TLDR:
Here is a generated summary of the article:
- The author argues that passwords are not a secure way to authenticate users, and that websites should instead issue randomly generated passwords to users.
- The author points out that websites already do this for API keys, which are used to secure high-stakes applications.
- The author argues that this model of password issuance would be more secure than the current system, and would also simplify the login process for users.
- The author also discusses the limitations of TOTP-based two-factor authentication, and argues that it is not as secure as it is often made out to be.
Here are some of the key points from the article:
- Passwords are often weak and easy to guess.
- Users are often not good at choosing secure passwords.
- Websites often do not implement password best practices.
- TOTP-based two-factor authentication is not as secure as it is often made out to be.
- A more secure system would be to issue randomly generated passwords to users.


Passwords are a very simple system that has been in use since antiquity; Polybius described how they were distributed in the Roman military.
Passwords found use in early computing. The Compatible Time-Sharing System (CTSS), developed at MIT in 1961, implemented a PASSWORD command, which merely hid the characters as they were typed. The notion of hashing passwords was introduced in the early 1970s by Robert Morris. He also invented the crypt(3) algorithm, which used a 12-bit salt and invoked a modified form of the Data Encryption Standard (DES) algorithm 25 times to reduce the risk of pre-computed dictionary attacks.
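As an added example (not code from the article or from crypt(3) itself), the Python below models the two defences the paragraph attributes to crypt(3), a 12-bit per-password salt and 25 iterations, and shows why the salt multiplies an attacker's precomputation by 4096. SHA-256 stands in for the modified DES, and all function names are my own.

```python
import hashlib
import os

# Constants taken from the article's description of crypt(3).
SALT_BITS = 12   # 4096 possible salts
ROUNDS = 25      # number of times the primitive is applied


def new_salt() -> int:
    """Random 12-bit salt, chosen independently for every stored password."""
    return int.from_bytes(os.urandom(2), "big") & ((1 << SALT_BITS) - 1)


def iterated_hash(password: str, salt: int, rounds: int = ROUNDS) -> str:
    """Apply the primitive `rounds` times, mixing the salt into every round.
    SHA-256 is a stand-in for crypt(3)'s modified DES (outputs are not
    crypt(3)-compatible); the structure, not the primitive, is the point."""
    state = password.encode()
    salt_bytes = salt.to_bytes(2, "big")
    for _ in range(rounds):
        state = hashlib.sha256(salt_bytes + state).digest()
    return state.hex()


def store(password: str) -> str:
    """Stored form: hex salt, '$', hex digest. The salt is not secret."""
    salt = new_salt()
    return f"{salt:03x}${iterated_hash(password, salt)}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare."""
    salt_hex, digest = stored.split("$", 1)
    return iterated_hash(password, int(salt_hex, 16)) == digest


def precomputed_entries(dictionary_size: int, salted: bool) -> int:
    """Entries a precomputed table needs to cover a dictionary of guesses.
    Unsalted: one per word. 12-bit salt: one per (word, salt) pair."""
    return dictionary_size * ((1 << SALT_BITS) if salted else 1)


def distinct_digests(password: str, salts) -> int:
    """Same password under different salts yields different digests, so one
    precomputed digest cannot match more than one stored entry."""
    return len({iterated_hash(password, s) for s in salts})
```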
This ease of implementation is why password-based authentication is used everywhere. I would argue, though, that the scheme is too simple and can be exploited by attackers: year after year, another hashing algorithm comes to be considered no longer secure enough.