[147425] in cryptography@c2.net mail archive

[Cryptography] Passwords

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Tue Oct 1 17:07:09 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <524B2CCD.5000608@zen.co.uk>
Date: Tue, 1 Oct 2013 17:04:52 -0400
To: Peter Fairbrother <zenadsl6186@zen.co.uk>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Oct 1, 2013, at 4:13 PM, Peter Fairbrother wrote:
> And as to passwords being near end-of-life? Rubbish. Keep the password database secure, give the user a username and only three password attempts, and all your GPUs and ASIC farms are worth nothing.
Yup.

I've (half-)jokingly suggested that any business maintaining a database of usernames and passwords must, by law, include within that database, under a set of fixed fake user names using exactly the same format and algorithms as are used for all other user accounts, such things as (a) the business's bank account data, including account numbers and full authentication information; (b) similar information about the top executives in the company and everyone on the management chain who has any responsibility for the database.  Once that information is in the database, the business can protect it or not, as they wish.  Let them sink or swim along with their users.

                                                        -- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
