Hacker News new | past | comments | ask | show | jobs | submit login

I'll bite: what's wrong with username and password?



Because in order to prove that you know the secret you have to reveal the secret. That makes it unavoidably vulnerable to phishing.


Not necessarily.

To prove that I have a secret key, I encrypt something of your choosing, and you decrypt it with a public key. This is enough proof, and private parts remain unexposed.


Re-read the question to which I was responding: "what's wrong with username and password?"


The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time https://gizmodo.com/the-guy-who-invented-those-annoying-pass...


http://bash.org/?244321 is probably the most egregious example. People reuse passwords, humans are bad at making them, etc.


That's funny and I agree that _some_ people are bad at using passwords, but I have a feeling whatever replaces them will be worse for everyone. It's like some people cut their fingers with knives so let's all use plastic knives instead.


I don't know anyone personally that are good at using passwords, myself included.

Often I get shocked to find highly tech savvy people taking crazy risks.

But even the most careful people I know occasionally reuses passwords or picks easy to guess ones out of convenience. Most of the time it is a calculated risk, but the problem is it is hard to tell when you accidentally create a chain of weaknesses that can be leveraged into something more substantial.


Some people = probably 95-99% of internet users.


As a standalone method of authentication, insecure is more ways than I can list.

I didn't think this was controversial or obscure. Authentication on my work laptop is fingerprint + 2FA, then password and 2FA for VPN. Access to most other resources at that point is certificate driven.

I wish my bank would use certificates, for instance. I absolutely get the human (ultimately cost) factors involved, but my bank is one of the few entities with which I would go through the hassle of in-person key setup/renewal.


Remembering them.

But to add along the same lines: what's an equally easy alternative?


There was an old post by Bruce Schneier where he suggested people write down passwords on a piece of paper and keep them securely. This is something people have been already doing for centuries with wallets, keys, etc.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: