<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><div>On May 24, 2014, at 06:31, Scott McCarty &lt;<a href="mailto:scott.mccarty@gmail.com">scott.mccarty@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div><div>...</div><div>As a final note, on speed and security. I am not sure what the group's opinion is on LastPass, but I have developed a very effective personal security system based on LastPass and YubiKey. This has literally changed my life ;-)</div><div><br></div><div><a href="http://crunchtools.com/last-pass-with-yubikey">http://crunchtools.com/last-pass-with-yubikey</a></div></div></blockquote><div><br></div>The use of a second factor by way of the YubiKey raises an interesting question that I’ve wondered about for a while. I’ve been a fan of and used 1Password for years. Quite literally I don’t know most of my login passwords, because they are randomly generated strings. I have been pondering why AgileBits doesn’t support second factor auth. Whatdayaknow, they have a blog post on the very topic. 
I’m not entirely sure yet I agree with the post, but the argument for the increased complexity outweighing the small benefit in this situation is at least compelling.</div><div><br></div><div><a href="http://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/">http://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/</a></div><div><br></div><div><br><blockquote type="cite"><div><div>-------- Original message --------</div><div>From: Rob Funk &lt;rfunk@funknet.net&gt;</div><div>Date: 05/23/2014 7:38 PM (GMT-05:00)</div><div>To: Central OH Linux User Group - 432xx &lt;colug-432@colug.net&gt;</div><div>Subject: Re: [colug-432] password survey</div><div><br></div>On Friday, May 23, 2014 09:57:39 AM Rob Funk wrote:<br>> Scott McCarty wrote:<br>> > Personally, I do not consider hashing of any kind secure because it<br>> > is plausible to crack some of the passwords. Worse, it's a moving<br>> > target with ASICs and video cards cracking faster, and faster. I am<br>> > not trying to preach, but prefer keys, and session encryption for<br>> > anything production. By very nature, keys are two factor and revocable.<br><br>One more thing on this one: With keys, the server software needs access to <br>the key, which means that anyone who can crack that software gets the key <br>and therefore all the plaintext passwords. With hashes, the server software <br>only gets access to individual plaintext passwords long enough to hash them, <br>so there's no way to lose everything in one fell swoop.<br><br><br>> The problem with using symmetric encryption for passwords is that each<br>> account now has two ways of getting in: knowing/cracking the password,<br>> and knowing/cracking the encryption key. 
And unlike with hashing, if<br>> that encryption key is stolen then everyone's passwords are exposed.<br>> Generally it's not considered a good idea for anyone to get access to<br>> plaintext passwords. (Authentication protocols that involve passing<br>> the hashed password across the wire complicate things though, since<br>> the protocol does need access to the plaintext password.)<br><br>-- <br>Rob Funk<br><a href="http://funknet.net/rfunk">http://funknet.net/rfunk</a><br><br>_______________________________________________<br>colug-432 mailing list<br>colug-432@colug.net<br>http://lists.colug.net/mailman/listinfo/colug-432<br></div></blockquote></div><br></body></html>