
> The security community really needs to get a grip and start designing systems that are compatible with the extremely low-tech-interest population if we even have a hope of securing systems. If I knew what the solution was I'd be rich.

Most of that population seems to do fine managing house keys, car keys, locker keys, etc.



You sure about that? I inherited what feels like 1,000 keys when my in-laws passed away. Who the hell knows what any of them are for, and they sure as hell didn't.


...and from this you're concluding that keys are a broken technology?

It doesn't seem realistic to expect to build a tool that nobody misuses.


> Most of that population seems to do fine managing house keys, car keys, locker keys, etc.

I’m gonna have to disagree with you there.

People are constantly losing their keys prolly about as much as people reuse the same password for multiple services.


I can't imagine that anything less than subdermal implants will be reliable, for some people.

If the implant fails, you can just go back to the government office / mega corp, show your DNA, and get a new one.

On further reflection, person a) has an evil twin who steals their identity, and person b) doesn't trust the government / mega corp. Back to the drawing board.


> People are constantly losing their keys prolly about as much as people reuse the same password for multiple services.

But when they lose their keys, they have a pretty clear mental model of the security risk and how to mitigate it.


What happens when you lose your passkey?


Exactly.


Because they don’t really have any other choice. You get a key with the lock. Even if they all happen to be the same blank, it’s substantial work and expense to get them all keyed alike for most people.

Maybe that’s our solution right there—when you register for a service instead of relying on users to select a secure, unique password we should generate a “correct horse battery staple” and only support rerolls, not setting arbitrary passwords. Guaranteed some minimum level of safety and complexity and no reuse.
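One way to implement the registration flow proposed in the comment above (the service issues a diceware-style passphrase, the user may only reroll it, and arbitrary user-chosen passwords are never accepted), as an added Python example that is not part of this thread. The word list, the `RegistrationFlow` class and the function names are constructed for illustration; a real deployment would use a large published word list, and the entropy arithmetic below shows why the list size matters as much as the word count.

```python
import hashlib
import math
import os
import secrets

# Constructed, deliberately tiny word list for this demo (16 words = 4 bits/word).
# A real deployment would use a published list of several thousand words;
# entropy scales with the list size, see entropy_bits().
WORDLIST = [
    "correct", "horse", "battery", "staple", "orbit", "lantern", "pepper",
    "glacier", "meadow", "copper", "violin", "harbor", "tunnel", "walnut",
    "falcon", "ember",
]


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n_words drawn uniformly, with replacement, from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits of entropy for this list size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """Uniform selection from a CSPRNG (secrets.choice, never random.choice)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


class RegistrationFlow:
    """Server-side model of the proposal: the service issues the passphrase,
    the user can only reroll, and the server stores a salted scrypt hash,
    never the phrase itself. (Hypothetical class, constructed for this example.)"""

    def __init__(self, min_bits: float = 64.0, wordlist=WORDLIST):
        self.wordlist = wordlist
        self.min_bits = min_bits
        # Word count is derived from the entropy floor, not hard-coded.
        self.n_words = words_needed(min_bits, len(wordlist))
        self._pending = {}   # username -> passphrase shown but not yet accepted
        self._accounts = {}  # username -> (salt, scrypt hash)

    def issue(self, username: str) -> str:
        phrase = generate_passphrase(self.n_words, self.wordlist)
        self._pending[username] = phrase
        return phrase

    def reroll(self, username: str) -> str:
        """The only choice the user gets: a fresh phrase, never a custom one."""
        if username not in self._pending:
            raise KeyError("no registration in progress for this user")
        return self.issue(username)

    def accept(self, username: str, chosen: str) -> None:
        # Reject anything the service did not itself issue; this is what
        # enforces "no arbitrary passwords" rather than trusting the client.
        pending = self._pending.get(username, "")
        if not secrets.compare_digest(pending.encode(), chosen.encode()):
            raise ValueError("passphrase was not issued by this service")
        salt = os.urandom(16)
        self._accounts[username] = (salt, self._hash(chosen, salt))
        del self._pending[username]

    def verify(self, username: str, candidate: str) -> bool:
        if username not in self._accounts:
            return False
        salt, stored = self._accounts[username]
        return secrets.compare_digest(stored, self._hash(candidate, salt))

    @staticmethod
    def _hash(phrase: str, salt: bytes) -> bytes:
        # Memory-hard KDF so an offline attack on a stolen table stays expensive.
        return hashlib.scrypt(phrase.encode(), salt=salt, n=2**14, r=8, p=1)


if __name__ == "__main__":
    flow = RegistrationFlow(min_bits=64.0)
    first = flow.issue("alice")
    second = flow.reroll("alice")
    flow.accept("alice", second)
    print(second, "->", flow.verify("alice", second))
```

With the 16-word demo list a 64-bit floor needs 16 words, which is why real systems use lists in the thousands: a 7776-word list reaches the same floor in 5 words. The reuse problem the comment mentions is addressed by construction, since the phrase is generated per service and the user never types a phrase of their own choosing.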


> Because they don’t really have any other choice. You get a key with the lock. Even if they all happen to be the same blank, it’s substantial work and expense to get them all keyed alike for most people.

You have lots of other choices. You could use combination locks, time locks, biometric security measures, paired keys, etc. The simple key-based lock seems to be particularly simple and accessible to consumers.


There is nothing to remember except to bring the damn keys. Once they're in your pocket, you're done.


Yeah, except physical devices get lost, stolen or damaged. So there needs to be some accounts recovery procedure/alternative auth mechanisms.


...and there are, and they're remarkably similar to what you do with Yubikeys: you have extra keys, and when you lose one, you use the other to get in, and then you invalidate the old keys (although in the physical world, this means getting a new lock and a new set of keys, instead of just getting one new key and removing the lost key as a valid key).


Except you'd have to invalidate a yubikey on countless websites.


I mean, if you're using a key to get in to countless physical things, then you have the same problem.


Do you have countless homes?


I do not.

None of the locks for my home are on a network where you can broadcast key updates either.

I also tend not to have one key that can access my house, my car, my safety deposit box, my safe, my bike, my locker, etc.


True but online accounts are usually in the dozens for most people so that's definitely more of a burden. Also, it's a mental load while physical keys carry the "password" physically.


Which is the magic of UAF: you have one key that opens all the computing doors.


I have hundreds in my password manager.


99 percent of people don't use password managers



