nanog mailing list archives
Re: crypto frobs
From: George Michaelson <ggm () algebras org>
Date: Tue, 24 Mar 2020 09:34:28 +1000
I don't see SKEY style OTP lists as inherently bad. "It's how you do it" which concerns me, not that it is done.

-G

On Tue, Mar 24, 2020 at 9:33 AM Christopher Morrow <morrowc.lists () gmail com> wrote:
> On Mon, Mar 23, 2020 at 7:00 PM Michael Thomas <mike () mtcc com> wrote:
> > On 3/23/20 3:53 PM, Sabri Berisha wrote:
> > > Hi,
> > >
> > > In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small python script which was triggered by a hotkey on my macbook to push "keyboard" input. They did this because the org they were working for would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.
>
> this is not: "yubikey is bad" as much as: "The user using the yubikey is bad"
>
> Admittedly perhaps: "every time new token" sucks, and that's what (I think Michael Thomas is saying below), but certainly the yubikey could have been used for TOTP instead of HOTP and the user in question would have been out of luck, right? :)
>
> Almost all security 'features' are a trade-off between: "get stuff done" and "get stuff done with an extra hop", making the 'extra hop' as simple and natural as possible makes people less likely to do dumb things like:
>   1) pregen a crapload of tokens, store them on their probably compromised laptop...
>   2) aim a webcam at their rsa token and watch the change remotely
>   3) hot-dog and sipping-bird toy to touch the thingy on their yubikey token every X seconds...
>
> > One of the things that got lost in the Webauthn stuff is that passwords per se are not bad. It's passwords being sent over the wire. In combination with reuse, that is the actual problem. Webauthn supposedly allows use of passwords to unlock a local credential store, but it is so heavily focused on dongles that it's really hard to figure out for a normal website that just wants to get rid of the burden of remote passwords.
> >
> > Mike