On 26 May 2012 06:57, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Werner Koch <w...@gnupg.org> writes: > > >Which is not a surprise given that many SSH users believe that ssh > >automagically make their root account save and continue to use their lame > >passwords instead of using PK based authentication. > > That has its own problems with magical thinking: Provided you use PK auth, > you're magically secure, even if the private key is stored in plaintext on > ten > different Internet-connected multiuser machines. I don't know how many > times > I've been asked to change my line-noise password for PK auth, told the > person > requesting the change that this would make them less secure because I need > to > spread my private key across any number of not-very-secure machines, and > they've said that's OK because as long as it uses PKCs it's magically > secure. > > Why on earth would you need to spread your private-key across any number of less secure machines? A £10 usb stick and judicious port-forwarding turns this problem in the worst case to be equivalent security to password and normally quite a bit better.
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography