Move from Token+Passphrase to Passphrase-only login?

dcposch commented 11 years ago

This has a lot of interesting implications.

Pros

It would improve anonymity. Given prompt for User+Passphrase, most people will enter a username that identifies them uniquely by their real name---like "jibbers.mcgee"---or a username that they're accustomed to using on other sites. Either way, their identity is transparent to a central adversary.
It would create a radical login screen. Prompt for Passphrase, button for Enter, nothing else.
It would force users to pick real passphrases. If you choose a normal password, someone else will someday chose the same, and instead of creating an account, they'll just log right into yours.
Cons
That last scenario is not actually a good thing
This might hurt adoption with a wider audience

jaekwon commented 11 years ago

The client could optionally generate a strong passphrase with words from a dictionary, and allow the user to enter a custom passphrase if they know what they're doing.

dcposch commented 11 years ago

That's a great idea. I will pursue that even for the current, token+passphrase login system.

On Fri, Aug 30, 2013 at 1:44 PM, jaekwon notifications@github.com wrote:

The client could optionally generate a strong passphrase with words from a dictionary, and allow the user to enter a custom passphrase if they know what they're doing.

— Reply to this email directly or view it on GitHubhttps://github.com/dcposch/scramble/issues/7#issuecomment-23588093 .

dcposch commented 11 years ago

Not doing passphrase-only login. (Still doing what Jaekwon suggested, creating that as a separate issue.)

dcposch / scramble

Move from Token+Passphrase to Passphrase-only login? #7

Pros

Cons