TLDR:

Here is generated summary of the article:

  • The author argues that passwords are not a secure way to authenticate users, and that websites should instead issue randomly generated passwords to users.
  • The author points out that websites already do this for API keys, which are used to secure high-stakes applications.
  • The author argues that this model of password issuance would be more secure than the current system, and would also simplify the login process for users.
  • The author also discusses the limitations of TOTP-based two-factor authentication, and argues that it is not as secure as it is often made out to be.

Here are some of the key points from the article:

  • Passwords are often weak and easy to guess.
  • Users are often not good at choosing secure passwords.
  • Websites often do not implement password best practices.
  • TOTP-based two-factor authentication is not as secure as it is often made out to be.
  • A more secure system would be to issue randomly generated passwords to users.
  • ShunkW@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    You have to balance security with usability. Most users aren’t gonna understand the flow of getting a randomly generated password, and they’re just gonna write it down if they do. This is a delicate balance that all cybersec people know.

    • AndromedusGalacticus@lemm.eeOPM
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      1 year ago

      I’m aware of the balancing act. I just thought it was an interesting opinion piece that I myself don’t quite share. My words [will always be bracketed] to tell the difference. Thanks for offering a counter argument to this article!

      • ShunkW@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        3
        ·
        1 year ago

        I mean I was just offering my response. But I’ll be sure to remember this one random guy will put his words in [brackets]

        • AndromedusGalacticus@lemm.eeOPM
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          1 year ago

          I was responding based on the community you’re in. I’m now assuming you are seeing this from either local feed, or subscribed. If that’s the case, then I understand the confusion.

          I wasn’t intending to give off hostility in my words. If that’s what you interpreted, my bad for phrasing it poorly.

  • C.Ezra.M@lemm.ee
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    Passwords are a very simple system that has been used since antiquity, its distribution in the Roman military having been described by Polybius.

    Passwords found use in early computing. The Compatible Time-Sharing System (CTSS) developed at MIT in 1961 implemented a PASSWORD command, which only hid the characters to be typed.

    The notion of hashing passwords was created in the early 1970s by Robert Morris. He also invented the crypt(3) algorithm, which used a 12-bit salt and invoked a modified form of the Data Encryption Standard (DES) algorithm 25 times to reduce risk of pre-computed dictionary attacks.

    The ease of implementation is why password-based authentication is used everywhere. But I might argue this is too simple and can be exploited by attackers. Year after year, a new hashing algorithm becomes considered not secure enough.