[Discuss] deadmanish login?
Richard Pieri
richard.pieri at gmail.com
Fri Feb 3 13:42:52 EST 2017
On 2/3/2017 12:43 PM, Dan Ritter wrote:
> a) it has a zero-latency, no penalty for wrong-guesses method of
> trying passwords
In this case security depends almost entirely on intrusion prevention
systems.
> b) it has the hash of the passphrase in front of it and is generating
> matches.
And in this case, after case a has failed, password quality becomes a
relevant factor. At this point a 521-bit ECDSA key, comparable to
AES-256 in terms of key strength, is vastly stronger than anything you
can keep in your head.
On 2/3/2017 1:20 PM, Kent Borg wrote:
> You are confusing (1) a password used as a password, and (2) a
> passphrase used for an encryption key. They are completely different.
Rather, you are assuming that Dan's case b will never happen whereas I'm
assuming that it will. There is no difference at all once case b happens.
I'm not a proponent of SSH keys per se. I'm an opponent of passwords.
They suck. They're a bad habit that the computer industry should have
long since abandoned. I prefer using SSH keys because they suck less
than using passwords and nobody has come up with anything better.
--
Rich P.
More information about the Discuss
mailing list