Date: Mon, 4 Jul 2016 14:45:38 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Re: 2-Factor vs Authentication

On 07/04/2016 02:25 PM, Ark Arkenoi wrote:
> Yes, exactly: it was meant to massively reduce false positives, while keeping false negatives acceptably low.

False negatives are never acceptably low, because they tend to occur in 
very critical moments.
For example, with SMS second factor you lose access to your account when 
travelling -- suddenly the password you carry in your VERY OWN HEAD is 
no longer proof of this head's identity -- this is fucking INSULTING.

Your interaction with your virtual representation became dependent on
fucking many random factors: your phone battery, your provider 
availability, your physical location.

Not to mention that the assumed attack cost against SS7 is only 
applicable to random strangers -- for the mobile phone operator this 
cost is ZERO.
Your SMS second factor is compromised by literally many thousands of people!

Therefore, your initially assumed cost/benefit ratio is far from being 
obvious. For me, it seems too costly, too damaging and barely beneficial 
at all.
>
> BTW sms was much less reliable back those days and inter-operator issues happened all the time.
>
> Sent from my BlackBerry 10 smartphone.
>   Original Message
> From: e@...tmx.net
> Sent: Monday, July 4, 2016 14:34
> To: passwords@...ts.openwall.com
> Reply To: passwords@...ts.openwall.com
> Subject: Re: [passwords] 2-Factor vs Authentication
>
> On 07/03/2016 07:11 PM, ArkanoiD wrote:
>
>> The common consensus was ....
>> SMS+password being better than password alone, thus adding extra layer
>> won't hurt.
>
> This is a tremendously extraordinary statement in need of a huge proof.
>
> terms "extra layer" and "better" point to merely a cloud of human feelings.
>
> I can accept the premise for this statement:
> adding SMS to password reduces false-positive auth outcomes.
> (no matter how much and how needed)
>
> But it also increases false-negative auth outcomes!!!
> AND THIS REALLY HURTS.
> and I speculate sometimes it hurts the security too.
>
>
> and after all, as you are now witnessing, when a logically inconsistent
> bullshit becomes accepted as a part of an info system, it tends to
> overthrow the logic of the host system and turn it into crap entirely.
> Same goes for the password policies.
>
