On Fri, Jun 08, 2012 at 03:17:25PM -0700, Owen DeLong wrote:
On Jun 8, 2012, at 1:41 PM, Alec Muffett wrote:
PS: when security is hard, people simply don't do it. Blaming the victim of poor engineering that leads people to not be able to perform best practices is not the answer.
Passwords suck, but they are the best that we have at the moment in terms of being cheap and free from infrastructure - see http://goo.gl/3lggk
We've been in a bubble for the past few years, where Moore's law hardware had not quite caught up with the speed of SHA and MD5 password hashing throughput for effective brute force guessing; that bubble is well and truly burst.
Welcome back to 1995 where the advice is to change your passwords frequently, because it has a half-life of usefulness imposed upon it from (a) day to day external exposure and (b) the march of technology - and keep your hashing algorithms up to date, too. See http://goo.gl/iL9EP for suggestions.
Have a nice weekend,
-a
Would it really be that hard to release a coordinated One-Time Password system that consumers could readily use across multiple sites?
Doesn't seem *that* hard; my current employer has done quite a bit of heavy lifiting for you: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en http://code.google.com/p/google-authenticator/ [yes iOS and blackberry as well] Also, if you just want very lightweight implementation for paper codes, try http://code.google.com/p/otpauth/ -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG