back to article Mozilla pushes browser-based alternative to passwords

Mozilla is promoting a browser-based alternative to usernames and passwords for website logins. Browser ID offers a decentralized system for user identification and authentication along the same lines as OpenID. To use BrowserID users first have to create an account with Mozilla. After this users would be able to use the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    Don't change a winning formula

    I kinda stopped paying attention after "you only need to register".

    Why would you want your data to be kept online somewhere when you could just as easy have it all tucked away on your local PC ?

    And before anyone brings up "ease of use"; why don't they simply implement an option which allows us to import and export saved passwords? That way you can easily copy them from your main computer onto your laptop so that you can still easily visit the websites you frequent without having to worry about passwords.

    1. DrXym

      Because

      Some people have more than one device. I use the Firefox's sync feature because it's an easy way to put a bookmark or new password on one pc and automatically see it appear on another pc. The data is encrypted so all Mozilla know is person X has stored some blob of stuff on their server with some datestamp to facilitate synchronizing.

      It's much easier than manually exporting bookmarks to some shared location and reimporting them which you could also do if you wanted. There is no UI for doing the same with passwords but you could copy the file from one machine to the other in a similar way. It wouldn't be as easy as sync is though.

      1. Gene Cash Silver badge
        Linux

        USB key

        I keep my .mozilla dir on a USB key, and just carry it with me. When I plug it in, a udevd script mounts it where necessary. Simple.

      2. eulampios

        I still find it more comfortable/safe to have some gpg encrypted files on an ssh-accessible sever and/or export the encrypted files along with keys to my other machines.

      3. Anonymous Coward
        Anonymous Coward

        LOL

        Another idiot that thinks Mozilla invented bookmark syncing...

        Opera users were enjoying this for several years before you.

    2. AdamWill

      you already can

      Firefox Sync already syncs stored passwords between systems. BrowserID is a rather different thing. It doesn't 'store your data online somewhere'.

  2. Giles Jones Gold badge

    Passport

    Sounds rather similar to the Passport system Microsoft announced which nobody else trusted or wanted.

    A central point of failure isn't a good idea, if that database gets hacked then you're screwed.

    1. AdamWill

      it isn't

      BrowserID isn't very similar to Passport in design, and does not have a central point of failure. The article's description of it is very inaccurate. See http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in .

    2. Anonymous Coward
      FAIL

      Is this the same Passport

      that means thiefs are still routinely emptying everyones Xbox Live accounts even today? With Mirosoft seemingly unable to stop them?

  3. frank ly
    Facepalm

    No password, but an email address?

    Instead of typing in a password which you keep as a secret, you type in an email address (which you ought to keep secret)? Have I understood this correctly?

    1. Dan 55 Silver badge
      Thumb Down

      No

      The certificate which identifies the e-mail address is held by the browser and supplied to the Browser ID site when you log in, the Browser ID site verifies the e-mail address and certificate and tells the website that you logged in okay (or not).

      1. Anonymous Coward
        Anonymous Coward

        @Dan

        SO we only need to hope that the certificate isn't maintained by a company a la DigiNotar.

        This really doesn't sound very safe to me.

        1. AdamWill

          held

          the certificate is 'held' on your local system only.

  4. Yag
    Joke

    Great idea!

    I'm looking forward the next step, the Ident-I-Eeze card...

  5. Aaron Em

    Sort of like OpenID

    but tied to a specific browser and manufacturer? Is there a need?

    1. AdamWill

      no

      It's not tied to either, and it differs somewhat from OpenID. See http://identity.mozilla.com/post/7669886219/how-browserid-differs-from-openid .

  6. TonyHoyle

    Not really seeing the point

    Unless you use the same browser at home, at work, on your mobile phone etc. it'll be useless. If you want central password storage things like lastpass work well. There's facebook and twitter authentication, which this is basically competing directly with.

    The motivation for accepting a system that's tied to a single browser is what exactly?

    1. AdamWill

      It's not

      It's not tied to a single browser. Mozilla never write anything that way, it's just not how they do things. BrowserID would be extremely easy to implement in any client.

  7. Studley

    Obligatory xkcd standards post

    http://xkcd.com/927/

  8. Anonymous Coward
    Anonymous Coward

    or...

    why not use public/private keys just like SSH, PuTTY and Pageant. It's trivial (and secure) to give a website your public key, and trivial for the browser (or a plugin running therein) to delegate to Pageant in the same way PuTTY does.

  9. Mike Flugennock
    FAIL

    spam, spam, spam, spam, luv'ly spaaaaam, wonderful spaaaaaam

    "To use BrowserID users first have to create an account with Mozilla. After this users would be able to use the technology to enter websites that support BrowserID simply by entering their email address."

    Create an account with... Mozilla? Then, I enter a Web site by giving it my... email address?

    Ummm.... naaahhh, no thanks.

  10. Anonymous Coward
    FAIL

    fail

    So, if I use browser ID, it has to be with a compatible website who opts in.

    Unlikely that google will go with this, or yahoo.

    Or my bank, or my online email account.

    Or any of the social networks I visit.

    So, having got those most important accounts out the way - ones which would never opt for a browser ID solution with Mozilla, what's left?

    No thanks Mozilla, even if all of the above opted into this, the idea of keeping all my passwords with a third party intermediary just seems fraught with danger.

    Besides, I use Chrome, as you still persist in churning out a buggy, memory hog of a browser since v4x - and haven't managed to sandbox your tabs yet.

    1. AdamWill

      you don't

      You don't 'keep all of your passwords with a third party intermediary'. That isn't how BrowserID works at all. See http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in .

  11. Homer 1
    Stop

    Oh noes, more "decentralized" nonsense

    Yes, please let all my passwords be stored in one remote location beyond my control, so they can be hacked, stolen, handed to the NSA, or otherwise lost or compromised at this single point of failure.

    Alternatively, I could just save them all in a plain text file, encrypt it, back it up locally, save a copy on a USB thumbdrive, then decrypt it whenever I need reminded of a password.

  12. Anonymous Coward
    Anonymous Coward

    Why not support for a dongle?

    Why can't we just support a hardware dongle, which would store all my keys, access info, etc., and allow the browser a means to access the dongle to retrieve a session key given the site. That way, *I* control my keys - not Mozilla, not Microsoft, not No Such Agency, not the MAFIAA - ME.

  13. Oor Nonny-Muss

    No support for those...

    ... that want to register a different email address with each place they register so they can figure out who sold the email address (or was hacked)...

    example: my Amazon account is amazonuk.<hexdigits>@<mydomain name here>, my PSN account is PSN.<hexdigits>@<mydomain name here> where digits is a CRC16 of the domain name I'm registering on...

    If any of them starts attracting spam, then I have a go at the company that managed to lose my email address...

    Presumably one would lose that with BrowserID (as one typically does with OpenID).

    1. AdamWill

      Yes, there is

      You can use any amount of different email addresses with BrowserID, though they are of course all different 'identities'.

  14. Anonymous Coward
    Anonymous Coward

    Mozilla -

    Pound sand, your product sucks ass and I'll never again install anything Mozilla.

    Wow that's off my chest, I will never install any Mozilla product on anything ever again.

  15. AdamWill
    FAIL

    Terrible report

    I can understand the negative comments, because the article describes BrowserID completely and utterly incorrectly.

    The neat point of BrowserID is that it *isn't* centralized and does *not* require a sign up with Mozilla. Mozilla is operating the initial verification service because, well, someone has to. But anyone can run one. The system was designed on the idea that email providers will act as verifiers for the addresses they provide.

    BrowserID is a pretty elegant design and somewhat different from OpenID, but this article does a piss-poor job of understanding and explaining it. I recommend referring to:

    http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in

    http://identity.mozilla.com/post/7669886219/how-browserid-differs-from-openid

    and the rest of that blog (it's interesting stuff) instead. BrowserID may not succeed, but it's at least an interesting and well-motivated attempt to address a genuine issue. It's not just another silly vendor trying to make a play at the single-sign-in market.

  16. Christian Berger

    What about client certificates?

    It's part of SSL and can be made to be totally controlled by the user.

  17. Graham Wilson
    FAIL

    No thanks!

    This little duck won't be using it.

    I'm already in the habit of clearing passwords after sessions, and why would I trust Mozilla anyway?

  18. Fatty Eglon

    Remember your passwords

    Erm ... I just remember my passwords. I never save any of them anywhere or on anything. And yes they are good ones. Sorry for being anal retentive :-)

This topic is closed for new posts.