[Cryptography] Security weakness in iCloud keychain
Kent Borg
kentborg at borg.org
Tue May 8 10:23:29 EDT 2018
On 05/07/2018 08:53 PM, Peter Gutmann wrote:
> "Passwords are the worst kind of authentication mechanism, except for
> all the others".
>
> Passwords aren't bad because they're inherently bad, they're bad because
> security people have chosen to make them bad.

Hear, hear!

There is a lot of well-justified frustration around authentication, and
passwords are *everywhere*. They are always involved in whatever the
problem is, always seen near the crime, implicated by proximity.

So conventional wisdom is that passwords are bad. Anything that purports
to replace passwords (including password manager software auto-typing
them, effectively turning into a sort of randomly-specced authentication
agent), has an automatic bias in favor of it: Passwords are bad,
alternatives must be better. But the alternatives are all rather bigger
systems, that on further thought have a lot of places to hide really big
problems.

In replacing passwords: First do no harm.

I have hundreds of passwords (everyone does, I am merely rare in that
mine are unique), for wildly disparate systems. Any "this will replace
passwords!" needs to replace all that, and make matters better.

-kb