Security Squid: Difference between revisions
Revision as of 21:54, 25 December 2022
Security Squid is the name for a hardware-based password manager inspired by the mooltipass hardware security manager (https://www.themooltipass.com/), but with a different set of design goals that diverged from the final mooltipass products. It essentially imagines the same core functionality, but with a very different set of goals for some aspects of security and for all of the UX.
Brainstorming
In no particular order, here is a set of things which are important to security squid:
On Passwords
- Passwords are a good security mechanism compared to the other choices!
- Every password should be strong.
- Every password should be unique per use case (e.g. one password per website/host/etc.). This is generally solved by using a password manager, and security squid should be no different!
- Passwords can be shared. Note that this is both a positive and a negative! For users, being able to share a password can be helpful: I don't care if my friend knows my password to some random pizza shop, and I might actively want to share Netflix (or similar) passwords. For owners of websites like Netflix, where users sharing passwords directly impacts revenue, this is a negative.
- Passwords separate who a user is from what a user knows. This also has positives and negatives: for users, it means they can do things like have many concurrent accounts, since their identity isn't linked to their account security.
- Passwords can be backed up, in contrast to something like U2F.
- Passwords can be changed cheaply.
- Providing a password doesn't involve sharing additional, hard-to-change personal info. I don't want to provide a cell phone number to every website!
On UX
- Every security mechanism is only as good as its UX: very secure things with a terrible UX will be ignored or bypassed.