[Cryptography] Passwords are dying - get over it
Bill Cox
waywardgeek at gmail.com
Mon Dec 23 10:10:07 EST 2013
I also take that approach. As Jefferson once said, when you do a thing,
imagine the whole world is watching and act accordingly.
It bothers me that I get more security from carrying a metal key to a
physical lock than I can get online. Maybe I'll put a key file on my phone
and try to be a bit more secure with my TrueCrypt password safe. I
certainly can't count on just their key stretching.
How would you recommend protecting your ssh private key? Here's a great
tutorial on adding key stretching to your ssh private key, which by default
has none:
http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html
The bad news: even the 0.1% of us who bother to add key stretching to our
ssh private key's only get 2048 rounds of AES-256, which wont even slow
down an ASIC based cracker. All this does is provide security against
hackers with graphics cards, and not much security at that. Frankly, this
protection is so dismal, I give up. Whoever is influencing TrueCrypt and
OpenSSL into hard-coding 2048 worthless rounds of key stretching designed
to be efficient on ASICs wins.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131223/28bbcf3d/attachment.html>
More information about the cryptography
mailing list