From: Eugen Leitl <eugen@leitl.org>
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: LinkedIn password database compromised
Date: Wed, 20 Jun 2012 16:10:19 +0000
Message-ID: <20120620200700.GR17120@leitl.org>

----- Forwarded message from Leo Bicknell -----


From: Visgean Skeloru <visgean@gmail.com>
To: cypherpunks-legacy@lists.cpunks.org
Subject: Re: LinkedIn password database compromised
Date: Fri, 22 Jun 2012 17:06:04 +0000
In-Reply-To: <20120620200700.GR17120@leitl.org>

About six months ago I had a similar idea and I found the following:

https://www.gnu.org/software/gnutls/
http://enigform.mozdev.org/
https://github.com/firegpg/firegpg/tree/master/content/GpgAuth
http://gpgauth.org/

but none of them seems to be user-friendly...

2012/6/20 Eugen Leitl

> ----- Forwarded message from Leo Bicknell -----
>
> From: Leo Bicknell
> Date: Wed, 20 Jun 2012 12:43:44 -0700
> To: nanog(a)nanog.org
> Subject: Re: LinkedIn password database compromised
> Organization: United Federation of Planets
>
> In a message written on Wed, Jun 20, 2012 at 03:30:58PM -0400, AP NANOG wrote:
> > So the question falls back on how can we make things better?
>
> Dump passwords.
>
> The tech community went through this back in oh, 1990-1993 when
> folks were sniffing passwords with tcpdump and sysadmins were using
> Telnet. SSH was developed, and the problem was effectively solved.
>
> If you want to give me access to your box, I send you my public
> key. In the clear. It doesn't matter if the hacker has it or not.
> When I want to log in I authenticate with my private key, and I'm
> in.
>
> The leaks stop immediately. There's almost no value in a database of
> public keys, heck if you want one go download a PGP keyring now. I can
> use the same "password" (key) for every web site on the planet, web
> sites no longer need to enforce dumb rules (one letter, one number, one
> character your fingers can't type easily, minimum 273 characters).
>
> SSL certificates could be used this way today.
>
> SSH keys could be used this way today.
>
> PGP keys could be used this way today.
>
> What's missing? A pretty UI for the users. Apple, Mozilla, W3C,
> Microsoft IE developers and so on need to get their butts in gear
> and make a pretty UI to create personal key material, send the
> public key as part of a sign up form, import a key, and so on.
>
> There is no way to make passwords "secure". We've spent 20 years
> trying, simply to fail in more spectacular ways each time. Death to
> traditional passwords, they have no place in a modern world.
>
> --
> Leo Bicknell - bicknell(a)ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/
>
> ----- End forwarded message -----
> --
> Eugen* Leitl leitl http://leitl.org
> ______________________________________________________________
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

--
GPG pub key | github/visgean | jabber
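The public-key login that Leo Bicknell's forwarded post describes, written out as an added example (not code from anyone in the thread): the site stores only public keys, and a login is a signature over a fresh server-chosen nonce, so a dump of the stored table yields nothing an attacker can log in with. It assumes Ed25519 from the Go standard library; the UserDB, Enroll, Challenge, Respond and Verify names and the "alice" account are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// UserDB is all the site stores: one public key per account. It is the
// only table a breach could expose, and it holds no secret material.
type UserDB map[string]ed25519.PublicKey

// Enroll is sign-up: the user submits only the public half of a keypair,
// in the clear, exactly as the post describes.
func Enroll(db UserDB, user string, pub ed25519.PublicKey) { db[user] = pub }
// Challenge is a fresh random nonce per login attempt, so a captured
// response cannot be replayed against a later challenge.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond runs on the client: it proves possession of the private key by
// signing the nonce. The private key never leaves the client.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Verify runs on the server: the response is accepted only if it is a
// valid signature over this nonce under the stored public key.
func Verify(db UserDB, user string, nonce, sig []byte) bool {
	pub, ok := db[user]
	if !ok || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	db := UserDB{}
	Enroll(db, "alice", pub) // constructed sample account
	nonce, _ := Challenge()
	fmt.Println("genuine login:", Verify(db, "alice", nonce, Respond(priv, nonce))) // true
	// A holder of the dumped table has pub but not priv, so anything it
	// submits fails; here a zeroed signature stands in for such a guess.
	fmt.Println("forged login:", Verify(db, "alice", nonce, make([]byte, ed25519.SignatureSize))) // false
}
```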