How important is it to have passwords?

Hans
Joined: 04/18/2022

Apple, Google and Microsoft want to kill the password. Worrisome news, but are the passwords so important?

Magic Banana

Joined: 07/24/2010

For those who, like me, refuse to carry a tracking device, the proposal is obviously a no-go.

jxself
Joined: 09/13/2010

"but are the passwords so important?"

If the alternative is that you need to run proprietary software (Bluetooth firmware, etc.) in order to be able to access your email then yes it is important. Hopefully this does not become mandatory but I fear that, with large adoption, passwords become seen as "less secure" somehow and then deprecated later on, and then you can't log in to your account anymore because you didn't buy the latest Android or iPhone with the proprietary junk on it. Proprietary software is obviously never the answer but look at the companies that are pushing this.

Avron
Joined: 08/18/2020

A non-trackable device (no wifi, no bluetooth, no cellular) with screen and camera could be used to scan a request for password expressed as a QR code and encode a response as a QR code, based on a password stored in the device and possibly information to authenticate the request. That would be a good replacement for typing passwords, fully under user control and respecting privacy, and I have always wondered why this did not already exist with fully free software.
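An added sketch of the exchange described in the post above (example code, not written by any participant in this thread). It assumes the site and the offline device share a secret derived from the stored password; all function names are hypothetical, and the JSON strings stand for the text that would be rendered as the two QR codes.

```python
import hashlib, hmac, json, secrets

def _mac(key: bytes, *fields: str) -> str:
    # Length-prefix every field so two different field lists never share a MAC input.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def _same(a, b: str) -> bool:
    # Constant-time comparison that also tolerates non-string input.
    return hmac.compare_digest(str(a).encode(), b.encode())

def derive_keys(password: str, site: str):
    # One stretched secret, split into a request-authentication key and a response key.
    # The iteration count and the per-site salt are assumptions of this sketch.
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), site.encode(), 200_000, dklen=64)
    return okm[:32], okm[32:]

def make_request(site: str, req_key: bytes, issued: set) -> str:
    """Site side: the text that would be displayed as the request QR code."""
    nonce = secrets.token_urlsafe(16)
    issued.add(nonce)
    return json.dumps({"site": site, "nonce": nonce, "tag": _mac(req_key, "req", site, nonce)})

def device_respond(request_qr: str, vault: dict) -> str:
    """Offline device: refuse unauthenticated requests, else return the response QR text."""
    req = json.loads(request_qr)
    site, nonce = str(req["site"]), str(req["nonce"])
    if site not in vault:
        raise ValueError("no password stored for this site")
    req_key, resp_key = derive_keys(vault[site], site)
    if not _same(req.get("tag"), _mac(req_key, "req", site, nonce)):
        raise ValueError("request was not produced by the site")
    return json.dumps({"nonce": nonce, "proof": _mac(resp_key, "resp", site, nonce)})

def server_verify(response_qr: str, site: str, resp_key: bytes, issued: set) -> bool:
    """Site side: accept each issued nonce once, and only with a valid proof."""
    resp = json.loads(response_qr)
    nonce = resp.get("nonce")
    if not isinstance(nonce, str) or nonce not in issued:
        return False
    issued.discard(nonce)  # single use: a captured response cannot be replayed
    return _same(resp.get("proof"), _mac(resp_key, "resp", site, nonce))
```

In this sketch the password never leaves the device, but the site stores keys derived from it, so the scheme is symmetric: anyone who obtains the site's copy of the keys can answer challenges.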

Hans
Joined: 04/18/2022

Well, there is YubiKey. I don't know if it complies with free software.

jxself
Joined: 09/13/2010

The devices have nonfree firmware running on them.
https://en.wikipedia.org/wiki/YubiKey#YubiKey_4_closed-sourcing_concerns

Hans
Joined: 04/18/2022

I've sent Yubico an email with some questions. They replied that:
If a browser supports the FIDO U2F and/or FIDO2 WebAuthn authentication standards, no additional software needs to be installed in order to make YubiKey work.
They have a bunch of proprietary software like 'Yubico Authenticator' otherwise.

The Firmware on a YubiKey cannot be updated or manipulated at all on any platform due to security reasons.

^^^ If it cannot be updated or manipulated, does it matter if it's proprietary or not?

If I use the thing just to authenticate to mail servers, web shops, banks etc., using only the web browser and no additional proprietary software, does it mean that I'm running non-free software by doing so?

Magic Banana

Joined: 07/24/2010

It is a debated topic. RMS considers that software that cannot be updated could be considered as a circuit and need not be free. It is definitely running though.

hate29
Joined: 04/10/2021

If your device gets lost or stolen? Someone can pretend to be you. Phones are usually locked and need to be opened via biometric or PIN-codes.

Don't get me wrong. I'm concerned about this too. Sooner or later I can't use my bank account without iPhone or Android. And of course new as it needs to be 'secure'.

Avron
Joined: 08/18/2020

Any password database should have a good passphrase, using the diceware method. That should be in addition to device ciphering and locking with a decent password. I found I cannot put more than 16 characters for the device password, this is with Replicant 6.004, so I suppose it is like that for Android 6, not sure longer passwords are allowed on later Android. As far as I am aware, Replicant does not support any device that has biometrics.

Unfortunately, even though the front camera works on my phone with the AOSP camera app and with OpenCamera, all other apps I tried are unable to use the camera to scan QR codes (I tried Conversations and QR & Barcode scanner).

About YubiKey: I checked before and concluded it had some non-free software.

Hans
Joined: 04/18/2022

Can I turn a usual USB flash drive into a hardware key by using only free software?