On Wed, 16 Aug 2000, Johannes Geiger wrote:
thank you, Yuri, for pointing out all this. It shows two important things:
First, all the arguments brought forward here have been discussed before.
Could be. I never saw them, since I have not been on this list for long. My apologies for any redundancy. But judging by the amount of reactions there seems to be an interest for the issue.
Second, the real problem is the password approach itself. Its weaknesses are known for over TWO DECADES now (recommended reading: Robert Morris and Ken Thompson: Password Security: A Case History. In: Communications of the ACM 22(11), 1979, pp. 594-597). Still, nothing has changed.
I'm aware of this. I've read the paper. What worries me most is that, like you say, the majority of people didn't act on it.
So please, if you want to improve things, do not discuss password encryption algorithms, discuss alternatives to the password scheme as a whole!
You may be right. But the alternatives I can think of (mainly various methods of biometry like retina scan, voice recognition, etc.) are not generally available yet, are not foolproof either, and suffer from some (though not all) of the problems that passwords also suffer from (like network sniffers). I am open to any and all suggestions. But seeing that no solution is going to last forever, I'd opt for a temporary solution that is not perfect, over staying with the even worse method we use now. It is true that we will never get things 100% secure, but it seems a fallacy to me to not try and increase our percentage from - say - 40% to 65% if this can be done without too much trouble.
(And remember what Karl Valentin, a German actor, once said (translation): "Everything has been said already, but not by everyone yet." ;-) )
Very wise words! But if we would all draw our conclusions and no one would say anything at all anymore the world would get just a bit too boring for me :o)

Kind regards,
Yuri.

--------------------------------------------------------------------------
drs. Yuri Robbers                    phone : +31-71-527-4966
Leiden University                    fax   : +31-71-527-4900
Institute for Theoretical Biology    email : robbers@rulsfb.leidenuniv.nl
Kaiserstraat 63
2311 GP Leiden                       PGP 5.0 public key available:
the Netherlands                      Check your favourite hkp server.
--------------------------------------------------------------------------