OpenID: Why Passwords Just Won’t Cut It

I’d bet you have passwords scattered all over the net. It starts when you login to your ISP account. Then one each for all your email accounts. Then your Facebook, your MySpace, your iTunes, all your IM accounts, your twitter, your Flickr, your Amazon, the list goes on virtually for miles. And each one unique, with at least 8 characters, using a combination of upper and lower case, numbers and puctuation symbols.

Hate having to keep entering that over and over and over? Services like OpenID promise to get rid of that headache. With backing from giants like Google, Yahoo! and AOL, just to name a few, OpenID will most likely grow to become the standard by which all the others are judged. But is this a good idea?

Super-Duper Master Password

It’s nearly impossible to remember all those passwords. That’s why most of us, myself included, use what I call “variations on a theme” passwords. It limits the number of passwords we have to remember. The truth is, though, that these kinds of passwords are not that hard to guess or work out with the right software. With OpenID you could generate one really great password and use it everywhere. Up front, it seems like a great idea to reduce the load on your memory while still improving your security.

The problem is, there is no really great password. Especially if it’s being used to authenticate so many services. With each authentication, there’s the chance the password could be intercepted. A successful phishing attack could leave you with every account you have on the web, stolen from you. Your entire online identity, gone.

Passwords: The Wrong Way

In “The Beginner’s Guide to OpenID Phishing“, we find 3 easy ways to perform these “man-in-the-middle” attacks. The first two are pretty easy to code, and fairly easy to protect against, but the third is the real reason why OpenID, and any password-based login application, will fail every time. In the third example, the “phisherman” simply causes a standard login box to appear on the screen. Two fields are required, the Login and the Password. To quote from the article:

“At Level 3 we simply cut the provider out of the game. For a moment, consider how users think of authentication. In 99.99% of all cases they will think of entering a username and a password. Then how will grandma respond to the following little box once you have given her OpenID?”

The box shown requests the standard stuff, and I’m sure that nearly everyone reading might have fallen for it. If it was done well enough, I would fall for it. It’s just the way we’ve been conditioned to think. On the web, you need a username and a password. It’s always been that way, hasn’t it?

Passwords? A Better Way

What’s needed is a better way of authenticating ourselves. Back in the old days, your password was never actually sent anywhere. Again, from The Begiiner’s Guide:

“Web security has more or less become an oxymoron, but lets try really hard to remember how authentication used to be done. Alice and Bob shared a key. Alice would send a challenge encrypted with the key to Bob. Bob would decrypt the challenge, do some computation on it, create a new challenge, encrypt both using the shared key and send it back to Alice. Alice verifies Bob’s response, does some computation on his challenge, encrypts it using the shared key and sends it back to Bob. Bob verifies the response and they now both know that they are talking to the right person and not some man-in-the-middle (phisherman) called Eve. It is not trivial to get this right using shared keys, but since the arrival of public/private key pairs it has become fairly simple.

The point of challenges is that obtaining a single message doesn’t help Eve at all. Only the secret would help her, but that is never put on wire.”

Personal online identity verification is going to continue to pose a problem. From targeted advertising to online services, we need a way to identify ourselves securely from wherever we happen to be. We need to be able to control this information, to possess it like our drivers license, and it needs to be portable. As the web encroaches into our everyday lives, it will be more important in more ways and in more places. I’ll conclude this post with a quote, again from The Beginner’s Guide:

“In practice all of this means the web user will have to generate and respond to challenges and therefore will have to use some separate authentication mechanism. We can not rely on the webpage to compute challenges as the webpage may easily have been bugged. This could be done with a browser-toolbar or built-in, a program on USB stick, or a part of the Operating System such as Cardspace. Users will only be tempted into this way of authentication when such tools have become mainstream. Firefox 3 and Windows Cardspace are about to give a boost, but at this moment we’re simply not ready yet.”

I am Jon, really, I am.