[p2p-hackers] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

Michael J Freedman mfreed at cs.nyu.edu
Mon Mar 27 12:19:32 PST 2006


> it is my personal hunch that if users had just one password they
> needed to remember they could remember a good one.  the janus stuff we

This approach is certainly commonly done by people for usability. 
However, the problem is that the best security you get is that of the security 
provided by the weakest site (i.e., the weakest-link-in-the-chain analogy).

As an example, let's say that you use the same password to log in to an 
online banking site (which really cares about security) and some 
random dating site (which stores all unencrypted passwords in a big 
plaintext file on a rootable machine).  An adversary trying to break into 
your bank account doesn't need to subvert the security of the bank site: 
he just needs to break into the dating site.  No matter how many bits of 
entropy your password has, you lose.

As a solution developed precisely for this problem, you should check out 
the pwdhash extension for browsers:

   http://crypto.stanford.edu/PwdHash/

Enjoy,
--mike


-----
www.michaelfreedman.org                              www.coralcdn.org





More information about the cypherpunks-legacy mailing list