Wednesday, September 04, 2013

Why do we still use passwords?

I like puzzling over really dumb things that lots of people have to do, because it amuses me. And one of the stupidest things we all still have to do is use passwords, but why?

Early on, back when there were debates over whether or not "personal computers" were even worth having, as the web began to emerge, it was simpler to use passwords for access to sites. And the username and password way of operating took over.

But it's a dumb way to do things long-term.

People forget the darn things. Or re-use them endlessly. Or get infuriated when they have to come up with new ones on a schedule. And, oh yeah, computers are fiendishly good at cracking them.

But what to do? What else to do?

Why not use keys?

People don't use a username and password to start their cars, right?

Would you use a username and password to get into your house?

I wouldn't. I like keys just fine.

So how do you use keys instead of passwords?

The simplest is a dongle-type device that plugs into a USB port with a unique and cycling identifier that runs through a key service. The key service tells people that you are you.

So, for instance, say Mozilla or Google were to provide a key service--or some other organization if you don't trust either of them--then they'd be the ones to tell a website who you are.

They just need to be sure you--are you.

So they would just need a way for you to tell them, which is what that device that plugs into your USB port would do.

And you can keep it, where?

How about on your key-chain?

(That's where a lot of people like to keep their keys. I think it's a decent place. Very familiar.)

How do you cycle it?

How about using the time of device connection?

That's a simple idea I gave away years ago after I failed to get a US patent on the concept, which infuriated me and earned the USPTO my contempt from then on.

I think the USPTO is stupid. (Maybe I'm using words like "stupid" too much these days but the password thing is way past stupid into endlessly annoying.)

So, like, there's an algorithm that shifts a code on your "key" whenever you connect it to the key service.

The way it works is your key keeps up with how long you're connected because it has a timer and the service keeps up with that connection time too.

So your key calculates its new code after you disconnect and the service does as well. They both know how long you were connected, so each has the critical information. That time of connection is a number which can be pushed through shared formulas to generate a code. So you can endlessly generate codes, replacing a static password, or one that changes every 30 days.

With this idea, you send--by using your key--a new code with each connection.

Here notice that both your device and the key service have a useful bit of information which, as far as I know, is mostly just thrown away all the time on the web.

They BOTH independently have the time of connection.

It's called SHARED INFORMATION and my idea leverages such information. Simple.

If someone copies your key, and tries to be you, they start generating new codes, and then when you try to be you, the service starts howling as your codes are wrong. You can't both be you at the same time. So, you know you've been hacked. They know you've been hacked.

That simple technique is unbreachable, as long as you eventually use your key again.

If they just take your key, then it's just like any other situation where someone takes your key. If you never use your key again, and they copy it, then it's also like if they just took your key. So technically the technique ensures only one key user is allowed, since it is impossible for duplicates to co-exist without detection.

I can prove that through logic because I'm really smart.

Our current system is really STUPID.

Do you think I used the word "stupid" enough in this post? I don't. I'd like to use it a bit more but I'm trying to be polite.

Our world is so much worse off because there are people who think they are highly intelligent who insist on ignoring ideas that can make our lives easier while requiring we do STUPID things like use usernames and passwords.

Ok, I feel better now, got one more in there.

So why is my idea a key while username and password is not?

Because your physical keys are unique to you. Yes, others MAY copy them, but it's not like you will not find out. Or probably will find out if you're smart about it, and oh yeah, I digress...they need your physical key to copy it!

Physical keys are awesome things which people should appreciate more, so we can move those key principles to the web.

When you think it, then it is possible it can be done.

If you can't think it, then how can it be made real?

With my idea someone wishing to steal your key needs your physical key to copy it--as the codes it generates shift all the time--and even with it, they may find it hard to hack the freaking thing and copy it. But even if they do, if you get it back, and use it, their copy is now worthless.

So it's actually better than a normal key.

If they just copy a current code from your key as it flies across the web, then they got NOTHING.
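An added simulation (not the author's code, and not from any product) of the rolling-code scheme described from "So, like, there's an algorithm that shifts a code on your key" through the clone-detection paragraphs, and of the captured-code case in the sentence above. The post says only that a shared formula turns the connection time into the next code; HMAC-SHA256 is an assumed choice for that formula, the seed is a constructed example value, and both sides are assumed to agree on the same whole-second connection duration:

```python
import hashlib
import hmac

# Constructed seed shared by the device and the service at enrolment (example value).
SEED = b"enrolment-secret-example"


def next_code(current: bytes, connection_seconds: int) -> bytes:
    """Roll the code forward from the current code and the connection duration.
    The post only says 'shared formulas'; HMAC-SHA256 is an assumed choice here."""
    return hmac.new(current, connection_seconds.to_bytes(4, "big"), hashlib.sha256).digest()


class KeyDevice:
    """The USB 'key': holds the current code and rolls it after each disconnect."""

    def __init__(self, code: bytes):
        self.code = code

    def present(self) -> bytes:
        return self.code

    def disconnect(self, connection_seconds: int) -> None:
        self.code = next_code(self.code, connection_seconds)

    def clone(self) -> "KeyDevice":
        # Someone who copies the device gets its current code and nothing more.
        return KeyDevice(self.code)


class KeyService:
    """The key service: holds the code it expects next and raises an alarm on mismatch."""

    def __init__(self, code: bytes):
        self.expected = code
        self.alarm = False

    def verify(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self.expected)

    def session(self, device: KeyDevice, connection_seconds: int) -> bool:
        """One connection. Both sides observe the same duration (assumed agreed by
        the protocol) and roll forward only after a successful check."""
        if not self.verify(device.present()):
            self.alarm = True  # wrong code: someone else has been 'you'
            return False
        self.expected = next_code(self.expected, connection_seconds)
        device.disconnect(connection_seconds)
        return True


def simulate_copy_used_first() -> tuple:
    """The key is copied and the copy is used before the owner reconnects."""
    owner = KeyDevice(SEED)
    service = KeyService(SEED)
    service.session(owner, 12)            # normal use: both sides roll forward
    copy = owner.clone()                  # copy taken now, in sync with the service
    copy_ok = service.session(copy, 7)    # accepted: it is indistinguishable at this point
    owner_ok = service.session(owner, 9)  # owner's code is now stale: rejected, alarm raised
    return copy_ok, owner_ok, service.alarm


def simulate_owner_used_first() -> tuple:
    """The key is copied but the owner reconnects before the copy is used."""
    owner = KeyDevice(SEED)
    service = KeyService(SEED)
    copy = owner.clone()
    owner_ok = service.session(owner, 5)
    copy_ok = service.session(copy, 5)    # copy's code is stale: rejected, alarm raised
    return owner_ok, copy_ok, service.alarm


def simulate_replay() -> bool:
    """A single code captured in transit is presented again later."""
    owner = KeyDevice(SEED)
    service = KeyService(SEED)
    captured = owner.present()
    service.session(owner, 3)             # the service has rolled past the captured code
    return service.verify(captured)       # False


if __name__ == "__main__":
    print("copy used first  :", simulate_copy_used_first())
    print("owner used first :", simulate_owner_used_first())
    print("replayed code ok :", simulate_replay())
```

The three functions cover the cases the post walks through: a copy used before the owner reconnects (the owner is then rejected and the alarm fires), the owner reconnecting before the copy is used (the copy is rejected and the alarm fires), and a captured code replayed on its own (rejected, because the service has already rolled past it). One design point worth keeping in any real implementation: the service rolls forward only after a successful check, so a rejected attempt cannot push the legitimate key out of sync. And, as the post itself says, nothing is flagged between the moment a copy is taken and the next mismatch; detection happens when the second party connects.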

Oh yeah, and why give ideas away for free?

Because I don't like the USPTO and I STILL don't like them despite recent legislation.

What we lose is innovation as big corporations have the power to push their ideas through, while others can just keep using usernames and passwords indefinitely because in my opinion big corporations rarely push the best innovation.

(But they do have big legal departments so tread carefully in saying nasty things about them!)

Our world is changed by blocked innovations where people lose more than they often realize because they have no clue how much better things could be.

And that is just sad.

James Harris