Published at LXer:

How many passwords do you have? Probably more than you can easily remember or comfortably manage on your own. And I’m willing to bet that you dread coming up with new ones when you sign up for something online.Jonathan LeBlanc of PayPal is on a mission is to replace the password with something more secure and easier to use.read more

Read More...

Why not use public key cryptography for authentication ?
http://winscp.net/eng/docs/public_key
http://the.earth.li/~sgtatham/putty/.../Chapter8.html

I don't think there is a "one size fits all" replacement for passwords. No way we could do without them at my place of work, for example, where we us two-factor authentication as it is.

Passwords are simple, easy and great authentication mechanism. Those against may keep a electronic passbook or whatever. It is their problems/headache.

Not a great authentication method, in fact very weak. Challenge response protocols using public key cryptography or symmetric cryptography provide strong authentication.

I'm not sure I understand what "challenge response" is in this context?
Unless you're using a password you're using a data storage device with a public key on it. A key is the only way to lock anything.

https://en.wikipedia.org/wiki/Challe...authentication

A password provides weak unilateral authentication. More complicated protocols provide strong mutual authentication, which helps prevent a number of attacks.

Yeah, there is always a key, often derived from a password and salt. You could also keep the key on a storage device as long as it is secure.

Ah, sorry, I see what you mean. I tend to think of "what I have to remember" as the "password" and while I know there are more secure ways of my supplying it, like my bank asking for certain digits, the "password" is still there and I need to know it.
So, yes, I agree that that kind of mechanism is more secure.
I'm just not sure how that helps the need to remember passwords which, to me, seems to be what everyone finds a problem with.

Pass phrases seem to work pretty well and are easy to remember. You could also keep a USB stick with the key on it with you.

There are also other methods like one time passwords, and biometrics.

Biometrics have their own issues. Fingerprint scanners can often be bypassed using some clever techniques. Other biometrics are harder to fake, but also harder to obtain because you need expensive hardware.

"pass phrase" and "password" are interchangeable -- they're a remembered series of characters.
One-time passwords require some kind of pseudo-random number generator either on the device you're trying to log on with (i.e. an Android app which generates numbers for your bank web site) or a separate token. Both of which mean gaining access to the physical device means gaining access to the protected system -- unless the device is protected by a password...
Or, protected by a biometric which, yes, as long as they're robust enough are at least difficult to forge or steal. They also have the benefit of not requiring a good memory. Certainly where violence isn't likely they seems a pretty good solution and I've even seen a lot of mention of them being "salted" in such a way that it's not possible to work back from the key to recreate the actual biometric data.

Yeah, but a pass phrase is usually much easier to remember than something that must have a number, special character, upper and lower case characters. If it is long it is also usually stronger.

In that respect, yes, they often are. I think the old rules they employ that a number, capital letter and special character are silly but, then again, I also think not allowing them is silly. After all "Mary bought 2 large, white, donuts." must be moderately strong at least, for example.

Even all current public accessible biometry is fakeable.

Keys for symmetric/asymmetric crypto can be derived from passwords. If password uses all ASCII printable characters a 20 character long password produces 128 bit of security. And the most basic, easy and simple way would be passwords only. As they use simple, basic and available keyboards. And get to have the security in mind of the user not in some hardware key which can be stolen.

There was an article from Germany I believe, where in order to steal a biometrically secured car, a thief cut off the owner's finger.

There is also the possibility that if someone wants the password, they'll beat it out of you.

Instead, having your key stolen, isn't such a big deal, especially since you can revoke the key in a good cryptosystem (much like a stolen credit card).

Keys are too easily lost, stolen and (generally) broken (physically) in my opinion. As mentioned we use two-factor authentication at work and, while that may justify the problems associated with smart cards, it means that our smart cards would simply be far to valuable if used alone. Bank tokens similarly would be too valuable to use alone. Think about how credit cards have PINs because if they didn't a piclpocket could easily wipe out your account before you get to the next station, for example.