[p2p-hackers] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

coderman coderman at gmail.com
Mon Mar 27 09:10:16 PST 2006


On 3/27/06, Alen Peacock <alenlpeacock at gmail.com> wrote:
> ...
> The overarching theme of the book is that theoretically secure systems
> with usability problems end up being neither secure (because users
> subvert them) nor usable.

very true.


>  Some findings from Chap 7 include the fact
> that a significant number of users did not comply with instructions
> for password generation

it is my personal hunch that if users had just one password they
needed to remember they could remember a good one.  the janus stuff we
are working on uses loop-aes volumes specifically so you can store
passwords in a browser, store capability URLs, keep accounts and
logins in a text file, etc.

[i'd love to know of any studies to this end though.  i have tried
experiments to see just how much entropy i can commit to memory and it
is more than enough for a good interactive authentication.  i think
this is within the ability of most, if they had a desire to do so and
understood the benefit.]

so the goal is to provide a usable system with a single password, and
make it user centric, so that all the other credentials and secrets
associated with other digital identities can benefit from this bootstrap
(and presumably share this more secure bootstrap).
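The single-password bootstrap argued for above, reduced to an added example that is not code from the thread and not the janus design (which the message does not describe): one memorised passphrase is stretched with scrypt and the result keys the derivation of independent per-service secrets, while the entropy figure shows what a diceware-style passphrase of a given length contributes. The passphrase, salt, site labels and derivation labelling are constructed assumptions.

```python
import base64
import hashlib
import hmac
import math

# Constructed example values; neither the message nor janus supplies these.
MASTER_PASSPHRASE = "correct horse battery staple raven"   # 5 diceware-style words
USER_SALT = b"example-user-salt"   # per-user, non-secret, stored next to the vault


def passphrase_entropy_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase of `word_count` words drawn uniformly from a
    wordlist; 7776 is the size of the standard diceware list."""
    return word_count * math.log2(wordlist_size)


def derive_master_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the one remembered passphrase with scrypt. This is the only
    secret the user has to memorise; everything else is derived from it, so
    the memorised entropy is the ceiling on the whole scheme's strength."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def derive_site_secret(master_key: bytes, site: str, counter: int = 1) -> bytes:
    """Derive an independent secret per service by keying HMAC-SHA256 with the
    master key and a site label (hypothetical labelling scheme). Bumping the
    counter rotates one site's secret without touching the master passphrase;
    a leaked site secret does not reveal the master key or other sites."""
    label = f"site:{site}:v{counter}".encode("utf-8")
    return hmac.new(master_key, label, hashlib.sha256).digest()


def site_password(master_key: bytes, site: str, counter: int = 1,
                  length: int = 20) -> str:
    """Render a site secret as a password string a login form will accept."""
    raw = derive_site_secret(master_key, site, counter)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    print(f"memorised entropy: {passphrase_entropy_bits(5):.1f} bits")
    mk = derive_master_key(MASTER_PASSPHRASE, USER_SALT)
    for site in ("mail.example", "bank.example"):
        print(site, site_password(mk, site))
```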
