Message-ID: <20120821144557.GA9552@openwall.com>
Date: Tue, 21 Aug 2012 18:45:57 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Arstechnica Password article (feat. Matt Weir)

On Tue, Aug 21, 2012 at 04:17:18PM +0200, Samuele Giovanni Tonon wrote:
> btw i'm quite interested by all these articles against password reuse
> while at the same time there are a lot of people asking for single sign
> on over the web, isn't something contradictory?
> 
> And what about services like "last pass": aren't we just moving our
> problems to the "simple one" of relying our security entirely on one
> single master password? it's kind of scary.

There's some difference in terms of attack surface.  When you reuse the
same password on multiple sites, then if any site is compromised, this
may result in all of your accounts getting compromised.  (In practice,
password complexity and how soon the compromise is detected and dealt
with may play a role, though.)  When you use SSO or a password manager,
then presumably all of your accounts are compromised only when this one
entry point is, but compromises of the individual sites don't
propagate to other sites.  (In practice, there may also be attacks
e.g. on how authentication is implemented on the many sites.)

That said, both approaches are risky.  Out of these alternatives, if you
really don't want to and/or can't memorize a large number of passwords,
using a decent local password manager app on your own computer seems best.

Alexander
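The attack-surface argument in the message above can be made concrete with a small model. The following Python is an added illustration, not part of Solar Designer's message or of any Openwall project: the five site names and the breach probabilities are constructed, and site breaches are assumed independent of each other and of a compromise of the manager, which is a simplification the message itself does not make.

```python
"""Model of the attack-surface argument: reused password vs. one entry point.

Added example (not from the original message). Site names and probabilities
are constructed; independence of breaches is an assumption of this model.
"""
from typing import Iterable, Set

# Constructed example: five accounts a user holds; the names are arbitrary.
SITES = ("mail", "bank", "shop", "forum", "work")


def exposed_with_reuse(breached: Iterable[str]) -> Set[str]:
    """Same password everywhere: one breached site exposes every account."""
    breached = set(breached) & set(SITES)
    return set(SITES) if breached else set()


def exposed_with_manager(breached: Iterable[str],
                         manager_compromised: bool) -> Set[str]:
    """Unique per-site passwords held in one manager (or one SSO identity):
    a site breach stays local; only loss of the entry point exposes all."""
    if manager_compromised:
        return set(SITES)
    return set(breached) & set(SITES)


def p_all_exposed_reuse(p_site: float, n: int) -> float:
    """P(all accounts exposed) with reuse: any one of n independent
    site breaches suffices, so it is 1 - (1 - p_site)^n and grows with n."""
    return 1.0 - (1.0 - p_site) ** n


def p_all_exposed_manager(p_manager: float, p_site: float, n: int) -> float:
    """P(all accounts exposed) with a manager: the entry point falls, or
    (far less likely) every one of the n sites is breached independently."""
    return 1.0 - (1.0 - p_manager) * (1.0 - p_site ** n)


if __name__ == "__main__":
    # One site ("forum") is breached; the manager itself is intact.
    print("reuse, forum breached:  ", sorted(exposed_with_reuse(["forum"])))
    print("manager, forum breached:", sorted(exposed_with_manager(["forum"], False)))
    print("manager compromised:    ", sorted(exposed_with_manager([], True)))
    # Constructed probabilities: 10% per-site breach, 2% manager compromise.
    n = len(SITES)
    print("P(all) reuse  :", round(p_all_exposed_reuse(0.10, n), 5))
    print("P(all) manager:", round(p_all_exposed_manager(0.02, 0.10, n), 5))
```

The point the model makes is the one in the message: with reuse, the chance that everything falls rises with the number of sites, while with a single entry point it is pinned to the security of that entry point, which is why the message calls both approaches risky but prefers a local manager that does not put the master secret on anyone else's server.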
