Kent Borg wrote:
> Even more important because the fact that people are already logged into
> their gmail accounts means they are logged into all their Google stuff,
> and that is becoming a major contender for a single sign-on system.

Yes. I advocate using multiple Google accounts to isolate services, but Android certainly makes that difficult. One day the "throw away" login you used for unimportant email turns into a login that can now be used to purchase apps, movies, and who knows what else.

>> LastPass is probably the best option for that audience.
>
> Oh, jeeze, were I a cyber crook I would *so* hope that Lastpass would
> become really successful, because then I really could get my spyware to
> start stealing some good stuff. ...get millions of people
> trusting Lastpass and standardizing on it as their
> all-eggs-in-one-basket solution...

That's a consideration, but for now you can also apply the philosophy that you don't need to be able to outrun the bear, you only need to be faster than the other guy also trying to outrun the bear. The default behavior around password hygiene is so poor that anyone using LastPass ends up being a hardened target compared to the vast masses.

> So. How cautious should I be? Am I willing to deal with some
> cumbersome effort when I need my Hertz rent-a-car account password?
> Well, if it means I might not have my life really really badly mangled
> by a raiding of my password basket? You bet I think it is worth it.
>
> -kb, the Kent who feels like a crank running around telling everyone
> they should be frightened.

We should all strive to crank up the inconvenience factor on password management until we hit our own discomfort threshold or the point of diminishing returns. Most users could improve their situation with minimal change in inconvenience, just by being made aware of better options and techniques. LastPass or paper is a reasonable solution for certain audiences.

> The price of managing a manual air-gap for one's cyber security
> doesn't seem unreasonable...

So I'm wondering whether your "air-gap" (manually transcribing passwords from another device) has necessitated generating passwords that are less error-prone to human reproduction? For example, minimizing the use of symbols, avoiding characters like "i" and "L" that easily get confused with other letters and numbers, and grouping characters into small clusters separated by spaces? (Google's randomly generated application passwords follow some of these rules.)

If so, you've reduced entropy, which you'll have to make up for with increased length, which for many sites may not be possible. Probably of little practical consequence, but something I'd expect someone using an "air-gap" to be concerned about.

-Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
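The trade-off Tom raises (dropping symbols and look-alike characters lowers the entropy per character, so a transcription-friendly password has to be longer to be as strong, and a site's length cap may not allow that) can be put in numbers. The following Python is an added example for this thread, not code from the original post or from any password manager. It assumes a 94-character "full" alphabet (letters, digits, ASCII punctuation) and one reasonable set of confusable characters; both are assumptions, not a standard.

```python
import math
import secrets
import string

# Assumed "full" alphabet a password manager would draw from (94 characters).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed set of characters that are easy to misread when copying by hand
# (l/I/1 and o/O/0 families). This is an illustrative choice, not a standard.
CONFUSABLE = set("iIlL1oO0")

# Transcription-friendly alphabet: letters and digits only, confusables removed
# (54 characters with the sets above).
TRANSCRIBE_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in CONFUSABLE
)


def bits_per_char(alphabet: str) -> float:
    """Entropy contributed by one uniformly chosen character of `alphabet`."""
    return math.log2(len(alphabet))


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a uniformly random password of `length` over `alphabet`."""
    return length * bits_per_char(alphabet)


def length_for_bits(target_bits: float, alphabet: str) -> int:
    """Smallest length over `alphabet` that reaches at least `target_bits`."""
    return math.ceil(target_bits / bits_per_char(alphabet))


def compensated_length(full_length: int) -> int:
    """How long a TRANSCRIBE_ALPHABET password must be to match the entropy of
    a `full_length` password drawn from FULL_ALPHABET."""
    return length_for_bits(entropy_bits(full_length, FULL_ALPHABET), TRANSCRIBE_ALPHABET)


def shortfall_bits(site_max_length: int) -> float:
    """Entropy lost by using the reduced alphabet when a site caps the password
    at `site_max_length`, so extra length cannot make up the difference."""
    return entropy_bits(site_max_length, FULL_ALPHABET) - entropy_bits(
        site_max_length, TRANSCRIBE_ALPHABET
    )


def generate(length: int, alphabet: str, group: int = 0, sep: str = " ") -> str:
    """Uniformly random password from `alphabet`, optionally split into
    clusters of `group` characters for easier transcription.

    The separators sit at fixed positions, so grouping adds no entropy and the
    ungrouped length is what counts for strength.
    """
    raw = "".join(secrets.choice(alphabet) for _ in range(length))
    if group <= 0:
        return raw
    return sep.join(raw[i:i + group] for i in range(0, len(raw), group))


if __name__ == "__main__":
    for n in (12, 16):
        print(f"{n}-char full-alphabet password: {entropy_bits(n, FULL_ALPHABET):.1f} bits; "
              f"need {compensated_length(n)} transcription-friendly chars to match")
    print(f"site capped at 12 chars loses {shortfall_bits(12):.1f} bits with the reduced alphabet")
    print("example:", generate(16, TRANSCRIBE_ALPHABET, group=4))
```

With these alphabets a 12-character full-alphabet password (about 78.7 bits) needs 14 transcription-friendly characters, and a 16-character one needs 19; a site that caps passwords at 12 characters gives up roughly 9.6 bits to the reduced alphabet with no way to recover them, which is the "may not be possible" case Tom mentions.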