Passwords are from last millennium, but millennials don’t care


In our current lives, the first line of protection against identity theft, money loss, bank fraud, privacy vulnerabilities and a long etcetera is a password. In principle, to be secure a password needs to be something only you know; if you think hard enough, you’ll realize that this sentence doesn’t make sense. If it is something only YOU know, how are you going to access your e-mail account? How can Google know that your password is right if they don’t even know what it is? This is a really big issue: a password is something at least two people know, used to prove the identity of one of them.


At first sight it may not look like something too important, unless you start to consider in how many different places you have used the same password (or slight variations of it). Imagine that you use the same password for your e-mail and for a service, for instance this blog. I can tell you that for registering you only need your e-mail and a password. Since I have direct access to the database on which this website runs, I could just read your password and use it to access your e-mail account. And then I could access all the services for which you’ve set your e-mail as a password recovery tool. Plain and simple; are you not afraid yet?

Responsible websites encrypt (strictly speaking, hash) your password to prevent this; the idea is that your password is transformed into a long chain of characters by a specified algorithm. With the password and that algorithm you can generate the chain of characters, but going in the opposite direction is close to impossible. This way you can prove that you KNOW the password, even though the owner of the website never stores it. However, you will never know who is and who isn’t responsible about protecting your password. Imagine a small website asking for a 4-digit password. Sounds like your bank PIN? Even if the website acts in good faith, it may always become the target of a hacker attack.
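A sketch of the one-way storage described above, as an added example (not code from this blog). It assumes Node.js and uses its built-in scrypt as the "specified algorithm" together with a random per-user salt; both are choices made here, and the sample password is constructed.

```javascript
const nodeCrypto = require('node:crypto');

// Registration: the site keeps only a random salt and the derived hash,
// never the password itself.
function register(password) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(password, salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Login: re-derive the hash from the submitted password and the stored salt,
// then compare in constant time.
function verify(password, record) {
  const salt = Buffer.from(record.salt, 'hex');
  const expected = Buffer.from(record.hash, 'hex');
  const actual = nodeCrypto.scryptSync(password, salt, expected.length);
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Constructed sample: the same password registered on two different sites.
const samplePassword = 'correct horse battery staple';
const siteA = register(samplePassword);
const siteB = register(samplePassword);

console.log('what the database owner sees:', siteA);
console.log('right password accepted:', verify(samplePassword, siteA));
console.log('wrong password accepted:', verify('1234', siteA));
// Different salts give different records, so a reused password is not
// recognisable by comparing the two databases.
console.log('records identical across sites:', siteA.hash === siteB.hash);
```
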

Interestingly enough, there has always been a solution to the issue of sharing passwords, but somehow no one cares about implementing it in a convenient way. People used to SSH, that is, remotely connecting to another computer from the command line, have probably already experienced the advantages of registering a public key on the remote machine. Public keys are generated with an algorithm from a private key (do you see any similarities with passwords?). With the public key you can encrypt a message that only the holder of the private key can decode. Public key encryption is a whole subject in itself, and beyond the scope of this post. It can be seen as a key and a safe: you send the open safe to someone, who puts information in it, closes the door and sends it back to you. The only way of opening it is with the proper key, which you keep in your possession.

If I were a web service that has your public key, I could send you an encrypted message that only the holder of the private key would be able to read and reply to accordingly. For instance, I can generate a random chain of characters, encrypt it and send it; only the holder of the private key (that is, YOU) will be able to send me back the exact same string. A clear advantage of this system is that even if you register with the same public key on different websites, they can’t do anything in the absence of the private key. As long as you keep the private key safe, the rest stays safe, even if the websites get hacked, or someone can see the database, etc. It may seem cumbersome at first, until you realize that all web browsers have already implemented a solution called certificates.


I will go into the details of certificates in a later post; however, the interesting thing is that you can easily authenticate to a website without even remembering a password. You can generate a super long, random private key (no one will ever be able to guess it) and store it in a file within your browser. You can even go one step further and encrypt the file with a password, preventing anyone with access to your computer from seeing your private key. From this key you then generate the public key and share it with whatever service you like. If you are smart enough to keep the private key out of reach of attackers and curious friends, all your password-related issues are solved. You can even have as many private keys as services; it doesn’t really matter, since they are all files stored by your browser.
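The random-string challenge and the password-protected private key file from the last two paragraphs, as an added example (not code from this blog). It assumes Node.js with RSA-OAEP as the encryption scheme; the function names, the single-use challenge table and the passphrase are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// User side: generate a key pair; the private key PEM is encrypted with a passphrase.
function makeUserKeys(passphrase) {
  return nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

// Server side: holds only the public key. Every challenge is random and single-use.
function makeServer(publicKeyPem) {
  const pending = new Map(); // challenge id -> expected random bytes
  return {
    issue() {
      const id = nodeCrypto.randomUUID();
      const secret = nodeCrypto.randomBytes(32);
      pending.set(id, secret);
      return { id, box: nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, secret) };
    },
    check(id, reply) {
      const secret = pending.get(id);
      pending.delete(id); // a captured reply cannot be replayed
      if (!secret || !Buffer.isBuffer(reply) || reply.length !== secret.length) return false;
      return nodeCrypto.timingSafeEqual(reply, secret);
    },
  };
}

// User side: opening the challenge needs the private key and its passphrase.
function answer(challenge, privateKeyPem, passphrase) {
  try {
    return nodeCrypto.privateDecrypt({ key: privateKeyPem, passphrase, ...OAEP }, challenge.box);
  } catch {
    return null; // wrong key or wrong passphrase
  }
}

// Constructed demo run.
const demoUser = makeUserKeys('constructed passphrase');
const demoServer = makeServer(demoUser.publicKey);
const demoChallenge = demoServer.issue();
const demoAnswer = answer(demoChallenge, demoUser.privateKey, 'constructed passphrase');
console.log('login accepted:', demoServer.check(demoChallenge.id, demoAnswer));
```

Browser client certificates prove possession of the private key by signing rather than decrypting, but the property is the same: the site stores only public material.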

I understand that this solution may seem a bit obscure to most, but that is only a matter of faulty (if any) implementation by web services. Of course it is less portable than something you just remember, but for important services and for concerned people it may just be the proper solution. I’m thinking of the corporate or government level, for instance. Even I would love to have such a service, so I could just access my GMail account without worrying that someone may have guessed my password. Combine this authentication method with encrypting your hard drive and there is no more need to worry.

In the end it is so simple…
