[cryptography] Password non-similarity?

coderman coderman at gmail.com
Sun Jan 1 02:09:51 EST 2012


On Sat, Dec 31, 2011 at 9:36 AM, ianG <iang at iang.org> wrote:
> ...
> When I was a rough raw teenager doing this, I needed around 2 weeks to pick
> up 5 letters from someone typing like he was electrified.  The other 3 were
> crunched in 4 hours on a vax780.

how many samples? (distinct shoulder surf events)

2 weeks sounds really generous.



> Force-changing the password reduces the exposure to shoulder-surfing.  In
> some corporate environments they also see password changes as a way to
> reduce account sharing, but then users typically fight back with the +1
> technique.

yup. this whole threat is a good example of why single sign on with
multi-factor auth is great. let the password be weak - it is only a
liveness / confirmation check. the real auth is in protected, tamper
evident (maybe resistant) hardware storage.

still sad the 1-wire tech never took off. crypto stick looks good; but
haven't played with one yet... [0]

and RSA SecurID is not, of course. ;)



> It is only in recent times that people have started to rethink, and decided
> the pre-Internet model is unhelpful.

changing context; it's harsh on threat models!


0. Crypto Stick
  http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/



More information about the cryptography mailing list