On 12/18/2015 03:27 PM, Brian Hankey wrote: > The question we are trying to answer here is how could we all have ultra > strong > passwords i.e. “!3AbDEE9eE45DCea” that are you unique for each and every > website, email, social media, etc. service that we use but without having to > trust any third parties to store them for us protected by single password > (perhaps with 2 factor authentication, hardware key, etc., admittedly), or to
I've been looking into this for a long time and here are two key points: 1) No matter how strong your password is, it will leak if you reuse it, because attackers hack badly secured sites/databases - this is in no way surprising, but it's "new" to non-tech-savvy people. 2) U2F, "Universal 2-Factor", is probably the best solution now - very usable, "kind of" wide-spread (see http://www.dongleauth.info/). Yubikey Neo and Yubikey 4 are the best sample devices that implement this. You plug in the token in USB slot and touch the button (malware cannot physically touch the button - this is very important in the design!). That is your answer - you don't need any third party and challenge-response makes it resistant to replay attack. Internally Yubikey uses secp-256-r1 challenge-response. However, U2F can support all kinds of authenthication, see https://www.yubico.com/2015/01/fido-u2f-ecosystem-coming-alive/ The only shame is that only recent Chrome/Chromium supports it natively in browser area. Firefox supports it as an addon (https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/). There is an implementation in Firefox Nightly, but it's broken. There's actually noone assigned to finish U2F support (information from bugzilla). If there is a substantial flaw in U2F, let's hear it. /me reminds himself to review the U2F protocol in more thorough detail now :-) Ondrej _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography