[Discuss] single sign-on

Kent Borg kentborg at borg.org
Sun Jul 28 09:45:31 EDT 2013


On 07/27/2013 03:24 AM, Tom Metro wrote:
> That's a consideration, but for now you can also apply the philosophy 
> that you don't need to be able to outrun the bear, you only need to be 
> faster than the other guy also trying to outrun the bear. The default 
> behavior around password hygiene is so poor that anyone using LastPass 
> ends up being a hardened target compared to the vast masses. 

That is why my hypothetical bad guy was hoping LastPass becomes very 
common; then it will become fertile ground for theft.

Passwords have a life span, where one puts them has inertia, decisions 
made today can stick for years.  For example, I was using my Palm Pilot 
for passwords for well over a decade.  Decisions now need to be safe 
beyond this year.

> So I'm wondering whether your "air-gap" (manually transcribing passwords
> from another device) has necessitated generating passwords that are less
> error prone to human reproduction?

Oh, yes.  I am a big fan of sensible passwords--and counting entropy in 
how the password was created.

For example, "8e53-arrow-spell-genetic" is pretty easy to type and 
remember, yet it has 48 bits of entropy in it.  Not enough entropy for 
an encryption key, but plenty for a password.  Entropy doesn't have to 
be hard to type and impossible to remember.

-kb
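The point Kent makes above, that entropy should be counted from how the password was generated rather than from how the string looks, is easy to get wrong in practice. The following is an added example, not code from the post or from any tool the thread mentions. It generates passphrases with the same shape as "8e53-arrow-spell-genetic" (one 4-hex-digit chunk plus three words), computes the entropy of that generation process, and contrasts it with the inflated figure a string-only "strength meter" would report. The post does not say how Kent built his password or how large his wordlist was, so the 3-words-plus-4-hex-digits scheme and the tiny inline wordlist are assumptions made only so the block runs offline; a real deployment would load a large curated list.

```python
import math
import secrets

# Constructed sample wordlist (assumption, not from the post). It is deliberately
# tiny so the block is self-contained; its size is what caps the real entropy.
SAMPLE_WORDS = ["arrow", "spell", "genetic", "harbor", "quiet",
                "lantern", "marble", "velvet"]

HEX_ALPHABET = "0123456789abcdef"


def process_entropy_bits(wordlist_size: int, n_words: int, hex_digits: int) -> float:
    """Entropy of a passphrase built from n_words words chosen uniformly (with
    replacement) from a list of wordlist_size entries, plus hex_digits uniformly
    random hex characters. This counts how the password was *created*, which is
    what an attacker who knows the scheme actually has to search."""
    if wordlist_size < 2 or n_words < 0 or hex_digits < 0:
        raise ValueError("need a wordlist of at least 2 entries and non-negative counts")
    return n_words * math.log2(wordlist_size) + 4 * hex_digits  # 4 bits per hex digit


def naive_charset_bits(password: str) -> float:
    """What a string-only strength meter reports: log2(charset ** length).
    It assumes every character was chosen independently, so it badly
    over-estimates passphrases made of dictionary words."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII punctuation
    return len(password) * math.log2(charset) if charset else 0.0


def words_needed_for_bits(target_bits: float, n_words: int, hex_digits: int) -> int:
    """Smallest wordlist size at which the scheme reaches target_bits.
    Returns 1 when the hex part alone already meets the target."""
    if n_words <= 0:
        raise ValueError("n_words must be positive")
    remaining = target_bits - 4 * hex_digits
    if remaining <= 0:
        return 1
    return math.ceil(2 ** (remaining / n_words))


def generate_passphrase(wordlist, n_words: int = 3, hex_digits: int = 4, sep: str = "-") -> str:
    """Build an '8e53-arrow-spell-genetic'-shaped passphrase using the OS CSPRNG
    (secrets), never random.random(), so the entropy count above is honest."""
    hex_part = "".join(secrets.choice(HEX_ALPHABET) for _ in range(hex_digits))
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return sep.join([hex_part] + words)


if __name__ == "__main__":
    pw = generate_passphrase(SAMPLE_WORDS)
    print(pw)
    print("process entropy with the 8-word sample list:",
          round(process_entropy_bits(len(SAMPLE_WORDS), 3, 4), 1), "bits")
    print("process entropy with a 7776-word Diceware-style list:",
          round(process_entropy_bits(7776, 3, 4), 1), "bits")
    print("wordlist size needed for 48 bits with 3 words + 4 hex digits:",
          words_needed_for_bits(48, 3, 4))
    print("what a charset-based meter would claim for the post's example:",
          round(naive_charset_bits("8e53-arrow-spell-genetic"), 1), "bits")
```

The useful observation is in the last two numbers: a string-only meter credits the post's example with well over 100 bits, while the generation process gives about 48 only if the words came from a list of roughly 1,600 entries or more. With the eight-word sample list the same-looking output carries just 25 bits, which is why the count has to follow the process, not the appearance.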
