultimately that was the vulnerability that was exploited to hack his accounts.


    If Honan had followed his own advice in that article, he would have significantly reduced the possibility of that exploit in the first place and it would have made it easier for him to recover.

    I suspect passwords will remain one of the multiple authentication factors that he advocates for a long time yet due to the convenience part of the trade-off he acknowledges in his article.

    Be interesting to read what the professionals at Agilebits think.
  • khad
    khad
    1Password Alumni
    I don't have many specific thoughts on the article myself as things have been pretty busy lately around here with other things, but Mat Honan still recommends 1Password.

    He's spoken highly of 1Password before. “1Password re-opened every door for me in a way that would have been impossible if I were just storing passwords locally via my browser.” http://www.wired.com/gadgetlab/2012/08/mat-honan-data-recovery/all

    If he gets paid per word he may write a follow-up. That recent article didn't offer much in the way of solutions, but solutions are available.

    Twitter___mat__%40JorisSpruyt_%401Password_a_...-20121120-123443.png
  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Mat Honan doesn't actually say anything new in his article, and I think that he is largely correct. I've been meaning to write a longer response, but here is roughly the outline.

    Passwords suck. There is a well known problem with passwords. There are all of these little secrets that must be managed both by the end user and by the systems that require them for authentication. There are lots of room for error. There are roughly three credible "solutions" to the "password problem"

    (1) Password managers (1Password to the rescue!).

    1Password makes it easier for people to behave securely than to behave insecurely. But 1Password can't solve the problem of managing passwords at the server end. An insecure password reset mechanism (like what happened to Mat) isn't something that 1Password can fix. However, because with 1Password enables you to have unique passwords for each site and service, the damage from capture of a single password can be limited.

    (2) Single Sign On (SSO) systems.

    As you browse around, you will find more and more sites offering you to log in using your Facebook (or similar) account. These can have the problem that people don't treat their Facebook passwords as well as they might treat their 1Password master password, and we don't know how well Facebook treats them. The other difficulty with some of these SSO systems is that Facebook (or whoever) gets information about what non-Facebook sites you are logging into and when.

    With 1Password, on the other hand, all of your data is local to the machine, and we never get any information about when you use or don't use 1Password. If you spend all of your time logged into CookingWithDogDrool.com we never have access to that information. Your 1Password data is your own, and we never see any activity around it.

    (3) Client Certificates.

    About 15 years ago, I was a great enthusiast of client certificates as a solution to the password problem. (The problem has been known about for a while.). Just as websites have server certificates that are used to prove to you who they are (that you are really talking to the real agilebits.com, for example), the same mathematics allows for client certificates. It would be a cryptographic certificate that lives in your web browser and can prove to anything it talks to who you are.

    So if people like me were pushing for client certificates to replace passwords 15 years ago, how come we don't have them? Well, the problem is with certifying those certificates. We have enough problems with Certification Authorities for signing certificates for websites. Getting this right and usable for individuals has just proved too difficult.

    For an illustration of the problems we have with Certification Authorities just as they are used today (which is child's play compared to certifying client certificates) take a look at

    http://blog.agilebits.com/2012/06/07/flames-and-collisions/

    and

    http://blog.agilebits.com/2011/09/06/who-do-you-trust-to-tell-you-who-to-trust/

    So where does that leave us.

    Of these three, I still hold out hope that Client Certificates, (3), are the long term solution. But I don't know how we get there from here, and I don't know even how "there" will work in terms of certification authorities and trust. I am not comfortable with the kind of centralization involved in SSO systems.

    So I think that for the near term and for the medium term, password managers are the best solution to the password problem. Sure these can be augmented with second factor authentication for high value targets (like for email or for something like Dropbox) where a breach can have large consequences.

    Also over the past few years, server administrators have been getting lessons (often harsh) about how they need to better protect passwords. See

    http://blog.agilebits.com/2012/06/06/a-salt-free-diet-is-bad-for-your-security/

    for a discussion of that.

    So while I would love for there to be a way to get client certificates to actually work for people, I've learned a lot about how people do things. And a system that works against the grain of how people think and behave is not going to succeed. So sure, passwords are a bad system, but 1Password allows people to use them securely in a way that works for people instead of against them.

    Cheers,

    -j
  • jhollington
    jhollington
    Community Member
    This is an interesting discussion. I too believe that client certificates are the best solution we have right now, but are sadly woefully inadequate. I think the reality is that we're going to have to wait for something better to come along (that hasn't necessarily been invented yet).

    I've worked with several high-security organizations where client certificates have been fully implemented -- in some cases for well over a decade. Of course, that's always easy in a closed-loop environment -- client certificates are issued by the corporate entity to its own users. The end users don't really need to care about "trusting" the client certificates per se, since it's the organization who is trusting the users to have access to its network. In this case, certificates are often distributed via smart cards, and of course every machine is equipped with a smart card reader. Again, a closed loop where every piece is under strict organizational control.

    For the public at large, I think the bigger problem is that we will never adopt client certificates until we can agree on a single trust point, which I don't think will ever happen. PGP back in the early days (when it was still Phil Zimmermann's pet project), tried to establish an informal web of trust for PGP keys via cross-signing, and then Thawte later tried to formalize that a bit more with its X.509 certificates, but ultimately there were too many CAs and too many standards.

    So who becomes the ultimate CA that everybody would be able to sign on board with and trust? Corporations like Google and Microsoft are too busy fighting with each other to agree to any kind of real Federated Trust system, and the same can be said for Governments.... If the U.S. were to set itself up as a CA for its citizens, then how are those from other countries handled? Of course this also doesn't even enter into the question of those who wouldn't trust the government to actually run a proper Certification Authority, even just for reasons of simple bureaucratic incompetence.

    Ultimately I think that the only real solution that will replace passwords is for biometric and/or token-based systems to become both inexpensive and reliable enough to be adopted as a standard in all computer systems. Of course, that's also a chicken-and-egg scenario. Every computer has a keyboard, so every site will continue to push for passwords, and those that want to play the security game will add a second-factor, which makes things more secure, but also considerably more complex, thus not really solving anything.
This discussion has been closed.