[Discuss] single sign-on
Kent Borg
kentborg at borg.org
Sun Jul 28 09:45:31 EDT 2013
On 07/27/2013 03:24 AM, Tom Metro wrote:
> That's a consideration, but for now you can also apply the philosophy
> that you don't need to be able to outrun the bear, you only need to be
> faster than the other guy also trying to outrun the bear. The default
> behavior around password hygiene is so poor that anyone using LastPass
> ends up being a hardened target compared to the vast masses.
That is why my hypothetical bad guy was hoping LastPass becomes very
common; then it will become fertile ground for theft.
Passwords have a life span; where one puts them has inertia; decisions
made today can stick for years. For example, I was using my Palm Pilot
for passwords for well over a decade. Decisions now need to be safe
beyond this year.
> So I'm wondering whether your "air-gap" (manually transcribing passwords
> from another device) has necessitated generating passwords that are less
> error prone to human reproduction?
Oh, yes. I am a big fan of sensible passwords--and counting entropy in
how the password was created.
For example, "8e53-arrow-spell-genetic" is pretty easy to type and
remember, yet it has 48 bits of entropy in it. Not enough entropy for
an encryption key, but plenty for a password. Entropy doesn't have to
be hard to type and impossible to remember.
-kb
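As an added illustration of counting entropy from how a password was generated rather than from its characters (example code, not Kent's own method): it assumes the "8e53-arrow-spell-genetic" shape is four random hex digits plus three words drawn uniformly from a word list, and shows how large that list must be for the scheme to reach 48 bits.

```python
import math
import secrets

# Constructed toy word list; a real list would have thousands of entries.
# Each word drawn uniformly from N entries contributes log2(N) bits.
WORDS = ["arrow", "spell", "genetic", "bishop", "canvas", "diesel", "ember", "fossil"]
HEX = "0123456789abcdef"


def entropy_bits(n_hex: int, n_words: int, wordlist_size: int) -> float:
    """Entropy of a password made of n_hex random hex digits followed by
    n_words words chosen uniformly (with replacement) from wordlist_size
    entries. Counted from the generating process: 4 bits per hex digit,
    log2(N) bits per word, regardless of how the result looks."""
    return 4 * n_hex + n_words * math.log2(wordlist_size)


def generate(n_hex: int = 4, n_words: int = 3, words=WORDS) -> str:
    """Build a password in the assumed '8e53-arrow-spell-genetic' shape
    using the OS CSPRNG (secrets), so the entropy count above holds."""
    hex_part = "".join(secrets.choice(HEX) for _ in range(n_hex))
    word_part = [secrets.choice(words) for _ in range(n_words)]
    return "-".join([hex_part, *word_part])


def min_wordlist_for(target_bits: float, n_hex: int, n_words: int) -> int:
    """Smallest word list size that lets the scheme reach target_bits."""
    remaining = target_bits - 4 * n_hex
    if remaining <= 0:
        return 1
    return math.ceil(2 ** (remaining / n_words))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the scheme at a given
    guessing rate; useful for judging whether a budget is 'plenty'."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print(generate())
    print("toy list gives", entropy_bits(4, 3, len(WORDS)), "bits")
    print("48 bits needs a list of", min_wordlist_for(48, 4, 3), "words")
```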