[p2p-hackers] guidelines for good password policy and maintenance/ user centric identity with single passwords (or a small number at most over time)

coderman coderman at gmail.com
Tue Mar 28 01:06:43 PST 2006


On 3/27/06, David Barrett <dbarrett at quinthar.com> wrote:
> ...
> What are your thoughts on using PKI?

fine as long as trust and identity are properly implemented. 
physically hardened tokens are very good (ex: the rsa challenge / pin
based token authenticator via radius)

SPEKE and variants are also highly recommended in my book if you can
use them in a secure context (that is, no rootkits and equivalents to
capture passwords/phrases - a situation where single use passwords /
bingo auth are helpful if secure hardware tokens are not feasible)


> For example, create private keys (with no passwords) and put them in an
> encrypted volume.  Then use one strong password to unlock your encrypted
> volume (and thus, unlock your private keys), and then SSH to everywhere else
> securely.

this works very well, and if you have hardware accelerated encryption
it can be transparent.  you can also pre-distribute keys (public and
secret) to the encrypted volumes you mount and run within (via a
secure bootstrap of course...)
[ see http://www.via.com.tw/en/initiatives/padlock/hardware.jsp ]

i think this is a rich field of discovery when considering the user
interface and authentication / session aspects of a secure system.

best regards,
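An added example, not part of the thread, of the SPEKE exchange recommended above: both sides derive the Diffie-Hellman generator from the shared password, exchange one value each, and only matching passwords produce the same session key, so a passive observer gets nothing to test guesses against offline. It generates toy 128-bit safe-prime parameters at runtime for illustration (an assumption made here; real deployments use fixed groups of 2048 bits or more).

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (stdlib only)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits=128):
    """Find p = 2q + 1 with p and q both prime (toy size, for illustration only)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def speke_generator(password, p):
    """g = H(password)^2 mod p; squaring lands g in the prime-order subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    return pow(h, 2, p)

def speke_exchange(pw_client, pw_server, p):
    """Run both sides; returns (client_key, server_key). Keys match iff passwords match."""
    g_c, g_s = speke_generator(pw_client, p), speke_generator(pw_server, p)
    a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    A, B = pow(g_c, a, p), pow(g_s, b, p)  # the only two messages on the wire
    for received in (A, B):               # reject small-subgroup / degenerate values
        if received in (0, 1, p - 1):
            raise ValueError("degenerate public value")
    size = (p.bit_length() + 7) // 8
    k_client = hashlib.sha256(pow(B, a, p).to_bytes(size, "big")).hexdigest()
    k_server = hashlib.sha256(pow(A, b, p).to_bytes(size, "big")).hexdigest()
    return k_client, k_server
```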
