Feeds

back to article Mozilla pushes browser-based alternative to passwords

Mozilla is promoting a browser-based alternative to usernames and passwords for website logins. Browser ID offers a decentralized system for user identification and authentication along the same lines as OpenID. To use BrowserID users first have to create an account with Mozilla. After this users would be able to use the …

COMMENTS

This topic is closed for new posts.
Silver badge
FAIL

Don't change a winning formula

I kinda stopped paying attention after "you only need to register".

Why would you want your data to be kept online somewhere when you could just as easy have it all tucked away on your local PC ?

And before anyone brings up "ease of use"; why don't they simply implement an option which allows us to import and export saved passwords? That way you can easily copy them from your main computer onto your laptop so that you can still easily visit the websites you frequent without having to worry about passwords.

5
0
Silver badge

Because

Some people have more than one device. I use the Firefox's sync feature because it's an easy way to put a bookmark or new password on one pc and automatically see it appear on another pc. The data is encrypted so all Mozilla know is person X has stored some blob of stuff on their server with some datestamp to facilitate synchronizing.

It's much easier than manually exporting bookmarks to some shared location and reimporting them which you could also do if you wanted. There is no UI for doing the same with passwords but you could copy the file from one machine to the other in a similar way. It wouldn't be as easy as sync is though.

1
1
Silver badge
Linux

USB key

I keep my .mozilla dir on a USB key, and just carry it with me. When I plug it in, a udevd script mounts it where necessary. Simple.

0
1
Bronze badge

I still find it more comfortable/safe to have some gpg encrypted files on an ssh-accessible sever and/or export the encrypted files along with keys to my other machines.

0
1

you already can

Firefox Sync already syncs stored passwords between systems. BrowserID is a rather different thing. It doesn't 'store your data online somewhere'.

1
0
Anonymous Coward

LOL

Another idiot that thinks Mozilla invented bookmark syncing...

Opera users were enjoying this for several years before you.

0
2
Gold badge

Passport

Sounds rather similar to the Passport system Microsoft announced which nobody else trusted or wanted.

A central point of failure isn't a good idea, if that database gets hacked then you're screwed.

8
0

it isn't

BrowserID isn't very similar to Passport in design, and does not have a central point of failure. The article's description of it is very inaccurate. See http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in .

1
0
FAIL

Is this the same Passport

that means thiefs are still routinely emptying everyones Xbox Live accounts even today? With Mirosoft seemingly unable to stop them?

0
1
Silver badge
Facepalm

No password, but an email address?

Instead of typing in a password which you keep as a secret, you type in an email address (which you ought to keep secret)? Have I understood this correctly?

0
1
Silver badge
Thumb Down

No

The certificate which identifies the e-mail address is held by the browser and supplied to the Browser ID site when you log in, the Browser ID site verifies the e-mail address and certificate and tells the website that you logged in okay (or not).

2
0
Silver badge

@Dan

SO we only need to hope that the certificate isn't maintained by a company a la DigiNotar.

This really doesn't sound very safe to me.

0
1

held

the certificate is 'held' on your local system only.

1
0
Yag
Joke

Great idea!

I'm looking forward the next step, the Ident-I-Eeze card...

2
0

Sort of like OpenID

but tied to a specific browser and manufacturer? Is there a need?

3
1

no

It's not tied to either, and it differs somewhat from OpenID. See http://identity.mozilla.com/post/7669886219/how-browserid-differs-from-openid .

1
0

Not really seeing the point

Unless you use the same browser at home, at work, on your mobile phone etc. it'll be useless. If you want central password storage things like lastpass work well. There's facebook and twitter authentication, which this is basically competing directly with.

The motivation for accepting a system that's tied to a single browser is what exactly?

0
0

It's not

It's not tied to a single browser. Mozilla never write anything that way, it's just not how they do things. BrowserID would be extremely easy to implement in any client.

1
0

Obligatory xkcd standards post

http://xkcd.com/927/

3
3
Anonymous Coward

or...

why not use public/private keys just like SSH, PuTTY and Pageant. It's trivial (and secure) to give a website your public key, and trivial for the browser (or a plugin running therein) to delegate to Pageant in the same way PuTTY does.

0
0
Bronze badge
FAIL

spam, spam, spam, spam, luv'ly spaaaaam, wonderful spaaaaaam

"To use BrowserID users first have to create an account with Mozilla. After this users would be able to use the technology to enter websites that support BrowserID simply by entering their email address."

Create an account with... Mozilla? Then, I enter a Web site by giving it my... email address?

Ummm.... naaahhh, no thanks.

1
1
FAIL

fail

So, if I use browser ID, it has to be with a compatible website who opts in.

Unlikely that google will go with this, or yahoo.

Or my bank, or my online email account.

Or any of the social networks I visit.

So, having got those most important accounts out the way - ones which would never opt for a browser ID solution with Mozilla, what's left?

No thanks Mozilla, even if all of the above opted into this, the idea of keeping all my passwords with a third party intermediary just seems fraught with danger.

Besides, I use Chrome, as you still persist in churning out a buggy, memory hog of a browser since v4x - and haven't managed to sandbox your tabs yet.

1
3

you don't

You don't 'keep all of your passwords with a third party intermediary'. That isn't how BrowserID works at all. See http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in .

1
0
Bronze badge
Stop

Oh noes, more "decentralized" nonsense

Yes, please let all my passwords be stored in one remote location beyond my control, so they can be hacked, stolen, handed to the NSA, or otherwise lost or compromised at this single point of failure.

Alternatively, I could just save them all in a plain text file, encrypt it, back it up locally, save a copy on a USB thumbdrive, then decrypt it whenever I need reminded of a password.

0
1
Anonymous Coward

Why not support for a dongle?

Why can't we just support a hardware dongle, which would store all my keys, access info, etc., and allow the browser a means to access the dongle to retrieve a session key given the site. That way, *I* control my keys - not Mozilla, not Microsoft, not No Such Agency, not the MAFIAA - ME.

0
0

No support for those...

... that want to register a different email address with each place they register so they can figure out who sold the email address (or was hacked)...

example: my Amazon account is amazonuk.<hexdigits>@<mydomain name here>, my PSN account is PSN.<hexdigits>@<mydomain name here> where digits is a CRC16 of the domain name I'm registering on...

If any of them starts attracting spam, then I have a go at the company that managed to lose my email address...

Presumably one would lose that with BrowserID (as one typically does with OpenID).

0
0

Yes, there is

You can use any amount of different email addresses with BrowserID, though they are of course all different 'identities'.

0
0
Anonymous Coward

Mozilla -

Pound sand, your product sucks ass and I'll never again install anything Mozilla.

Wow that's off my chest, I will never install any Mozilla product on anything ever again.

0
3
FAIL

Terrible report

I can understand the negative comments, because the article describes BrowserID completely and utterly incorrectly.

The neat point of BrowserID is that it *isn't* centralized and does *not* require a sign up with Mozilla. Mozilla is operating the initial verification service because, well, someone has to. But anyone can run one. The system was designed on the idea that email providers will act as verifiers for the addresses they provide.

BrowserID is a pretty elegant design and somewhat different from OpenID, but this article does a piss-poor job of understanding and explaining it. I recommend referring to:

http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in

http://identity.mozilla.com/post/7669886219/how-browserid-differs-from-openid

and the rest of that blog (it's interesting stuff) instead. BrowserID may not succeed, but it's at least an interesting and well-motivated attempt to address a genuine issue. It's not just another silly vendor trying to make a play at the single-sign-in market.

5
0
Silver badge

What about client certificates?

It's part of SSL and can be made to be totally controlled by the user.

1
0
FAIL

No thanks!

This little duck won't be using it.

I'm already in the habit of clearing passwords after sessions, and why would I trust Mozilla anyway?

0
0

Remember your passwords

Erm ... I just remember my passwords. I never save any of them anywhere or on anything. And yes they are good ones. Sorry for being anal retentive :-)

0
0
This topic is closed for new posts.