LinkedIn password database compromised

AP NANOG nanog at armoredpackets.com
Wed Jun 20 21:30:39 UTC 2012


Exactly!

Passwords = Fail

All we can do is make it as difficult as possible for them to crack it 
until the developers decide to make pretty eye candy.

- Robert Miller
(arch3angel)

On 6/20/12 3:43 PM, Leo Bicknell wrote:
> In a message written on Wed, Jun 20, 2012 at 03:30:58PM -0400, AP NANOG wrote:
>> So the question falls back on how can we make things better?
> Dump passwords.
>
> The tech community went through this back in oh, 1990-1993 when
> folks were sniffing passwords with tcpdump and sysadmins were using
> Telnet.  SSH was developed, and the problem was effectively solved.
>
> If you want to give me access to your box, I send you my public
> key.  In the clear.  It doesn't matter if the hacker has it or not.
> When I want to log in I authenticate with my private key, and I'm
> in.
>
> The leaks stop immediately.  There's almost no value in a database of
> public keys, heck if you want one go download a PGP keyring now.  I can
> use the same "password" (key) for every web site on the planet, web
> sites no longer need to enforce dumb rules (one letter, one number, one
> character your fingers can't type easily, minimum 273 characters).
>
> SSL certificates could be used this way today.
>
> SSH keys could be used this way today.
>
> PGP keys could be used this way today.
>
> What's missing?  A pretty UI for the users.  Apple, Mozilla, W3C,
> Microsoft IE developers and so on need to get their butts in gear
> and make a pretty UI to create personal key material, send the
> public key as part of a sign up form, import a key, and so on.
>
> There is no way to make passwords "secure".  We've spent 20 years
> trying, simply to fail in more spectacular ways each time.  Death to
> traditional passwords, they have no place in a modern world.
>
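
The login flow Leo describes above (hand the site your public key in the clear, then prove possession of the private key each time you log in) as an added example that is not part of this thread; it uses Go's standard crypto/ed25519 package and an in-memory registry, and the names Server, Registry, IssueChallenge, Verify, SignChallenge and Login are this example's own. It goes one step beyond the text by making each challenge a fresh, single-use nonce bound to the user, so a signature captured on the wire cannot be replayed, and it shows why a leaked table of public keys lets nobody log in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is all the site stores per user: a public key. A dump of this
// table is of no use for logging in, which is the point of the thread.
type Registry map[string]ed25519.PublicKey

// Challenge is a fresh random nonce tied to one login attempt by one user.
type Challenge struct {
	User  string
	Nonce []byte
}

// Server holds the registry and the challenges still awaiting a signature.
type Server struct {
	keys    Registry
	pending map[string][]byte // user -> nonce issued but not yet answered
}

func NewServer() *Server {
	return &Server{keys: Registry{}, pending: map[string][]byte{}}
}

// Register is the "sign-up form" step: the user submits only a public key.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.keys[user] = pub
}

// IssueChallenge starts a login by handing the client a random nonce.
func (s *Server) IssueChallenge(user string) (Challenge, error) {
	if _, ok := s.keys[user]; !ok {
		return Challenge{}, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	s.pending[user] = nonce
	return Challenge{User: user, Nonce: nonce}, nil
}

// challengeBytes binds the signed message to this purpose and this user so a
// signature produced for one login cannot be presented anywhere else.
func challengeBytes(user string, nonce []byte) []byte {
	return append([]byte("login:"+user+":"), nonce...)
}

// Verify checks the client's signature over the outstanding nonce. The nonce
// is consumed first, so a replayed signature fails even if it was valid once.
func (s *Server) Verify(user string, sig []byte) error {
	nonce, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge for user")
	}
	delete(s.pending, user)
	if !ed25519.Verify(s.keys[user], challengeBytes(user, nonce), sig) {
		return errors.New("signature does not verify against registered key")
	}
	return nil
}

// SignChallenge is the client side: the private key never leaves the client.
func SignChallenge(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, challengeBytes(c.User, c.Nonce))
}

// Login runs the full exchange: challenge, sign, verify.
func Login(s *Server, user string, priv ed25519.PrivateKey) error {
	c, err := s.IssueChallenge(user)
	if err != nil {
		return err
	}
	return s.Verify(user, SignChallenge(priv, c))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed user key pair
	s := NewServer()
	s.Register("leo", pub)
	fmt.Println("login with the right private key:", Login(s, "leo", priv))

	// Someone who has only the registry (public keys) has no private key that
	// matches, so their attempt fails regardless of what they downloaded.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("login with a different private key:", Login(s, "leo", otherPriv))
}
```

Note that the server's mistake of reusing a nonce is the one thing this design cannot tolerate: drop the delete in Verify and a recorded signature becomes a reusable credential, which is exactly the property the thread wants to get rid of.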