Date: Tue, 21 Aug 2012 18:15:37 +0200
From: Per Thorsheim <>
Subject: Re: Arstechnica Password article (feat. Matt Weir)

On Tue, 2012-08-21 at 18:45 +0400, Solar Designer wrote:
> On Tue, Aug 21, 2012 at 04:17:18PM +0200, Samuele Giovanni Tonon wrote:
> > btw I'm quite interested by all these articles against password reuse 
> > while at the same time there are a lot of people asking for single sign 
> > on over the web, isn't that something contradictory?
> > 
> > And what about services like "last pass": aren't we just moving our 
> > problems to the "simple one" of relying entirely for our security on one 
> > single master password? It's kind of scary.
>
> There's some difference in terms of attack surface.  When you reuse the
> same password on multiple sites, then if any site is compromised, this
> may result in all of your accounts getting compromised.  (In practice,
> password complexity and how soon the compromise is detected and dealt
> with may play a role, though.)  When you use SSO or a password manager,
> then presumably only when this one entry point is compromised then all
> of your accounts are, but compromises of the individual sites don't
> propagate onto other sites.  (In practice, there may also be attacks
> e.g. on how authentication is implemented on the many sites.)
>
> That said, both approaches are risky.  Out of these alternatives, if you
> really don't want to and/or can't memorize a large number of passwords,
> using a decent local password manager app on your own computer seems best.
>
> Alexander
