PasswordMaker Forums

Miscellaneous => Other => Topic started by: breyed on April 18, 2006, 10:56:46 AM

Title: Technology to finally obsolete PasswordMaker?
Post by: breyed on April 18, 2006, 10:56:46 AM
As much as I love PasswordMaker, in the back of my mind, I've always known that it is really just a huge workaround for a gaping hole in the infrastructure of the web.  An article (http://msdn.microsoft.com/msdnmag/issues/06/04/SecurityBriefs/default.aspx) in this month's MSDN magazine describes a new identity management system called InfoCard that I expect will plug the hole.  Because it carries the weight of Microsoft, yet without compelling marriage to Microsoft, my guess is that it will be adopted quickly as Vista is released.
Title: Technology to finally obsolete PasswordMaker?
Post by: Eric H. Jung on April 18, 2006, 02:53:08 PM
Hi Ed,

Glad to see you're still using PasswordMaker. I agree wholeheartedly that once the infrastructure changes, PasswordMaker will be obsolete. I haven't read that article yet, but I will... somehow it smacks of MS's failed Passport initiative. What makes this likely to succeed when Passport didn't? (feel free to just tell me to read the article)

p.s. There are alternatives to MS single sign-on solutions, such as Shibboleth (http://shibboleth.internet2.edu/).
Title: Technology to finally obsolete PasswordMaker?
Post by: LkonKbd on April 22, 2006, 11:06:39 PM
Greetings from LeonSprings, Texas USofA,

All of that may come to pass, BUT there are some of us out here that just do NOT trust Microsoft to do anythingy that is secure.  I for one, Eric, would like to see PasswordMaker continue for as long as we can hold on to somethingy that has proven to be a very reliable and protective method of keeping us safe from MicroBarf.

Anyone else that may have thoughts on this feel free to comment, for or against.


Thank you for reading this,
Title: Technology to finally obsolete PasswordMaker?
Post by: breyed on April 24, 2006, 01:24:59 AM
Quote from: Eric H. Jung
I haven't read that article yet, but I will... somehow it smacks of MS's failed Passport initiative. What makes this likely to succeed when Passport didn't? (feel free to just tell me to read the article)

This is indeed one of those Read The Fine Article situations.  But the short answer is that InfoCard is an "Identity Metasystem", and doesn't pretend to be a complete solution by itself.  The minimum infrastructure investment for servers to comply will be small and inexpensive: it looks like they can basically just wrap their existing ad hoc authentication systems with a new set of web services.

The InfoCard team has their Seven Laws of Successful Identity Systems (http://msdn.microsoft.com/msdnmag/issues/06/04/SecurityBriefs/default.aspx?side=true#Seven), and InfoCard meets all seven.  I'm no Passport expert, but it seems to me that it meets one.  So the failure of Passport is not a good indicator of InfoCard's prospects.

The way I like to think of it is this: Imagine how convenient it would be for PasswordMaker if someone with some weight to throw around would propose a standard for providing and updating usernames and passwords, or the equivalent thereof.  It looks like that's happening, only with a scope broader than just authentication credentials.
Title: Technology to finally obsolete PasswordMaker?
Post by: tanstaafl on April 24, 2006, 01:07:44 PM
Personally, I will NEVER trust any third-party, closed-source solution to managing MY account credentials.

About the only room for MAJOR improvement I see for PWM would be to grow from a Firefox extension into a full fledged, standalone, cross-platform application that can handle pretty much any kind of password prompt, whether it is a basic HTTP auth prompt, or a network resource access prompt.
Title: Technology to finally obsolete PasswordMaker?
Post by: morguns on April 25, 2006, 03:13:23 AM
Quote
Personally, I will NEVER trust any third-party, closed-source solution to managing MY account credentials.
you can say that again!
Title: Technology to finally obsolete PasswordMaker?
Post by: thibros on May 08, 2006, 08:42:36 PM
Quote from the link in the first post:
Quote
To understand how this works, consider a traditional Web site that allows you to register with a user name and password. If that Web site accepted self-issued InfoCards, you could use a self-issued InfoCard to register. There would be no password; just select a card when prompted, and the Web site would record your PPID and make a note of the long-term key sent in the token. That key would replace the traditional password, and would be unique for every site you visit. Under the covers this key would be computed as a function of a master key, which would be generated randomly for each self-issued InfoCard, and the public key of the relying party. It would be as if you'd chosen a unique password for each Web site you visit, without actually going through the hassle of managing all those passwords yourself.
So actually this is based on the same principle as PasswordMaker, computing a unique key for every site. But with the downside of 'no access' while not at the PC with the InfoCards, or the security risk of duplicating InfoCards to several locations.

New is the ability to get the InfoCard (= master key) from another organization, so one site will believe you're the same person you claim to be on another site. That's an interesting concept.
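To make the quoted MSDN description concrete, here is an added example (not code from the original post, from the article, or from the PasswordMaker project). It models the self-issued-card idea as "per-site key and PPID derived from a random master key plus the relying party's public key", and puts a PasswordMaker-style "hash master password with the site name" derivation beside it for comparison. Everything in it is an assumption: HMAC-SHA256 stands in for whatever PRF InfoCard actually used, the relying party's "public key" is a hash of its name rather than a real key, the PasswordMaker algorithm is simplified to a hash mapped onto a character set, and all names are hypothetical. It also shows the two points made above: one key per site without managing passwords, and a copied card (master key) logging in everywhere the original does.

```python
"""Toy model of self-issued InfoCards vs. PasswordMaker-style derivation.

Illustration only (assumption): the real InfoCard token format, PPID and key
derivation are not described on the page; HMAC-SHA256 is used as the PRF here.
"""
import hashlib
import hmac
import os
import string


def new_master_key() -> bytes:
    """Random master key: the quote says one is generated per self-issued card."""
    return os.urandom(32)


def site_key(master_key: bytes, rp_public_key: bytes) -> bytes:
    """Long-term key for one relying party: f(master key, RP public key)."""
    return hmac.new(master_key, b"site-key|" + rp_public_key, hashlib.sha256).digest()


def ppid(master_key: bytes, rp_public_key: bytes) -> str:
    """Private personal identifier: stable per RP, different across RPs (assumed derivation)."""
    return hmac.new(master_key, b"ppid|" + rp_public_key, hashlib.sha256).hexdigest()[:32]


def present_card(master_key: bytes, rp_public_key: bytes) -> tuple[str, bytes]:
    """What the card holder sends to the site: (PPID, long-term key). The master key never leaves the client."""
    return ppid(master_key, rp_public_key), site_key(master_key, rp_public_key)


class RelyingParty:
    """Hypothetical web site that accepts self-issued cards instead of passwords."""

    def __init__(self, name: str) -> None:
        self.name = name
        # Stand-in for a real key pair: anything unique and public per site works for the model.
        self.public_key = hashlib.sha256(name.encode()).digest()
        self.accounts: dict[str, bytes] = {}

    def register(self, token: tuple[str, bytes]) -> str:
        pid, key = token
        self.accounts[pid] = key  # "record your PPID and make a note of the long-term key"
        return pid

    def login(self, token: tuple[str, bytes]) -> bool:
        pid, key = token
        stored = self.accounts.get(pid)
        return stored is not None and hmac.compare_digest(stored, key)


# PasswordMaker-style derivation (simplified; the real extension uses its own algorithm):
# hash(master password + site text), mapped onto a printable character set.
PASSWORD_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def passwordmaker_style(master_password: str, site: str, length: int = 16) -> str:
    """Deterministic per-site password of any length; extra SHA-256 blocks are chained with a counter."""
    chars: list[str] = []
    counter = 0
    while len(chars) < length:
        block = hashlib.sha256(f"{master_password}{site}{counter}".encode()).digest()
        # Modulo mapping has a slight bias toward the first 256 % 70 characters; fine for a model.
        chars.extend(PASSWORD_CHARSET[b % len(PASSWORD_CHARSET)] for b in block)
        counter += 1
    return "".join(chars[:length])


def demo() -> dict[str, bool]:
    """Run the scenario from the thread and report what each party can observe."""
    card = new_master_key()
    bank, shop = RelyingParty("bank.example"), RelyingParty("shop.example")
    bank_id = bank.register(present_card(card, bank.public_key))
    shop_id = shop.register(present_card(card, shop.public_key))
    clone = card  # someone who copies the card file to another machine holds the same master key
    fresh = new_master_key()  # a different card, e.g. created after losing the first one
    return {
        "ppid_unlinkable_across_sites": bank_id != shop_id,
        "keys_differ_per_site": site_key(card, bank.public_key) != site_key(card, shop.public_key),
        "same_card_logs_in_again": bank.login(present_card(card, bank.public_key)),
        "cloned_card_logs_in": bank.login(present_card(clone, bank.public_key)),
        "other_card_accepted": bank.login(present_card(fresh, bank.public_key)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print(passwordmaker_style("correct horse", "bank.example", 32))
```

The two approaches share the "one secret, many derived credentials" shape; the trade-off the thread points at is that the InfoCard master key is a random file that must be carried or copied, while the PasswordMaker master password lives in the user's head.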
Title: Technology to finally obsolete PasswordMaker?
Post by: Eric H. Jung on May 08, 2006, 09:21:26 PM
Quote
New is the ability to get the InfoCard (= master key) from another organization, so one site will believe you're the same person you claim to be on another site.
That is not new. Shibboleth (http://shibboleth.internet2.edu/), at least, came before this MS initiative... and probably others I don't know about.
Title: Technology to finally obsolete PasswordMaker?
Post by: LkonKbd on May 29, 2006, 04:03:22 AM
Quote from: Thibros
Quote from the link in the first post:

So actually this is based on the same principle as PasswordMaker, computing a unique key for every site. But with the downside of 'no access' while not at the PC with the InfoCards, or the security risk of duplicating InfoCards to several locations.

New is the ability to get the InfoCard (= master key) from another organization, so one site will believe you're the same person you claim to be on another site. That's an interesting concept.

'Thibros,'

Nice to see others with some abilities to evaluate this new process using INFOCARDS.  I see a possible hole in the ability to transfer to another site for your access.  If the NOgoodies get into your system and manage to duplicate your accesses, could they not have your secure info?  Excuse me, as I am not a programmer, just a dumb user.  Plus this same problem is also there for any other secure system for creating and maintaining your access.

'Eric,'

Excuse me on this, as I am still attempting to understand all of these different problems.  My main objective at this time is to find some way of getting the passwords to different sites to be extended to 32, or better yet 64 bits, and using all of the Alpha/Numeric/SpecialCharacters.  My banking institution has increased theirs to 32 bits in length.  That is a good start, now onward and upward 'to infinite and beyond' or somethingy like that.

Thank you for reading this, and if I have any of this WRONG, please excuse me and explain on my level, if possible; if not, then just tell me that is wrong and I will go back and study my books some more.

Bye-Cycle,