3.13.2010

Usability versus security or how browsers password managers got 0wned!


In the last few days there has been a storm on the Internet regarding security. Internet Explorer was hit again and again, and now it seems that even browsers are not safe as password managers. I want to talk about the latest, and to respond to Jeremiah Grossman's question: YES, I think that password managers are the best tool that users have!
I agree that they somehow offer the best solution from the user's POV, but I have a few objections to make here:

1) Who is to say that a standalone password manager doesn't have bugs? Let's not forget, password managers are also written by humans, and we are far from perfect.
2) People are lazy by nature. Why do 2 steps (open the password manager and then copy-paste the password), when you could do it in just 1 step? The result is the same: you're still virtually insecure.
3) I could invoke the true statement that a computer connected to the Internet is never secure, but I will not say it. In short, nothing is impenetrable (e.g. remember your tweet? [@claudiufrancu all websites can be messed with. The question is only how and to what extent.]). The same thing applies to programs running offline (this and this are good examples).

The thing is how much security you implement, and how much usability you still have. Users in general want simple stuff: search the web, check e-mails, see videos, chat. They don't want to know all these details about security, and that's normal. When I drive a car, I'm not supposed to know the frequency of the key chip that starts it, or hide it, or keep it in a vault when I'm not driving. I think the analogy applies to the users. They want things that work and are secure.
I think that from a security POV Joanna Rutkowska's approach (Red, Yellow and Green VMs) is the best, far better than the password manager's approach, but maybe the users don't have the time/CPU/skill/desire to do it.
From the users' POV I think that the built-in password managers in web browsers will be used for a long time. They are simple, they do the trick and they almost work. If we want something better, I think it's time to give the users a break and start coming up with good ideas and implementing them (in my opinion two-factor protection would be best, like a token that produces a 1-minute password after you input your password, but for this we would need really big standardization regarding web security and password policies).
As long as we rely on one password, however long and complicated it is, it can and it will be broken easily. We need to start implementing another type of security, a type where the user does not have the power to pick "123abc" as the password for their e-mail. Only then will we make progress on the security side; until then we're running in circles.
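The "token that produces a 1-minute password after you input your password" idea, as an added example that is not the author's code: an HMAC-based one-time code in the style of RFC 4226/6238 with a 60-second time step, checked only after the static password has already succeeded. The shared secret is the RFC 4226 test-vector key, chosen here so the values are verifiable; `verify_second_factor` is a hypothetical name.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the post's "1 minute password"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code with RFC 4226 dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based code: the counter is the number of whole steps since the epoch."""
    return hotp(secret, int(at_time) // step)


def verify_second_factor(secret: bytes, password_ok: bool, code: str,
                         at_time: int, step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Accept the token code only after the password check passed.

    A window of +/- skew steps tolerates clock drift between token and server;
    compare_digest keeps the comparison constant-time.
    """
    if not password_ok:
        return False
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 test-vector secret, constructed input
    print(totp(key, 60))  # code valid for seconds 60..119
```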

2 comments:

  1. You bring up some valid points. But if we haven't got passwords right even after so long, then a new system doesn't look very convincing. Perhaps it's about time w3g came up with some standard for something as basic and popular as a password manager to avoid the issues highlighted.
    BTW this looks promising. Cheers.
  2. @lava
    You see, passwords are the weakest link from a chain. You can have security without passwords (at least the classic ones) if you implement something strong enough e.g. 2-way password authentication.
    It's time to step up and do better!
