[Cryptography] Low-tech password safe was: Passwords (Smallest feasible work factor today?

Natanael natanael.l at gmail.com
Mon Oct 3 08:28:24 EDT 2022


Den fre 16 sep. 2022 kl 21:42 skrev Ralf Senderek <crypto at senderek.ie>:

>
>
> In order to design the best electronic password safe, IMHO privilege
> separation is an essential ingredient, although not the only one.
>
> Of course there is an attack surface on such a thing as the latest
> report of Linux malware
>
>
> https://arstechnica.com/information-technology/2022/09/new-linux-malware-combines-unusual-stealth-with-a-full-suite-of-capabilities/
>
> shows. Such code that starts as a few bytes executed in memory with no
> trace in the filesystem, gains its full destructive force when a
> privilege separation vulnerability is exploited. We'll see more of
> this in future. But this does not mean we must give up on the attempt
> to secure passwords on the electronic device.
>
> It might as well mean that we need to add an external device to the
> mix to ensure that manual actions on such a device are necessary to
> enable the use of stored passwords. So I'd like to ask people on
> the list who might have experience of using external security devices
> (like for example the yubikey, or similar) to share their experience
> in order to integrate this into the best electronic password safe
> solution.
>
>     --ralf
>

In the last several years in Sweden, the most common solution for
electronic authentication to banks and governments, BankID, has been using
an app which shows you details about what you're authenticating (if you're
logging in or approving a transaction, which organization you're
authenticating to, who the recipient of a transaction is, the sum, etc).

Some banks have also started switching to security tokens with a built-in
camera for when you want to log in without a smartphone app:

https://www.swedbank.se/privat/digitala-tjanster/sakerhetsdosor.html

The top device scans a QR code and shows you what you're approving. The
message is encrypted so the browser doesn't know what it says, and the device
has to generate an appropriate one-time response code for you to enter.
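The flow described above (the bank sends an encrypted challenge through the browser, an out-of-band device with its own key decrypts it, shows the user exactly what is being approved, and produces a one-time response code the bank can verify) as a simulated two-party exchange. This is an added example and not code from the thread, from BankID, or from any bank's token: the payload layout (nonce, ciphertext, tag), the HMAC-SHA256 counter-mode stream cipher that stands in for a real AEAD such as AES-GCM, the key-derivation labels, the canonical JSON encoding of the transaction, and the 8-digit code length are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

# Per-device secret provisioned at enrolment. Constructed sample value, not a real key.
DEVICE_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
NONCE_LEN = 16
TAG_LEN = 16


def _subkey(secret: bytes, label: bytes) -> bytes:
    """Derive an independent key per purpose (enc / mac / resp) from the device secret."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (assumed stand-in for a real AEAD)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def canonical(tx: dict) -> bytes:
    """Fixed encoding so bank and device MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def bank_build_challenge(secret: bytes, tx: dict, nonce: Optional[bytes] = None) -> str:
    """Bank side: encrypt-then-MAC the transaction. The browser only relays this hex string."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(secret, b"enc"), nonce, canonical(tx))
    tag = hmac.new(_subkey(secret, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return (nonce + ct + tag).hex()


def device_open_challenge(secret: bytes, qr_hex: str) -> Optional[dict]:
    """Device side: verify the tag before decrypting; None means 'do not display anything'."""
    raw = bytes.fromhex(qr_hex)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(secret, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_keystream_xor(_subkey(secret, b"enc"), nonce, ct))


def response_code(secret: bytes, nonce: bytes, tx: dict) -> str:
    """8-digit one-time code bound to this nonce AND the exact transaction the user saw."""
    mac = hmac.new(_subkey(secret, b"resp"), nonce + canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def device_respond(secret: bytes, qr_hex: str) -> Optional[Tuple[dict, str]]:
    """Device side: returns (details to show on screen, code for the user to type) or None."""
    tx = device_open_challenge(secret, qr_hex)
    if tx is None:
        return None
    return tx, response_code(secret, bytes.fromhex(qr_hex)[:NONCE_LEN], tx)


def bank_verify(secret: bytes, qr_hex: str, tx: dict, code: str) -> bool:
    """Bank side: recompute the code over the transaction it actually stored for this challenge."""
    nonce = bytes.fromhex(qr_hex)[:NONCE_LEN]
    return hmac.compare_digest(response_code(secret, nonce, tx), code)


if __name__ == "__main__":
    # Constructed sample transaction, not real account data.
    tx = {"type": "payment", "to": "SE00 0000 0000 0000", "amount": "1 250,00 SEK"}
    qr = bank_build_challenge(DEVICE_SECRET, tx)
    shown, code = device_respond(DEVICE_SECRET, qr)
    print("device displays:", shown)
    print("user types:", code, "-> bank accepts:", bank_verify(DEVICE_SECRET, qr, tx, code))
```

The security property worth noticing is in `response_code`: the code is a MAC over the nonce and the transaction bytes the device decrypted and displayed, so a code the user typed after seeing one recipient and amount cannot be replayed against a different transaction, and a relay that alters the ciphertext fails the tag check before the device shows anything.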