On Wed, Jan 30, 2013 at 11:45 AM, Parks, Raymond <[email protected]> wrote:
> I use the one and a half factor authentication mechanism for gmail. I
> say 1 and 1/2 because it really isn't two-factor. A cell phone is not
> sufficiently unique and protected to actually be "something you have" in
> the sense of two-factor authentication. Since gmail and other sites are
> aware of my cell-phone I would have to presume an adversary would be aware
> of it and, if they didn't target it first, they would target it along with
> my on-line identities.
>

Agreed. I believe it's already happened in Europe. And also google has "trusted" computers and "Application Specific Codes", all of which weaken its security.

> I use a formulaic mechanism that involves the site name (always the same)
> and leet-speak filler. The filler varies - sometimes I derive it from an
> on-line identity, sometimes I derive it from a vehicle that I used to own,
> and frequently it involves non-English words. The primary goal is to have
> a password that uses the full ASCII character set and exceeds 15 characters
> in length. The biggest problem is that many sites have stupid rules that
> prevent me from doing exactly that. Sometimes they have length limits,
> sometimes they have character set limits, and sometimes they have limits
> they don't tell me (I have to derive what is acceptable through a repeated
> process of trial and error - I still don't know what is acceptable on my
> mortgage company's web-site). I'm not terribly worried that someone will
> derive my formula from a hacked site that stores passwords in poorly
> encrypted form - if the site uses poor encryption it's probably one of the
> ones that won't let me use my full formula. Thus, an adversary who gets my
> password on one of those sites will not be able to derive the full formula.
> My eleven character password on LinkedIn was compromised but probably not
> cracked - but I changed it to a 16 character password with a differently
> derived filler.
>

Two opinions:

- What about typing ease? .. especially on phones? Would you consider LastPass or similar?
- What about YubiKeys? It seems to be where Google is going next.

Thanks .. very useful info,

-- Owen
============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
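The thread's password scheme (site name plus a memorable filler, full printable ASCII, more than 15 characters, trimmed down for sites with length or character-set limits) is a per-site derivation done in the head. The script below is an added example, not code from either poster: it swaps the leet-speak formula for a keyed derivation, HMAC-SHA256 over the site label under a master secret, so that a password recovered from one poorly protected site does not reveal the rule that generates the others. Everything concrete here is an assumption for illustration: the hypothetical function names, the demo master secret, and the site labels are constructed, and the 94-character alphabet and 16-character default simply mirror the goals stated above.

```python
import hashlib
import hmac
import string

# Full printable ASCII (94 characters), the goal stated in the thread; sites
# with narrower rules get a restricted alphabet passed in instead.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
ALNUM_ALPHABET = string.ascii_letters + string.digits


def derive_site_password(master_secret: bytes, site: str, length: int = 16,
                         alphabet: str = FULL_ALPHABET) -> str:
    """Derive a per-site password from HMAC-SHA256(master_secret, site || counter).

    Output bytes are mapped onto `alphabet` with rejection sampling, so every
    character is equally likely (a plain modulo would bias toward the first
    few characters). Unlike a memorable formula, an attacker who recovers
    one site's password learns nothing about the master secret or any other
    site's password, provided the master secret is high entropy (>= 128 bits).
    """
    if not alphabet or len(alphabet) > 256:
        raise ValueError("alphabet must have between 1 and 256 characters")
    if length < 1:
        raise ValueError("length must be positive")
    # Normalise the label so "LinkedIn.com" and " linkedin.com" derive the same password.
    label = site.strip().lower().encode("utf-8")
    # Largest multiple of len(alphabet) that fits in a byte; bytes at or above it are rejected.
    limit = 256 - (256 % len(alphabet))
    out = []
    counter = 0
    while len(out) < length:
        # Counter-mode expansion: each block is independent, so long passwords
        # or heavy rejection just pull another 32 bytes.
        msg = label + b"\x00" + counter.to_bytes(4, "big")
        block = hmac.new(master_secret, msg, hashlib.sha256).digest()
        for b in block:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


def character_classes(password: str) -> set:
    """Report which classes (lower, upper, digit, punct) a password actually uses,
    the kind of check a site policy silently applies."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


if __name__ == "__main__":
    # Constructed demo secret; a real one comes from secrets.token_bytes(32)
    # stored in a password manager or on hardware, never typed from memory.
    master = b"demo-master-secret-not-for-real-use"
    for site in ("gmail.com", "linkedin.com"):
        pw = derive_site_password(master, site)
        print(f"{site:14} {pw}  classes={sorted(character_classes(pw))}")
    # A site that only allows letters and digits and caps length at 12.
    print("mortgage       ",
          derive_site_password(master, "mortgage.example", length=12,
                               alphabet=ALNUM_ALPHABET))
```

The trade-off against the scheme in the thread is the one Owen raises: nothing here is typeable from memory, so the master secret has to live somewhere (a password manager or a hardware token), which is exactly the dependency the formulaic approach was avoiding. The gain is that a site with weak storage or a short length cap now leaks only the password for that site.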
