Rich Freeman via plug on 30 Apr 2022 15:26:59 -0700



Re: [PLUG] Correct Horse Battery Staple


On Sat, Apr 30, 2022 at 5:59 PM K.S. Bhaskar via plug
<plug@lists.phillylinux.org> wrote:
>
> Horse battery staple is a terrible idea. If you have to remember five random sequences of four words each, you can, but if you have to remember 20 (most people have logins for at least e-mail, social media, banking, etc.) it's questionable whether you can.

I think it comes down to "compared to what?"

I think that passphrases like this are probably the best way to deal
with random passwords.

The problem is that random passwords are terrible in general.

If your alternative is something like U2F, and you have some way to do
recovery in a secure and reasonable manner, then certainly U2F is
better.  However, if your alternative to a passphrase is the name of
your cat with an exclamation point and a number tacked on then I would
say the passphrase is better.

My frustration with solutions like U2F is that recovery is almost
always terrible, unless you're talking about something issued by an
employer (and I imagine 99.9% of employers don't do anything nearly
this secure).  Most don't have any way to back up their credentials,
and there is no central trusted authority, so if you lose one you have
to do recovery for every single service that was tied to it
separately.  Those recovery processes are almost always painful since
with the general move to free or ad-supported services most providers
can't afford to actually have any kind of robust process.  Often the
recovery processes are less secure anyway. Also, most providers don't
let you have more than one token associated with your account at one
time, which again makes recovery more painful and also makes access
less convenient, since you can't just keep a stack of them plugged
into every device you own/etc.

I guess the bottom line is that PKI is hard.  :)

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
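An added example, not part of this thread, that puts numbers on Rich's "compared to what?" point: it builds a diceware-style passphrase with a CSPRNG and compares its entropy against the "pet name + exclamation point + number" scheme. The eight-word list is a constructed stand-in and the pet-name pool sizes are assumptions for illustration.

```python
import math
import secrets

# Constructed stand-in for a diceware-style word list; a real one has 7776 words.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple",
                   "orbit", "velvet", "anchor", "pillow"]
DICEWARE_LIST_SIZE = 7776  # 6^5 entries, the size of the standard Diceware list


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent, uniform picks from `choices_per_symbol`."""
    return symbols * math.log2(choices_per_symbol)


def generate_passphrase(wordlist, n_words: int = 4, sep: str = " ") -> str:
    """Pick words uniformly with a CSPRNG, which is what makes the phrase strong.

    Strength comes from the random selection, not from the words being obscure.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def pet_name_scheme_bits(name_pool: int = 10_000, suffix_pool: int = 100) -> float:
    """Search space of '<pet name>!<number>' as an attacker would model it.

    Assumed pools: 10,000 common pet names and a one- or two-digit number.
    The fixed '!' adds nothing once the pattern is known. These are assumptions.
    """
    return math.log2(name_pool) + math.log2(suffix_pool)


def compare(n_words: int = 4) -> dict:
    """Bits of entropy for each scheme, so the two can be compared directly."""
    return {
        "random_passphrase_bits": entropy_bits(DICEWARE_LIST_SIZE, n_words),
        "pet_name_scheme_bits": pet_name_scheme_bits(),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST))
    for scheme, bits in compare().items():
        print(f"{scheme}: {bits:.1f}")
```

A four-word Diceware phrase lands near 52 bits against roughly 20 for the pet-name pattern, which is the gap the reply is pointing at.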