[Cryptography] Passwords: Perfect, except for being Flawed

Alec Muffett alec.muffett at gmail.com
Wed Feb 18 18:00:02 EST 2015


On 17 February 2015 at 21:42, Kent Borg <kentborg at borg.org> wrote:
>
> We should quit trying to craft fragile replacements and instead resign
> ourselves to cleaning up our act: quit reusing the same passwords
> on different sites, pick good passwords, write down our passwords, but
> otherwise keep them secret*.
>

Some of us have been preaching this gospel for years. :-)

http://www.computerworlduk.com/blogs/unscrewing-security/password-security-forevermore-3570424/

*The problem with password security is that the disbenefits are exactly the
same as the benefits:*

   1. *passwords are easy to deploy - which means they're used everywhere*
   2. *passwords are easy to manage - which means they're managed haphazardly*
   3. *passwords don't require identity linkage between silos - but people are
      generally too lazy to maintain more than one or two identities*
   4. *passwords are scalable - but people are generally too lazy to remember
      more than one or two passwords*
   5. *passwords can be varied between silos - but people are generally ... see
      above*
   6. *passwords don't expire - but most of them are guessable in a matter of
      minutes or hours*
   7. *passwords are 'something you know' - and so anyone who knows your password
      is indistinguishable from you*

*And since you don't need to pay to get a new password, nor to maintain an
old one - the password paradigm is forever going to be a roadblock in the
path of those who wish to become rich by issuing certificates or identities
that will permit you to transact on the web - or those who desire central
control of such a resource. This may be a benefit or disbenefit, depending
upon your perspective.*

See also http://dropsafe.crypticide.com/muffett-passwords which also
touches upon the topic of backend hygiene. :-)

  -a

-- 
http://dropsafe.crypticide.com/aboutalecm