On Sat, Dec 31, 2011 at 9:36 AM, ianG <[email protected]> wrote:
> ...
> When I was a rough raw teenager doing this, I needed around 2 weeks to pick
> up 5 letters from someone typing like he was electrified. The other 3 were
> crunched in 4 hours on a vax780.

How many samples (distinct shoulder-surf events)? 2 weeks sounds really generous.

> Force-changing the password reduces the exposure to shoulder-surfing. In
> some corporate environments they also see password changes as a way to
> reduce account sharing, but then users typically fight back with the +1
> technique.

Yup. This whole threat is a good example of why single sign-on with multi-factor auth is great. Let the password be weak; it is only a liveness / confirmation check. The real auth is in protected, tamper-evident (maybe resistant) hardware storage. Still sad the 1-wire tech never took off. Crypto Stick looks good, but I haven't played with one yet... [0] And RSA SecurID is not, of course. ;)

> It is only in recent times that people have started to rethink, and decided
> the pre-Internet model is unhelpful.

Changing context; it's harsh on threat models!

0. Crypto Stick
   http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
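The split the post argues for, a weak PIN that only unlocks a signing operation inside a token while the real authentication is a challenge-response on a key that never leaves the token, as an added simulation that is not from the post, from Crypto Stick, or from any vendor's firmware. It assumes HMAC-SHA256 over a server nonce as the token's operation, a three-strike PIN lockout, and the names `Token`, `Server`, `login` and `demo`; all of these are the example's own choices. It shows why a shoulder-surfed PIN is worth little on its own, why a stolen token without the PIN is also worth little, and why a captured response cannot be replayed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Constructed simulation (not real token firmware): the per-user key lives only
# inside the Token object, and the PIN merely unlocks the token's signing step,
# which is the "liveness / confirmation check" role the post assigns to the password.


class Token:
    """Stand-in for a tamper-evident hardware token holding one HMAC key."""

    MAX_PIN_FAILURES = 3  # assumed lockout policy, chosen for the example

    def __init__(self, key: bytes, pin: str):
        self._key = key        # never leaves the token
        self._pin = pin
        self._failures = 0

    def respond(self, pin: str, challenge: bytes) -> Optional[bytes]:
        """Return HMAC(key, challenge) if the PIN is right and the token is not locked."""
        if self._failures >= self.MAX_PIN_FAILURES:
            return None                       # locked: PIN guessing is capped
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failures += 1
            return None                       # wrong PIN: refuse to sign
        self._failures = 0
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Identity provider keeping each user's token key (an HSM in a real deployment)."""

    def __init__(self):
        self._keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def enroll(self, user: str, pin: str) -> Token:
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return Token(key, pin)

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)                # fresh per attempt, so responses are single-use
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: Optional[bytes]) -> bool:
        nonce = self._pending.pop(user, None)  # consume the challenge whatever the outcome
        if nonce is None or response is None:
            return False
        expected = hmac.new(self._keys[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, user: str, token: Optional[Token], pin: str) -> bool:
    """One SSO login: the IdP challenges, the token answers, the IdP checks."""
    nonce = server.challenge(user)
    response = token.respond(pin, nonce) if token is not None else None
    return server.verify(user, response)


def demo() -> Dict[str, bool]:
    srv = Server()
    tok = srv.enroll("alice", "1234")          # deliberately weak, shoulder-surfable PIN
    results: Dict[str, bool] = {}
    results["token_and_pin"] = login(srv, "alice", tok, "1234")

    # A response captured on the wire is useless afterwards: the nonce is consumed.
    captured = tok.respond("1234", srv.challenge("alice"))
    srv.verify("alice", captured)              # legitimate use
    results["replay"] = srv.verify("alice", captured)

    # Attacker shoulder-surfed the PIN but has no token: nothing to sign with.
    results["pin_only"] = login(srv, "alice", None, "1234")

    # Attacker stole the token but not the PIN: the token refuses to sign.
    results["token_wrong_pin"] = login(srv, "alice", tok, "0000")

    # Guessing the PIN on the stolen token locks it after a few tries...
    for guess in ("0001", "0002", "0003"):
        login(srv, "alice", tok, guess)
    # ...after which even the right PIN no longer works.
    results["locked_right_pin"] = login(srv, "alice", tok, "1234")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the first login succeeds; the replay, the PIN without the token, the token with the wrong PIN, and the locked token are all rejected. The point the simulation makes is that the thing worth protecting, the key, is never typed and never observable, so the shoulder-surfing window the post describes shrinks to the PIN, whose value is bounded by the lockout.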
