Reply to post: Theoretically fine, practically crap

No password? No worries! Two new standards aim to make logins an API experience

doublelayer Silver badge

Theoretically fine, practically crap

I have no problem with the theory of using private keys to encrypt stuff that you use to authenticate. I have no problem using external devices to store them. I do have a problem with people theorizing that this will solve the problem of credential stealing, as most stealing operations don't use network traffic, instead going for the data on client or server. A properly salted hashed password may be slightly less secure, in the sense of taking a million years instead of a billion years to crack, but we have seen that a lot of systems don't go to the proper extent to properly salt and hash their passwords. Those people probably won't be implementing a more complex and entirely new system, so they will be as much at risk as they were before.

So the question remains: is it easier to get a password or a private key if you have access to the client machine, and is it easier to repair such a breach if you use passwords or private keys. In both cases, I contest that passwords are better. While some systems will store passwords on the system, leaving them a sitting duck for attackers, it is possible and frequently the case that users must type them in. Of course, a keylogger can collect them, but it requires more complexity on the part of a malware writer to determine what is the username, what the password, and where those are effective. It doesn't mean it won't happen, but at least it reduces the likelihood. I don't think the same complexity exists with private keys. Some systems will properly store them on external devices, but there are too many lazy users to make that the only option, leaving the other option (storing them on a disk) the more likely. An attacker can learn their location and just copy them over. So now we turn to after the attack, when the intrusion has been detected. In order to reset a password, one simply goes to the reset password function and authenticates oneself with email, and the password has been changed. The old one is revoked and the attacker has lost access. The same can be done with private keys, of course, but the system will result in a lot of inconvenience. For example, I have different SSH keys for each device I use for SSH. I would either have to revoke all of them, or have a system for finding which keys have been captured so I can just revoke those. Furthermore, any system for storing keys that keeps using the old ones will stop working until I can update it. For those of us who are technically aware, this process is quite straightforward, but my family members are going to deal with this crisis by calling me and asking for help. For those who don't have a helpful acquaintance, they will get frustrated. The results of this will not be pleasant.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022