[Cryptography] Order of username and password entry
Jerry Leichter
leichter at lrw.com
Mon Apr 5 19:27:17 EDT 2021
> One suggestion is to keep a space in the password; this would prevent it reaching the other end in username. You can consider a loss of 1 character followed by space; at worst, you will lose one char of your password.
I'm not sure what systems do that. None I log into regularly stop at the space. Why should they?
> Two thoughts,
> 1. Passwords are generally insecure, so enforce MFA, 2FA, SSO where possible.
MFA/2FA just add another factor - and a troublesome one at that. The most broadly adopted standard is to use text messages - which we now know are very insecure. There is simply no even-close-to-universally-accepted alternative. And you still need the password, and still need to keep it secure - it's one of your factors!
SSO just means you have one really high-value username/password to enter somewhere, and outside of business contexts means you have to place your *complete* trust in Apple, Facebook, or Google - not that any of them provide universally accepted alternatives either.
We're still a long way from eliminating passwords and the problem of how to make them as effective as possible remains.
Personally, I don't think we'll eliminate passwords until we have a solution that solves what I call the "bathrobe problem": You get up early, get on the computer while still in your bathrobe - and have to log in to various sites. Your key fob? Your cell phone? Back in the bedroom. You don't want to disturb your sleeping spouse to get it....
> 2. Use a passphrase (with space) as a password; this can prevent an accidental copy-paste from reaching the other end.
Eh? If, indeed, it doesn't "reach the other end" - how is it useful as a passphrase?
-- Jerry