TLDR:
Here is generated summary of the article:
- The author argues that passwords are not a secure way to authenticate users, and that websites should instead issue randomly generated passwords to users.
- The author points out that websites already do this for API keys, which are used to secure high-stakes applications.
- The author argues that this model of password issuance would be more secure than the current system, and would also simplify the login process for users.
- The author also discusses the limitations of TOTP-based two-factor authentication, and argues that it is not as secure as it is often made out to be.
Here are some of the key points from the article:
- Passwords are often weak and easy to guess.
- Users are often not good at choosing secure passwords.
- Websites often do not implement password best practices.
- TOTP-based two-factor authentication is not as secure as it is often made out to be.
- A more secure system would be to issue randomly generated passwords to users.
Passwords are a very simple system that has been used since antiquity, its distribution in the Roman military having been described by Polybius.
Passwords found use in early computing. The Compatible Time-Sharing System (CTSS) developed at MIT in 1961 implemented a
PASSWORD
command, which only hid the characters to be typed.The notion of hashing passwords was created in the early 1970s by Robert Morris. He also invented the crypt(3) algorithm, which used a 12-bit salt and invoked a modified form of the Data Encryption Standard (DES) algorithm 25 times to reduce risk of pre-computed dictionary attacks.
The ease of implementation is why password-based authentication is used everywhere. But I might argue this is too simple and can be exploited by attackers. Year after year, a new hashing algorithm becomes considered not secure enough.