[Discuss] Are passwords even long enough?

Rich Pieri richard.pieri at gmail.com
Wed Jul 6 20:22:33 EDT 2016


On 7/2/2016 10:30 PM, IngeGNUe wrote:
> Given that this is the BLU ml, things like "spyware" don't apply to GNU
> Linux. I don't know anyone more careful than me with regard to password

You think not? I think you're wrong:
https://en.wikipedia.org/wiki/Linux_malware

> management. My coworkers think I'm crazy when it comes to security. :) I
> think about all those same things you mentioned.

If you use a federated identity service like Google or Facebook then by
definition you reuse passwords across many sites.

> For example, I never reuse passwords and I never use anyone else's
> computer for logging into things. Especially not on a Winblows computer.
> I only trust Free software I get straight from distros, although Free
> software can have vulnerabilities sometimes. Even then, though,
> everything is carefully planned.

For certain values of "carefully planned":
http://www.howtogeek.com/126995/how-to-disable-the-amazon-search-ads-in-ubuntus-unity-dash/

> Still, there's always the chance that I could have slipped up at the
> wrong time and place. In particular, I used to have an Android with
> Gmail on it. So that was probably it. It was a Nexus too. (Dang!)

Or any of a plethora of applications which use Google's identity
provider. Games with on-line components practically require it.

Also sipdroid if you link a Google Voice account to a PBXes account, but
at least you can use an application password for sipdroid so you do not
expose your actual password.


> IMO, I think someday passwords are going to become obsolete.

Yet again, I think you're wrong. I'll be the first to admit that
passwords have always been a wrong way to manage user authentication.
Problem is, nobody's invented and deployed anything better. 2FA and 2SV
aren't replacements for passwords; they're supplementary passwords
themselves. They're semi-randomly changing passwords but they're still
passwords.

We're stuck with passwords, in any of a number of forms, until someone
figures out a way to perform user authentication in a way that doesn't
rely on codes and phrases but does scale out indefinitely.

-- 
Rich P.


