May 29, 2008

Weave: An Issue of Humane Security

Given what I explained about Weave in yesterday’s blog post, it’s clear that one of the biggest challenges facing the project, aside from its far-from-trivial implementation, will be its usability. The good thing, as I mentioned in yesterday’s post, is that the project abstracts away any notion of asymmetric cryptography and all the complex concepts it brings to the table. But are there other ways it could be made easier to use?

One of the things I’ve been consistently confused by in my own use of the product, thanks in part to my rather tiny brain, is the fact that using it requires two passwords. Why two are needed is easy to deduce from yesterday’s overview of Weave’s architecture: one is used for logging in to the WebDAV server itself, and the other is used to actually encrypt your private key, and thereby indirectly encrypt all your data. But let’s step into the shoes of an everyday user for a moment—that is, a user who has no idea what the underlying implementation of Weave is, and has no reason to care.

When first starting up Weave and telling it to create a new account, your browser is redirected to services.mozilla.com, where you’re presented with the following form:

So, you fill this out and go through the conventional process of checking your email, clicking the link in it to prove that you’re at the email address you say you’re at, and you’re done. Then you get to step 3 of the Weave wizard:

We’ll ignore the fact that Firefox ought to know your email and password, because you just entered them on services.mozilla.com when you created your account; that’s fixable, and it’s not a comparatively major inconvenience. What you’re really confused about is why you need to pick another password—OK, word, phrase, same difference, you say to the computer expert sitting next to you—to supposedly “protect your data on the server”. Isn’t that what your first password was supposed to do?

The hacker in me knows how to respond; he’d start explaining everything I wrote about in my last blog post. The designer in me would respond differently, though: he’d say you’re completely right, there’s no reason you should have to remember two passwords for accessing your data. And if you forget one of your passwords or mix up which one’s which, it’s not your fault.

So, what I’m wondering right now is if it’s possible to get rid of one of these passwords.

If you have any ideas—if you believe that two passwords are absolutely necessary, or if you agree with Jef Raskin and believe that remembering a username and just one password is already more than what’s necessary, or if you think something else entirely, I’d like to hear it. Because with great security comes great responsibility to make the user interface not painful.

© Atul Varma 2021