once more, with feeling.

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Sep 23 02:25:06 EDT 2008


"Leichter, Jerry" <leichter_jerrold at emc.com> writes:

>The situation today is (a) the decreasing usefulness of passwords - those
>anyone has a chance of remembering are just too guessable in the face of the
>kinds of massive intelligent brute force that's possible today and (b) the
>inherently insecure password entry mechanisms that we've trained people to
>use.

It's actually not that bad: we have some really good password managers that
can take care of this for us, alongside quite a bit of research from HCI
people that examines their effectiveness.  By "password manager" I mean one
that generates a strong password for you and supplies it as required, not the
noddy "managers" built into things like web browsers; look at something like
Roboform for an example of what I mean.  The problem is that I don't know of
any application that natively uses them.  There are between half a dozen and a
dozen Firefox plugins and third-party apps (it varies over time) that all
provide enhanced password-handling capabilities, but the browser itself still
has the incredibly clunky 1.0 "manager" that it's always had (not specifically
picking on FF here, all the others are just as bad; the difference is that FF
has a pile of functioning plugins and usability research that demonstrates how
to get it right).

The problem isn't with passwords, it's with developers: passwords are insecure
because developers have chosen to make them insecure.  We have mechanisms to
address a lot of the problems with passwords, but no-one ever uses them.  Even
suggesting some of these things is hard enough: the response to "What about
using security measure X which addresses problem Y" isn't to use measure X but
to find some obscure corner case where X won't work, declare the problem
unsolvable, and keep on doing the same thing that already didn't work the
last 100 times we tried it.

Peter.
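An added example, not part of the post and not Roboform's or any other manager's code, of what "generates a strong password for you" amounts to in practice: draw symbols uniformly from the OS CSPRNG, size the password for a target entropy, and compare the expected exhaustive-guessing time against the kind of memorable lowercase password the quoted message calls too guessable. The character sets and the 10^10 guesses/second cracking rate are assumptions chosen for illustration.

```python
"""Constructed example: strong password generation and the entropy arithmetic
behind it.  Not from the post or any product; charsets and guess rate are
assumed for illustration."""
import math
import secrets
import string

# Assumed character sets a generator might offer (not taken from any product).
ALPHABETS = {
    "lower": string.ascii_lowercase,
    "alnum": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}

# Assumed offline guessing rate for a fast, unsalted hash.  Substitute the
# figure for whatever hash the application actually stores.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices.
    Valid only for uniform random choice; a human-chosen string has far less."""
    return length * math.log2(alphabet_size)


def length_for_entropy(target_bits: float, alphabet_size: int) -> int:
    """Shortest length that reaches `target_bits` with the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ALPHABETS["printable"]) -> str:
    """Uniform random password from `alphabet`.  `secrets` uses the OS CSPRNG;
    `random.choice` is not acceptable here, its state is recoverable from output."""
    if length < 1:
        raise ValueError("length must be >= 1")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet needs at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_crack_seconds(bits: float,
                           guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit a uniformly random secret of `bits` entropy by
    exhaustive guessing: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(human_len: int = 8, generated_len: int = 20) -> dict:
    """Best case for a memorable lowercase password (treated as uniform, which
    flatters it) versus generator output, at the same assumed guess rate."""
    human_bits = entropy_bits(len(ALPHABETS["lower"]), human_len)
    gen_bits = entropy_bits(len(ALPHABETS["printable"]), generated_len)
    return {
        "human_bits": human_bits,
        "human_seconds": expected_crack_seconds(human_bits),
        "generated_bits": gen_bits,
        "generated_seconds": expected_crack_seconds(gen_bits),
    }


if __name__ == "__main__":
    n = length_for_entropy(128, len(ALPHABETS["printable"]))
    pw = generate_password(n)
    print(f"generated: {pw}  ({n} chars, ~{entropy_bits(94, n):.0f} bits)")
    for key, value in compare().items():
        print(f"{key:>18}: {value:.3g}")
```

The entropy figure only holds because the generator chooses uniformly and the user never has to remember the result; that is the whole point of having the manager supply the password rather than the person. The eight-character lowercase case is already optimistic, since real human choices are concentrated in a far smaller dictionary than 26^8.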

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
