Passwords Can Rot

Passwords are a very standard method of authenticating users. Password authentication is subject to loss or disclosure as well as loads of different types of attacks. See you in hell, password-based authentication: it's 2009 and better methods have been known for years. What's the hold-up on using certificates for positive authentication and identification?

Many of today's Internet services are offered over SSL or TLS secured connections. With these, the server side (HTTPS, SMTPS, IMAPS, etc.) can request a certificate from the client for authentication. Simply give a client a certificate and there it is. If the certificate is lost or otherwise disclosed, add it to the CRL and issue a new one.

Here's an example of securing a web application on Apache with mod_ssl, our local certificate authority and a few simple configuration options. This same method applies to many web services, such as online banking and web-based email. Most email clients support SSL/TLS for SMTP, POP3 and IMAP, so certificates can be used there as well.
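To show the "local certificate authority" and the lost-certificate workflow from the previous two paragraphs end to end, here is an added example script (not from the original post, and not the blog's own CA setup) that drives `openssl ca`: it creates a throwaway CA, issues a client certificate, revokes it onto a CRL, and re-issues. The directory layout, the `ca.cnf` contents and the client name `alice` are all constructed for the example; the verification step mimics what mod_ssl does when `SSLVerifyClient require` is combined with `SSLCACertificateFile` and `SSLCARevocationFile`.

```shell
#!/bin/sh
# Added example: a minimal local CA with revocation, driven entirely by openssl(1).
set -eu

# ca_setup DIR : create the openssl-ca database layout, a self-signed CA cert and an empty CRL
ca_setup() {
    d="$1"
    mkdir -p "$d/newcerts"
    : > "$d/index.txt"          # certificate database (empty)
    echo 01 > "$d/serial"       # next certificate serial
    echo 01 > "$d/crlnumber"    # next CRL number
    # Constructed config for the `openssl ca` subcommand (not a system file).
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir              = $d
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
unique_subject   = no

[ any_policy ]
commonName = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/CN=Example Local CA" >/dev/null 2>&1
    # Publish an (empty) CRL right away so CRL checking works before any revocation.
    openssl ca -batch -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" >/dev/null 2>&1
}

# ca_issue DIR NAME : generate a client key + CSR and sign it -> DIR/NAME.crt (the file handed to the user)
ca_issue() {
    d="$1"; n="$2"
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$d/$n.key" -out "$d/$n.csr" \
        -subj "/CN=$n" >/dev/null 2>&1
    openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/$n.csr" -out "$d/$n.crt" >/dev/null 2>&1
}

# ca_revoke DIR CERT : mark CERT revoked in the database and regenerate the CRL
# (this is the "lost or otherwise disclosed" case: revoke, then ca_issue a fresh one)
ca_revoke() {
    d="$1"; c="$2"
    openssl ca -batch -config "$d/ca.cnf" -revoke "$c" >/dev/null 2>&1
    openssl ca -batch -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" >/dev/null 2>&1
}

# ca_verify DIR CERT : exit 0 if CERT chains to our CA and is not on the CRL, non-zero otherwise.
# Equivalent to what mod_ssl checks with SSLCACertificateFile + SSLCARevocationFile.
ca_verify() {
    d="$1"; c="$2"
    openssl verify -crl_check -CAfile "$d/ca.crt" -CRLfile "$d/ca.crl" "$c" >/dev/null 2>&1
}

# Demo run: `sh thisfile.sh demo`
if [ "${1:-}" = demo ]; then
    D=$(mktemp -d)
    ca_setup "$D"
    ca_issue "$D" alice
    ca_verify "$D" "$D/alice.crt" && echo "alice.crt: valid"
    ca_revoke "$D" "$D/alice.crt"
    ca_verify "$D" "$D/alice.crt" || echo "alice.crt: REVOKED (on CRL)"
    ca_issue "$D" alice
    ca_verify "$D" "$D/alice.crt" && echo "re-issued alice.crt: valid"
fi
```

The files this produces map directly onto the Apache side of the example: `ca.crt` goes in `SSLCACertificateFile`, `ca.crl` in `SSLCARevocationFile` (with `SSLVerifyClient require` and a small `SSLVerifyDepth`), and `alice.key` plus `alice.crt` are what the user installs in the browser or mail client. The one operational caveat is that the server only sees a revocation once the regenerated `ca.crl` has actually been copied to it and Apache reloaded, so the CRL publishing step belongs in whatever process handles the "lost certificate" call.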

There is a minor data and service management overhead, but it makes the Internet a safer place.

http://blog.edoceo.com/