by Quekid5 2380 days ago
You're probably right theoretically, but people tend to choose really weak passwords if they can choose anything.

Maybe passwords should always just be auto-generated and people should be told to write them down in a... actually, never mind that. Passwords should be a thing that's integrated in your browser/computer experience... this is something that can and should be handled by computers. You should only ever have to log into your computer and be secure from then on.

This whole insanity of point-to-point invention of secrets needs to die.

> Passwords should be a thing that's integrated in your browser/computer experience... this is something that can and should be handled by computers.

I had this crazy idea, whereby computers could themselves come up with very long, random sequences of bits.

They would then use these openers (couldn't think of a better word) to authenticate to each other, secured by mathematical operations, in place of passwords.

Sadly, I've never seen it used on websites, so it must not be a good idea. /s
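The scheme the comment is alluding to (a long random secret that is never transmitted, and a challenge-response "secured by mathematical operations" in place of a password) can be shown in a few dozen lines. The code below is an added illustration, not code from the commenter or from any browser or site. It uses a 256-bit random key per account and HMAC-SHA256 over a server nonce; the `Server`, `client_respond`, and the origin-binding of the response to a site name are all my own constructions for this example.

```python
import hashlib
import hmac
import secrets


def generate_key() -> bytes:
    """A long random secret the client keeps and never sends (256 bits)."""
    return secrets.token_bytes(32)


def client_respond(key: bytes, origin: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of `key` without revealing it.

    The origin is mixed into the MAC so that a response computed for one
    site is worthless at another (a phishing site cannot relay it).
    """
    return hmac.new(key, origin + b"\x00" + nonce, hashlib.sha256).digest()


class Server:
    """Minimal relying party: stores enrolled keys and issues one-time nonces."""

    def __init__(self, origin: bytes) -> None:
        self.origin = origin
        self.keys: dict[str, bytes] = {}
        self.pending: dict[str, bytes] = {}

    def enroll(self, user: str, key: bytes) -> None:
        # In a real deployment this would be a public key; a shared secret
        # keeps the example self-contained (assumption of this example).
        self.keys[user] = key

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce  # single use: consumed by verify()
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # a replayed response finds no nonce
        key = self.keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, self.origin + b"\x00" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo_login(user_key: bytes, server: Server, client_origin: bytes) -> bool:
    """One full exchange: server issues nonce, client answers, server checks."""
    nonce = server.challenge("alice")
    return server.verify("alice", client_respond(user_key, client_origin, nonce))


if __name__ == "__main__":
    key = generate_key()
    srv = Server(b"example.test")  # constructed site name
    srv.enroll("alice", key)
    print("genuine site:", demo_login(key, srv, b"example.test"))
    print("lookalike site relaying the response:", demo_login(key, srv, b"examp1e.test"))
```

The two things the exchange buys over a password are visible in the code: the secret itself never crosses the wire (only a MAC over a fresh nonce does), and because the nonce is popped on first use a captured response cannot be replayed.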

Certificate auth for HTTP with TLS and Kerberos auth for HTTP are specified and supported by all (major desktop) browsers.

However: The UX on the browser side is shitty as hell. Certificates display weird nagscreens, without being able to specify proper defaults like "use this cert for that site and don't bother me again". Certificate enrollment has been broken (not that the form element was ever great) by all major browsers, to be replaced by "do something in Javascript maybe, if we get around to implementing a new API some time". Oh, and no logout...

Kerberos needs a parameter at browser start or an about:config setting, is incompatible with using multiple TGTs let alone automatically selecting the right one or gasp getting a new TGT for the user from the proper KDC. The only thing that kinda works mostly is using the standard company login TGT. Oh, and logging out doesn't work...

Oh, and of course most mobile systems are broken or just unsupported.

The sorry state of browser auth is 100% on browser vendors dragging their feet on those problems that have been known for around 20 years or so. And no, webauth won't save us, it'll just be another shitshow most likely.

This is the reply I was honestly hoping to get.

I always felt like one of the UX blockers for key exchange was the assumption that people couldn't be expected to learn the basics, because it's too complicated.

And every attempt to ignore or hide it has just made the entire thing more complicated or confusing.

You can shoot yourself in the foot with a gun or crash your car into a wall, and yet most people manage not to do so on a daily basis.

Sometimes simplicity is a false virtue.

I mean... it's probably beyond the imagination of man since it clearly hasn't been invented at this point.

I guess that's the argument for diversity in tech.

... Dinosaur eats man. Woman inherits cryptography.

> You're probably right theoretically, but people tend to choose really weak password if they can choose anything.

Not in my experience. If I can choose anything I'll write a decent-length phrase. If I'm forced to use numbers and symbols I'll make the shortest thing I can.

Certainly there's no reason to reject a 20+ letter all-lowercase password. Apply your capital/number/symbol rules to passwords shorter than 16 characters if you must.
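The length-tiered policy the comment proposes (accept long passwords regardless of character classes, apply composition rules only below 16 characters) is easy to encode, and a rough keyspace estimate shows why a 20-letter lowercase phrase is the stronger choice. This is an added example, not the commenter's code; the minimum length of 8 and the "three of four classes" rule for short passwords are my own assumed parameters, not figures from the thread.

```python
import math
import string

LONG_ENOUGH = 16  # at or above this, no composition rules apply (from the comment)
MIN_LENGTH = 8    # assumed floor for this example; the comment gives none
MIN_CLASSES_SHORT = 3  # assumed: short passwords need 3 of the 4 classes

# Character classes with the alphabet size each one adds to a brute-force search.
_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),
}


def classes_used(password: str) -> set[str]:
    """Which of the four character classes appear in the password."""
    return {name for name, (chars, _) in _CLASSES.items() if any(c in chars for c in password)}


def keyspace_bits(password: str) -> float:
    """Naive strength estimate: log2(alphabet ** length) for the classes used.

    This assumes a random choice from the alphabet; real phrases are weaker
    than this bound, but it is enough to compare the two policy styles.
    """
    alphabet = sum(size for name, (_, size) in _CLASSES.items() if name in classes_used(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_policy(password: str) -> tuple[bool, str]:
    """Length-tiered policy: composition rules only bite below LONG_ENOUGH."""
    n = len(password)
    if n < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if n >= LONG_ENOUGH:
        return True, "long password accepted regardless of character classes"
    used = classes_used(password)
    if len(used) < MIN_CLASSES_SHORT:
        return False, (f"{n} characters is under {LONG_ENOUGH}; needs at least "
                       f"{MIN_CLASSES_SHORT} character classes, has {len(used)}")
    return True, "short password accepted with mixed character classes"


if __name__ == "__main__":
    # Constructed sample inputs, not real passwords.
    for pw in ["abcdefghijklmnopqrst", "Ab1!Ab1!", "abcdefgh", "Ab1!"]:
        ok, why = check_policy(pw)
        print(f"{pw!r:24} {ok!s:5} {keyspace_bits(pw):5.1f} bits  {why}")
```

The numbers printed make the commenter's point: twenty lowercase letters sit at roughly 94 bits of search space under this estimate, while an eight-character password drawing on all four classes sits near 52, so rejecting the former for lacking a digit gets the priorities backwards.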

This is a really old-timey snipe, but...

You are not a typical computer user. The typical computer user is Karen from accounting, and Bob from HR.