Message-ID: <CAEw2jfzWp6SiKQ_xDu0uRpa5hYLRXJc8gswDmJ+0C5qEBon0Jw@mail.gmail.com>
Date: Tue, 21 Aug 2012 16:42:15 +0200
From: Patrick Mylund Nielsen <cryptography@...rickmylund.com>
To: john-users@...ts.openwall.com
Subject: Re: Arstechnica Password article (feat. Matt Weir)

You also can't really ask normal users to remember more than one secure
password, and expect that they not re-use it. (Just getting them to pick
one secure password is a challenge in itself; the xkcd troubadour comic
aptly notes that security people have shot themselves in the foot by doling
out the wrong advice for years. Good luck getting them to write down secure
and unique passwords after that...)

For 95% of users, IMO, the only short-term hope is to make password
managers so seamless/easy to use that using randomly generated and
auto-filled passwords is preferable to typing them in manually. I think
Google Chrome does this fairly well, but it could be much more aggressive.
Even having to download and learn to use another application, or an
extension like LastPass, is a roadblock for many users. Of course, then you
just have to hope that the customer support department of whatever service
provider manages your password blob or email account doesn't let anyone
bypass two-factor auth or reset the account password...

Long-term, maybe biometrics will become more ubiquitous, secure, and
supported. Very skeptical it will be soon, though. Most mainstream devices,
e.g. fingerprint readers, are still pretty much a joke, and few actually
have them.

On Tue, Aug 21, 2012 at 4:27 PM, Simon Marechal <bartavelle@...il.com> wrote:

> On 21/08/2012 16:17, Samuele Giovanni Tonon wrote:
> > And what about services like "last pass": aren't we just moving our
> > problems to the "simple one" of relying entirely for our security on one
> > single master password? It's kind of scary.
>
> Most people are already relying for their entire security on one single
> master password: that of their main e-mail account. This is because of
> the password recovery options.
>
