LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Per-Device Passwords

Per-Device Passwords

Posted Aug 4, 2011 12:37 UTC (Thu) by Comet (subscriber, #11646)
In reply to: Per-Device Passwords by wtogami
Parent article: Password storage on Android devices

Except the "application-specific passwords" are not application or device specific. They never get locked down to be for the application with which they're first used.

So if you create 3 app-specific passwords, you've created three passwords which have access to any of your Google services, bypassing the two-factor auth you may have setup. Sure, Google's auth system will only show you those passwords once, but if they're stolen from a device, game over.

Until Google start locking down those passwords so that they're only valid for accessing the service with which they're first used, they're a gaping hole; their only redeeming attribute is that the passwords have better entropy than most humans will typically choose.

Ideally, the app-specific passwords would have a checkbox, "needs to be a secure signature upon this password", so that a signing-key stored in a TPM could sign the password, nonce and a timestamp, then send all but the password. Publish the algorithm. Then the unchecked passwords are still as exposed, so if you're using a third-party app you have a problem, but anyone writing software with custom support could get something halfway decent.

But by this point you're half-way towards OAUTH and long-term issued credentials anyway. So don't do the custom schemes but accept the need to implement the crazy.

(Log in to post comments)

Per-Device Passwords

Posted Aug 4, 2011 13:36 UTC (Thu) by pj (subscriber, #4506) [Link]

OAUTH + some management seems to be the answer I think would be fine:

1) OAUTH so that no app has my actual password, they have essentially per-app passwords

2) management somewhere (my OAUTH provider?) that will let me de-auth all the passwords associated with my device in case it's lost.

Though honestly, I'd be pretty happy with just 1. first-use-time login and 2. a decent phone lock-screen.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds