[Cryptography] Passwords: Perfect, except for being Flawed

Jon Spriggs jon at sprig.gs
Wed Feb 18 17:49:58 EST 2015


On 18 February 2015 at 21:55, John Denker <jsd at av8n.com> wrote:

> On 02/17/2015 02:42 PM, Kent Borg wrote:
> > Passwords have serious problems, but they are a bit like the problems with
> > one-time-pads: cumbersome--but otherwise perfect.
> I would have said it differently:  Passwords are deeply
> flawed in principle, but convenient in practice.  An OTP
> is almost the opposite:  it is perfect in principle, but
> inconvenient in practice -- often fatally so.
>
> > Our use of passwords, on the other hand, is terrible. But all the
> > alternatives to passwords are worse.
> Agreed.  A password, like a chainsaw, can be /used/ in
> lots of ways ... some good, some bad.  One has to think
> very carefully about how to use it.  Many things that
> look like they might be an improvement end up being
> unusable or worse.
>

As a lay-person, but with some degree of interest, does the group have any
particular views in any direction on the Steve "GRC" Gibson system SQRL? It
seems to me (ignoring that it's Steve Gibson who wrote the concept and
implementation) that it's a mostly acceptable alternative to having to
remember large numbers of passwords, of having a password manager, or
requiring dedicated hardware fobs.

That is, you have a single "master" password that unlocks the credential
tool, you have a simple login mechanism (click on, or scan the QR Code),
and zero knowledge of the actual credential on the target device. It's
wrapped up in such a way that transferring the master credential between
devices is simple (again, a scan of a QR code) yet (apparently) difficult
to brute force... and apparently (again, I'm a lay-person in this) is easy
to revoke a credential and replace it with a new one using the same system.

I've seen several pages decrying the system as rubbish and as having copied
other systems, some people bemoaning that it's Steve Gibson who created it
(and, while I don't really care either way about his history, I understand
why some people are bothered by him)... but I can't really see many flaws
in it (aside from its requirement for using HTTPS as the transport
mechanism in the background).

--
Jon "The Nice Guy" Spriggs
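The mechanism Jon describes (one master secret, a per-site credential the site never learns, login by signing whatever the QR code carries, and replacing a site credential without touching the others) is easiest to see in code. The sketch below is an added example written for this archive, not SQRL's own code or specification: it assumes the SQRL-style shape of deriving a per-site Ed25519 key as HMAC-SHA256(master key, domain) and answering a site's nonce with a signature, but it leaves out the parts a real client needs (password-based protection of the master key, the QR transport, SQRL's own message framing and previous-identity handling). All names, the "login:"/"rekey:" message prefixes, the `examp1e.com` look-alike and the sample master keys are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity is the user's side: one master key, which in SQRL is unlocked by the
// single master password. The master key itself never leaves the device.
type Identity struct{ master []byte }

func NewIdentity(master []byte) *Identity { return &Identity{master: master} }

// SiteKey derives a per-site Ed25519 key pair as HMAC-SHA256(master, domain).
// Deterministic: every device holding the master key reproduces the same site
// key, while keys for different domains are unrelated and unlinkable.
func (id *Identity) SiteKey(domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, id.master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // 32 bytes == ed25519.SeedSize
	return priv.Public().(ed25519.PublicKey), priv
}

// loginMessage binds the signed challenge to the domain the client believes it
// is talking to, so a signature meant for one site is worthless at another.
func loginMessage(domain string, nonce []byte) []byte {
	return append([]byte("login:"+domain+":"), nonce...)
}

func rekeyMessage(domain string, newPub ed25519.PublicKey) []byte {
	return append([]byte("rekey:"+domain+":"), newPub...)
}

// Login answers a site's challenge: derive the site key, sign domain||nonce.
func (id *Identity) Login(domain string, nonce []byte) (ed25519.PublicKey, []byte) {
	pub, priv := id.SiteKey(domain)
	return pub, ed25519.Sign(priv, loginMessage(domain, nonce))
}

// RekeyProof authorises replacing this identity's key at domain with newPub.
func (id *Identity) RekeyProof(domain string, newPub ed25519.PublicKey) []byte {
	_, priv := id.SiteKey(domain)
	return ed25519.Sign(priv, rekeyMessage(domain, newPub))
}

// Site is the relying party. It stores public keys only: nothing in its
// database lets an attacker log in anywhere, including here.
type Site struct {
	domain string
	users  map[string]bool // hex(public key) -> registered
}

func NewSite(domain string) *Site { return &Site{domain: domain, users: map[string]bool{}} }

// Challenge is the fresh nonce the site would embed in its QR code.
func (s *Site) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

func (s *Site) Register(pub ed25519.PublicKey) { s.users[hex.EncodeToString(pub)] = true }

// Verify accepts a login iff pub is registered and sig covers this domain and nonce.
func (s *Site) Verify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	return s.users[hex.EncodeToString(pub)] && ed25519.Verify(pub, loginMessage(s.domain, nonce), sig)
}

// Rekey swaps oldPub for newPub when the request is signed by oldPub; afterwards
// the old site key no longer logs in, and no other site is affected.
func (s *Site) Rekey(oldPub, newPub ed25519.PublicKey, proof []byte) bool {
	if !s.users[hex.EncodeToString(oldPub)] || !ed25519.Verify(oldPub, rekeyMessage(s.domain, newPub), proof) {
		return false
	}
	delete(s.users, hex.EncodeToString(oldPub))
	s.users[hex.EncodeToString(newPub)] = true
	return true
}

func main() {
	master := make([]byte, 32) // constructed sample master key
	rand.Read(master)
	phone, laptop := NewIdentity(master), NewIdentity(master) // same key, two devices
	site := NewSite("example.com")
	pub, _ := phone.SiteKey(site.domain)
	site.Register(pub)

	nonce := site.Challenge()
	pub2, sig := laptop.Login(site.domain, nonce)
	fmt.Println("login from second device verifies:", site.Verify(pub2, nonce, sig))
	fake := NewSite("examp1e.com") // look-alike domain holding the same public key
	fake.Register(pub2)
	fmt.Println("same signature accepted by look-alike site:", fake.Verify(pub2, nonce, sig))
	otherPub, _ := phone.SiteKey("other.example")
	fmt.Println("site keys linkable across domains:", pub.Equal(otherPub))
}
```

The domain binding is the part to watch. The signature only protects the user if the domain that goes into `loginMessage` is the one the browser actually connected to, not merely the one printed inside the QR code: a phishing page that relays the real site's challenge and shows it as its own QR code gets a valid signature for the real domain if the client takes the domain from the code. That is why the transport (the HTTPS requirement Jon mentions) and the client's origin check carry much of the scheme's security, not the signature alone.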