[cap-talk] Replacing passwords

Stiegler, Marc D marc.d.stiegler at hp.com
Thu Mar 15 10:56:44 PDT 2012

This is a great list of criteria. It subsumes almost all the criteria in my little decision matrix. The 2 items I would want to add to build a really serious matrix would be a set of functionality criteria for rich sharing, and representation, either as a mechanism for prioritization or as an additional criterion, of the number of cyberthieves the threat exposes you to. I cannot help feeling that attacks like phishing, transcontinental in the risk they expose one to, are much, much more important and worrisome than shoulder surfing. I find the asterisk-filled password field, which leaves me clueless about whether I've committed a typing error with my relatively long passwords, to be a vastly greater usability threat than security strength. Even if there is a dumb little checkbox I can interrupt my workflow even more to click to toggle off the asterisks, the hiding of my own keystrokes encourages shorter passwords to minimize typing error risk. Does that really make us more secure?


> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Ben Laurie
> Sent: Thursday, March 15, 2012 8:54 AM
> To: General discussions concerning capability systems.
> Subject: [cap-talk] Replacing passwords
>
> People may find this of interest "The quest to replace passwords: a
> framework for comparative evaluation of Web authentication schemes"
> http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf

