Mailinglist Archive: opensuse-security (601 mails)
Re: [suse-security] Re: crypt()
- From: Yuri Robbers <yuri@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 16 Aug 2000 17:14:13 +0200 (MEST)
- Message-id: <Pine.LNX.4.21.0008161701470.9487-100000@xxxxxxxxxxxxxxxxxxxx>
On Wed, 16 Aug 2000, Johannes Geiger wrote:
> thank you, Yuri, for pointing out all this. It shows two important things:
>
> First, all the arguments brought forward here have been discussed before.
Could be. I never saw them, since I have not been on this list for
long. My apologies for any redundancy. But judging by the amount of
reactions there seems to be an interest in the issue.
> Second, the real problem is the password approach itself. Its weaknesses are
> known for over TWO DECADES now (recommended reading: Robert Morris and Ken
> Thompson: Password Security: A Case History. In: Communications of the ACM
> 22(11), 1979, pp. 594-597). Still, nothing has changed.
I'm aware of this. I've read the paper. What worries me most is that, like
you say, the majority of people didn't act on it.
> So please, if you want to improve things, do not discuss password encryption
> algorithms, discuss alternatives to the password scheme as a whole!
You may be right. But the alternatives I can think of (mainly various
methods of biometry like retina scan, voice recognition, etc.) are not
generally available yet, are not foolproof either, and suffer from some
(though not all) of the problems that passwords also suffer from (like
network sniffers). I am open to any and all suggestions. But seeing that
no solution is going to last forever, I'd opt for a temporary solution
that is not perfect, over staying with the even worse method we use now.
It is true that we will never get things 100% secure, but it seems a
fallacy to me to not try and increase our percentage from - say - 40% to
65% if this can be done without too much trouble.
> (And remember what Karl Valentin, a German actor, once said
> (translation): "Everything has been said already, but not by everyone
> yet." ;-) )
Very wise words! But if we would all draw our conclusions and no one would
say anything at all anymore the world would get just a bit too boring
for me :o)
Kind regards,
Yuri.
--------------------------------------------------------------------------
drs. Yuri Robbers phone : +31-71-527-4966
Leiden University fax : +31-71-527-4900
Institute for Theoretical Biology email : robbers@xxxxxxxxxxxxxxxxxxxx
Kaiserstraat 63
2311 GP Leiden PGP 5.0 public key available:
the Netherlands Check your favourite hkp server.
--------------------------------------------------------------------------