Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Discuss] Are passwords even long enough?

On 07/06/16 20:22, Rich Pieri wrote:
> On 7/2/2016 10:30 PM, IngeGNUe wrote:
>> Given that this is the BLU ml, things like "spyware" don't apply to GNU
>> Linux. I don't know anyone more careful than me with regard to password
> You think not? I think you're wrong:

Yes I know I was very strong about it but that is Very rare, especially
if you're not downloading software from untrusted sources.

>> management. My coworkers think I'm crazy when it comes to security. :) I
>> think about all those same things you mentioned.
> If you use a federated identity service like Google or Facebook then by
> definition you reuse passwords across many sites.

I doubt it. I don't do this. (Unless Google Apps are *by definition* a
federated service.)

>> For example, I never reuse passwords and I never use anyone else's
>> computer for logging into things. Especially not on a Winblows computer.
>> I only trust Free software I get straight from distros, although Free
>> software can have vulnerabilities sometimes. Even then, though,
>> everything is carefully planned.
> For certain values of "carefully planned":

Yes but another rare exception...

>> Still, there's always the chance that I could have slipped up at the
>> wrong time and place. In particular, I used to have an Android with
>> Gmail on it. So that was probably it. It was a Nexus too. (Dang!)
> Or any of a plethora of applications which use Google's identity
> provider. Games with on-line components practically require it.
> Also sipdroid if you link a Google Voice account to a PBXes account, but
> at least you can use an application password for sipdroid so you do not
> expose your actual password.

Right, Android - yuck - this is probably the issue. You have to go out
of your way to lock down apps. There are ways to minimize app
permissions, but it's more of a bandaid solution. It's probably better
to not give any app your login info.

>> IMO, I think someday passwords are going to become obsolete.
> Yet again, I think you're wrong. I'll be the first to admit that
> passwords have always been a wrong way to manage user authentication.

> Problem is, nobody's invented and deployed anything better. 2FA and 2SV
> aren't replacements for passwords; they're supplementary passwords
> themselves. They're semi-randomly changing passwords but they're still
> We're stuck with passwords, in any of a number of forms, until someone
> figures out a way to perform user authentication in a way that doesn't
> rely on codes and phrases but does scale out indefinitely.

Well it's all predictions so we'll see how it pans out.

The biggest problem with passwords is that the longer they have to be,
the harder they will be to remember by humans, meaning that we either
have to offload the cognitive labor to software or we get rid of them
altogether. I would argue that both are possible means through which
we'll no longer use passwords, because I doubt humans will expand their
memories before then.

(As far as the 4-digit PIN goes: It seems to me that the reason we have
PINs for ATM cards is because you can easily trash the card and get
another. This works as well as it does because the bank and its customer
have built a trust relationship in the genuineness of the customer's
meatworld identity, backed by laws and such.)

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
