I’m currently taking a course on Internet History at Coursera. We are currently discussing the very basics of encryption, and the instructor had an interesting idea. He was talking about the fact that it seems like for every web site we have to create a user name and password. Most users get to the point where they don’t create a unique password for every web site, they use a common one. On top of that, it seems like every week there’s some web site that we’re using that has their password file hacked. The result is we don’t just compromise our account on one web site, but on several. Gawker was an excellent example of this, but there have been several.
Clearly two factor authentication is one solution to this problem, and Google, in their wisdom, has set up a reasonably easy to use two factor authentication API. However, the instructor posed an alternative solution, that is quite elegant.
Whenever you go to log into the web site, you put in your user name, and a unique link is sent to your email address. You go to your email, open up the link, and you’re logged in. No passwords stored on a million servers, no worrying about keeping different passwords, it’s all done through a unique link system.
Now this does depend upon your email being secure, however, remember, most web sites have a “reset password” option that you can use where it emails you a link to reset your password, so if your email has been compromised, an intruder can reset your password on the web site you have an account on anyway, so we haven’t really reduced security much. There is an additional layer of annoyance, but it is an interesting approach to the question of passwords and security.
Source: Nessus and SecurityCenter