[Beowulf] Re: "hobbyists"es
Michael Brown
spambox at emboss.co.nz
Sun Jun 22 00:50:04 PDT 2008
"Perry E. Metzger" wrote:
> "Robert G. Brown" <rgb at phy.duke.edu> writes:
>>> If they can't use public key auth, give 'em secure ids or something
> similar. Works fine for such purposes. Passwords are dead.
>>
>> Yeah, Bill Gates (among others) said something like that back in 2004.
>> I confess to being deeply skeptical. Really. The SecureID solution has
>> been around for a long time at this point. It was a PITA a decade ago.
>> It is a PITA now. Expensive, too.
>
> It is neither. I use SecureIDs quite regularly and it isn't difficult
> at all -- you just look at the device and type in the digits. What's
> so hard about that?
The biggest problem comes when everybody wants to use them. I already have
to carry around three SecurID cards, and that number could easily hit a
dozen even if I only included networks that I log into on a nearly daily
basis and online banking sites. What is needed is the ability to securely
share a single physical token between multiple networks.
[...]
>> Then there is logging onto systems I work on -- something that IS
>> possible for me without a password. The problem there is that many of
>> the systems I'm logging in from are laptops (I have two personally,
>> about to make that three). The laptops themselves then become a
>> security risk if they are stolen,
>
> That's why they invented encrypted partitions, and why ssh lets you
> encrypt your public key credentials.
In some sense, encrypted keys are more of a security problem than passwords.
To break a password-based login requires an easily detected online attack.
Breaking the password on a ssh key file can be done offline, and can have
orders of magnitude more attempts thrown at it. Both depend on the user
choosing a sufficiently secure password. You have to make sure that
difficulty in obtaining the key file makes up for the easier breaking of the
password.
--
Michael Brown
Add michael@ to emboss.co.nz ---+--- My inbox is always open
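
Added example, not part of Michael Brown's message: a Python sketch of the trade-off in his closing paragraph, comparing the worst-case search time for one passphrase under a throttled online login and under offline guessing against a key file. PBKDF2 from hashlib stands in for the key file's passphrase KDF, and the entropy, online rate and core count are constructed assumptions.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_to_exhaust(entropy_bits, guesses_per_second):
    """Worst-case time, in years, to try every candidate passphrase."""
    return 2 ** entropy_bits / guesses_per_second / SECONDS_PER_YEAR


def extra_bits_needed(online_rate, offline_rate):
    """Passphrase entropy required to cancel out the faster offline rate."""
    return math.log2(offline_rate / online_rate)


def measured_kdf_rate(iterations, samples=3):
    """Derivations per second on one core at the given PBKDF2 cost."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate-%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


def compare(entropy_bits, online_rate, iterations, cores):
    """Same passphrase, two exposure models: throttled login vs. stolen key file."""
    offline_rate = measured_kdf_rate(iterations) * cores
    return {
        "online_years": years_to_exhaust(entropy_bits, online_rate),
        "offline_years": years_to_exhaust(entropy_bits, offline_rate),
        "extra_bits": extra_bits_needed(online_rate, offline_rate),
    }


if __name__ == "__main__":
    # Constructed assumptions: 40-bit passphrase, login throttled to 10 tries
    # per hour, 1000 cores available for offline guessing.
    for iterations in (1, 1_000, 100_000):
        r = compare(40, 10 / 3600, iterations, 1000)
        print(f"{iterations:>7} iterations: online {r['online_years']:.2e} y, "
              f"offline {r['offline_years']:.2e} y, "
              f"needs +{r['extra_bits']:.1f} bits to match")
```

Raising the KDF iteration count shrinks the "extra bits" figure, which is the part of the gap that key-file protection or a longer passphrase has to cover.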