Re: [Fed-Talk] Password issues
- Subject: Re: [Fed-Talk] Password issues
- From: Jeffrey Walton <email@hidden>
- Date: Wed, 22 Aug 2012 13:14:12 -0400
On Wed, Aug 22, 2012 at 10:03 AM, William Cerniuk <email@hidden> wrote:
>
> It really becomes hard on folks that are denizens of the Internet rather than casual visitors.
>
> This is where the OpenID approach comes to the rescue. OpenID is a real single sign on system that works. Is a godsend. And best of all, transparent to the user. Almost everyone here has an OpenID and probably has used it for single sign on without knowing it.
>
Thanks for not saying Open Auth. OAuth 1.0 is broken (session
fixation), and OAuth 2.0 is soon to be broken
(http://www.h-online.com/security/news/item/OAuth-2-0-editor-resigns-and-takes-name-off-spec-1654984.html).
Jeff
> On Aug 21, 2012, at 12:59 PM, Todd Heberlein <email@hidden> wrote:
>
>> Great (and lengthy) Ars Technica article on the weakness of passwords.
>>
>> Why passwords have never been weaker—and crackers have never been stronger
>> http://arstechnica.com/security/2012/08/passwords-under-assault/
>>
>>
>> A summary of why passwords have become so much weaker in the past few years includes:
>>
>> (1) Technical advances such as GPUs and rainbow tables
>>
>> (2) Crowd and bot-net sourcing of password cracking
>>
>> (3) Password reuse (ask the guy at HBGary Federal about this one!)
>>
>> (4) Entropy analysis on large corpuses of passwords.
>>
>> That last one I found interesting because this is something I've wondered about for years since doing a little linguistic analysis. In short, forcing a user to choose longer passwords but letting them choose the password doesn't help so much because we humans have a limited repertoire of tricks we use.
>>
>> The large corpus of passwords collected over the last few years has let crackers essentially crack the way we think. Another way of looking at it: the attackers are attacking the random number generator of our brains -- and it's a pretty sucky random number generator.
>>
>> A couple of recommendations:
>>
>> (A) Don't reuse passwords at multiple services.
>>
>> (B) Use something like 1Password to manage large, randomly generated passwords.
>>
>> (C) Have your organizational security administrators constantly download the latest hashes posted to public sites like pastebin.com looking for your organization's hashes in the list.
>>
>> (I don't remember any mention of 2-factor authentication)
>>
>>
>> I'm seriously thinking about starting to use 1Password.
>>
>> Todd
>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
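Recommendation (C) in the quoted message, checking public hash dumps for your own organization's accounts, and point (3), password reuse, can both be turned into a small monitoring check. The following is an added example written for this archive page, not code from anyone in the thread. It assumes the dump has already been downloaded and is handed in as text, that the organization's own password store uses a legacy unsalted SHA-1 scheme (an assumption made so that digest matching is even possible), and that the organization's domain is `example.org`. Every identifier, password and digest in the sample is constructed; the digests are computed in the block so the sample is self-consistent.

```python
import hashlib
import re
from dataclasses import dataclass

# Helpers used only to build the constructed sample below.
def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def _sha1(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()

# Constructed sample paste (not a real leak). Lines follow the loose
# "identifier:hash" shapes such dumps take: mixed separators, mixed case,
# a comment, a malformed line and one non-hex (bcrypt-style) digest.
SAMPLE_DUMP = "\n".join([
    "# constructed sample, not a real paste",
    f"alice@example.org:{_md5('summer2012')}",
    f"bob@other.example.com:{_sha1('letmein')}",
    f"carol@EXAMPLE.org;{_sha1('correcthorse')}",
    f"dave@other.example.com:{_md5('summer2012')}",
    "malformed line without a separator",
    "erin@another.example.net:$2y$10$abcdefghijklmnopqrstuu",
    f"frank.personal@other.example.com:{_sha1('tr0ub4dor&3')}",
])

# The organization's own stored digests (constructed, assumed legacy
# unsalted SHA-1), keyed by account name. Only unsalted digests can be
# matched against a dump at all; a salted scheme defeats this comparison.
ORG_HASHES = {
    "alice": _sha1("summer2012"),
    "carol": _sha1("correcthorse"),
    "frank": _sha1("tr0ub4dor&3"),
}

HEX_LEN_TO_SCHEME = {32: "md5", 40: "sha1", 64: "sha256"}
LINE_RE = re.compile(r"^\s*([^:;\s]+)\s*[:;]\s*(\S+)\s*$")


@dataclass(frozen=True)
class DumpEntry:
    identifier: str
    digest: str
    scheme: str


def classify(digest: str) -> str:
    """Guess the digest scheme from its shape (length of a hex string)."""
    if re.fullmatch(r"[0-9a-fA-F]+", digest):
        return HEX_LEN_TO_SCHEME.get(len(digest), "unknown-hex")
    return "non-hex"


def parse_dump(text: str) -> list[DumpEntry]:
    """Parse identifier/digest pairs, skipping comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        identifier, digest = m.group(1), m.group(2)
        scheme = classify(digest)
        if scheme != "non-hex":
            digest = digest.lower()  # normalise hex so comparisons are exact
        entries.append(DumpEntry(identifier, digest, scheme))
    return entries


def domain_of(identifier: str) -> str:
    return identifier.rpartition("@")[2].lower()


def find_exposure(entries, org_domain, org_hashes):
    """Two independent checks: entries naming an account in the org's domain,
    and entries whose digest equals one of the org's stored digests (the same
    password reused elsewhere under the same unsalted algorithm)."""
    by_domain = [e for e in entries if domain_of(e.identifier) == org_domain.lower()]
    reverse = {}
    for user, digest in org_hashes.items():
        reverse.setdefault(digest.lower(), []).append(user)
    by_hash = [(e, reverse[e.digest]) for e in entries if e.digest in reverse]
    return by_domain, by_hash


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    by_domain, by_hash = find_exposure(entries, "example.org", ORG_HASHES)
    for e in by_domain:
        print(f"org account appears in dump: {e.identifier} ({e.scheme})")
    for e, users in by_hash:
        print(f"org password reused elsewhere: {e.identifier} matches {users}")
```

On the constructed sample the domain check flags `alice` and `carol`, and the digest check flags `carol` and `frank`'s personal account, the latter being the reuse case the quoted message warns about: a password leaked from another site that is identical to one in the organization's store. Note what the digest check cannot see: `dave` reused `alice`'s password, but that site stored MD5 while the organization stores SHA-1, so the digests differ. The same property is why salting matters; it removes exactly this cross-dump comparability, for defenders and attackers alike.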