[colug-432] password survey

Richard Hornsby richardjhornsby at gmail.com
Sat May 24 10:51:23 EDT 2014

On May 24, 2014, at 06:31 , Scott McCarty <scott.mccarty at gmail.com> wrote:

> ...
> As a final note, on speed and security. I am not sure what the group's opinion is on Lastpass, but I have developed a very effective personal security system based on last pass and Yubikey. This has literally changed my life ;-)
> 
> http://crunchtools.com/last-pass-with-yubikey


The use of a second factor by way of the yubikey raises an interesting question that I’ve wondered about for a while.  I’ve been a fan of and used 1Password for years.  Quite literally I don’t know most of my login passwords, because they are randomly generated strings.  I have been pondering why Agilebits doesn’t support second factor auth.  Whatdayaknow, they have a blog post on the very topic.  I’m not entirely sure yet I agree with the post, but the argument for the increased complexity outweighing the small benefit in this situation is at least compelling.

http://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/

> Sent from my Verizon Wireless 4G LTE smartphone
> 
> 
> -------- Original message --------
> From: Rob Funk
> Date:05/23/2014 7:38 PM (GMT-05:00)
> To: Central OH Linux User Group - 432xx
> Subject: Re: [colug-432] password survey
> 
> On Friday, May 23, 2014 09:57:39 AM Rob Funk wrote:
> > Scott McCarty wrote:
> > > Personally, I do not consider hashing of any kind secure because it
> > > is plausible to crack some of the passwords. Worse, it's a moving
> > > target with ASICs and video cards cracking faster, and faster. I am
> > > not trying to preach, but prefer keys, and session encryption for
> > > anything production. By very nature, keys are two factor and revocable.
> 
> One more thing on this one: With keys, the server software needs access to 
> the key, which means that anyone who can crack that software gets the key 
> and therefore all the plaintext passwords. With hashes, the server software 
> only gets access to individual plaintext passwords long enough to hash them, 
> so there's no way to lose everything in one fell swoop.
> 
> 
> > The problem with using symmetric encryption for passwords is that each
> > account now has two ways of getting in: knowing/cracking the password,
> > and knowing/cracking the encryption key. And unlike with hashing, if
> > that encryption key is stolen then everyone's passwords are exposed.
> > Generally it's not considered a good idea for anyone to get access to
> > plaintext passwords. (Authentication protocols that involve passing
> > the hashed password across the wire complicate things though, since
> > the protocol does need access to the plaintext password.)
> 
> -- 
> Rob Funk
> http://funknet.net/rfunk
> 
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
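
The contrast Rob draws above between hashed and reversibly encrypted password storage, shown in working code. This is an added illustration, not code from anyone on the thread: it stores two constructed sample accounts once with a salted PBKDF2-HMAC-SHA256 hash (the iteration count is an assumed value) and once with a reversible scheme, then shows that verifying a hash needs the plaintext only for the duration of the KDF, while a single leaked server key recovers every account in the reversible store at once. The reversible scheme is a toy XOR-with-HMAC-keystream stand-in for a real symmetric cipher, used only so the block runs on the standard library; it models the key-holder-decrypts-everything property and nothing else.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this illustration; tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a record holding only salt, iteration count and derived key.
    The plaintext is needed just long enough to run the KDF, then discarded."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


# --- Reversible storage, the design argued against above ---------------------
# Toy stand-in for a symmetric cipher: XOR with an HMAC-derived keystream.
# NOT a real cipher; it only models "whoever holds the key decrypts everything".

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(key: bytes, password: str) -> dict:
    nonce = os.urandom(12)
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return {"nonce": nonce, "ciphertext": ct}


def decrypt_password(key: bytes, record: dict) -> str:
    ks = _keystream(key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], ks)).decode("utf-8")


def recover_all_with_key(key: bytes, store: Dict[str, dict]) -> Dict[str, str]:
    """What a leaked server key yields from a reversible store: every plaintext."""
    return {user: decrypt_password(key, rec) for user, rec in store.items()}


def demo():
    # Constructed sample accounts.
    users = {"alice": "correct horse battery", "bob": "Tr0ub4dor&3"}

    hashed_store = {u: hash_password(p) for u, p in users.items()}
    server_key = os.urandom(32)  # the one secret the reversible design depends on
    encrypted_store = {u: encrypt_password(server_key, p) for u, p in users.items()}

    # Hashed: verification works, but the stored record alone reveals no plaintext.
    ok = verify_password(hashed_store["alice"], "correct horse battery")
    bad = verify_password(hashed_store["alice"], "wrong")

    # Reversible: one key, every account.
    leaked = recover_all_with_key(server_key, encrypted_store)
    return ok, bad, leaked == users


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The per-user random salt is what keeps an attacker who obtains the hashed store from attacking all accounts with one precomputed table; the iteration count is what makes each guess cost something, which is the "moving target" Scott mentions and the reason the count should be revisited as hardware gets faster.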
