On Mon, Nov 21, 2005 at 01:28:21PM -0500, Rich Braun wrote:
> Alright, I'll bite. Conventional wisdom on single-factor authentication has been brought up at least twice in this thread:
>
> 1) Use a different password for each account.
> 2) Wherever possible, use an encrypted key instead of plain text password.
>
> This strikes me as completely impractical for anyone who uses the web or has multiple logins anywhere.

These are different problems: anything web-based should be assumed to be relatively insecure anyway.

Nevertheless, there's a decent approach that handles both: use a system.

Here's a good system: use song lyrics from a relatively obscure band -- not the Beatles, not your all-time-favorite band that you obsessively promote to everyone you meet, but a band that you like and remember the lyrics for many of their songs.

Let's say a significant line in the song is "I often thought how proud I'd be in a boat like Gideon Brown". Take the initials:

IothpIbiablGB

that's a great password there, and you have a built-in mnemonic.

But wait, there's more. Pick one of these solely for low-security accounts. Then append or prepend the name of the service to it:

gmailIothpIbiablGB
or
IothpIbiablGBhotmail

Voila! Instant high-quality password for a low-security account.

The key to maintaining the security is to rotate the whole set every so often, or if you ever suspect that one of a set of passwords is compromised, treat the whole set as in need of replacement.

And use a different song for each high-security account, please.

-dsr-

> I'm *constantly* forgetting which password I used on which system, so I either lock up the account by trying too many different passwords, or I revert to a cheat-sheet that I've written down or stored in a text file in some hopefully-obscure place.
>
> Cheat-sheets are a terrible approach. Hardware dongles that keep track of passwords are only useful on the systems that have the needed software on them.
>
> The only meaningful long-term solution to these problems will ultimately be some sort of government- or industry-mandated central registry of authentication information. Bill Gates would love you to use his, he first proposed this concept at a talk he gave right here in Boston at a BCS-sponsored event. And the FBI would love you to use a biometric method, which would prevent you from ever revoking an identity key.
>
> Until some well-connected powerful rich guy imposes a grand-unified master authentication database on all of us, what are we to do? I'm at a complete loss as to any practical method that works across multiple computers, including the ones I walk up to at a friend's house or Internet cafe or wherever.
>
> Yes, I am challenging those of you who suggest these conventional PW management rules: they DON'T WORK for me. Do you have some secrets on successful use?
>
> -rich
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://olduvai.blu.org/mailman/listinfo/discuss

-- 
Separation of church and state protects religion.
(from itself, as well as from other religions.)
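The scheme dsr describes above, worked through in code as an added example (this is not code from the thread or from BLU): the initials of a lyric line become the shared base, a service name is prepended or appended for each low-security account, and the "treat the whole set as compromised" rule is applied mechanically. The lyric and the two service-tagged passwords are the ones quoted in the message; the `LOW_SECURITY` dictionary and the `bank` entry are constructed for illustration.

```python
import re


def lyric_initials(line: str) -> str:
    """Mnemonic base as described in the post: first letter of each word,
    case preserved. A contraction such as "I'd" is one word and contributes
    only its first letter, so the quoted lyric yields "IothpIbiablGB"."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", line)
    return "".join(w[0] for w in words)


def account_password(base: str, service: str, prepend: bool = False) -> str:
    """Per-service variant for a low-security account: the service name is
    prepended or appended to the shared base, exactly as the post shows."""
    return service + base if prepend else base + service


def strip_tag(password: str, service: str) -> str:
    """Undo account_password(): remove the service name from either end.
    Because the service name is public, anyone holding one leaked password
    can do this too, which is why the post says to rotate the whole set."""
    if service and password.startswith(service):
        return password[len(service):]
    if service and password.endswith(service):
        return password[: -len(service)]
    return password


def passwords_to_replace(known: dict[str, str], compromised: str) -> list[str]:
    """The post's rule: one leaked low-security password exposes the shared
    base, so every account built on that base needs a new password. Accounts
    built on a different song (a different base) are unaffected."""
    base = strip_tag(known[compromised], compromised)
    return sorted(svc for svc, pw in known.items() if strip_tag(pw, svc) == base)


# The lyric quoted in the message.
LYRIC = "I often thought how proud I'd be in a boat like Gideon Brown"
BASE = lyric_initials(LYRIC)

# Constructed sample set (hypothetical accounts). "bank" uses a different
# song's initials, standing in for a high-security account with its own base.
LOW_SECURITY = {
    "gmail": account_password(BASE, "gmail", prepend=True),
    "hotmail": account_password(BASE, "hotmail"),
    "forum": account_password(BASE, "forum", prepend=True),
    "bank": "WhtsotwDnbo",
}

if __name__ == "__main__":
    print("base:", BASE)
    for svc, pw in LOW_SECURITY.items():
        print(f"{svc:8} {pw}")
    print("forum leaked -> replace:", passwords_to_replace(LOW_SECURITY, "forum"))
```

The `strip_tag` step is the practical caveat: the service tag is a mnemonic aid, not a secret, so the security of every tagged account is exactly that of the shared base, and one leak is a leak of the set.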