[Cryptography] Security weakness in iCloud keychain

[Peter Gutmann]

Bill Frantz <frantz at pwpconsult.com> writes:

>Here we have what is generally considered a really bad authentication
>mechanism

"Passwords are the worst kind of authentication mechanism, except for all the
 others".

Passwords aren't bad because they're inherently bad, they're bad because
security people have chosen to make them bad.  Everyone knows that they're no
good, so we won't put any effort into doing things properly.  Fifty-odd years
ago the state of the art in login security was that you connected to your
target system and handed over the password in cleartext.  Today, nearly half a
century later, the state of the art in login security is that you connect to
your target system and hand over the password in cleartext, but since it's
inside an SSH or TLS tunnel you get to pretend it's better.

All it would take as an initial step to make things vastly harder for the bad
guys is to exchange the hand-over-the-password step with any kind of password-
based challenge-response auth, circa late 1970s.  Then we could build from
there.

See also "A Research Agenda Acknowledging the Persistence of Passwords":

https://www.microsoft.com/en-us/research/publication/a-research-agenda-acknowledging-the-persistence-of-passwords/

Peter.