[cryptography] Password non-similarity?

coderman coderman at gmail.com
Sun Jan 1 02:09:51 EST 2012

On Sat, Dec 31, 2011 at 9:36 AM, ianG <iang at iang.org> wrote:
> ...
> When I was a rough raw teenager doing this, I needed around 2 weeks to pick
> up 5 letters from someone typing like he was electrified.  The other 3 were
> crunched in 4 hours on a vax780.

how many samples? (distinct shoulder surf events)

2 weeks sounds really generous.

> Force-changing the password reduces the exposure to shoulder-surfing.  In
> some corporate environments they also see password changes as a way to
> reduce account sharing, but then users typically fight back with the +1
> technique.

yup. this whole threat is a good example of why single sign on with
multi-factor auth is great. let the password be weak - it is only a
liveness / confirmation check. the real auth is in protected, tamper
evident (maybe resistant) hardware storage.

still sad the 1-wire tech never took off. crypto stick looks good; but
haven't played with one yet... [0]

and RSA SecurID is not, of course. ;)

> It is only in recent times that people have started to rethink, and decided
> the pre-Internet model is unhelpful.

changing context; it's harsh on threat models!

0. Crypto Stick

More information about the cryptography mailing list