11 Comments


  1. … if you work with people who speak another language …

    Another? Not sure when speaking English (American version) as your first language was a prerequisite for using the internet…
  2. Ted Clayton

    @Kevinjohn Gallagher

    No Languages Were Harmed®, in the production of this post.

    Esperanto came onto the scene in 1887.

    Nowadays Esperanto is seen by Esperantists as an alternative to the growing use of English throughout the world, offering a language that is easier to learn than English, and can also help preserve cultural heritage that can be endangered by English.

    That the English language plays the role it plays (for better & worse) is a social dynamic, rising to occasional minor drama, that predates the Internet by a couple centuries.

    Actually … as computer type setting and then outright digital printing literally snatched the great Chinese script & ultimately the language itself from the brink of extinction … the Internet & WordPress (and Linux) make a substantially more than passing contribution to everything-not-English.


  3. @Kevinjohn Gallagher – I work with teams from other countries frequently, including from China. Not everyone speaks English as a prerequisite. I’ve often had to explain technical processes via interpreter. Every little bit that can help the content creation process get easier for everyone, I’m all for it.


  4. Earlier today, I just said to myself something along the lines of “Self, I wonder if there’s any way I could use my RSA keyfob or some other token to log in to my blogs?”

    After thinking it through for a while, I figured it wouldn’t work too well because I use too many computers, and I may not always have my keyfob (or phone, in the case of Launchkey) in front of me.

    I didn’t consider the problem with multiple blogs to log into, but that’s a valid concern too.

    At least it’s nice to see that people are thinking about the same things I am.


  5. Interesting that you had so many problems – we also installed and reviewed the LaunchKey WordPress Plugin as soon as it was released as part of a series of tests and reviews of the LaunchKey system and did not experience any of the issues when installing it. With the constant attacks against the login processes of all types of websites, but WordPress and Joomla especially, a change to passwordless login systems is imperative. We have been using it on a couple of WP websites ever since, without any issues at all, so would encourage people to try it themselves.

    We do however agree that the issue of the iPhone app identifying the authentication request as coming from “Launchkey OAuth” rather than the specific site can get confusing and this is something that needs to be sorted out as soon as possible and is something that the developers told us via Twitter will be sorted.


  6. @Havenswift Hosting – What can I say? It took an hour to get working. I’ve installed and tested over 10,000 plugins in the last 9 years, and I have a good grasp on how to get them working. It could have been hosting authentication, the app itself, or any number of factors that took forever to get going on Launchkey. Either way, Clef is my new standard for remote device login.


  7. @marcuscouch sounds like you had a bad experience with your installation but wanted to ensure your readers had a different perspective from successful testing and implementation across multiple websites. Launchkey, Clef and a few other similar systems are addressing a real need to change the way we think about logging into websites which is great, so each should be applauded and supported – which one is used should come down to personal choice as with other functionality covered by multiple plugins. Launchkey does remove the password completely from user accounts that are paired with a phone which removes the ability for the account to be hacked at all. In addition, it also has the optional authentication factors like an in-app combo or PIN lock in addition to geofencing which is the ability to restrict authentication within a specified geographical boundary. These three points make Launchkey better in our view than any other system currently available, but using any system that introduces multi-factor authentication is infinitely better than relying on username and passwords.

  8. Ted Clayton

    @Havenswift Hosting said:

    “With the constant attacks against the login processes of all types of websites, but WordPress and Joomla especially, a change to password less login systems is imperative.

    We have been using it on a couple of WP websites …”

    The exploits against login processes are mainly a matter of walking through the mall parking lot, glancing into vehicles for folks’ keys hanging in the ignition.

    While there are elaborations of & alternatives to the login facility, and some are likely to be useful in some settings, an across-the-board abandonment of traditional password & username hardly seems an “imperative”. It doesn’t even sound very smart.

    A security measure used “on a couple” Internet sites enjoys what is known as “Security Through Obscurity”. The bad guys are not aware of it (and it’s too uncommon if they are), and thus are not putting any effort into subverting it. With success, and widespread deployment, comes the more-realistic test of its robustness.

    @Havenswift Hosting later asserts:

    … [A]ny system [such as Launchkey] that introduces multi-factor authentication is infinitely better than relying on username and passwords.

    While increased complexity does or can make it harder – initially – to conquer a security device, it also creates more opportunities for manipulation. If the multi-factorial aspect was the answer, Microsoft and Internet Explorer would have been bullet-proof, all along.

    Again, yes, there are pluses & minuses to be found or created, between different approaches or solutions, but “infinitely better”, like imperative, misstates the situation.


  9. @Ted Clayton says

    The exploits against login processes are mainly a matter of walking through the mall parking lot, glancing into vehicles for folks’ keys hanging in the ignition.

    Yes of course this is often the case but in many ways these are exactly the sort of people that multi factor protection should help the most. How many people use very simple, easily guessed passwords and then use them on multiple websites. Of course these same people may never do anything different or put any additional protection in place, unless it is forced on them rather than being an opt in as it is on a few sites now. We could of course just tell them to not bother with any sort of password, in fact let’s not even bother with any login protection to admin functionality at all.

    Are you able to say without question that every single password you have ever used on every website is a “strong” password and is unique on every single website? Even if this is the case (Can anyone ever say this?) then if you read the recent research and results of hacking conferences, it is clear that even complex sentence type passwords can be and are being cracked.

    an across-the-board abandonment of traditional password & username hardly seems an “imperative”. It doesn’t even sound very smart.

    How is it not smart? Any additional login protection has got to be a good thing. In addition to single website logins being easily cracked due to simple passwords, what about the multitude of hacks into huge websites where millions of user passwords have been publicly posted along with associated email addresses and usernames – these same login details are then used to try and hack into a multitude of other websites.

    A security measure used “on a couple” Internet sites enjoys what is known as “Security Through Obscurity”. The bad guys are not aware of it (and it’s too uncommon if they are), and thus are not putting any effort into subverting it. With success, and widespread deployment, comes the more-realistic test

    This plugin is new and we said “we” had used it on a few websites but there have been plenty of other installations but of course it hasn’t yet been extensively tested. Of course the more it is used, the more it is targeted, that is the whole history of Windows and one that Android devices are now discovering. Are you advocating not doing anything different because it is new!

    If the multi-factorial aspect was the answer, Microsoft and Internet Explorer would have been bullet-proof, all along.

    Many large organisations are now introducing two factor authentication but regardless of this, IE security has little to do with this, so unclear what your point is here.

  10. Ted Clayton

    @Havenswift Hosting replied;

    How is it not smart?

    First, for the same reason that taking the locks out of cars is not smart: the key-lock, like the login, works as intended. All that is asked, is that we actually use them. Both are quite effective, simple and familiar. The suggested response being promoted here, is to replace the part of the system that is not broken; that is functioning correctly & as-designed.

    Are you advocating not doing anything different because it is new!

    No, no – not at all! Like most of us here, I got a serious genetic thing going on for the new. Bring it on! :)

    No; I’m protesting the “imperative”, and the “infinitely better” angle. I think that your tool, and others responding to the same perceived needs, have potential and will find roles. I just can’t see … demanding that we go ripping the whole steering column outa the car, because some folks leave the key in the lock.

    Let’s talk a few moments about who “these” people are, with the bogus passwords & usernames. The big brute-force bot-net going around these days, glancing for the keys in the ignition …. it focuses on advanced, powerful, professional accounts. It hunts for the accounts of those who really & truly should know better. We aren’t talking about ‘little’ people, the twits that we’ll never get through to.

    Oh, no …. we are in fact talking about the super-elite domain-provider who left their top-level keys dangling from the steering column, necessitating that the New York Times and dozens of other tip-top domains on the planet, had to disable their DNS servers. In recent days. After the 100,000-strong bot-net got our hair all pointy.

    We are talking here about WordPress itself, and even Matt Mullenweg himself, who for years made the username on ALL installations, “admin”. You couldn’t change it to something better. Right now, we have important Network Administrators online with serious responsibilities …. whose username was automatically set to “admin”, when they first installed the product, years ago.

    Simpler, incremental, proven improvements are immediately at hand. Evolution is preferable to Revolution. The scourge of weak usernames & passwords is easily ameliorated, by including some nice prompts & wizard-action at the Login. We can gently guide people to make better use of the “perfectly good tool”, already at their disposal …. and we should take those steps, before we either blame the tool that is not at fault, or scapegoat all “these” piddly users … who after all, really aren’t the scarier part of the laxity-phenomenon.


  11. @Ted Clayton

    Firstly, LaunchKey is not our tool and we have no connection whatsoever to the company that developed this or any other similar type of password less login tool.

    the key-lock, like the login, works as intended. Both are quite effective, simple and familiar. The suggested response being promoted here, is to replace the part of the system that is not broken; that is functioning correctly & as-designed.

    Simple and familiar doesn’t mean they can’t be improved on as can be seen by the large number of adopters of two factor authentication to add security to password based systems. These are and will continue to become more common and it won’t be long before this type of additional security becomes mandatory rather than optional on certain sites. To use your analogy, key-lock systems obviously don’t work by themselves as almost no car uses a standard old fashioned key – electronic keys backed up by immobilisers are widespread.

    The big brute-force bot-net going around these days, glancing for the keys in the ignition …. it focuses on advanced, powerful, professional accounts. It hunts for the accounts of those who really & truly should know better.

    That simply isn’t true – almost all recent bot-net attacks go after any website using the targeted software. We have seen this across numerous WP sites but there are plenty of other reputable large studies showing this.

    The recent DNS issues with certain selected domains such as Twitter and the New York Times were completely different and in fact that experience completely supports the argument that the username / password system isn’t robust.

    Melbourne IT, who were the domain name registrar through whom access was achieved, said that one of their reseller’s log-in credentials had been obtained, and that with them, the SEA could enter through the “front door” and carry out the attack.

    “If you’ve got a valid user name and password,” chief executive Theo Hnarakis told ABC (Australia), “the assumption from our systems is that you are the authorised owner and user of that domain name.”

    Of course continuing to use “admin” or any of a number of other common usernames is stupid and even without it being forced on users any longer by WP, it doesn’t stop people from using them and whatever prompts are shown to people will not stop this. Another big problem is that very few people use completely randomised strong passwords made up of upper and lower case letters, numbers and special characters and yet we all still believe nobody can ever guess the password. This is mainly down to the large number of websites that people need to login to now – it is physically impossible to remember completely different usernames and passwords for every single site.

    This is where systems like LaunchKey, Clef and others really come into their own. For LaunchKey, you only need to remember one username across any website that uses that same system and no password. Access is then protected by a variety of multi factor authentications.

    If you want to carry on using usernames and passwords, then of course you are free to do so, that is the benefit of the WP plugin system!

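Comments 10 and 11 above both land on the same incremental fix: steer users away from default usernames such as “admin” and towards randomised passwords that mix upper- and lower-case letters, digits and special characters, and remember that credentials leaked from one site get replayed against others. The following is an added example of what such a check at signup or login could look like; it is not code from the original post, from any of the commenters, or from LaunchKey, Clef or WordPress. The default-username set, the leaked-password list and the thresholds are constructed for the example; a real deployment would feed it the usernames seen in its own brute-force logs and a full breach corpus.

```python
"""Login-hygiene checks for a WordPress-style signup or login form.

Added example, not the original post's or any commenter's code. It implements the
two suggestions from the thread: flag default account names that brute-force bots
try first, and require long, randomised passwords that use several character
classes. It also rejects passwords found in a (constructed) leaked-password list,
since breached credentials are replayed against unrelated sites.
"""
import math
import string
from dataclasses import dataclass, field

# Constructed sample data for the example. A real deployment would load the
# account names actually hammered in its own auth logs and a large breach list.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test", "user", "wordpress"}
LEAKED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}

# Assumed policy thresholds, chosen for the example.
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 60.0


@dataclass
class Verdict:
    ok: bool
    entropy_bits: float
    problems: list = field(default_factory=list)


def estimate_entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming each character was drawn uniformly from
    the union of the character classes the password actually uses. This is
    generous (it rewards 'Password1!' more than it deserves), which is why the
    leaked-password and username-in-password checks below are still needed."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        pool += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        pool += len(string.digits)
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_username(username: str) -> list:
    """Prompt the user away from the names that bots try first."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append(f"username '{username}' is a default account name that bots try first")
    return problems


def check_password(password: str, username: str) -> tuple:
    """Return (entropy_bits, problems) for a candidate password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"password is shorter than {MIN_LENGTH} characters")
    classes = {
        "lower-case letter": any(c in string.ascii_lowercase for c in password),
        "upper-case letter": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("password is missing: " + ", ".join(missing))
    if password.lower() in LEAKED_PASSWORDS:
        problems.append("password appears in a known breach list and will be tried by bots")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    entropy = estimate_entropy_bits(password)
    if entropy < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy {entropy:.1f} bits is below {MIN_ENTROPY_BITS:.0f}")
    return entropy, problems


def evaluate_credentials(username: str, password: str) -> Verdict:
    """Combine both checks into one verdict a login wizard could display."""
    problems = check_username(username)
    entropy, pw_problems = check_password(password, username)
    problems.extend(pw_problems)
    return Verdict(ok=not problems, entropy_bits=entropy, problems=problems)


if __name__ == "__main__":
    # Constructed sample credentials, from the thread's own bad example upward.
    for user, pw in [("admin", "password"), ("editor", "Editor2013!!!!"), ("marcus", "T7#kq!Wz9$pLm2vB")]:
        v = evaluate_credentials(user, pw)
        print(f"{user!r}: {'ok' if v.ok else 'rejected'} ({v.entropy_bits:.1f} bits)")
        for p in v.problems:
            print("   -", p)
```

The entropy figure is deliberately an upper bound, so it never rescues a password that fails the breach-list or username checks; the list of problems, rather than a single pass/fail, is what a login prompt would show so the user knows which habit to change.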
