> From: David Nolan [mailto:vitr...@gmail.com]
>
> One of the tenets of the pkinit RFC is that it makes the Kerberos initial key
> exchange better, not because the key/password isn't exposed to the KDC,
> but because the key isn't generated from a password. Any mechanism for
> generating a key from a human-typed password is only as secure as the
> password, and 20+ years of evidence shows humans (in aggregate) are
> horrible at generating secure passwords. Can you explain how/if cbcrypt
> solves that problem?
Passwords are also known as "low entropy secrets." It's acknowledged that high entropy secrets are stronger cryptographically, but generally considered beyond human memorization, which means they need to be synced across devices or stored on a device. There are many situations where that's possible, and desirable. There are also, however, many situations where the only secret available to identify the user is the low entropy secret.

There is no good reason to expose the low entropy secret. Besides the unnecessary security risk, there are legal implications to exposing the password (Third Party Doctrine).

(Tangent: Somebody here argued that there is a good reason to expose the password, which is the desire to use the service that requires password exposure. For clarification, I am saying there is no good reason to design a server or service in such a way that requires users to expose their passwords to you. If you offer a service over HTTPS, but require them to submit their passwords to you, it's like saying "You shouldn't trust anyone with that private sensitive information. But don't worry about me.")

Even with good salting and rate limiting, the weakest passwords are easily guessable. For those people, not exposing the password provides zero security, but may provide improved legal rights. For people with moderate passwords, salting and rate limiting are actually effective at thwarting non-targeted scale attacks - like when Ashley Madison bcrypt strings were leaked, only a tiny percentage of the weakest passwords were exposed. It was determined to be cost prohibitive to pursue much more of an attack to crack more passwords. That only changed after the MD5 exposure was discovered, undermining the bcrypt protections.

Of course, the rare few people who memorize *actually* strong passwords can protect themselves for real, as long as the passwords don't get exposed. But with password exposure, even these people have no security, and may have no legal rights to keep their information private. (Legal rights, of course, varying from person to person, place to place, situation to situation.)

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
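The "don't expose the password" design argued for in the reply, as an added illustration that is not part of the thread and is not cbcrypt's actual algorithm: a hypothetical scheme in which the client derives a key from the password with a slow KDF (salted deterministically by service and username so no state needs syncing), the server only ever stores a salted hash of that derived key, and an offline guess against a leaked record still recovers a weak password while a strong one survives.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Client side: derive a key so the password itself is never sent. The salt
# is service:username so any device can recompute it without synced state.
# (Hypothetical scheme constructed for this example, not cbcrypt's design.)
def client_derive(service: str, username: str, password: str,
                  iterations: int = 10_000) -> bytes:
    salt = f"{service}:{username}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

# Server side: never sees the password; stores a random-salted hash of the
# derived key so a database leak is not directly a reusable login token.
def server_enroll(derived: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "verifier": hashlib.sha256(salt + derived).digest()}

def server_verify(record: dict, derived: bytes) -> bool:
    candidate = hashlib.sha256(record["salt"] + derived).digest()
    return hmac.compare_digest(candidate, record["verifier"])

# Offline guessing against a leaked record: each guess costs one slow client
# derivation, so total cost is bounded by password entropy, which is the
# reply's point that weak passwords fall no matter where the hashing runs.
def offline_guess(record: dict, service: str, username: str,
                  wordlist: Iterable[str]) -> Optional[str]:
    for guess in wordlist:
        if server_verify(record, client_derive(service, username, guess)):
            return guess
    return None

def demo() -> dict:
    service, user = "example.test", "alice"        # constructed identifiers
    weak = "password1"                              # constructed weak secret
    strong = "c0rrect-horse-battery-staple-7Q"      # constructed strong secret
    weak_rec = server_enroll(client_derive(service, user, weak))
    strong_rec = server_enroll(client_derive(service, user, strong))
    wordlist = ["123456", "letmein", "password1", "qwerty"]  # constructed toy list
    return {
        "weak_recovered": offline_guess(weak_rec, service, user, wordlist),
        "strong_recovered": offline_guess(strong_rec, service, user, wordlist),
        "login_ok": server_verify(weak_rec, client_derive(service, user, weak)),
        "wrong_rejected": server_verify(weak_rec, client_derive(service, user, "nope")),
    }

if __name__ == "__main__":
    print(demo())
```

The server code path never handles the plaintext password, which is what removes the exposure risk discussed above; it does nothing for a password that is already in the guess list.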