[Cryptography] Passwords are dying - get over it

Kent Borg kentborg at borg.org
Mon Dec 23 09:10:39 EST 2013


On 12/23/2013 01:53 AM, Bill Cox wrote:
> Sounds good, but what's the alternative?  It scares me to have a key 
> ring decrypt all my passwords at once, and just hang around in memory. 
>  The closed-source password safes are a non-starter, IMO.  I agree the 
> password situation sucks.  I'm not very familiar with alternatives. 
>  What do you suggest?

People love to say passwords are dead, but any alternate proposals they 
might suggest always seem worse to me.

Google seems to have the biggest head of steam by trying to become the 
single sign-in for everything else, and then, because they are so 
important they can force you to carry a Bsafe fob, or something like 
that.  Actually, they probably won't go for a fob...

Instead Google is working hard to know everything about me, and that is 
key to their security solution: they will know I am legit when I log in 
because they will know it is me because they have been following me.  Or 
something like that, they don't exactly know how it will work, but they 
are getting good at recognizing login patterns and being confident I am 
me based on how and where I log in.


I can cache in my head the passwords I use frequently. And when I need a 
more obscure one, I look it up, in the records I keep of all my 
passwords.  Exactly how to keep those records and how to maintain any 
endpoint security is the hard part about my approach and not something 
that is easy to recommend to others.

A pencil and a little paper notebook that should be carefully protected, 
obfuscate the contents in some simple way--that is the best I can 
suggest for civilians.  (And don't bring the whole notebook when 
traveling internationally, maybe leave it with someone trusted whom you 
can phone.)

-kb

