[Cryptography] password fatigue; was: Lastpass

Devin Reade gdr at gno.org
Thu Jun 18 11:21:31 EDT 2015


--On Wednesday, June 17, 2015 01:32:22 PM +0000 Thierry Moreau 
<thierry.moreau at connotech.com> wrote:

> I see only one direction, which is actually not present in the
> marketplace. You need a separate system with limited functionality,
> features-lean instead of features-rich, on which the end-user performs
> the security-critical applications.

This.  Emphatically.

I follow the "one password, one system" model, so like many people
here I have far too many to memorize and rely on recording random
passwords in a safe place.

I used to use an encrypted password app on a mid-generation PalmOS
device.  I used it up until about a year ago, long after PalmOS was
considered dead, for the main reason that not only did it not have cellular
capability, but it didn't even have 802.11; you had to sync it with
a USB cable.  Alas, it was showing signs of pending hardware death,
and it had been getting harder and harder to sync it reliably (few
people do regression testing for obsolete software supporting obsolete
hardware).

I would love to see a minimal piece of hardware, no bigger than a
modern phone, with a screen and real keys (think Blackberry), with
no cellular hardware and, if it has 802.11 hardware at all, has a
physical switch to disable it.  An open-spec piece of hardware that
is able to run a verifiable piece of software like OpenBSD.  Something
that could go to fully-off to running in some small number of seconds,
and that didn't lose data when the batteries are exhausted.  (The Palm
device would lose everything if you didn't keep it charged; that was
its biggest problem.)

The OpenPandora <http://boards.openpandora.org/page/homepage.html>
seems a step in the right direction, except that it's quite a bit
larger (like a Nintendo 3DS rather than a phone).  Good to throw in
a briefcase or backpack, not so much for a pocket.

Ah, if wishes were fishes ...

Note the above assumes a continued model of relatively short passwords
that a user can transcribe from the password keeper to the system in use.
With long random passwords or OTP, being able to transfer data under
user control (like the Yubikey) would be nice, however I don't like
needing to haul around a laptop so that I can read a set of credentials,
should the need arise.

Devin


