Security is Inconvenient.
Author | Content |
---|---|
Bob_Robertson Jan 24, 2011 9:02 AM EDT |
Security certainly is inconvenient. And convenience is insecure. My reason for using public key authentication was to be able to turn off passwords, and make things that much harder for a cracker. With this, if someone compromises your desktop system, they get access to all the rest without a password, too. I can understand it, but I have to wonder if a simple password isn't better than no password at all. Everything is a trade-off. |
gus3 Jan 24, 2011 2:42 PM EDT |
I'd argue that a simple password is worse than none. A simple password gives a false sense of security; no password makes the lack of security very obvious. Kind of like how people without car insurance on average are better drivers. |
Bob_Robertson Jan 24, 2011 3:43 PM EDT |
Compromise one system or compromise one password. I'd rather that there be a reasonably secure password that gets written down, since anyone who can get in and physically read the post-it note is going to have physical access to the machine and then all bets are off anyway. This may be a good place for pinentry to be utilized by ssh, so that the single-sign-on can be accomplished with a reasonably secure password/phrase without having to enter it many times. I started using PGP when it first hit the 'Net, so I've seen a lot of supposed "security" come and go. |
jhansonxi Jan 24, 2011 3:46 PM EDT |
A password manager with a strong encryption key makes security easy. All of my accounts use random keys that are stored in KeePassX. |
Bob_Robertson Jan 24, 2011 3:55 PM EDT |
http://www.keepassx.org/ Let's see if it is linked to passwords in Kwalletmanager, Icewoozle, ssh and gpg... Thanks, JH. |
jhansonxi Jan 24, 2011 4:02 PM EDT |
It's not but that doesn't bother me. It is still useful for storing the SSH private key passphrase. On Ubuntu, Seahorse is integrated with GPG, network share passwords, and wireless keys. |
mrider Jan 24, 2011 4:46 PM EDT |
My ssh private key is protected by a 30+ character nonsensical (but not gibberish) pass phrase. I use keychain and ssh-askpass to store the key for me at log in. Anyone with a copy of my private key could log into a large number of systems, but they'd have to crack the pass phrase to do so. And yet I can log into a system with my public key without supplying a huge password each time. I find that to be relatively convenient, and yet it would be fairly non-trivial to brute-force my private key pass phrase... |
jezuch Feb 01, 2011 5:07 PM EDT |
I recently started formulating my passwords in Lojban. Easier to remember than random gibberish but looks the same, especially if you assume the space-less, accented style (something like "loDJEdiNUZba") ;) |
jdixon Feb 01, 2011 5:53 PM EDT |
> My ssh private key is protected by a 30+ character nonsensical (but not gibberish) pass phrase.

I wonder if anyone has ever actually used the pass phrase supercalifragilisticexpialidocious? |
Bob_Robertson Feb 01, 2011 5:59 PM EDT |
> I wonder if anyone has ever actually used the pass phrase supercalifragilisticexpialidocious?

They will now. |
tracyanne Feb 01, 2011 6:03 PM EDT |
I won't, I'd have to keep coming back here to find out how to spell it. |
Bob_Robertson Feb 01, 2011 7:07 PM EDT |
I mean in dictionary attacks. I even had to look up "squirrel" for the SQL database thread because I couldn't spell it. |
hkwint Feb 02, 2011 12:11 PM EDT |
jd: Hey, how did you know? Now I'll have to reset all my pw's! |