On Mon, Jan 12, 2015 at 7:32 AM, Iain M Conochie <i...@thargoid.co.uk> wrote:
>
> On 10/01/15 20:31, Brian wrote:
>>
>> By all means advocate and use ssh keys. But at least provide some
>> substantial reason for spurning password login for that particular
>> situation. A blanket "don't use passwords" or "keys are better" doesn't cut
>> it.
>
>
> There are 3 (current) factors in authentication:

According to some models.

> 1. What the user knows

Knowledge is a thing which is had. It is potentially easy to duplicate, in
small pieces. The choice of which piece is used is hopefully not so easily
duplicated. This is the first assumed weakness of passwords, that most
people are lazy about the choice.

> 2. What the user has

Typical example is a bank card. Unfortunately, this is easy to duplicate, if
one is not careful about where one uses it. (ATM machines where the front
panel has been augmented by attackers, and the reader slot has a second
reader hiding in front of the real reader, provide one example.)

Physical keys, like the key to your front door or to the safe deposit box,
are another example.

> 3. What the user is

Try to define that in a way useful to authentication, without invoking
either of the above concepts.

> These increase in security as you go higher up the number.

How do you prove that? How do you define security?

> So (assuming the
> implementation is secure

Is "secure" here related to security above?

> ) my fingerprint (being something I am)

You sure it's not something you have?

> is more
> secure than a password.

Unless someone chops your hand off to steal your BMW.

> Also, an ssh-key (being something I have

Now there's an interesting assertion. It seems reasonable, if one accepts
certain implicit, arbitrary boundaries between the three classes of tokens
invoked above.

-- seems reasonable --

> ) is more
> secure than a password.

And, yet, it is no more secure than the user account on the machine in
which it is stored. (Noting, not coincidentally, that the computer storage
device acts as a memory proxy.)

> In each case we have the _implementation_

among other things

> to let us down. #1 is up to the
> user whereas #2 and #3 are up to the programmer.

I can think of a number of ways in which what you appear to be talking
about as something you have and something you are are as much under control
of the user as under control of the programmer.

> Who do you trust ;)

I would prefer that we all learn to program.

-- 
Joel Rees

The only truly secure computer is the one
that you wrote all the OS and application code for.


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/caar43iov07n20efsd2qqbxa_t_-utavabbbxg4fkyrew7c_...@mail.gmail.com