Tuesday, September 6, 2011

Jeff Atwood just blogged about how logging in to sites could be done much easier. Three cheers for someone thinking about a solution for this insane situation!

At the end he lists 2 catches, one of which is that you need to trust some server online to be a secure place to store your passwords. I don't see why that should be though. If, as he says, you'd log in to your browser, why can't the browser encrypt the stored passwords and then store them to a not-so-secure place online?

Maybe he's concerned that an attacker could get them, wait a few years for a security problem to be found in the encryption, and then crack them. That scenario is somewhat mitigated by the fact that if a security problem is found, you could walk through the list of accounts and change the passwords for any important ones.

Maybe with the right meta tags or whatever, the change password process could be done automatically by the browser. If that was the case, the browser could change all your passwords periodically without there even being a discovered security weakness in the encryption. That would make all the security people happy who think changing passwords regularly is good. And in fact it would be good since it provides the advantages of changing passwords (limited exposure if a password is stolen) without the disadvantages (user inconvenience of  having to learn a new password).