Re: LinkedIn password database compromised

[AP NANOG <nanog () armoredpackets com>]

Exactly!

Passwords = Fail

All we can do is make it as difficult as possible for them to crack it 
until the developers decide to make pretty eye candy.

- Robert Miller
(arch3angel)

On 6/20/12 3:43 PM, Leo Bicknell wrote:
> In a message written on Wed, Jun 20, 2012 at 03:30:58PM -0400, AP NANOG wrote:
> > So the question falls back on how can we make things better?
> Dump passwords.
>
> The tech community went through this back in oh, 1990-1993 when
> folks were sniffing passwords with tcpdump and sysadmins were using
> Telnet.  SSH was developed, and the problem was effectively solved.
>
> If you want to give me access to your box, I send you my public
> key.  In the clear.  It doesn't matter if the hacker has it or not.
> When I want to log in I authenticate with my private key, and I'm
> in.
>
> The leaks stop immediately.  There's almost no value in a database of
> public keys, heck if you want one go download a PGP keyring now.  I can
> use the same "password" (key) for every web site on the planet, web
> sites no longer need to enforce dumb rules (one letter, one number, one
> character your fingers can't type easily, minimum 273 characters).
>
> SSL certificates could be used this way today.
>
> SSH keys could be used this way today.
>
> PGP keys could be used this way today.
>
> What's missing?  A pretty UI for the users.  Apple, Mozilla, W3C,
> Microsoft IE developers and so on need to get their butts in gear
> and make a pretty UI to create personal key material, send the
> public key as part of a sign up form, import a key, and so on.
>
> There is no way to make passwords "secure".  We've spent 20 years
> trying, simply to fail in more spectacular ways each time.  Death to
> traditional passwords, they have no place in a modern world.