[danielpal]

So ahead of their time:

For security, the commit command will use one-time passwords. This way, even if someone gets the ordinary password of a user, they can't modify the catalog that actually appears at the site.

Yet, it was another era....:

Secure server software ($5000). This does not seem to be an absolute necessity; there are a lot of sites on the web where you can send your credit card number unencrypted, and to date there have been no reports of the numbers being stolen.

[keiferski]

It makes me wonder what practices we consider normal today will be considered horribly insecure in the future.

[doublerabbit]

Well, username and passwords for one

[new2628]

I'll bite: what's wrong with username and password?

[lisper]

Because in order to prove that you know the secret you have to reveal the secret. That makes it unavoidably vulnerable to phishing.

[nine_k]

Not necessarily.

To prove that I have a secret key, I encrypt something of your choosing, and you decrypt it with a public key. This is enough proof, and private parts remain unexposed.

[lisper]

Re-read the question to which I was responding: "what's wrong with username and password?"

[downrightmike]

The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time https://gizmodo.com/the-guy-who-invented-those-annoying-pass...

[wbl]

http://bash.org/?244321 is probably the most egregious example. People reuse passwords, humans are bad at making them, etc.

[new2628]

That's funny and I agree that _some_ people are bad at using passwords, but I have a feeling whatever replaces them will be worse for everyone. It's like some people cut their fingers with knives so let's all use plastic knives instead.

[vidarh]

I don't know anyone personally that are good at using passwords, myself included.

Often I get shocked to find highly tech savvy people taking crazy risks.

But even the most careful people I know occasionally reuses passwords or picks easy to guess ones out of convenience. Most of the time it is a calculated risk, but the problem is it is hard to tell when you accidentally create a chain of weaknesses that can be leveraged into something more substantial.

[pergadad]

Some people = probably 95-99% of internet users.

[_jal]

As a standalone method of authentication, insecure is more ways than I can list.

I didn't think this was controversial or obscure. Authentication on my work laptop is fingerprint + 2FA, then password and 2FA for VPN. Access to most other resources at that point is certificate driven.

I wish my bank would use certificates, for instance. I absolutely get the human (ultimately cost) factors involved, but my bank is one of the few entities with which I would go through the hassle of in-person key setup/renewal.

[creeble]

Remembering them.

But to add along the same lines: what's an equally easy alternative?

[new2628]

There was an old post by Bruce Schneier where he suggested people write down passwords on a piece of paper and keep them securely. This is something people have been already doing for centuries with wallets, keys, etc.

[divbzero]

Perhaps trusting a large set of CAs by default when browsing with HTTPS?