Public-key cryptography should replace text passwords

The recent leaking of almost 10 million passwords from LinkedIn, eHarmony and is unsettling to say the least, but it has left me wondering…why are we still using text-based passwords?

We already use public-key crypto to secure and authenticate our interactions with websites via SSL. It seems straightforward to have all computers, cellphones, etc. generate a public and private key per user, and then any website they wish to authenticate to can store the user’s public key. This is the same process used to allow password-less logins to remote servers via SSH, and sites like GitHub and BitBucket already use this technique to authenticate their users for source version control. Proof of identity can be achieved via out-of-band confirmation, using SMS confirmation codes, like many sites (including Facebook and Gmail) already do.
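The login flow described above, sketched as a challenge-response exchange. This is an added example, not code from the original post; the Ed25519 key type, the `Server`/`Challenge`/`Verify`/`Sign` names, the `login:<origin>:` message prefix and the `example.test` origin are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores only public keys, so a leaked user table holds nothing that can log in.
type Server struct {
	origin  string
	keys    map[string]ed25519.PublicKey // username -> enrolled public key
	pending map[string][]byte            // username -> outstanding one-time challenge
}

func NewServer(origin string, keys map[string]ed25519.PublicKey) *Server { return &Server{origin, keys, map[string][]byte{}} }

// Challenge issues a fresh random nonce that the user's device must sign.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[user] = nonce
	return nonce
}

// Verify consumes the challenge (so it cannot be replayed), then checks the signature.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, issued := s.pending[user]
	pub, enrolled := s.keys[user]
	delete(s.pending, user)
	return issued && enrolled && ed25519.Verify(pub, signedMessage(s.origin, nonce), sig)
}

// signedMessage binds the nonce to one site, so a signature cannot be reused at another.
func signedMessage(origin string, nonce []byte) []byte { return append([]byte("login:"+origin+":"), nonce...) }

// Sign runs on the user's device; the private key k never leaves it.
func Sign(k ed25519.PrivateKey, origin string, nonce []byte) []byte { return ed25519.Sign(k, signedMessage(origin, nonce)) }

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewServer("example.test", map[string]ed25519.PublicKey{"alice": pub}) // enrollment stores the public key only
	sig := Sign(priv, srv.origin, srv.Challenge("alice"))
	fmt.Println("login:", srv.Verify("alice", sig), "replay:", srv.Verify("alice", sig))
}
```

The second `Verify` call fails because the challenge is single-use: a captured signature is worthless once the login completes.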

This would have some awesome benefits:

  1. People only need to remember passwords to their devices (computers, smartphones, etc.), which are a lot easier to remember.
  2. Users’ accounts at other websites would no longer be vulnerable when a website they use is hacked. There aren’t any passwords to steal! The only thing that could be compromised is their public key, which is useless to hackers.
  3. Users wouldn’t need to create dozens of passwords to mitigate the risk of any one of their accounts being hacked.
  4. Hackers interested in getting at a person’s data would have to steal or hack an individual’s device in order to copy their private key.

I am by no means a security expert, so maybe I’m missing something and I’d love to hear counter-arguments. But there is no such thing as perfect security, and I think that given the proper support from device manufacturers (Apple already does a great job with their keychain built into the OS), this could be a breeze for end users and it would make everyone’s data a lot safer. Coupled with the ability to remote-wipe and track devices (like the Find My iPhone service), this seems like a no-brainer solution to a long-standing problem.
