Message-ID: <1345565737.19577.0.camel@k>
Date: Tue, 21 Aug 2012 18:15:37 +0200
From: Per Thorsheim <per@...rsheim.net>
To: john-users@...ts.openwall.com
Subject: Re: Arstechnica Password article (feat. Matt Weir)
On Tue, 2012-08-21 at 18:45 +0400, Solar Designer wrote:
> On Tue, Aug 21, 2012 at 04:17:18PM +0200, Samuele Giovanni Tonon wrote:
> > btw I'm quite interested by all these articles against password reuse
> > while at the same time there are a lot of people asking for single sign
> > on over the web, isn't it something contradictory?
> >
> > And what about services like "last pass": aren't we just moving our
> > problems to the "simple one" of relying for our security entirely on one
> > single master password? It's kind of scary.
>
> There's some difference in terms of attack surface. When you reuse the
> same password on multiple sites, then if any site is compromised, this
> may result in all of your accounts getting compromised. (In practice,
> password complexity and how soon the compromise is detected and dealt
> with may play a role, though.) When you use SSO or a password manager,
> then presumably only when this one entry point is compromised then all
> of your accounts are, but compromises of the individual sites don't
> propagate onto other sites. (In practice, there may also be attacks
> e.g. on how authentication is implemented on the many sites.)
>
> That said, both approaches are risky. Out of these alternatives, if you
> really don't want to and/or can't memorize a large number of passwords,
> using a decent local password manager app on your own computer seems best.
>
> Alexander
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)