alcinnz,
@alcinnz@floss.social

For decades now we've been authenticating into sites using passwords, a secret shared between the user & the website.

Passwords are fine if you only have a handful, say for the devices you use to interact with these sites or your password manager. But when practically every site we interact with wants us to register an account, you're not going to create secure passwords... Especially with the misguided "security requirements" on most sites!

Please use a password manager! I endorse Bitwarden.
1/2

dragestil,
@dragestil@hostux.social

@alcinnz curious about the endorsement of bitwarden. Is it better than password store?

alcinnz,
@alcinnz@floss.social

@dragestil If you need to sync passwords between computers (I barely do), Bitwarden is the software I've personally audited. And bloggers I trust who are more knowledgeable than me in the field have audited it too.

I'm reasonably confident that the client leaves no room for the server, or anyone attacking it, to read your passwords.

I'm not saying others are bad, I just haven't looked into them.

alcinnz,
@alcinnz@floss.social

Ultimately though, we need to move beyond passwords for web authentication; password managers will help us with this transition.

Even if you're handling passwords securely (most aren't, I didn't always), there's no guarantee that the websites you sign up to are. Even for major sites. From there it can leak!

The major browsers are pushing for "passkeys"! Where we give websites a "public key" & prove that we hold the corresponding "private key" without revealing it.

2/3

alcinnz,
@alcinnz@floss.social

I've long agreed with this move! And I'll be keen to implement it in my browser.

Except the existing spec for this is a JS API, so I'd need to rewrite the spec for me to be able to implement it! Then I'll see if I can get buy-in on this issue: https://github.com/w3c/webauthn/issues/1255

I'll be getting input from Radically Open Security. I have checked that Bitwarden can sync passkeys.

3/3 Fin!

P.S. Yes, I haven't always had good password hygiene.

lightweight,
@lightweight@mastodon.nzoss.nz

@alcinnz I'm sad that Mozilla Persona got canned... Do you remember/know much about that? It was ahead of its time, and got resoundingly ignored by corporate browsers sponsors who wanted to collect user metadata and chose to put their weight behind OpenID and OAuth2... https://en.wikipedia.org/wiki/Mozilla_Persona If you're familiar, wondering if you have an opinion about it?

alcinnz,
@alcinnz@floss.social

@lightweight Yeah, it's been a long & winding path. I get the impression unnecessarily so.

I perhaps naively wish browsers didn't deprecate the <keygen> element blaming the poor UX implemented on the standard. Just to design a JavaScript API, putting me in the situation where I have to rewrite that spec!

Probably has to do with bikeshedding...

jaxter184,

@lightweight @alcinnz i hadn't heard about it until now, but based on the wikipedia page, it seems a bit iffy. in particular, using email as the identifier seems a little short-sighted. what if I want to change my email?

lightweight,
@lightweight@mastodon.nzoss.nz

@jaxter184 @alcinnz I'm pretty confident that all that sort of stuff was well handled...

fatboy,
@fatboy@fosstodon.org

@lightweight @alcinnz Been discovering old Mozilla code and stuff, really great gems to be found on MozillaZine.
I now understand why people raged when Mozilla screwed themselves over when they went over to WebExtensions.

ragectl,
@ragectl@hachyderm.io

@alcinnz I agree with password managers until everyone can migrate to 'passwordless' authentication using FIDO2/WebAuthn. Fedora 39 is looking at adding new support for passwordless system auth for systems enrolled into FreeIPA, for example. Yay for YubiKey to unlock the things.
I personally use 1Password and their beta app has been supporting generating and saving passkeys for a while. 1Password also allows pass-thru for sites where you previously enrolled a hardware key like YubiKeys 😊

alcinnz,
@alcinnz@floss.social

@ragectl Also: Password managers like Bitwarden can store/sync passkeys! Which can increasingly work with WebAuthn!

Once they've smoothed this transition, we might want to call them something other than "password managers".

But YubiKeys are a great option too (after the transition) for when they're more secure and/or convenient!

ragectl,
@ragectl@hachyderm.io

@alcinnz I would still like to see a hybrid future where hardware key pass thru is still an option, and have manager apps to take care of everything else. I have been asking 1Password if they can support using passwordless accounts (register with a passkey, using a hardware key to unlock the app, etc), which is a natural next step in moving away from passwords.

LovesTha,
@LovesTha@floss.social

deleted_by_author

alcinnz,
@alcinnz@floss.social

@LovesTha I don't think we need bad teachers to explain this, though I don't doubt they exist. As much as a lack of good education!

Good password hygiene is something that needs to be learnt, but by & large it isn't being taught.
