On Fri, Jun 08, 2012 at 03:17:25PM -0700, Owen DeLong wrote: > > On Jun 8, 2012, at 1:41 PM, Alec Muffett wrote: > > >> PS: when security is hard, people simply don't do it. Blaming the victim > >> of poor engineering that leads people to not be able to perform best > >> practices is not the answer. > > > > Passwords suck, but they are the best that we have at the moment in terms > > of being cheap and free from infrastructure - see http://goo.gl/3lggk > > > > We've been in a bubble for the past few years, where Moore's law hardware > > had not quite caught up with the speed of SHA and MD5 password hashing > > throughput for effective brute force guessing; that bubble is well and > > truly burst. > > > > Welcome back to 1995 where the advice is to change your passwords > > frequently, because it has a half-life of usefulness imposed upon it from > > (a) day to day external exposure and (b) the march of technology - and keep > > your hashing algorithms up to date, too. See http://goo.gl/iL9EP for > > suggestions. > > > > Have a nice weekend, > > > > -a > > > > Would it really be that hard to release a coordinated One-Time > Password system that consumers could readily use across multiple > sites?
Doesn't seem *that* hard; my current employer has done quite a bit of heavy lifiting for you: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en http://code.google.com/p/google-authenticator/ [yes iOS and blackberry as well] Also, if you just want very lightweight implementation for paper codes, try http://code.google.com/p/otpauth/ -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG