- From: Amir Herzberg <herzbea@macs.biu.ac.il>
- Date: Mon, 12 Jun 2006 18:26:56 +0300
- To: Chris Drake <christopher@pobox.com>
- CC: public-usable-authentication@w3.org
Chris Drake wrote:
> There's another aspect to this security problem that is conspicuous by
> its obvious absence - people have multiple logins everywhere - most
> people using the same password on all of them.
<skip>
> A *really* **good** authentication scheme not only solves the
> relying-party-must-authenticate-to-user problem, but ALSO solves the
> stupid user problem too.
>

Right! Now, with a good password-manager solution, this should be easy - we can easily turn one password into many site-specific keys. Plus, we can try to force users to use different passwords (which, of course, is not as good, but easier to do - see problems below).

There are `only` two problems:

1. This requires the password manager to set or change the user's password. This _can_ be done, but since no standard exists for this, this is problematic. A standard may help.
2. What happens when the user moves to a new machine, etc.?

Best, Amir Herzberg
Received on Monday, 12 June 2006 15:27:47 UTC
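
Turning one password into many site-specific keys, as mentioned in the message above, can be sketched as follows. This is an added example, not code from the original message or from any tool it refers to; the function name `site_key`, the salt label, the iteration count, the version counter and the host-name normalization are all assumptions of this sketch.

```python
import base64
import hashlib


def normalize_site(site: str) -> str:
    """Canonicalize the site name so 'Example.COM.' and 'example.com' match."""
    return site.strip().lower().rstrip(".")


def site_key(master_password: str, site: str, version: int = 1,
             iterations: int = 100_000, length: int = 16) -> str:
    """Derive a site-specific key from one master password (hypothetical helper).

    PBKDF2-HMAC-SHA256 stretches the master password; the salt binds the
    output to one site and one version, so a key captured at one site says
    nothing directly about the key for another site.
    """
    if not master_password:
        raise ValueError("master password must not be empty")
    name = normalize_site(site)
    if not name:
        raise ValueError("site must not be empty")
    # Assumed salt layout: fixed label | site | version counter.
    salt = f"site-key-demo|{name}|{version}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, iterations, dklen=32)
    # URL-safe base64 gives printable output; truncate to the wanted length.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    for host in ("example.com", "bank.example", "mail.example"):
        print(host, site_key(master, host))
    # Nothing is stored: the same inputs on another machine give the same
    # key. Raising the version yields a fresh key for one site only, but
    # the counter itself then has to be remembered or synchronized.
    print("example.com v2", site_key(master, "example.com", version=2))
```
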