💾 Archived View for yujiri.xyz › software › passwords.gmi captured on 2024-02-05 at 09:46:24. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
written 2024-01-10
The tech industry is in a craze about eliminating passwords. This has actually been going on for a long time. First it was making passwords not *necessary* to log in, by offering email-based password resets that you can't disable. I've written separately about why that's bad practice.
Forgot password considered harmful
But then they also started making passwords not *sufficient* to log in, with many services now *requiring* 2-factor authentication. And sometimes they're taking this to the logical conclusion of not having passwords at all.
We've all heard the arguments for this craze: people's accounts keep getting hacked because passwords are insecure, no one can remember them, and supposedly passwordless logins are the only thing that can save us from insecurity.
But hold on. All of the problems with passwords are actually problems with people using them wrong. Of course if your password is "password123", it's not very secure. And people forget them because security "experts" spent years drilling into everyone the idea that writing your passwords down is bad.
Really, what you should do is use randomly generated passwords *and write them down*. The best kind is pass*phrases*, as demoed by xkcd:
These are both very secure and easy to remember. Of course, most websites won't actually let you do this because security experts also spent years drilling into everyone the idea that the most important thing for password strength is to have a number, a capital letter, and a symbol, so most websites require that now. Failing this, you can either add those features to a passphrase, or just use a randomly generated gibberish password (I like to get them from `head /dev/random | md5sum`, but then you still have to add a capital letter and a symbol).
In fact, modern browsers like Firefox autogenerate this kind of password for you, and also store and autofill them, so you can't even argue that passwords are bad because they're easy to misuse. Browsers have made them hard to misuse.
As for where to write them down, I personally just store mine in a text file. A lot of people sing the praises of password managers, but I've never used one (unless Firefox's password storage counts); I don't feel the need.
And incase anyone's concerned about the security of having them stored in plain text: if malicious software is in a position to read files from your disk, you're pwned one way or another. It could also just read authentication cookies from your browser, for example. Malicious desktop software really isn't a valid security concern because all our operating systems are designed so that that's game over regardless.
Could a password be compromised other than by guessing? I think a lot of people are worried about this, because often websites get hacked and user data exposed. But as long as you use a *different* randomly generated password for each website (which modern browsers also make easy), that's not a concern. Of course your account with the website that got hacked is pwned, there's nothing you can do about that. But even if that website was storing your password is plain text, it can't lead to a compromise of any of your other accounts.
The only way an account protected by a good password could reasonably be compromised is if your device is stolen. How we analyze that case depends on what kind of device we're talking about:
As you can see, there's no case - at least not for most people's lives - where having your account protected by only a password is a significant risk that could be avoided by 2-factor authentication or whatever else the industry is trying to force on you at time of reading.
Single factor authentication with a memorable password also has the advantage of being able to sign in on a new device without having an old one available.
As someone who's really into asymmetric cryptography and designed an end-to-end encrypted messenger, you might ask why I don't suggest something like public/private key pairs so you can authenticate to websites without disclosing a secret. I don't think it's possible to realize any benefits of such a system in the context of the web. Because of surreptitious forwarding attacks, you still have to verify that you're talking to the right server before you send any form of authentication, so you need TLS one way or another, and TLS already encrypts the password in transit. Since a password is a secret only used to authenticate to one website, there's no point in trying to hide it from that website.