Date: Tue, 21 Aug 2012 18:15:37 +0200
From: Per Thorsheim <per@...rsheim.net>
To: john-users@...ts.openwall.com
Subject: Re: Arstechnica Password article (feat. Matt Weir)

On Tue, 2012-08-21 at 18:45 +0400, Solar Designer wrote:
> On Tue, Aug 21, 2012 at 04:17:18PM +0200, Samuele Giovanni Tonon wrote:
> > btw I'm quite interested by all these articles against password reuse
> > while at the same time there are a lot of people asking for single sign
> > on over the web, isn't that something contradictory?
> >
> > And what about services like "last pass": aren't we just moving our
> > problems to the "simple one" of relying our security entirely on one
> > single master password? It's kind of scary.
>
> There's some difference in terms of attack surface. When you reuse the
> same password on multiple sites, then if any site is compromised, this
> may result in all of your accounts getting compromised. (In practice,
> password complexity and how soon the compromise is detected and dealt
> with may play a role, though.) When you use SSO or a password manager,
> then presumably only when this one entry point is compromised then all
> of your accounts are, but compromises of the individual sites don't
> propagate onto other sites. (In practice, there may also be attacks
> e.g. on how authentication is implemented on the many sites.)
>
> That said, both approaches are risky. Out of these alternatives, if you
> really don't want to and/or can't memorize a large number of passwords,
> using a decent local password manager app on your own computer seems best.
>
> Alexander