Alternatives to Passwords

I get that security on the internet is important, but creating and having to remember so many passwords is a very cumbersome process. There are ways to have software generate passwords and then store them in a “secure” location, but I don’t really care for this approach. In my view, there is no such thing as something truly secure on the internet. With enough motivation and skill, security can be defeated–or so I believe. Is there a method that is less cumbersome and more secure? I don’t have a good answer for this, but I want to address this problem in this thread.

To kick things off, here are some thoughts off the top of my head:

  • I like the idea of having a physical key to insert in your device to gain access to an account. But losing and then replacing the key would seem like a big issue. Additionally, having an individual key for each account could get unwieldy. One possible solution: a few keys for certain broader categories of accounts–e.g., one key for entertainment sites, one for financial sites, etc. (Note: I’m not sure how physical keys like this work. If the key creates some digital signal, then I would think this signal could be replicated. If so, that would weaken the appeal of a physical key for me.)
  • Another type of key: Instead of a physical key-like object, this “key” would be a small external device, say the size of a pager or even a thumbdrive, that would randomly generate passwords and then store the passwords. Plug the device into the phone or computer and it will act like a key to unlock the device. To make it more secure, maybe the site can send a code to the “key” and the key would either use that to get into an account or reveal the code for the user to type in.
  • Using some unique object, information, etc. one has in one’s possession as a key. For example, I have some painting or art that my children made in school. I think the problem is that the site would have to have a record of this, and someone could get that information. Also, having a unique thing for every account would be the same problem as a physical key.
  • What about this: create accounts (plural) based on a password+a physical key+a specific device. All three things become a key that gives access to all the accounts you’ve set up. It’s only one “key” but a specific (unique) device and a unique physical key should make this acceptable. (This assumes that a hacker can find a way to mimic the signature of the physical device and “copy” the physical key.)

2 thoughts on “Alternatives to Passwords”

  1. Average working people in America have to know eight distinct passwords just to do their daily jobs — or that’s what it was a few years ago. Maybe it’s more or fewer now.

    Some of what you suggest is already in place. Digital encryption with a USB key was a geeky rage 20 years ago — and forms of it are still in use now, by pretty much all of us. I don’t know exactly how crypto keys work, but I know that when you lose yours, there’s almost no way to get back into your stuff.

    My phone unlocks by looking at my face, and many of the apps, including my medical records app, my credit union app, and my post office account, work the same way. An earlier version of my phone recognized my thumbprint for unlocking. My iPad still unlocks by recognizing my fingerprint.

    Your suggestions basically come up against the two big factors any of these systems have to balance: ease of use and security. And based on your suggestions, I think a password manager is really the best solution. Then someone would have to get into your laptop first, and then figure out the password for the password manager — that’s two levels of security, like a burglar alarm on your front door and a wall safe for your belongings within the house.

    What’s your discomfort with a password manager? I know people responsible for entire college campus website security who use password managers.

  2. Re: USB keys

    Is that the same as “crypto keys?” I mean, if so, if there is literally only one key, that is a huge drawback.

    How do these keys actually work? I like the idea of a physical key, but I’m guessing the “key” has an (encrypted?) digital code or signature that a computer or site recognizes, which to me makes it very different from a traditional lock and key, which is bounded by physical space. If a USB key utilizes some digital signature, couldn’t someone or something, anywhere, recreate that signature (making a copy of the key)?

    What I have in mind is a lock and key situation that is more similar to traditional locks and keys.

    Re: Facial and fingerprint “keys”
    Couldn’t someone get or create your face and fingerprint and then use it to unlock things? If so, I don’t care for this.

    “Then someone would have to get into your laptop first, and then figure out the password for the password manager — that’s two levels of security,…”

    Wait, someone can only get into the password manager through your laptop? Are you sure? Because that would make it more appealing. I thought password managers stored passwords online.
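
On the question raised in the post and in the second comment, whether the "signal" from a USB key could simply be recorded and copied: the sketch below is an added example, not part of the original post or its comments, showing the general challenge-response idea behind hardware security keys (FIDO2/WebAuthn style). The class names `SecurityKey` and `Site` and the `.example` site names are hypothetical, and a real key adds more fields than this.

```javascript
// Added illustration: challenge-response login with a signing key.
// SecurityKey, Site and the site names are hypothetical, constructed for this example.
const crypto = require('node:crypto');

class SecurityKey {
  constructor() {
    // The private key is generated inside the device and never leaves it.
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.publicKey = publicKey;    // safe to hand to any site
    this._privateKey = privateKey; // stays on the device
  }
  // Sign the site's one-time challenge together with the site's name.
  sign(origin, challenge) {
    const msg = Buffer.concat([Buffer.from(origin + '\n'), challenge]);
    return crypto.sign(null, msg, this._privateKey);
  }
}

class Site {
  constructor(origin, registeredPublicKey) {
    this.origin = origin;
    this.publicKey = registeredPublicKey; // the only record the site stores
    this.pending = null;
  }
  newChallenge() {
    this.pending = crypto.randomBytes(32); // fresh random value per login
    return this.pending;
  }
  verifyLogin(signature) {
    if (!this.pending) return false;       // no outstanding challenge
    const msg = Buffer.concat([Buffer.from(this.origin + '\n'), this.pending]);
    this.pending = null;                   // each challenge is single-use
    return crypto.verify(null, msg, this.publicKey, signature);
  }
}

function demo() {
  const key = new SecurityKey();
  const bank = new Site('bank.example', key.publicKey);
  const sig1 = key.sign(bank.origin, bank.newChallenge());
  const genuine = bank.verifyLogin(sig1);
  // A recorded copy of sig1 presented at the next login: the challenge has changed.
  bank.newChallenge();
  const replayed = bank.verifyLogin(sig1);
  // A signature made for a different site name does not verify here.
  const c3 = bank.newChallenge();
  const wrongSite = bank.verifyLogin(key.sign('bank-login.example', c3));
  return { genuine, replayed, wrongSite };
}
```

`demo()` returns `genuine: true` but `replayed: false` and `wrongSite: false`: what travels over the wire is different on every login, and the site's stored record is a public key that cannot be used to sign.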
