On 05/09/09 07:33, Jerry Leichter wrote:
I had a discussion with a guy at a company that was proposing to create
secure credit cards by embedding a chip in the card and replacing some
number of digits with an LCD display. The card would generate a unique
card number for you when needed. They actu
On 05/09/09 07:33, Jerry Leichter wrote:
On May 8, 2009, at 3:39 PM, Ian G wrote:
The difficulty with client certs is that I need them to also work on my
laptop. And my other laptop. And my phone.
So, how do I get hold of them when I'm on the road?
Good point. The difficulty with my passwords
On May 8, 2009, at 3:39 PM, Ian G wrote:
The difficulty with client certs is that I need them to also work on my
laptop. And my other laptop. And my phone.
So, how do I get hold of them when I'm on the road?
Good point. The difficulty with my passwords is that I have so many
that are so l
Ben Laurie writes:
>Incidentally, the reason we don't use EKE (and many other useful schemes) is
>not because they don't solve our problems, its because the rights holders
>won't let us use them.
That's not the reason, TLS-SRP isn't that annoyingly encumbered, and even the
totally unencumbered
Steven M. Bellovin wrote:
> We've become prisoners of dogma here. In 1979, Bob Morris and Ken
> Thompson showed that passwords were guessable. In 1979, that was
> really novel. There was a lot of good work done in the next 15 years
> on that problem -- Spaf's empirical observations, Klein's '90
On Sat, 21 Feb 2009 11:33:32 -0800
Ed Gerck wrote:
> I submit that the most important password problem is not that someone
> may find it written somewhere. The most important password problem is
> that people forget it. So, writing it down and taking the easy
> precaution of not keeping next t
On Tue, Feb 24, 2009 at 12:23 PM, Ed Gerck wrote:
[snip]
> What usercode? The point you are missing is that there are 2^35 private
> usercodes and you have no idea which one matches the email address that you
> want to sent your phishing email to.
What you're missing is that it doesn't matter. Th
silky wrote:
On Tue, Feb 24, 2009 at 8:30 AM, Ed Gerck wrote:
[snip]
Thanks for the comment. The BofA SiteKey attack you mention does not work
for the web access scheme I mentioned because the usercode is private and
random with a very large search space, and is always sent after SSL starts
On Tue, Feb 24, 2009 at 8:30 AM, Ed Gerck wrote:
[snip]
> Thanks for the comment. The BofA SiteKey attack you mention does not work
> for the web access scheme I mentioned because the usercode is private and
> random with a very large search space, and is always sent after SSL starts
> (hence, rem
James A. Donald wrote:
No one is going to check for the correct three letter
combination, because it is not part of the work flow, so
they will always forget to do it.
Humans tend to notice patterns. We easily notice mispelngs. Your
experience may be different but we found out in testing that
Ed Gerck wrote:
> (UI in use since 2000, for web access control and
> authorization) After you enter a usercode in the first
> screen, you are presented with a second screen to
> enter your password. The usercode is a mnemonic
> 6-character code such as HB75RC (randomly generated,
> you receive fr
silky wrote:
On Sun, Feb 22, 2009 at 6:33 AM, Ed Gerck wrote:
(UI in use since 2000, for web access control and authorization) After you
enter a usercode in the first screen, you are presented with a second screen
to enter your password. The usercode is a mnemonic 6-character code such as
HB
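The usercode scheme quoted above (a random 6-character mnemonic code such as HB75RC entered before the password, with a search space Ed Gerck puts at 2^35) is easy to reason about with a few lines of code. The following is an added example, not code from the thread or from the product Ed Gerck describes. The alphabet is an assumption: case-sensitive letters and digits with the look-alike characters 0/O and 1/l/I removed, which is one alphabet that gives a 6-character code a search space of almost exactly 2^35. It generates codes with the CSPRNG and computes the two numbers the thread argues about: the work to hit one specific user's usercode, and the much smaller work to hit *any* valid usercode once many users have been issued one.

```python
import math
import secrets

# Assumed alphabet (not stated on the page): A-Z, a-z, 0-9 minus the
# visually ambiguous characters 0, O, 1, l and I, leaving 57 symbols.
ALPHABET = "".join(
    c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    if c not in "0O1lI"
)
CODE_LEN = 6


def search_space(alphabet=ALPHABET, length=CODE_LEN):
    """Number of distinct usercodes of the given length over the alphabet."""
    return len(alphabet) ** length


def entropy_bits(alphabet=ALPHABET, length=CODE_LEN):
    """Entropy of a uniformly random usercode, in bits."""
    return length * math.log2(len(alphabet))


def generate_usercode(alphabet=ALPHABET, length=CODE_LEN):
    """Issue a fresh usercode. The usercode is a secret, so draw it from the
    OS CSPRNG via the secrets module, never from random.choice()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_well_formed(code, alphabet=ALPHABET, length=CODE_LEN):
    """Cheap syntactic check a login front end can apply before any lookup."""
    return len(code) == length and all(c in alphabet for c in code)


def expected_guesses_specific_user(alphabet=ALPHABET, length=CODE_LEN):
    """Average number of online guesses to hit one particular user's code
    when guesses are drawn without replacement: half the search space."""
    return search_space(alphabet, length) / 2


def p_guess_hits_any_user(n_users, alphabet=ALPHABET, length=CODE_LEN):
    """Probability that a single random guess matches *some* issued usercode.
    A phisher who only needs a usercode that is valid for somebody, rather
    than for a chosen victim, gets n_users chances per guess."""
    return n_users / search_space(alphabet, length)


def expected_guesses_any_user(n_users, alphabet=ALPHABET, length=CODE_LEN):
    """Expected guesses until the first hit on any issued usercode."""
    return 1 / p_guess_hits_any_user(n_users, alphabet, length)


if __name__ == "__main__":
    print("alphabet size:", len(ALPHABET))
    print("search space:", search_space(), "=~ 2^%.2f" % entropy_bits())
    print("sample usercode:", generate_usercode())
    print("guesses to hit a chosen user:", expected_guesses_specific_user())
    for n in (1_000, 1_000_000):
        print("with %d users, guesses to hit anyone: %.0f"
              % (n, expected_guesses_any_user(n)))
```

With 57 symbols the space is 57^6 = 34,296,447,249, just under 2^35, so the 2^35 figure in the thread is consistent with a case-sensitive code over an alphabet of about this size. The second calculation is the one that matters for phishing: against a site with a million accounts, a guess is valid for someone about once every 34,000 attempts, which is a very different number from the 1.7 x 10^10 guesses needed against a chosen victim, and it is the reason a rate limit on usercode attempts has to be global rather than per-account.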
On Sun, Feb 22, 2009 at 6:33 AM, Ed Gerck wrote:
> List,
>
> In a business, one must write down the passwords and one must have a
> duplicate copy of it, with further backup, where management can access it.
> This is SOP.
>
> This is done not just in case the proverbial truck hits the employee, or
>> On February 21, 2009 14:34, Ed Gerck wrote:
>> In a business, one must write down the passwords and one must have a
>> duplicate copy of it, with further backup, where management can access
>> it. This is SOP.
>>
>> This is done not just in case the proverbial truck hits the employee, or
>>
On Feb 21, 2009, at 10:26 PM, Charlie Kaufman wrote:
Assuming that's true, OTP tokens add costs by introducing new
failure modes (e.g.,
I lost it, I ran it through the washing machine, etc.)
Or even more surprising hazards.
http://home.fnal.gov/~crawdad/CryptoCard.jpg
The token on the lef
On Fri, 20 Feb 2009, Jerry Leichter wrote:
On Feb 19, 2009, at 8:36 AM, Peter Gutmann wrote:
There are a variety of password cost-estimation surveys floating around that
put the cost of password resets at $100-200 per user per year, depending on
which survey you use (Gartner says so, it mus
s are free!
--Charlie
-Original Message-
From: owner-cryptogra...@metzdowd.com [mailto:owner-cryptogra...@metzdowd.com]
On Behalf Of Peter Gutmann
Sent: Thursday, February 19, 2009 5:36 AM
To: cryptography@metzdowd.com
Subject: The password-reset paradox
There are a variety of password cost-
List,
In a business, one must write down the passwords and one must have a
duplicate copy of it, with further backup, where management can access
it. This is SOP.
This is done not just in case the proverbial truck hits the employee, or
fire strikes the building, or for the disgruntled cases,
On 19/2/09 14:36, Peter Gutmann wrote:
There are a variety of password cost-estimation surveys floating around that
put the cost of password resets at $100-200 per user per year, depending on
which survey you use (Gartner says so, it must be true).
You can get OTP tokens as little as $5. Barely
On Feb 19, 2009, at 7:36 AM, Peter Gutmann wrote:
There are a variety of password cost-estimation surveys floating around that
put the cost of password resets at $100-200 per user per year, depending on
which survey you use (Gartner says so, it must be true).
You can get OTP tokens as litt
On Fri, 20 Feb 2009 02:36:17 +1300
pgut...@cs.auckland.ac.nz (Peter Gutmann) wrote:
> There are a variety of password cost-estimation surveys floating
> around that put the cost of password resets at $100-200 per user per
> year, depending on which survey you use (Gartner says so, it must be
> tru
On Feb 19, 2009, at 8:36 AM, Peter Gutmann wrote:
There are a variety of password cost-estimation surveys floating around that
put the cost of password resets at $100-200 per user per year, depending on
which survey you use (Gartner says so, it must be true).
You can get OTP tokens as litt
There are a variety of password cost-estimation surveys floating around that
put the cost of password resets at $100-200 per user per year, depending on
which survey you use (Gartner says so, it must be true).
You can get OTP tokens as little as $5. Barely anyone uses them.
Can anyone explain wh