Date: Tue, 21 Aug 2012 14:16:00 -0500
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: john-users@...ts.openwall.com
Subject: Re: Arstechnica Password article (feat. Matt Weir)

Disclosure: I work for AgileBits, the makers of 1Password.

On 2012-08-21, at 9:17 AM, Samuele Giovanni Tonon <samu@...uxasylum.net> wrote:

> btw I'm quite interested by all these articles against password reuse while at the same time there are a lot of people asking for single sign on over the web, isn't that something contradictory?

> And what about services like "last pass": aren't we just moving our problems to the "simple one" of relying our security entirely on one single master password? It's kind of scary.

Password managers and single sign on do have you put all your eggs in one basket, and so can provide a single point of catastrophic failure.

But password reuse gives you multiple single points of catastrophic failure. And most of those points are not only out of your control, but you have no idea of how they are managed. That is, a breach at any one of the services that you use becomes a big problem. It is because of this that SSO or password managers are (correctly) considered "safer".

There are also differences among password managers. Some work through a service. LastPass is probably the best example of this. It has a number of advantages. It can support more platforms, since the client is just a browser plug-in. Because people authenticate to the service, they can offer multi-factor authentication. A disadvantage is that it also provides a single point of attack.

1Password takes the other approach. User data is on the user's machine. (Though they may use a syncing service.) 1Password doesn't connect to a service, but is used to encrypt and decrypt the data stored locally. This has the advantage of removing any dependency on the vendor (us) once you've purchased the software. And it means that there isn't a single point of attack. The attacker has to obtain each user's data separately. Disadvantages are that we can't support as many platforms as easily. Because access is through decryption instead of authentication, multi-factor authentication is not an option (though key splitting might be), and it takes more time and care to roll out changes to our data format.

Not everyone likes or agrees with the approach that we have taken, but people looking for password managers also have this choice in which password manager architecture they want.

I don't think that password managers are the long term solution, even though that is the business I'm in. I think that single sign on using public/private keys will ultimately be the solution. But I've been saying that for more than 15 years, so I don't expect that to happen any time soon.

Cheers,

-j



-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
