Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] 19,000 person company passwords stolen via HTTPS



On 10/6/2015 5:12 PM, Edward Ned Harvey (blu) wrote:
> I have no idea what RP was talking about, or if there was a point at
> all, but Anthony, you're right. I know in CBCrypt, there is no basket
> with all the eggs.

Yes, there is. The authenticating server has a piece of information for 
each user which can be used to uniquely identify that user. Encrypting 
these unique pieces of information, these eggs, does not prevent me from 
cracking them open. It slows me down but it won't keep me out.

The point is that this paradigm is broken, backwards. It's /etc/passwd 
in fancy dress. Users and clients should not be authenticating 
themselves to servers and services. Servers and services should be 
authenticating themselves to the users and clients which use them.

-- 
Rich P.



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org