The mark of a new trend is the growth of spoof sites...
... and therefore, the sign that the whole "Identity 2.0" thing is starting to matter is the appearance of Useless Account. Nothing like a cry of frustration to illustrate that there's a problem...
no subject
Either you have a single password used everywhere - and you are going to be dead if one of those sites is evil or bad and divulges that password.
Or you have 10,000 passwords, and are drowning.
Yes, a password keeper exists, but that's all eggs and baskets now, isn't it? (We've had one co-worker keep all his passwords in his Palm. Then it broke. He couldn't do much work for the next few days until he replaced it.)
no subject
That becomes worse rather than better if we move to biometric factors, doesn't it? If you use the same password for 100 sites and it gets cracked, you can change passwords. Changing fingerprints or retinal prints is a bit more difficult.
no subject
Although most of us have 9 more fingers, and one spare eye...
no subject
The options would be limited regardless. And of course now I'm picturing some of the high-tech crime shows we get now, and a market for recently-severed fingers...
The future is...wait, wasn't this in Minority Report?
Re: The future is...wait, wasn't this in Minority Report?
Re: The future is...wait, wasn't this in Minority Report?
And yes -- it gets way down into the whole identity-management problem. Identity always was PKD's main subject, so that's not surprising...
no subject
Or you have 10,000 passwords, and are drowning.
There is a middle ground: using a single password for each class of sites - a social-sites password, an e-commerce password, a sign-up-to-read (news, etc) password, and so forth. If one of your credentials is then cracked, the *extent* of the ensuing problems may be greater than if one were drowning in 10,000 passwords, but the *nature* of the troubles will be confined to the type of site in question.
(Not necessarily a good idea for very high-stakes things like financial websites. But for just about everything else, it seems like a reasonable compromise.)
no subject
For instance, CardSpace is really quite elegant, defining an ecosystem of "identity providers" and "identity consumers", and mediating between them. Neither of those sides actually has a password in any meaningful sense: instead, the providers provide secure "cards" that the user can then associate with consuming sites. There are some additional layers of secure communication involved, with the result that no consuming site gets anything that enables them to access any *other* site with your credentials, even if you're using the same card on both.
Which is all lovely, but you have to keep those cards somewhere, and Microsoft wants you to do so in a secure "wallet" on your computer. Hack *that* (or have someone get your Windows password that guards it), and your target is utterly screwed. Microsoft has put a *lot* of effort into making that unhackable, but I'm not going to have faith in it until the hackers have had some time to attack it seriously. And of course, you need to back it up in case your hard drive fails, which means it's all only as secure as the medium you back it up onto.
Etc, etc. It's an improvement in certain respects: in particular, it means that there isn't anything out on the Internet cloud that could easily compromise you. But it replaces that with a pretty intense single-point-of-failure problem, and means that *physical* security of your "e-wallet" becomes deathly important. And it's only as secure as your Windows account, which even in the new Vista regime (which is, to be fair, vastly more secure than older versions of the OS) still isn't very comforting...
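The property the comment above describes (one card used at two sites, yet nothing either site receives lets it log in as you at the other) is easy to see in code. What follows is an added illustration, not CardSpace's actual protocol or Microsoft's code: it is a deliberately simplified symmetric model in which the "card" is a single random secret and everything a site ever sees is a keyed derivation of that secret bound to the site's own identifier. The site names (`shop.example`, `forum.example`), the `RelyingParty` class and the function names are all hypothetical, and the challenge nonces are generated inline so the script runs offline.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Hypothetical toy model (added example, not CardSpace's real protocol):
# the wallet holds one card secret; each site gets only a PRF-derived
# identifier and verification key that are specific to that site.


def derive_rp_material(card_secret: bytes, rp_id: str) -> Tuple[str, bytes]:
    """Per-site identifier and verification key for one card.

    Both are HMAC outputs over (card_secret, rp_id). A site that holds its own
    pair cannot compute another site's pair, nor recover the card secret.
    """
    ppid = hmac.new(card_secret, b"ppid|" + rp_id.encode(), hashlib.sha256).hexdigest()
    key = hmac.new(card_secret, b"key|" + rp_id.encode(), hashlib.sha256).digest()
    return ppid, key


def issue_token(card_secret: bytes, rp_id: str, nonce: str) -> dict:
    """Wallet side: answer a site's challenge with a token usable only there."""
    ppid, key = derive_rp_material(card_secret, rp_id)
    payload = json.dumps({"aud": rp_id, "ppid": ppid, "nonce": nonce}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class RelyingParty:
    """Identity consumer: stores nothing but the material derived for it."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.keys: Dict[str, bytes] = {}   # ppid -> verification key
        self.pending: Set[str] = set()     # outstanding challenge nonces

    def register(self, ppid: str, key: bytes) -> None:
        self.keys[ppid] = key

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, token: dict) -> bool:
        body = json.loads(token["payload"])
        if body.get("aud") != self.rp_id:          # minted for some other site
            return False
        if body.get("nonce") not in self.pending:  # stale or fabricated challenge
            return False
        key = self.keys.get(body.get("ppid"))
        if key is None:                            # identifier never registered here
            return False
        expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            return False
        self.pending.discard(body["nonce"])        # each challenge answered once
        return True


def demo(card_secret: Optional[bytes] = None) -> dict:
    """Run the scenario and report which attempts succeed."""
    card_secret = card_secret or secrets.token_bytes(32)   # the one thing in the wallet
    shop = RelyingParty("shop.example")
    forum = RelyingParty("forum.example")

    # "Associate the card" with each site: each receives only its own pair.
    for rp in (shop, forum):
        rp.register(*derive_rp_material(card_secret, rp.rp_id))
    ppid_shop, _ = derive_rp_material(card_secret, shop.rp_id)
    ppid_forum, _ = derive_rp_material(card_secret, forum.rp_id)

    # Honest login at the shop.
    tok = issue_token(card_secret, shop.rp_id, shop.challenge())
    ok_shop = shop.verify(tok)

    # The shop (or whoever reads its logs) replays the token at the forum:
    # the audience does not match, and the forum holds no key for that ppid.
    replay = forum.verify(tok)

    # Re-labelling the audience does not help either: the forum has never
    # seen that identifier, and the tag is keyed to the shop's key anyway.
    forged_body = json.loads(tok["payload"])
    forged_body["aud"] = forum.rp_id
    forged_body["nonce"] = forum.challenge()
    forged = {"payload": json.dumps(forged_body, sort_keys=True), "tag": tok["tag"]}
    forge = forum.verify(forged)

    # A second presentation of the valid token at the shop is also refused.
    replay_same = shop.verify(tok)

    return {
        "same_card_distinct_ids": ppid_shop != ppid_forum,
        "login_at_shop": ok_shop,
        "shop_token_accepted_at_forum": replay,
        "relabelled_token_accepted_at_forum": forge,
        "second_use_at_shop": replay_same,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the comment makes about the wallet survives the model intact: `card_secret` is the only value that has to be protected, and anyone who obtains it (from the machine or from a backup) can mint valid tokens for every site the card was ever associated with, which is exactly the single-point-of-failure trade the comment describes.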
no subject
Not only are there the security issues that you specify - there is the entire "availability" issue to consider. Every intermediary you employ must be functioning flawlessly.
Meh.
no subject