On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
> PS: when security is hard, people simply don't do it.

I think this is exactly right. The idea that we are going to train everyone on earth to keep eleventy billion distinct passwords in their heads -- or in a "password safe" that is either (1) under someone else's control because it's a web service or (2) inaccessible half the time because it's on their laptop and they're using their phone now and OMG -- is preposterous. (This without mentioning that they also have to remember the username that goes with it, which is _also_ variable.)

We have an engineering challenge here, and the PKI we have so far doesn't work. No, I have no magic answers. I'm not that smart. Michael Thomas is still right about this.

Best,

A

--
Andrew Sullivan
Dyn Labs
asullivan@dyn.com