Dear Linkedin,

Michael Thomas mike at mtcc.com
Fri Jun 8 20:55:46 UTC 2012


On 06/08/2012 01:41 PM, Alec Muffett wrote:
>> PS: when security is hard, people simply don't do it. Blaming the victim
>> of poor engineering that leads people to not be able to perform best
>> practices is not the answer.
> Passwords suck, but they are the best that we have at the moment in terms of being cheap and free from infrastructure - see http://goo.gl/3lggk
>
> We've been in a bubble for the past few years, where Moore's law hardware had not quite caught up with the speed of SHA and MD5 password hashing throughput for effective brute force guessing; that bubble is well and truly burst.
>
> Welcome back to 1995 where the advice is to change your passwords frequently, because it has a half-life of usefulness imposed upon it from (a) day to day external exposure and (b) the march of technology - and keep your hashing algorithms up to date, too.  See http://goo.gl/iL9EP for suggestions.
>

A lot has changed from 1995, and still we're using technology that
is essentially unchanged from the 1960s. For my part, on my app/website
(Phresheez), the app actually auto-generates passwords for the user
so that they don't have to type one in. I do this mainly because people
hate typing on phones, but it has the nice property that if you have
a password exposure event, you do not have the cascading failure
mode that Linkedin has now unleashed. With apps and browsers that
can remember passwords why are we still insisting that users generate
and remember their own bad passwords? That's one reason that I
find the finger wagging tone of that Linkedin post extremely problematic --
they have obviously never even considered thinking beyond the current
bad practice.

Mike
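The two defensive ideas in this thread, client-generated random passwords so a breach does not cascade across sites, and a stored-hash format whose cost can be raised later so "keep your hashing algorithms up to date" needs no mass reset, as an added Python example (not Phresheez's code or anything from the original post; the record format, PBKDF2 parameters and function names are assumptions):

```python
import hashlib
import hmac
import os
import secrets

# Current storage policy (assumed values for this example): PBKDF2-HMAC-SHA256
# with a per-user random salt. Raising ITERATIONS later is how stored hashes
# get "kept up to date" without forcing every user through a reset.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000


def generate_password(nbytes: int = 16) -> str:
    """Client-generated random password, as an app that never asks the user
    to type one would do: 128 bits of entropy, unique per user and per site."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True when the record predates the current cost policy (fewer iterations
    or an older algorithm); the caller re-hashes on the next successful login."""
    algo, iters, _, _ = record.split("$")
    return algo != ALGO or int(iters) < ITERATIONS


def login(password: str, record: str) -> tuple[bool, str]:
    """Verify, and transparently upgrade an out-of-date record on success.
    Returns (accepted, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record
```

A fast unsalted digest such as MD5 or SHA-1 has no knob like ITERATIONS to turn, which is the point of the "bubble" remark above: once hardware catches up, the only recourse is a full reset.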