At 15:35 2017-05-05, Ken Dibble krdibble@stny.rr.com wrote:
[snip]
Read the article. The data does not support the contention that these are important enough vectors to justify the downside that these recommendations have for users.
I did read the article. I do not agree with it.
Anybody who's got a dictionary, by now, also has a brute-force "guessing machine" and a botnet. Yup, they get through the dictionary in a few seconds. Within only a few more minutes, the botnet loops through every possible combination of characters in a 10-character password, and then they move on to 11 characters. The only thing that slows them down at all is a much longer password, and the only really effective defense involves measures on the server side. There is very little that a user can do to a password to make it significantly safer in the modern age, and there is huge amount of aggravation that can be caused to users over passwords that, in the end, has very little benefit.
Not putting a password on a Post-It Note is not a total solution, but it is the equivalent of not putting the house key under the mat. Would you put your house key under the mat? I suspect that answer would be a resounding no.
Just because there is no ultimate solution does not mean we should ignore things that can help.
This isn't just me, or just me and O'Reilly. Now it's me, O'Reilly, and the NIST.
Of course, I know, I'm a low-status person. No matter how right I am, or how often I am right, nobody listens to me until a high-status person repeats what I said.
I am just enjoying the gratification of being proven right.
No, of someone agreeing with you.
There have been proclamations before about solutions to the password problem. I think they are premature.
Look, I know that keeping track of passwords is a bother, but if access to something matters, changing your password occasionally is a good idea for the reason I stated. Pick a password that you can remember. I do not have a solution for the cognitive load of having [too] many passwords.
set silly on Hey, maybe we can have cameras watching for body motions as passwords. Since throwing up one's hands about the password problem is not workable, throwing up one's hands can be the new equivalent of having a password of "PASSWORD". set silly off
Sincerely,
Gene Wirchenko
On Sat, May 6, 2017 at 12:30 PM, Gene Wirchenko genew@telus.net wrote:
set silly on Hey, maybe we can have cameras watching for body motions as passwords. Since throwing up one's hands about the password problem is not workable, throwing up one's hands can be the new equivalent of having a password of "PASSWORD". set silly off
Not so silly. There are password processes that depend on gestures that are under testing. The ability to click and swipe through a series of images is somewhat unique due to biomechanical parameters or personal habits. I've also seen proposed some sort of facial recognition. The sooner we get through remembering a dozen random characters, the better. That's just a waste of time.
I use a password manager that syncs encrypted data over the internet so I have the same set of passwords on different machines of different OSes (Windows, Linux, ChromeOS, Android) and browsers. But none of these make it easy for desktop or console applications; you need to query the manager, prove you're you, copy the password to the clipboard (insecure!) or try to manually type longish random strings. Double-bonus goes to sites that double-check with an SMS or similar. "Something you know (password) and something you have (cellphone)" makes for good two-factor authentication.
On 2017-05-06 15:05, Ted Roche wrote:
Double-bonus goes to sites that double-check with an SMS or similar. "Something you know (password) and something you have (cellphone)" makes for good two-factor authentication.
I was thinking of adding that to my FabNet software. Shouldn't be hard to do. Generate random number to their cell phone and store on their user record for checking on sign-in. Email 7173502758@att.net or whatever setup should be. Just add the disclaimer "standard text and data rates apply" for legal. lol
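The sign-in check sketched above (random code sent to the phone, stored on the user record, checked at login), as an added example that is not FabNet's code. It assumes the user record is a dict and that `SERVER_KEY` is a placeholder; delivery of the code by SMS is left to the caller. It goes a little beyond the message by adding the parts a reviewer would ask for: expiry, single use, an attempt budget and a constant-time compare.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side key; in practice load it from configuration, not source.
SERVER_KEY = b"placeholder-server-key-rotate-me"
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is useless five minutes after issue
MAX_ATTEMPTS = 5         # six digits fall to ~1e6 online guesses without a budget


def _tag(code: str) -> str:
    # Keyed hash: a leaked user table does not reveal live codes, because
    # searching the 10**6 code space also needs SERVER_KEY.
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest()


def _clear(user: dict) -> None:
    for key in ("otp_tag", "otp_expires", "otp_attempts"):
        user.pop(key, None)


def issue_code(user: dict, now=None) -> str:
    """Generate a one-time code, store only its keyed hash and expiry on the
    user record, and return the plaintext code for delivery (e.g. by SMS)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    user["otp_tag"] = _tag(code)
    user["otp_expires"] = now + CODE_TTL_SECONDS
    user["otp_attempts"] = 0
    return code


def verify_code(user: dict, submitted: str, now=None) -> bool:
    """Check a submitted code at sign-in: a code must exist, be unexpired,
    be within the attempt budget and match; a matching code is consumed."""
    now = time.time() if now is None else now
    if "otp_tag" not in user:
        return False
    if now > user["otp_expires"] or user["otp_attempts"] >= MAX_ATTEMPTS:
        _clear(user)          # expired or locked out: user must request a new code
        return False
    user["otp_attempts"] += 1
    if hmac.compare_digest(_tag(submitted), user["otp_tag"]):
        _clear(user)          # single use, so an intercepted SMS cannot be replayed
        return True
    return False
```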