
  2. 5

    The executive branch of the US Government got rid of passwords a long time ago as part of Homeland Security Presidential Directive 12 (HSPD-12) of August of 2004. Almost all agencies within the executive branch switched to using Personal Identification and Verification (PIV) smartcards, which have X.509v3 certificates issued by the Federal PKI (FPKI) and RSA private keys. The US Department of Defense was already using Common Access Cards (CAC) which were very similar to the PIV cards, and after NIST standardized PIV as NIST SP 800-73, the DOD updated their CACs to be PIV-compliant.

    WebAuthn/U2F are all newer than the migration to PIV (and they are compatible). I maintain PIV/CAC middleware called CACKey ( https://cackey.rkeene.org ) and I’ve been thinking of adding WebAuthn support.

    The DOJ should be a part of the executive branch of the US Government so they should not be using passwords, and their statistics for HSPD-12 compliance look pretty good: https://www.justice.gov/archives/us-hspd-12-piv-card-issuance-statistics

    So, why they had passwords is interesting, but it is (in my experience) an anomaly.

    1. 4

      TLDR: Use single sign-on.

      Doesn’t seem like a good article.

      Not understanding Kerckhoff

      This is exacerbated by the trend to use your email address as your user name, which means that one part of your secure login information is now public, leaving your password as the only line of defense.

      Another weird idea: changing passwords helps the attacker

      it’s no longer necessary to change passwords every 90 days, mainly because that only provides hackers with a fresh supply of old passwords to try when they attack,

      1. 1

        Doesn’t enforcing regular password changes tend to steer people towards simpler passwords that are more easily memorised? Unless they are using a password manager.

        1. 0

          Not understanding Kerckhoff

          This is exacerbated by the trend to use your email address as your user name, which means that one part of your secure login information is now public, leaving your password as the only line of defense.

          Author probably meant that with login/password auth an attack can be targeted at a certain group of users, given you know their logins (emails). At least that’s how I understand the problem. Also, having read the Wikipedia article on Kerckhoff principle, I don’t think it’s related to the topic. Disclaimer: I am not a cryptographer.

          1. 1

            The idea behind Kerckhoff is that only the key should be considered secret and the rest public so that an analysis can easily determine what the attacker knows and what he must not know.

            It should prevent security by obscurity like having a secret design which can however be reverse engineered.

            I cannot think of any attack that is stopped by lack of knowledge of a username. If you have leaked passwords you probably have the usernames. Remote brute-force should never work anyway. If anybody has an idea, I would love to hear it! I can only think of marginal utility for social engineering types of things…