Re: [Cryptography] Passwords

2013-10-02 Thread Jerry Leichter
On Oct 1, 2013, at 5:10 PM, Jeffrey Schiller wrote:
> A friend of mine who used to build submarines once told me that the first
> time the sub is submerged, the folks who built it are on board. :-)

Indeed.  A friend served on nuclear subs; I heard about that practice from him.
(The same practice is followed after any significant refit.)  It inspired my
suggestion.
-- Jerry

___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


[Cryptography] Passwords

2013-10-01 Thread Jerry Leichter
On Oct 1, 2013, at 4:13 PM, Peter Fairbrother wrote:
> And as to passwords being near end-of-life? Rubbish. Keep the password
> database secure, give the user a username and only three password attempts,
> and all your GPUs and ASIC farms are worth nothing.
Yup.

I've (half-)jokingly suggested that any business maintaining a database of
usernames and passwords must, by law, include within that database, under a set
of fixed fake user names using exactly the same format and algorithms as are
used for all other user accounts, such things as (a) the business's bank
account data, including account numbers and full authentication information;
(b) similar information about the top executives in the company and everyone on
the management chain who has any responsibility for the database.  Once that
information is in the database, the business can protect it or not, as they
wish.  Let them sink or swim along with their users.

-- Jerry
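The two halves of Peter's claim quoted above, a password database that is expensive to crack offline and an online limit of three attempts per username, as an added illustration that is not code from this thread or from any list member. It assumes an in-memory store, PBKDF2-HMAC-SHA256 with a per-user random salt, and a simple lock-after-three policy; all of those are choices made for the example.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3          # the "only three password attempts" policy
PBKDF2_ROUNDS = 100_000   # assumption: tune to the server's hardware budget
DUMMY_SALT = b"\x00" * 16 # constant salt used only to equalise timing for unknown users


class PasswordStore:
    """username -> {salt, hash, failures, locked}; every record uses the same format."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password, salt):
        # Slow, salted KDF: a stolen database still costs PBKDF2_ROUNDS per guess per user.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt, "hash": self._derive(password, salt), "failures": 0, "locked": False,
        }

    def is_locked(self, username):
        rec = self._users.get(username)
        return bool(rec and rec["locked"])

    def login(self, username, password):
        """Returns 'ok', 'denied' or 'locked'. Guessing online is capped at MAX_ATTEMPTS."""
        rec = self._users.get(username)
        if rec is None:
            self._derive(password, DUMMY_SALT)  # same cost as a real user: no user-enumeration by timing
            return "denied"
        if rec["locked"]:
            return "locked"                     # even the correct password is refused once locked
        candidate = self._derive(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["locked"] = True
            return "locked"
        return "denied"
```

The lockout moves the cost of a guess from the attacker's GPU to the server's policy, at the price of letting anyone who knows a username lock that account; in practice the counter is usually paired with an unlock path and with logging of the lock events.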
