Hello Yuri, hello list! On Wed, Aug 16, 2000 at 05:16:42PM +0200, Yuri Robbers wrote:
First, all the arguments brought forward here have been discussed before.
Could be. I never saw them, since I have not been on this list for long. My apologies for any redundancy. But judging by the amount of reactions there seems to be an interest for the issue.
Sorry, Yuri, for me not being clear: I absolutely do not blame you for any redundancy. On the contrary: I think your previous mail is a good summary of the state of the global discussion. I only wanted to supplement your statement with the hint to the others that the discussion started in this list had already taken place elsewhere and that there is no point in repeating it here in this list.
Second, the real problem is the password approach itself. Its weaknesses are known for over TWO DECADES now (recommended reading: Robert Morris and Ken Thompson: Password Security: A Case History. In: Communications of the ACM 22(11), 1979, pp. 594-597). Still, nothing has changed.
I'm aware of this. I've read the paper. What worries me most is that, like you say, the majority of people didn't act on it.
As above, I have not meant this as hint to you, Yuri, but to those who apparently have not been aware of it.
But seeing that no solution is going to last forever, I'd opt for a temporary solution that is not perfect, over staying with the even worse method we use now. It is true that we will never get things 100% secure, but it seems a fallacy to me to not try and increase our percentage from - say - 40% to 65% if this can be done without too much trouble.
Of course I agree with you in this point as well. But we all should be aware of the fact that the measures one should take to reach those 65% have all been well known for 20 years now, but we are still at 40%. So all, get informed! There is a lot of information out there about longer, hard-to-guess passwords, one-time-password schemes, better encryption algorithms and all those things. But most important: take a look at the alternatives to the password scheme: smartcards, cryptographic protocols, biometry, and so on. So again, Yuri, sorry for being unclear, I did not mean to criticize you.

Best regards
Johannes Geiger

-----------------------------------------------------------------
Dipl.-Inform. Johannes Geiger          geiger@informatik.tu-muenchen.de
Technische Universität München         http://wwwspies.in.tum.de/~geiger
Fakultät für Informatik                Tel.: 089/289-25723  Fax: -22037
D-80290 München
Room 3544, Entrance XI (corner of Luisen-/Theresienstraße), 3rd floor
-----------------------------------------------------------------