
Per-Device Passwords

Posted Aug 4, 2011 12:37 UTC (Thu) by Comet (subscriber, #11646)
In reply to: Per-Device Passwords by wtogami
Parent article: Password storage on Android devices

Except the "application-specific passwords" are not application or device specific. They never get locked down to be for the application with which they're first used.

So if you create 3 app-specific passwords, you've created three passwords which have access to any of your Google services, bypassing the two-factor auth you may have set up. Sure, Google's auth system will only show you those passwords once, but if they're stolen from a device, game over.

Until Google start locking down those passwords so that they're only valid for accessing the service with which they're first used, they're a gaping hole; their only redeeming attribute is that the passwords have better entropy than most humans will typically choose.

Ideally, the app-specific passwords would have a checkbox, "needs to be a secure signature upon this password", so that a signing-key stored in a TPM could sign the password, nonce and a timestamp, then send all but the password. Publish the algorithm. Then the unchecked passwords are still as exposed, so if you're using a third-party app you have a problem, but anyone writing software with custom support could get something halfway decent.

But by this point you're half-way towards OAUTH and long-term issued credentials anyway. So don't do the custom schemes but accept the need to implement the crazy.

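The scheme Comet sketches above (sign the password, a nonce and a timestamp with a device-resident key, then send everything except the password), as an added illustration that is not part of the comment or of any Google API. A TPM key cannot be read by software, so an HMAC key held by both sides stands in for it here; the constant names, the replay set and the 30-second freshness window are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example values (assumptions, not from the page). In a real
# deployment the device key would live in the TPM and only the verifier
# would hold the corresponding public key.
DEVICE_KEY = secrets.token_bytes(32)       # TPM signing-key stand-in
APP_PASSWORD = "abcd-efgh-ijkl-mnop"       # app-specific password, never sent
MAX_SKEW = 30                              # seconds a timestamp is accepted

def device_sign(key, password, nonce, ts):
    """Device side: MAC over password||nonce||timestamp (the 'signature')."""
    msg = b"|".join([password.encode(), nonce, str(ts).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_request(key, password, now=None):
    """What actually goes on the wire: nonce, timestamp and signature only."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_bytes(16)
    return {"nonce": nonce, "ts": ts, "sig": device_sign(key, password, nonce, ts)}

class Verifier:
    """Server side: knows the device key and the password bound to it."""

    def __init__(self, key, password):
        self.key, self.password = key, password
        self.seen = set()                  # accepted nonces, to reject replays

    def verify(self, req, now=None):
        now = now if now is not None else time.time()
        if abs(now - req["ts"]) > MAX_SKEW:
            return False                   # stale or future-dated request
        if req["nonce"] in self.seen:
            return False                   # captured transcript replayed
        expected = device_sign(self.key, self.password, req["nonce"], req["ts"])
        if not hmac.compare_digest(expected, req["sig"]):
            return False                   # wrong password or wrong device key
        self.seen.add(req["nonce"])
        return True
```

A stolen request yields the nonce, timestamp and MAC but not the password, and cannot be replayed past the freshness window or a second time within it.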

Per-Device Passwords

Posted Aug 4, 2011 13:36 UTC (Thu) by pj (subscriber, #4506)

OAUTH + some management seems to be the answer I think would be fine:

1) OAUTH so that no app has my actual password, they have essentially per-app passwords

2) management somewhere (my OAUTH provider?) that will let me de-auth all the passwords associated with my device in case it's lost.

Though honestly, I'd be pretty happy with just 1. first-use-time login and 2. a decent phone lock-screen.

Copyright © 2017, Eklektix, Inc.