[SOT] {FWD} [Dailydave] Don't use vowels in passwords! (fwd)

Cathal Garvey cathalgarvey at cathalgarvey.me
Tue Nov 12 14:16:02 PST 2013


> With an average of 5 important sites and 50 less important site per
> person, it requires people to *remember* 55 totally different 20
> character passwords.

If you could be assured of client-side salted-JS-hashing of the password
prior to submitting it to the server, then you could in principle use
the same password everywhere.

This used to be the norm, but SSL made it easier first to store plains,
and then (as the security concerns of break-ins became apparent) to
store server-generated hashes. Yet many, perhaps most, services don't
do their job correctly on the server-side. If it were still done
client-side, a savvy user could make sure hashing were done correctly,
and salted appropriately.

> The world needs to forget passwords as remote identification and move
> on to client certificates. Preferably, a separate client certificate
> for each site. It takes only a small browser plug in to make it easy.

Ideally yes we'd all use unique certs for everything, but then we'd be
tied to our particular browsers.
You could make this work with a well-implemented browser sync agent,
but what about users of pathetic platforms that don't support
trustworthy browsers (iPhone, Nokia)?

-Cathal