Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160704122549.4943952.641.4375@eltex.net>
Date: Mon, 04 Jul 2016 15:25:49 +0300
From: Ark Arkenoi <ark@...ex.net>
To: "e@...tmx.net" <passwords@...ts.openwall.com>, passwords@...ts.openwall.com
Subject: Re: 2-Factor vs Authentication

Yes, exactly: it was meant to massively reduce false positives, while keeping false negatives acceptably low.

BTW sms was much less reliable back those days and inter-operator issues happened all the time.

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: e@...tmx.net
Sent: Monday, July 4, 2016 14:34
To: passwords@...ts.openwall.com
Reply To: passwords@...ts.openwall.com
Subject: Re: [passwords] 2-Factor vs Authentication

On 07/03/2016 07:11 PM, ArkanoiD wrote:

> The common consensus was ....
> SMS+password being better than password alone, thus adding extra layer
> won't hurt.

This is a tremendously extraordinary statement in need of a huge proof.

terms "extra layer" and "better" point to merely a cloud of human feelings.

I can accept the premise for this statement:
adding SMS to password reduces false-positive auth outcomes.
(no matter how much and how needed)

But it also increase false-negative auth outcomes!!!
AND THIS REALLY HURTS.
and I speculate sometimes it hurts the security too.


and after all, as you now witnessing, when a logically inconsistent 
bullshit becomes accepted as a part of an info system, it tends to 
overthrow the logic of the host system and turn it into crap entirely.
Same goes to the password policies.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.