[SOT] {FWD} [Dailydave] Don't use vowels in passwords! (fwd)

Guido Witmond guido at witmond.nl
Tue Nov 12 14:45:26 PST 2013


On 11/14/13 00:09, sharon wrote:
> below :)
> On 11/12/2013 11:48 PM, Guido Witmond wrote:
>> The world needs to forget passwords as remote identification and move on
>> to client certificates. Preferably, a separate client certificate for
>> each site. It takes only a small browser plug in to make it easy.
>>
>> Regards, Guido.

> hi, off-list.
>
> I've read a bit about your ideas for auth. It's interesting,
> but I'm not clear on one thing:
> if we're happy with keeping secrets locally, and even letting a browser
> plug-in read/write them,
> why not just generate a pgp key pair, with one good password,
> and use that to keep an encrypted file with lots of randomly generated,
> strong passwords?
> That encrypted file can be easily synced across devices, with any
> regular service, as it's encrypted.
> (or synced manually, privately)
> And the key pair should be better protected, manually synced, or for
> non-paranoid people, with the same service, since that's protected with a
> good password too.
> Of course, echo "good password"| gpg -d "password file"|grep "service
> name" could be done with a browser plugin as well.
> How is that inferior to client certificates? Or the code you wrote
> to make it happen?
>
> Thanks.
> Feel free to reply publicly if you think someone else might also benefit
> from it.

What you've designed is a classic password manager application, like
LastPass or KeePass. It's a good design for when the site requires a password.

However, as every website has its own rules for passwords (lengths,
allowed characters), it makes it a bit hit and miss whether a certain
generated password will be accepted. It would lead to having a list of
sites and recipes of what is allowed. It doesn't scale.

Besides, most sites also require an email address, so anonymity is lost.

Client certificates are already implemented in most web servers. It's a
one-line setting to accept a certain certificate authority for a site.
If that is the CA of the site owner themselves, it's even easier.

The price to pay (for end users) is to have a computer that cannot
easily be subverted by malware. Notice that's the same requirement for
password managers.

I've written about my ideas on client certificates on my site:
http://eccentric-authentication.org/

Feel free to ask if anything is not clear.

Regards, Guido.
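To show what the "one-line setting" for accepting a site-owned CA looks like in practice, here is an added nginx server block (example configuration written for this thread, not from the original mail or from the eccentric-authentication project). The hostname and the file paths under /etc/nginx/tls/ are placeholders; site-client-ca.pem is assumed to be the site owner's own CA certificate, the one that signed the per-site client certificates.

```nginx
server {
    listen 443 ssl;
    server_name example.test;   # placeholder hostname

    # Ordinary server certificate and key (placeholder paths).
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Trust only the site's own CA for client certificates. Any client
    # certificate not chaining to this CA is rejected during the handshake.
    ssl_client_certificate /etc/nginx/tls/site-client-ca.pem;
    ssl_verify_client      on;
    # Depth 1: accept only certificates signed directly by that CA,
    # not by some intermediate it may have issued.
    ssl_verify_depth       1;

    location / {
        # Hand the verified identity to the application; no password is
        # ever sent. $ssl_client_verify is SUCCESS once nginx has validated
        # the chain, so the application can rely on X-Client-DN.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The directive that does the work is `ssl_verify_client on` together with `ssl_client_certificate` pointing at the site's own CA. If a site instead sets `ssl_verify_client optional` (to let anonymous visitors through), the application behind the proxy must itself check that `$ssl_client_verify` equals `SUCCESS` before trusting the subject DN, because nginx will then forward requests from clients that presented no certificate at all.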
