So #Heartbleed, perhaps the best software bug ever. I spent much of today checking websites and changing passwords. Fortunately, I use the Firefox password manager to store mine and sync them with the browser on my mobile phone, so I could open it, search for “https://”, and work through the list. I eventually used 30 or so random sequences from random.org, starting with anything that had money attached. It was an advance on my plan, over a decade old, of using the names of Australian cattle stations.
That was fair enough, but I kept running into the same problem – I had to log in, root around in some e-commerce site to find the “change password” link, and then futz around still more to persuade Firefox to save the new password. The champion was probably a ticketabc site where I had to feign interest in a Pharcyde gig to change my password.
The problem that you can’t explicitly edit the passwords is solved with this extension, which also helps with some web sites that don’t flag the password fields properly. PayPal even stops you copying and pasting, to make absolutely sure you can’t use it without passing a typing test.
But this is all kludge. The main problem with passwords is that if they are any good, you can’t remember them. The other main problem with passwords is that if you can think them up, they probably aren’t any good. The other other main problem with them is that the whole life-cycle is so almost.
What I want is this: my Web browser generates a genuinely long and random password whenever I need one, and stores it. It fetches it whenever I want to log in. When I don’t want it any more, it deletes it. If there is some reason to think it’s been compromised, I press a button and the password is revoked and a new one generated.
What I want, then, is a simple standard that allows a Web site (or if you like, anything else using it) to trigger the creation of a password by the password manager, which then stores it for later use, and that provides for the password to later be changed. This must allow for an external device to generate the password if desired, for a master credential, and for the password store to be sync’d between machines if desired. It must also allow for a big REVOKE ALL THE THINGS button that causes all (or a subset) of the stored passwords to be expired and regenerated.
That’s basically an API with five calls:
>login(site, username, password)
>deletePassword(site, username, password)
>revokePassword(site, username, password)
and the fifth is really just a delete followed immediately by a make.
Why the hell hasn’t W3C done anything like this? It seems such a basic and useful project compared to the vast effort poured into the semantic web black hole.
Update: Naadir Jeewa objects.
@yorksranter i mistrust the identity management of 95% of websites that much, that I'd rather risk it
— Naadir Jeewa (@randomvariable) April 11, 2014
I think he is wrong. Not only is OAuth in the sense of “sign in with Facebook”, i.e. the sense in which it gets used, a bad case of pre-Snowden thinking, it’s also true that it works for me about 25% of the time.