On Oct 1, 2013, at 4:13 PM, Peter Fairbrother wrote:
> And as to passwords being near end-of-life? Rubbish. Keep the password
> database secure, give the user a username and only three password attempts,
> and all your GPUs and ASIC farms are worth nothing.
Yup.
I've (half-)jokingly suggested that any business maintaining a database of
usernames and passwords must, by law, include within that database, under a set
of fixed fake user names using exactly the same format and algorithms as are
used for all other user accounts, such things as (a) the business's bank
account data, including account numbers and full authentication information;
(b) similar information about the top executives in the company and everyone on
the management chain who has any responsibility for the database. Once that
information is in the database, the business can protect it or not, as they
wish. Let them sink or swim along with their users.
-- Jerry
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography