Forum OpenACS Q&A: Re: Interesting article on web based password protection

Posted by Joel Aufrecht on
This is a classic security vs usability problem. (Note that many apparent security vs usability problems are false tradeoffs; it's very easy to make something less usable without gaining security.)

The problem with challenge/response is an astoundingly low success rate for "normal users." Users generally can't make heads or tails of the challenge-response process, for several reasons I won't go into. I want to share the following semi-informed opinions:

For most public web sites, where getting broad participation is critical and neither data theft nor impersonation is critical, challenge-response isn't worth it. It provides a modicum of security and causes many possible users either to give up or to ultimately need human intervention to recover a password (again, a point at which many instead silently give up).

Without rigorous SSL and a configuration making it impossible to submit a password in the clear, challenge/response is almost worthless because everything can just be sniffed.

The modal activity after a random password reset is, I would wager money, to use the new password once and then forget or lose it. Better to just re-send the original password in most cases.

So I guess I'm lobbying for two basic modes - minimal security, where you log in in the clear and can get your password back with a click, and real, where you log in over SSL, your proposed password is vetted against a dictionary, passwords expire, etc. One of these days I'll submit a patch for a new admin setting that cleanly disables challenge-response and hides every vestige of it.
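The "real" mode sketched in the post above (dictionary vetting of a proposed password plus password expiry) is the one piece that maps directly onto code. The following is an added example, not code from the post or from OpenACS; the word list, the leetspeak substitution table and the 90-day maximum age are assumptions chosen for illustration, and a deployment would load a real word list (for instance /usr/share/dict/words) instead of the constructed set below.

```python
import datetime as dt

# Constructed sample word list standing in for a real dictionary file.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "openacs", "secret"}

# Assumed leetspeak substitutions undone before the dictionary lookup, so that
# "P@ssw0rd" is vetted as "password" rather than slipping through as a novel string.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Assumed policy: a password older than this must be changed.
PASSWORD_MAX_AGE = dt.timedelta(days=90)


def normalize(candidate: str) -> str:
    """Lowercase, strip the trailing digits/punctuation users bolt onto words,
    then undo leetspeak. Stripping happens first so that "P@ssw0rd123" becomes
    "p@ssw0rd" and only then "password"."""
    stripped = candidate.lower().strip("0123456789!.-_")
    return stripped.translate(LEET)


def vet_password(candidate: str, dictionary=COMMON_WORDS, min_len: int = 8) -> list:
    """Return the reasons a proposed password is rejected; an empty list means accepted.

    Checks: minimum length, exact dictionary match after normalization, and
    a dictionary word of five or more letters embedded in the password."""
    problems = []
    if len(candidate) < min_len:
        problems.append("too short")
    norm = normalize(candidate)
    if norm in dictionary:
        problems.append("dictionary word")
    elif any(word in norm for word in dictionary if len(word) >= 5):
        problems.append("contains dictionary word")
    return problems


def password_expired(set_at: dt.datetime, now: dt.datetime, max_age=PASSWORD_MAX_AGE) -> bool:
    """True when the password was set max_age or longer ago and must be rotated."""
    return now - set_at >= max_age


if __name__ == "__main__":
    for pw in ["P@ssw0rd123", "short", "MyOpenACS2003!", "xK9#vq2Lp!"]:
        print(pw, "->", vet_password(pw) or "accepted")
    set_at = dt.datetime(2003, 1, 1)
    print("expired on 2003-04-15:", password_expired(set_at, dt.datetime(2003, 4, 15)))
    print("expired on 2003-03-01:", password_expired(set_at, dt.datetime(2003, 3, 1)))
```

The normalization step is the part that matters: a dictionary check that compares the raw string only catches users who type the bare word, while the leet and trailing-digit tricks are exactly what a cracking wordlist already enumerates.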