[Beowulf] Re: "hobbyists"es
spambox at emboss.co.nz
Sun Jun 22 00:50:04 PDT 2008
"Perry E. Metzger" wrote:
> "Robert G. Brown" <rgb at phy.duke.edu> writes:
>>> If they can't use public key auth, give 'em secure ids or something
>>> similar. Works fine or such purposes. Passwords are dead.
>> Yeah, Bill Gates (among others) said something like that back in 2004.
>> I confess to being deeply skeptical. Really. The SecureID solution has
>> been around for a long time at this point. It was a PITA a decade ago.
>> It is a PITA now. Expensive, too.
> It is neither. I use SecureIDs quite regularly and it isn't difficult
> at all -- you just look at the device and type in the digits. What's
> so hard about that?
The biggest problem comes when everybody wants to use them. I already have
to carry around three SecurID cards, and that number could easily hit a
dozen even if I only included networks that I log into on a nearly daily
basis and online banking sites. What is needed is the ability to securely
share a single physical token between multiple networks.
>> Then there is logging onto systems I work on -- something that IS
>> possible for me without a password. The problem there is that many of
>> the systems I'm logging in from are laptops (I have two personally,
>> about to make that three). The laptops themselves then become a
>> security risk if they are stolen,
> That's why they invented encrypted partitions, and why ssh lets you
> encrypt your public key credentials.
In some sense, encrypted keys are more of a security problem than passwords.
To break a password-based login requires an easily detected online attack.
Breaking the password on a ssh key file can be done offline, and can have
orders of magnitude more attempts thrown at it. Both depend on the user
choosing a sufficiently secure password. You have to make sure that
difficulty in obtaining the key file makes up for the easier breaking of the
Add michael@ to emboss.co.nz ---+--- My inbox is always open
More information about the Beowulf