http://faerye.net/post/reality-gap-passwords Comments on "Reality Gap: Passwords" - Faerye Net 2003-09-22T14:29:00+00:00

http://faerye.net/post/reality-gap-passwords#comment-569 Re: Strip and Smart Cards 2003-09-22T14:29:00+00:00
<p>The French (and most of the rest of Europe) use smart cards extensively. A couple of the Norse countries have national ID cards that are smart cards. I really like the idea of pervasive smart-card authentication. It just makes more sense than the myriad of different mechanisms in use at present. Passwords are far too cumbersome for the average joe. <br /> <br /> The concern of course, is privacy. It&#8217;s easier to collect info on a person if electronic ID is connected to everything they do. Something like this would make TIA a really easy thing to do, not that it&#8217;s so hard now. But I feel that we could overcome the privacy concerns with appropriate legislation and that the benefits would be enough to outweigh the potential detriments.</p>
Mithrandir

http://faerye.net/post/reality-gap-passwords#comment-566 Re: Strip and Smart Cards 2003-09-19T12:29:59+00:00
<p>Ah. Fleas*.<br /> <br /> *This is the literal translation for the French word for microchip. I do not make this up!</p>
felicity

http://faerye.net/post/reality-gap-passwords#comment-565 Re: Strip and Smart Cards 2003-09-19T12:28:44+00:00
<p>A smart card is a card (credit card-sized or smaller) with an embedded secure cryptoprocessor. The SIM card in your cell phone is a smart card, as are some newer credit cards and ATM cards. Basically, it&#8217;s a super-secure high-tech key.</p>
wonko

http://faerye.net/post/reality-gap-passwords#comment-564 Re: Mary had a little lamb... 2003-09-19T11:36:24+00:00
<p>I think when it comes down to it, one or both of the following are true:<br /> <br /> 1. Boss does not have the capacity to remember passwords.<br /> 2.
Boss thinks or feels that remembering passwords is &#8220;beneath him&#8221; or otherwise ridiculous.</p>
felicity

http://faerye.net/post/reality-gap-passwords#comment-563 Re: Remembering passwords 2003-09-19T11:32:28+00:00
<p>Well, for most things there&#8217;s a work-around. Websites have the ever-popular reset or e-mail password, if it&#8217;s your own box, I understand rooting it is fairly easy when you have physical access&#8230;</p>
felicity

http://faerye.net/post/reality-gap-passwords#comment-562 Re: Strip and Smart Cards 2003-09-19T11:30:57+00:00
<p>Smart cards. What is this?</p>
felicity

http://faerye.net/post/reality-gap-passwords#comment-561 Re: Strip and Smart Cards 2003-09-19T11:30:48+00:00
<p>I can certainly see how a program like Strip would be very convenient, and I can even concede that it looks very secure, but the problem I have with that is that no matter how well-encrypted all that information is, there&#8217;s still just one point of failure: the password used to gain access to Strip itself.<br /> <br /> It&#8217;s like a nice big armored vault that you put all your eggs in, with a huge iron door protecting the only entrance, but with only a single little deadbolt keeping all that iron in place. It&#8217;s real secure until someone finds the deadbolt key.</p>
wonko

http://faerye.net/post/reality-gap-passwords#comment-560 Strip and Smart Cards 2003-09-19T09:13:11+00:00
<p>I have tons of passwords. I write them all down. I feel that it&#8217;s more important to use different passwords in different places than to avoid recording one&#8217;s passwords. However, one must take pains to keep recorded passwords secure. So I use <a href="http://www.zetetic.net/products.html">Strip</a>. It&#8217;s nice, it works well, it employs solid algorithms, it&#8217;s free and it&#8217;s portable.
Plus, it solves the related problems of which username I used at a given site, which is as big a problem for me as passwords.<br /> <br /> This sort of thing is a big problem, particularly for small businesses. Large companies have full-time IT staff and well-designed authentication structures such that there are a number of IT support people who can reset the passwords of various users. Thus, as long as one of the IT guys remembers his password, life goes on. But small businesses don&#8217;t have IT staff, and they usually don&#8217;t have lots of tech-savvy users either. <br /> <br /> This is why I think smart card authentication is important. Biometrics are too easy to fake. Smart cards are pretty hard to break into in the first place, and you have to steal the physical card first. <br /> <br /> I don&#8217;t know if Apple has a smart card authentication solution. I know NT can be made to work with them. In the Unix world, there&#8217;s some really cool stuff that uses them, like <a href="http://wwws.sun.com/sunray/sunray1/features.html">Sun Ray</a> thin clients. There are also various Linux projects that are working on this sort of thing. Some of them work with OS X, and some sound quite mature.</p>
Mithrandir

http://faerye.net/post/reality-gap-passwords#comment-559 Mary had a little lamb... 2003-09-19T00:33:07+00:00
Although not as systematic as Wonko, I do have a somewhat similar approach to passwords. And I, too, have great trouble remembering which password I used for what, but try to keep things simple by using different classes of passwords matching whatever security level is required. And I try to keep passwords meaningful &#8211; at least to me. Things like &#8220;AN/ALQ-162&#8221;. Look it up, and it&#8217;ll make sense when I tell you that I was in the Air Force.
<p> When it has to be safe, though, I like to remember sentences instead of just meaningless alphanumeric sequences.
A sentence like &#8220;When it comes to Hard Work, Everyone must pull Their own Weight&#8221; becomes the password &#8220;WictHWE1htpToW8&#8221;. This makes it a lot easier to remember long passwords &#8211; perhaps you should try that on your boss?</p>
GreyStork

http://faerye.net/post/reality-gap-passwords#comment-557 Remembering passwords 2003-09-18T16:56:38+00:00
<p>I have no trouble at all remembering long, complex, alphanumeric passwords with mixed case and special characters, but I have a <i>huge</i> problem remembering which password I&#8217;ve used where.</p>
<p> To make things easier on myself, I&#8217;ve started using a three-tier system. Each tier contains three passwords, and the complexity of the passwords rises with each tier, so that the bottom tier is secure but relatively simple, whereas the top tier tends to be 15+ characters long and extremely convoluted. Needless to say, the tier 1 passwords are used for websites and throwaway things that I don&#8217;t care much about, tier 2 passwords for email and other moderate security concerns, and tier 3 passwords for high risk things like bank accounts and root logins. </p>
<p> Now all I have to remember is which tier I used, which is pretty easy to figure out. If I forget which password I used for Faerye.net, all I need to do is try my three tier 1 passwords until one works. Most login forms allow at least three tries before locking you out, so that&#8217;s no problem. </p>
<p> Oh yeah, and none of my passwords are ever written down anywhere. If I ever forget them, I&#8217;m screwed, but at least my data is safe. </p>
wonko