Every new site that provides a personal service needs to authenticate you the next time you return. They need to make sure you are able to access your account and others are denied. The standard way to do this is to have you create a secret password to identify yourself when you return. And there begin your troubles, noble websurfer.
Most people don’t just have one web-based service they use, they have between a few and a few dozen. The safe thing to do, of course, is to create a unique password for every site you sign up for. One for Gmail, one for Amazon, one for PayPal, one for your internet banking, one for… you get the idea. Strong passwords are very random, with plenty of crazy symbols and odd capitalization. Of course, the way the human brain works, the longer and more random the password, and therefore the stronger, the harder it is to remember! If your mind is anything like mine (which is to say, human), you’ll know the futility in trying to create and remember unique, secure passwords for each site that requires one.
So, we cheat. We create relatively weak passwords. Or, we reuse them. Or both (in college, every private multiplayer game we created was always secured by the password “spandex”). Reusing passwords is particularly Bad News Bears because you can’t know what the site you’re sending it to will do with it. Will they store it securely? Will they sell it to criminals in Russia? Are they criminals in Russia? So if you currently use the same password for http://somerandomforum.tk as your bank or email account, you might want to reconsider. As you might imagine, the extent to which I follow my own advice depends on the perceived risk of getting a password stolen, and the potential damage an attacker could do with that particular password.
And, there are other problems with passwords. Even if we could all remember hundreds of complex passwords and the sites they belong to, they’re still vulnerable. They can be captured by eavesdroppers if used over an unencrypted channel, or users can be fooled into giving them away in a phishing attack.
A recent (well, August. I’ve been busy) NY Times piece introduced me to an alternative to passwords. It’s called an Information Card, and is in essence the digital equivalent of an ID card. Under this system, the computer does the heavy lifting of creating a unique token for each site you visit, so a malicious site can’t use the information it gains to break into your other accounts. It also will only transmit the information over a secured channel, so there’s essentially no way eavesdroppers can intercept your credentials.
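To make the "unique token for each site" idea concrete, here is an added example (not code from the post, nor Microsoft's CardSpace implementation) loosely modelled on how a self-issued card derives a site-specific identifier: a master secret held by the identity selector is run through a keyed hash together with the relying party's identity, so each site receives a different, non-reversible value. The `MASTER_SECRET`, the choice of HMAC-SHA256 and binding only to the hostname are this example's assumptions. It also refuses to release a token to anything that is not an HTTPS site, mirroring the point that the card only travels over a secured channel.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example. A real identity selector keeps one such
# secret per card in protected storage; it never leaves the machine.
MASTER_SECRET = secrets.token_bytes(32)


def relying_party_id(site_url: str) -> str:
    """Reduce the site URL to the identity the token is bound to (the hostname).

    Raises ValueError for non-HTTPS URLs: the card is only presented over a
    secured channel, so a plain-HTTP request never sees a token at all.
    """
    parts = urlsplit(site_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing to release a card to {site_url!r}: not an HTTPS site")
    return parts.hostname  # urlsplit already lowercases the host


def site_token(master_secret: bytes, site_url: str) -> str:
    """Per-site identifier: HMAC-SHA256(master_secret, relying_party_id).

    The token is stable for one site (same card, same host, same value), but
    a site holding its own token cannot recover the master secret or compute
    the token another site would receive. A look-alike phishing host gets a
    different token, which the real site will not recognise.
    """
    rp = relying_party_id(site_url)
    return hmac.new(master_secret, rp.encode("utf-8"), hashlib.sha256).hexdigest()


def accepts_token(registered_token: str, presented_token: str) -> bool:
    """Relying-party side: compare the token seen at sign-up with the one presented now."""
    return hmac.compare_digest(registered_token, presented_token)


if __name__ == "__main__":
    mail = site_token(MASTER_SECRET, "https://mail.example/login")
    shop = site_token(MASTER_SECRET, "https://shop.example/")
    print("mail token :", mail)
    print("shop token :", shop)
    print("shop accepts the mail token?", accepts_token(shop, mail))
```

Note that a token stolen from `shop.example` is useless at `mail.example`, which is exactly the property that password reuse lacks; and because the token is a function of the master secret, the remaining risk is the one the post goes on to discuss, namely whoever can read that secret off your computer.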
However, there are still ways to attack this system, even if the author, Randall Stross, doesn’t seem to think so. In one breath, he quotes Scott Kveton (of the OpenID foundation) as saying, “there is no silver bullet, and there never will be.” Then, in the next, he goes on to talk about information cards as if they’re some kind of panacea. They aren’t.
Essentially, you are trading keeping a secured secret in your head (a password) for a secured secret on your computer (an information card). This means that if an attacker gains access to your computer, they can steal your cards. And, since the cards are simply bits of data, they can be copied, meaning they can be stolen without you ever noticing they’re gone—that is, until you notice accounts being compromised. A PIN is no defense; attackers might design viruses or worms to steal the cards after you’ve entered your PIN, then silently delete themselves, removing any evidence you’ve been compromised.
Still, relying on keeping your computer secure does seem like a safer bet than passwords, at least for the time being. If the movement gains momentum, it might do some good. Also, smart-card readers of various sorts are becoming relatively standard on business laptops. In the future, an information card could be embedded on one of these smart-cards, which would make it hard to steal and very hard to duplicate.
I’d be tempted to try it out on spikecurtis.com, but it’s designed to work only with SSL-encrypted connections, which I don’t have the credentials for. The only site I know of that uses them now is Microsoft’s Live ID, only in beta, and only with IE 7 (there is a Firefox plug-in, but it doesn’t work with Firefox 3).