Date: Tue, 21 Aug 2012 18:28:26 +0200
From: Per Thorsheim <>
Subject: Re: Arstechnica Password article (feat. Matt Weir)

On Tue, 2012-08-21 at 18:45 +0400, Solar Designer wrote:
> On Tue, Aug 21, 2012 at 04:17:18PM +0200, Samuele Giovanni Tonon wrote:
> > btw I'm quite interested by all these articles against password reuse
> > while at the same time there are a lot of people asking for single sign
> > on over the web, isn't that something contradictory?
> > 
> > And what about services like "last pass": aren't we just moving our
> > problems to the "simple one" of relying entirely for our security on one
> > single master password? It's kind of scary.
> There's some difference in terms of attack surface.  When you reuse the
> same password on multiple sites, then if any site is compromised, this
> may result in all of your accounts getting compromised.  (In practice,
> password complexity and how soon the compromise is detected and dealt
> with may play a role, though.)  When you use SSO or a password manager,
> then presumably only when this one entry point is compromised then all
> of your accounts are, but compromises of the individual sites don't
> propagate onto other sites.  (In practice, there may also be attacks
> e.g. on how authentication is implemented on the many sites.)
> That said, both approaches are risky.  Out of these alternatives, if you
> really don't want to and/or can't memorize a large number of passwords,
> using a decent local password manager app on your own computer seems best.
> Alexander

(sorry about the e-mail with nothing but quotes from me. Bad fingers,

Anyway, what happened to the old pen & paper?

Approx 2 weeks ago a 16 year old girl disappeared here in Norway (Oslo),
her smartphone and a few other things were found. Kidnapping is assumed,
no luck so far. I was interviewed in Norwegian media about various parts
of this case, but I got quoted "everywhere" for something pretty simple:

Tell your kids/teenagers to write down their user names & passwords for
various sites on a piece of paper. Put that into a sealed envelope. On
the outside it can read "My user names & passwords. For emergency use
only". (Norwegian police had trouble getting access to her Facebook
account, among other services).

My response here was to the police telling people to share their
(Facebook) passwords with somebody they trust. I for one can imagine at
least some teenagers not buying that argument, especially if we're
talking about parents.

Last but not least; I'm just repeating something (write down your
passwords) that Bruce Schneier and Jesper Johansson (ex-Microsoft) said
years ago.


As for the Ars Technica article, just to toss around several subjects
here, Matt Weir pointed Dan Goodin in my direction a looong time ago
(many months). I've helped Dan with background info, links and names of
people to talk to. Don't you worry, I've mentioned JtR, Solar Designer
and many many more that didn't make it into the article. That's really
up to Dan to decide, and anyhow I think the article turned out really

As for Passwords^12 I've got several more proposals during the last
couple of days, but there's still time to submit to the CFP. We're
hoping to open up for registrations first or second week of September.
Since we're doing 3 days including coffee/snacks/lunch and tight
budgets, we will probably charge NOK 1000,- (approx USD 180-200) for
each participant (everything is expensive in Norway, even coffee).

Best regards,
Per Thorsheim
