Password safes &c. (was: Dear Linkedin,)

[Andrew Sullivan <asullivan () dyn com>]

On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
> PS: when security is hard, people simply don't do it.

I think this is exactly right.  

The idea that we are going to train everyone on earth to keep eleventy
billion distinct passwords in their heads -- or in a "password safe"
that is either (1) under someone else's control because it's a web
service or (2) inaccessible half the time because it's on their laptop
and they're using their phone now and OMG -- is preposterous.  (This
without mentioning that they also have to remember the username that
goes with it, which is _also_ variable.) 

We have an engineering challenge here, and the PKI we have so far
doesn't work.  No, I have no magic answers.  I'm not that smart.
Michael Thomas is still right about this.

Best,

A

-- 
Andrew Sullivan
Dyn Labs
asullivan () dyn com