[p2p-hackers] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)
Michael J Freedman
mfreed at cs.nyu.edu
Mon Mar 27 12:19:32 PST 2006
> it is my personal hunch that if users had just one password they
> needed to remember they could remember a good one. the janus stuff we
This approach is certainly commonly done by people for usability.
However, the problem is that the best security you get is that of security
provided by the weakest site (i.e., the weakest link in the chain analogy).
As an example, let's say that you use the same password to log in to an
online banking site (which really cares about security) and some
random dating site (which stores all unencrypted passwords in a big
plaintext file on a rootable machine). An adversary trying to break into
your bank account doesn't need to subvert the security of the bank site:
He just needs to break into the dating site. No matter how many bits of
entropy your password has, you lose.
As a solution developed precisely for this problem, you should check out
the pwdhash extension for browsers:
http://crypto.stanford.edu/PwdHash/
Enjoy,
--mike
-----
www.michaelfreedman.org www.coralcdn.org
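The weakest-link argument above, and the per-site derivation that PwdHash-style tools perform, as an added example that is not part of the original post and not the PwdHash implementation itself. The two toy sites, the user name, the master password and the HMAC-SHA256-based derivation are all constructed for this illustration; PwdHash uses its own hash and domain-normalisation rules.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the host name that salts the per-site password.

    A leading "www." is dropped so https://www.bank.example/ and
    https://bank.example/ derive the same password (a rule constructed for
    this example; PwdHash applies its own domain normalisation).
    """
    host = (urlsplit(url).hostname or url).lower()
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Derive a per-site password from one master password and the host.

    HMAC-SHA256 keyed with the master password over the host name
    (hypothetical scheme, not PwdHash).  A leaked derived password reveals
    neither the master password nor any other site's derived password,
    because recovering the HMAC key from one output is infeasible.
    """
    mac = hmac.new(master.encode(), site_key(url).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:length]


class Site:
    """Toy web site with a user table; the careless one stores plaintext."""

    def __init__(self, url: str, stores_plaintext: bool):
        self.url = url
        self.stores_plaintext = stores_plaintext
        self.users = {}

    def register(self, user: str, password: str) -> None:
        if self.stores_plaintext:
            self.users[user] = password          # the "big plaintext file"
        else:
            salt = os.urandom(16)
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
            self.users[user] = (salt, digest)    # salted, slow hash

    def login(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        if self.stores_plaintext:
            return hmac.compare_digest(rec.encode(), password.encode())
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(digest, candidate)

    def leak_database(self) -> dict:
        """Model the dating site's machine being rooted: the table walks out."""
        return dict(self.users)


def credential_reuse_attack(master: str, per_site: bool) -> bool:
    """Return True if the dating-site leak is enough to log in to the bank.

    per_site=False models one password reused everywhere;
    per_site=True models a per-site derived password.
    """
    bank = Site("https://www.bank.example/", stores_plaintext=False)
    dating = Site("https://dating.example/", stores_plaintext=True)
    if per_site:
        pw_for = lambda url: derive_site_password(master, url)
    else:
        pw_for = lambda url: master
    bank.register("alice", pw_for(bank.url))
    dating.register("alice", pw_for(dating.url))
    leaked = dating.leak_database()["alice"]     # plaintext, no cracking needed
    return bank.login("alice", leaked)


if __name__ == "__main__":
    master = "correct horse battery staple"     # constructed sample master
    print("reused password, bank breached:", credential_reuse_attack(master, per_site=False))
    print("per-site password, bank breached:", credential_reuse_attack(master, per_site=True))
```

With a reused password the leak from the plaintext site logs straight into the bank, however strong the master password is; with per-site derivation the leaked string only works at the site it was derived for, and the bank's salted hash never sees the master password at all.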