On Oct 25, 2007, at 10:09 PM, Eric Hattemer wrote:
Vince Hoang wrote:
On 10/25/07, Jim Thompson <[EMAIL PROTECTED]> wrote:
If passwords weren't "dead" already, this (or having the botnet do it on the CPUs) finished them.
In a world where bank PINs are 4 numeric digits, can you suggest practical alternatives? Biometrics are not mature enough. Two-factor authentication has existed for a long time but is not cost effective for the average consumer.
The article talks about NTLM and PGP. The answer is not passwords that are more complicated, it is passwords that can't be anonymously downloaded and cracked offsite. It doesn't matter how crappy your shadow password is if someone can only try an ssh attempt every 2 seconds or so.
You're assuming that they can't get in and read /etc/shadow. NTLM passwords are freely available to any decent cracker with a network connection to the Windows machine. If your PGP secrets are important, and you expect someone to get at them, you'd better have a ridiculously large key.
Or, better, keep the key on a separate device, such as a USB key or... a Smart Card. There are USB Smart Card readers that will hold a SIM-sized smart card.
_______________________________________________
[email protected] mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
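The exchange above turns on one distinction: an attacker who can only submit guesses to a live service is bounded by whatever pacing that service enforces, while an attacker holding a copy of the hashes (a leaked /etc/shadow, NTLM hashes pulled off a Windows box) is bounded only by hardware. The sketch below is an added example written for this thread, not code from any of the participants or from any real sshd or PAM module. It models the "one attempt every 2 seconds" policy Eric mentions as a per-source interval, and adds a per-account cap so that spreading the guesses across a botnet (Jim's scenario) does not sidestep the limit. The throttle class, the scenario functions and the attempt series they build are all constructed for illustration.

```python
"""Online-guess throttling sketch (constructed example, not a real sshd/PAM policy).

Two independent limits are enforced before a credential check is even attempted:
  * per-source pacing: a given client address may try once every N seconds, and
  * per-account budget: an account may see at most M attempts per sliding window,
    no matter how many distinct sources the attempts come from.
The second limit is what keeps a distributed (botnet) guesser from turning
"2 seconds per source" into "2 seconds per source times thousands of sources".
"""
from collections import deque


class LoginThrottle:
    def __init__(self, per_source_interval=2.0, per_account_limit=50, account_window=3600.0):
        self.per_source_interval = per_source_interval   # seconds between attempts per source
        self.per_account_limit = per_account_limit       # attempts allowed per account per window
        self.account_window = account_window             # sliding window length in seconds
        self._last_by_source = {}                        # source -> timestamp of last allowed try
        self._attempts_by_account = {}                   # account -> deque of allowed timestamps

    def allow(self, source, account, now):
        """Return True if this attempt may be checked against the credential store."""
        last = self._last_by_source.get(source)
        if last is not None and now - last < self.per_source_interval:
            return False                                 # source is trying too fast
        q = self._attempts_by_account.setdefault(account, deque())
        while q and now - q[0] > self.account_window:
            q.popleft()                                  # drop attempts outside the window
        if len(q) >= self.per_account_limit:
            return False                                 # account budget exhausted (any source)
        self._last_by_source[source] = now
        q.append(now)
        return True


def run(attempts, throttle):
    """Count how many of the (timestamp, source, account) attempts reach the password check."""
    return sum(1 for ts, src, acct in attempts if throttle.allow(src, acct, ts))


def single_source_burst():
    """One client hammering one account every 0.5 s for a minute (constructed series)."""
    attempts = [(i * 0.5, "10.0.0.1", "alice") for i in range(120)]
    return run(attempts, LoginThrottle())


def distributed_burst():
    """200 distinct sources, one guess each against the same account, 0.1 s apart (constructed)."""
    attempts = [(i * 0.1, f"bot{i}", "alice") for i in range(200)]
    return run(attempts, LoginThrottle())


def guess_ceiling(seconds, per_source_interval):
    """Upper bound on guesses a single paced source can make in `seconds`."""
    return int(seconds // per_source_interval)


if __name__ == "__main__":
    print("single source, 120 tries in 60 s ->", single_source_burst(), "reached the check")
    print("200 bots, one try each ->", distributed_burst(), "reached the check")
    print("one paced source, one year ->", guess_ceiling(365 * 86400, 2.0), "guesses max")
```

With the 2-second pacing the single source gets 30 of its 120 tries checked, and the 200-bot burst is cut off at the 50-per-hour account budget; a lone paced source tops out around 15.8 million guesses in a year, which is why the thread's point holds for online guessing and collapses the moment the hash file itself leaves the machine.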