A couple of articles caught my attention, both concerning the Holy Grail of Internet commerce and enterprise computing, single-sign on:

So Many Passwords, So Little Memory
High-stakes venture

OneSign 2.6 costs $15,999 to $24,995 for a box to manage user’s passwords. It is not a magic universal box that automagically supports all applications, support must be provided for each one. (And why do businesses continue to be suckers and pay per-user licenses on servers? It makes sense as a support contract, but not for licensing.) Ping Identity wants $13 million to develop a similar product for e-commerce. $13 million?? That’s some kind of gold-plated code. Let’s look at some of the existing password-management tools.

1. A notebook and pen. Write down your passwords and keep the list in a safe place. Even Bruce Schneier says this is a good idea.

2. Use your Web browser’s password manager, and I sure don’t mean the malware welcome mat that is Internet Explorer. Mozilla runs on many platforms and has a perfectly good password manager. It can easily be configured to remember your logins, or to selectively not remember some. The whole works is proctected by a master password. Konqueror also has an excellent password manager, for you KDE users. Both of them are easy to use, and encrypt the stored logins.

3. Homegrown solutions using F/OSS software. The OneSign is based on SuSE Linux.

I have several shopping and bill-paying accounts setup online, individually. I use Konqueror to manage the logins. Each vendor is its own point of failure- if foo.com gets cracked and customer data exposed, it’s only one account. There is no trail leading to my other accounts.

The smell of large money is in the air over this; the vulture capitalists are circling. I know it’s idealistic and naive, but wouldn’t it be refreshing to see these kinds of resources put into something that puts control in the user’s hands. I like the notion of a USB key- easy to lock up or carry with you, and your backup is a paper list safely squirreled away somewhere. Trust a third party vendor’s central repository with my stuff? I don’t think so.

What kind of tools exist for users to securely and conveniently manage their own passwords? Why should anyone trust a commercial vendor to do this?

The wrong people are making decisions about allowing more and more legal intrusions into citizen’s private lives: technically illiterate people who view computers as magical, infallible genies. Data collection and mining are trivially easy. All kinds of people- law enforcement, marketingdroids, and professional data collectors have the kind of access to details about your life and activities that should horrify you. They sell and re-sell this data without you ever seeing a dime, or having any idea of the scope of their activities.

When law enforcement gets its sticky little hands on your personal data, the consequences are potentially catastrophic. There is more than money and loss of privacy at stake- your personal liberty and rights as a citizen can be taken away in a heartbeat. There are no controls on all of this data collection and sharing. You have no way to see what is being said about you, no say over who gets to use it, and no way to check for or correct errors.

I’m sure you’ve heard the tired old “if you have nothing to hide, you have nothing to fear.” Baloney. With no checks or controls, we have plenty to fear. I prefer the opposite view: “You better have a darn good reason to poke into my affairs. By default they are off limits.” This is also known as the Fourth Amendment.

Some folks compare this to living in a small town, where everyone knows everyone’s business. It’s not even close to being like this. In a small town, like where I live, it is true that folks know more about you than you’re probably comfortable with. But there are checks and balances- if someone tells Aunt Bea that I’m a no-good tobacco-chewin’ nose-pickin’ horse thief, Aunt Bea knows better.

You know who to believe, who is not credible. If someone decides you really suck and launches a campaign of lies, you can find out who it is and do something about it. Your personal reputation is everything, because it is based on direct knowledge and experience.

Not so with an collection of data used and abused by uncaring strangers. Even worse than policy maker’s willingness to pry ever deeper into our lives is their unquestioned belief in the infallibility of technology. The computer says so, so it is true. How do you argue with a computer? Aunt Bea listens to reason and her own good sense. Computers don’t have these abilities.