nanog mailing list archives
Re: LinkedIn password database compromised
From: AP NANOG <nanog () armoredpackets com>
Date: Wed, 20 Jun 2012 17:30:39 -0400
Exactly! Passwords = Fail

All we can do is make it as difficult as possible for them to crack it until the developers decide to make pretty eye candy.

- Robert Miller (arch3angel)

On 6/20/12 3:43 PM, Leo Bicknell wrote:
> In a message written on Wed, Jun 20, 2012 at 03:30:58PM -0400, AP NANOG wrote:
>> So the question falls back on how can we make things better?
>
> Dump passwords.
>
> The tech community went through this back in oh, 1990-1993 when folks were sniffing passwords with tcpdump and sysadmins were using Telnet. SSH was developed, and the problem was effectively solved.
>
> If you want to give me access to your box, I send you my public key. In the clear. It doesn't matter if the hacker has it or not. When I want to log in I authenticate with my private key, and I'm in.
>
> The leaks stop immediately. There's almost no value in a database of public keys, heck if you want one go download a PGP keyring now. I can use the same "password" (key) for every web site on the planet, web sites no longer need to enforce dumb rules (one letter, one number, one character your fingers can't type easily, minimum 273 characters).
>
> SSL certificates could be used this way today. SSH keys could be used this way today. PGP keys could be used this way today.
>
> What's missing? A pretty UI for the users. Apple, Mozilla, W3C, Microsoft IE developers and so on need to get their butts in gear and make a pretty UI to create personal key material, send the public key as part of a sign up form, import a key, and so on.
>
> There is no way to make passwords "secure". We've spent 20 years trying, simply to fail in more spectacular ways each time. Death to traditional passwords, they have no place in a modern world.