[colug-432] password survey

Rob Stampfli rob944 at cboh.org
Sat May 24 16:25:17 EDT 2014


On Sat, May 24, 2014 at 09:51:23AM -0500, Richard Hornsby wrote:
> The use of a second factor by way of the yubikey raises an interesting question that I’ve wondered about for a while.  I’ve been a fan of and used 1Password for years.  Quite literally I don’t know most of my login passwords, because they are randomly generated strings.  I have been pondering why Agilebits doesn’t support second factor auth.  Whatdayaknow, they have a blog post on the very topic.  I’m not entirely sure yet I agree with the post, but the argument for the increased complexity outweighing the small benefit in this situation is at least compelling.
> 
> http://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/

I tend to like, and have been tempted to use, a scheme similar to 1Password,
where one uses strong randomly generated underlying passwords protected by
a master password, which is the one the user supplies on demand.  Indeed, even
most modern browsers support such a scheme, and frankly, if you don't trust
your browser, you should not be accessing sensitive accounts with it anyway.

One problem with this approach, though, is that it breaks some agreements
with those serving up the protected content.  If you read the user
agreement carefully -- the one I blindly clicked "OK" to when I created
the account -- my bank, for instance, forbids storing the password to my
online account "on a computer", and if I do so, I lose all my protections
should some bad guy ever succeed in gaining access to my account.
Enforceable?  Who knows?  Are they cutting their own throats?  Probably.
But they make no distinction for situations where the passwords lie in a
file protected by strong encryption.

So, if you want to use this approach, and I have to concur that it is
technically a viable one which is perhaps superior to entering passwords
directly, read your end-user agreements carefully for sites that are
important to you.  

Rob
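The scheme Rob describes (random per-site passwords, the whole store sealed under one master password) as an added, self-contained example; this is illustrative code written for this archive page, not 1Password's or any browser's implementation. To stay standard-library only it builds authenticated encryption from HMAC-SHA256 (a counter-mode keystream plus an encrypt-then-MAC tag) instead of AES-GCM, which a real password manager would use; the iteration count, alphabet and the names of every function are assumptions. The master password is stretched with PBKDF2, the tag is checked in constant time before anything is decrypted, and a wrong master password or a flipped byte is rejected rather than yielding garbage.

```python
"""Minimal encrypted password vault (added example, not from the original post).

Random per-site passwords are generated with the OS CSPRNG, then the vault is
sealed under keys derived from a single master password.  Stdlib only: the
cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag,
standing in for the AES-GCM a production manager would use.
"""
import hashlib
import hmac
import json
import math
import secrets
import string

PBKDF2_ITERATIONS = 600_000   # assumption: a current OWASP-style count for PBKDF2-HMAC-SHA256
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32                  # full HMAC-SHA256 output

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password drawn uniformly from `alphabet` using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def _derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:n])


def seal_vault(master_password: str, vault: dict) -> bytes:
    """Encrypt-then-MAC the vault. Blob layout: salt || nonce || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    k_enc, k_mac = _derive_keys(master_password, salt)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    ks = _keystream(k_enc, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(k_mac, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag in constant time before decrypting; raise on a bad master or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    k_enc, k_mac = _derive_keys(master_password, salt)
    expected = hmac.new(k_mac, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad master password or corrupted vault")
    ks = _keystream(k_enc, nonce, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, ks))
    return json.loads(plaintext.decode("utf-8"))


def opens(master_password: str, blob: bytes) -> bool:
    """True if the blob opens cleanly under this master password, False if it is rejected."""
    try:
        open_vault(master_password, blob)
    except ValueError:
        return False
    return True


def demo() -> bool:
    """Build a vault of random passwords, round-trip it, and confirm a wrong master is rejected."""
    vault = {site: generate_password() for site in ("bank.example", "mail.example")}
    blob = seal_vault("correct horse battery staple", vault)
    round_trip_ok = open_vault("correct horse battery staple", blob) == vault
    wrong_rejected = not opens("wrong password", blob)
    return round_trip_ok and wrong_rejected


if __name__ == "__main__":
    print("entropy of a 20-char password: %.1f bits" % password_entropy_bits(20))
    print("round trip and wrong-password rejection OK:", demo())
```

The split into `k_enc` and `k_mac` from one PBKDF2 output, the salt and nonce stored in the clear, and the tag covering salt, nonce and ciphertext together are the parts worth copying; the HMAC-counter cipher itself is only there so the example runs without third-party packages.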


More information about the colug-432 mailing list