[Cryptography] Why don't we protect passwords properly?

Jerry Leichter leichter at lrw.com
Sun Dec 22 08:25:18 EST 2013


On Dec 22, 2013, at 1:28 AM, ianG wrote:
>> There are people who really should know better: IETF WG members,
> 
> Why do you think they should know any better?  Just curious...
> 
> This is like the old von Mises fallacy of government regulation.  He asked why it is that people think that the government knows more about the market than those in the market?...

Ah, yes, *that* old fallacy.  Based on a complete misunderstanding of people and of regulation.

Regulation defines rules; governments enforce rules.  You don't expect the players in a soccer match to ref the game - or write the rulebook.  There are others who are much better at those things than the players, even though the players are those who know most about actually playing the game.  None of those people maintain the field either.

If the only goal people have is maximizing their income - how do you explain that von Mises, who claimed to understand economics and markets so well, spent his career as a government bureaucrat and a professor?  Do as I say, not as I do?

Indeed, the same issues apply to cryptography.  The best cryptographers aren't necessarily particularly good at developing software.  The best developers often do crappy UIs.  The best cryptographers, developers, and UI designers aren't generally very good at writing solid standards.  The best standards writers aren't very good at the political/marketing game of getting those standards written, accepted, implemented, and actually used.  Yes, there are rare individuals who can play more than one of these roles at a high level, but there's only so much time in a day and time spent filling one of them detracts from time spent filling another.

Hell, even at the level of cryptographers, there's specialization.  Adi Shamir is likely our best cryptanalyst/code breaker, but what new cryptosystems has he developed since RSA?
                                                        -- Jerry


