Re: Dear Linkedin,

[Joe Provo <nanog-post () rsuc gweep net>]

On Fri, Jun 08, 2012 at 03:17:25PM -0700, Owen DeLong wrote:
> On Jun 8, 2012, at 1:41 PM, Alec Muffett wrote:
>
> > > PS: when security is hard, people simply don't do it. Blaming the victim
> > > of poor engineering that leads people to not be able to perform best
> > > practices is not the answer.
> >
> > Passwords suck, but they are the best that we have at the moment in terms of being cheap and free from 
> > infrastructure - see http://goo.gl/3lggk
> >
> > We've been in a bubble for the past few years, where Moore's law hardware had not quite caught up with the speed of 
> > SHA and MD5 password hashing throughput for effective brute force guessing; that bubble is well and truly burst.
> >
> > Welcome back to 1995 where the advice is to change your passwords frequently, because it has a half-life of 
> > usefulness imposed upon it from (a) day to day external exposure and (b) the march of technology - and keep your 
> > hashing algorithms up to date, too.  See http://goo.gl/iL9EP for suggestions.
> >
> > Have a nice weekend,
> >
> >     -a
>
> Would it really be that hard to release a coordinated One-Time
> Password system that consumers could readily use across multiple
> sites?

Doesn't seem *that* hard; my current employer has done quite a bit of heavy
lifiting for you:

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
http://code.google.com/p/google-authenticator/
[yes iOS and blackberry as well]

Also, if you just want very lightweight implementation for paper codes, try
http://code.google.com/p/otpauth/

-- 
         RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG