
Re: Conspicuously absent: social engineering and cross-domain problems

From: Amir Herzberg <herzbea@macs.biu.ac.il>
Date: Mon, 12 Jun 2006 18:26:56 +0300
Message-ID: <448D87C0.30705@cs.biu.ac.il>
To: Chris Drake <christopher@pobox.com>
CC: public-usable-authentication@w3.org

Chris Drake wrote:
> There's another aspect to this security problem that is conspicuous by
> its obvious absence - people have multiple logins everywhere - most
> people using the same password on all of them.
<skip>
> A *really* **good** authentication scheme not only solves the
> relying-party-must-authenticate-to-user problem, but ALSO solves the
> stupid user problem too.
>   
Right! Now, with a good password-manager solution, this should be easy - 
we can easily turn one password into many site-specific keys. Plus, we 
can try to force users to use different passwords (which, of course, is 
not as good, but easier to do - see problems below).

There are `only` two problems:
1. This requires the password manager to set or change the user's 
password. This _can_ be done, but since no standard exists for this, 
this is problematic. A standard may help.
2. What happens when the user moves to a new machine, etc.?

Best, Amir Herzberg
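As an added illustration of the "one password into many site-specific keys" idea discussed above (example code, not from either poster), this derives each site's password from a master password with the hostname as salt, and uses a generation counter so the manager can rotate one site's password (problem 1) while a new machine needs only the master password to recreate everything (problem 2). All values and the work factor are constructed for the example.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed value: PBKDF2 work factor; raise it on capable devices.
PBKDF2_ITERATIONS = 200_000


def site_host(site: str) -> str:
    """Reduce a URL or bare host to a lowercase hostname so every page on
    a site derives the same key. Simplified: no public-suffix list."""
    if "://" not in site:
        site = "https://" + site
    host = urlsplit(site).hostname
    if not host:
        raise ValueError(f"no host in {site!r}")
    return host.lower()


def site_key(master_password: str, site: str, user: str,
             generation: int = 1) -> bytes:
    """Derive a per-site, per-account key from one master password.
    Hostname, username and generation counter form the salt: no two
    sites share a key, a leak at one site says nothing about another,
    and bumping `generation` rotates one site without touching the rest."""
    salt = f"{site_host(site)}\0{user}\0{generation}".encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def site_password(master_password: str, site: str, user: str,
                  generation: int = 1, length: int = 20) -> str:
    """Encode the derived key as a password string a site will accept.
    Nothing is stored: master password + username + counter recreate it."""
    key = site_key(master_password, site, user, generation)
    # base64 keeps about 6 bits per character; 20 characters ~ 120 bits.
    return base64.b64encode(key).decode("ascii")[:length]


def demo() -> dict:
    """Show that a look-alike host gets a password unrelated to the real one."""
    master = "correct horse battery staple"  # constructed sample input
    return {
        "real": site_password(master, "https://example.com/login", "alice"),
        "same_site": site_password(master, "http://EXAMPLE.com/account", "alice"),
        "lookalike": site_password(master, "https://examp1e.com/login", "alice"),
        "rotated": site_password(master, "https://example.com/login", "alice",
                                 generation=2),
    }
```

The derivation is deterministic, so the master password becomes the single secret to protect; a phishing page on a look-alike host still never receives the real site's password, because the salt differs.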
Received on Monday, 12 June 2006 15:27:47 UTC
