
Dear browser makers,

Creating a password is not a job that users are good at.

Remembering passwords is not a job that users are good at.

Solve this problem for your users.

It's not super tricky. Make up a couple of new kinds of input types. Say, input type=trade-keys. When you see that on a page, create a private-public key pair and swap it with the server. Take the private key you made and the public key you got and encrypt them using the user's passphrase---the only password a user should have. Store that locally and make a backup to your cloud service in case the user wants to log in with another computer or the user loses their hard drive somehow.

Done.
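The flow proposed in the comment above, as an added sketch that is not part of the original post: keys are swapped, the user's private key and the site's public key are sealed under the passphrase, and login becomes a signed challenge. Ed25519, scrypt, AES-256-GCM, the challenge step and all function names are assumptions chosen for illustration.

```javascript
// Added sketch, not from the thread. Ed25519, scrypt and AES-256-GCM are assumed choices.
const { generateKeyPairSync, scryptSync, randomBytes, createCipheriv,
        createDecipheriv, sign, verify } = require('node:crypto');

// Each side makes a key pair; only the PEM public halves are swapped.
function makeKeys() {
  return generateKeyPairSync('ed25519', {
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Encrypt {userPrivate, serverPublic} under a key derived from the passphrase.
// The returned blob is what gets stored locally and backed up.
function sealVault(passphrase, entry) {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', scryptSync(passphrase, salt, 32), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entry), 'utf8'), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the passphrase is wrong or the blob was modified (GCM tag mismatch).
function openVault(passphrase, blob) {
  const d = createDecipheriv('aes-256-gcm', scryptSync(passphrase, blob.salt, 32), blob.iv);
  d.setAuthTag(blob.tag);
  return JSON.parse(Buffer.concat([d.update(blob.ct), d.final()]).toString('utf8'));
}

// Login: check the site signed the challenge with the key we stored, then sign it ourselves.
function login(passphrase, blob, challenge, serverSig) {
  const { userPrivate, serverPublic } = openVault(passphrase, blob);
  if (!verify(null, challenge, serverPublic, serverSig)) throw new Error('unknown site key');
  return sign(null, challenge, userPrivate);
}

// Constructed end-to-end run with both roles in one process.
function demo() {
  const user = makeKeys();
  const site = makeKeys();
  const blob = sealVault('one passphrase', { userPrivate: user.privateKey, serverPublic: site.publicKey });
  const challenge = randomBytes(32);
  const sig = login('one passphrase', blob, challenge, sign(null, challenge, site.privateKey));
  let wrongRejected = false;
  try { openVault('guess', blob); } catch { wrongRejected = true; }
  return { accepted: verify(null, challenge, user.publicKey, sig), wrongRejected };
}
```

The sealed blob is only as strong as the passphrase, so the key-derivation cost and passphrase quality decide how well a stolen backup resists offline guessing.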



BrowserID (https://browserid.org/) does exactly that. Once implemented in a browser, it effectively turns authentication into a key exchange with the browser.


As far as I can see, it's not different from all the other solutions. When you logged in to Hacker News you had to notice that there are tons of already working alternatives out there. It's also one-factor authentication and requires a password. So why not use OpenID, Google, Facebook? Because it's linked to the browser, it's most probably possible to steal your identity. So it's not a perfect solution either.


> Solve this problem for your users.

Not only are browsers not solving the problem, they actively make their users' lives more difficult by obeying autocomplete="off" set by overzealous webmasters. I had to hack Firefox to save a password to my Yahoo account in it -- crazy.




