[cryptography] Password non-similarity?
coderman at gmail.com
Sun Jan 1 02:09:51 EST 2012
On Sat, Dec 31, 2011 at 9:36 AM, ianG <iang at iang.org> wrote:
> When I was a rough raw teenager doing this, I needed around 2 weeks to pick
> up 5 letters from someone typing like he was electrified. The other 3 were
> crunched in 4 hours on a vax780.
how many samples? (distinct shoulder surf events)
2 weeks sounds really generous.
> Force-changing the password reduces the exposure to shoulder-surfing. In
> some corporate environments they also see password changes as a way to
> reduce account sharing, but then users typically fight back with the +1
yup. this whole threat is a good example of why single sign on with
multi-factor auth is great. let the password be weak - it is only a
liveness / confirmation check. the real auth is in protected, tamper
evident (maybe resistant) hardware storage.
still sad the 1-wire tech never took off. crypto stick looks good; but
haven't played with one yet... 
and RSA SecurID is not, of course. ;)
> It is only in recent times that people have started to rethink, and decided
> the pre-Internet model is unhelpful.
changing context; it's harsh on threat models!
0. Crypto Stick