[Discuss] External security Re: one vs many static IP addresses

[blu at nedharvey.com (Edward Ned Harvey (blu))]

> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of Rich Braun
> 
> It's 2016 and the whole concept of passwords for user auth is obsolete;
> they're hard to remember, don't get changed enough, and fairly easy to
> break.

*cough* 
There are very real weaknesses to using passwords, sure, but to say it's obsolete means you're living on a different planet.


> If you're relying solely on a memorized pass-phrase to access anything via a
> public IP address, you're not doing it right these days. Does this include
> you?

Seriously, what you just said is impossible. Even if you're using a password manager, or some type of cloud storage (something other than a USB fob) to keep some sort of private key with you at all times, backed up and safe from compromise by a pickpocket or mugger...

You have to login to your password manager with a password.

The right thing to do is memorize one really strong password, and use it to secure all your other randomly generated passwords.

PS. Something I'm working on right now is a cryptographic random sentence generator using small words (2-4 chars). Sentences like:

	ads have down if god fits last
	seas date max as air uses zone
	land tries fair and rock owns sign

These are easily memorizable, and about 40 bits each. Certainly strong enough to use in a password manager to protect against thugs. String a couple of them together and it would be strong enough to thwart sophisticated attacks, and if you string 3 of them together it would be sufficient to thwart a hostile government.