<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">On Thu, Nov 19, 2020 at 2:56 PM Kent Borg <<a href="mailto:kentborg@borg.org">kentborg@borg.org</a>> wrote:<br></div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>On 11/19/20 2:46 AM, Phillip
Hallam-Baker wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div style="font-size:small">Sure, nobody
leaves the front door open on the password file any more. But
breaches occur regularly and the password files leak... <br>
</div>
</div>
</blockquote>
<p>You are optimizing for a very specific case: <br>
</p>
(1) A site uses password hashes, <br>
(2) for passwords that are allowed to be long, <br>
(3) and are honored in their entire length*, <br>
(4) is broken into and they don't tell me,<br>
(5) the breakin doesn't include general admin powers but just
supplies that one file,<br>
(6) the attacker bothers to crack the hash for my password, and<br>
(7) it does any good for the attacker to have that password.<br>
<p>* Even Linux is willing to let you use long passwords where
anything past 8-characters are quietly ignored—if you set things
up wrong. I've twice discovered this where I didn't set it up that
way, a system installation script did.<br>
</p>
If I don't recycle passwords, getting all the way to #7 lets the
attacker impersonate me only on this one iffy site, which the
attacker already has some backdoor access to. By insisting on
unmanageably long passwords for everything, you do avoid this one
narrow circumstance.<br></div></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">What is a reasonable fee for memorizing a piece of information?</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">$50?</div><div class="gmail_default" style="font-size:small">$100?</div><br></div><div><div class="gmail_default" style="font-size:small">If someone wanted to hire me to remember a piece of information, I would charge them at least $2500. So hell yes, I reuse passwords. I reuse passwords for assets that DO NOT BELONG TO ME unless I am being paid to protect them.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I find that the assumptions of technologists tend to be really arrogant at times. When it comes to security, it is not just a mistake to expect the user to make an effort, it is almost always unreasonable. </div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I wrote the HTTP digest authentication spec because I knew there was no way in heck that users would possibly use a different password for every site and that was the best I could do with unencumbered technology until the Diffie Hellman patent expired.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">You have an unacknowledged cost transfer in your proposal. And that is why it is never going to work. Real users are not going to remember multiple passwords. We have to stop trying to learn them how to do things properly and take responsibility. This is our problem to fix, not theirs.</div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<p>But there are a lot of ways for people to get security wrong, by
the time they let their password data leak you need to assume
things are very broken. <br>
</p>
<p>What makes you think there is any hashing going on at random
site? <br></p></div></blockquote><div><div class="gmail_default" style="font-size:small">As I said, as the user, I have no way of auditing the site. So yes, I assume that some don't even hash.</div></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><p>
</p>
<p>I have a large collection of plain-text passwords that have
publicly leaked, where did I get those? That doesn't smell like
hashing to me. Why do so many sites have password length and
severe password content restrictions? That doesn't smell like
hashing to me.<br></p></div></blockquote><div><div class="gmail_default" style="font-size:small">While the origin of the restrictions is almost certainly stupidity, there is plenty of cargo cult implementation as well. We know that special characters actually weaken most user selected passwords because it effectively reduces them by one character. The obvious way to respond to such stupid is to stick ether 1 or 1! on the end as necessary to meet the idiot requirement. So while I accept the premise...</div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<p>By telling people that every password has to be unmanageably
long, you are effectively discouraging people from using difficult
passphrases when it really does matter: for encryption.</p></div></blockquote><div><br></div><div class="gmail_default" style="font-size:small">I am saying we need to abolish memorized passwords as a means of site authentication and we have the means to empower the user to do just that.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Provide the user with a Web browser on every one of their devices that can fill any form with a username and password pulled from an end-to-end secure vault and they can use a different, strong password for every single site. And they are very likely to do so because this will be the easiest thing for them to do.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Additional security can be provided by adding a second factor (biometric, memorized PIN) to access the vault.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"></div></div></div>