[153592] in North American Network Operators' Group


Password safes &c. (was: Dear Linkedin,)

daemon@ATHENA.MIT.EDU (Andrew Sullivan)
Fri Jun 8 16:49:20 2012

Date: Fri, 8 Jun 2012 16:48:38 -0400
From: Andrew Sullivan <asullivan@dyn.com>
To: nanog@nanog.org
In-Reply-To: <4FD260F2.7000407@mtcc.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
> PS: when security is hard, people simply don't do it.

I think this is exactly right.  

The idea that we are going to train everyone on earth to keep eleventy
billion distinct passwords in their heads -- or in a "password safe"
that is either (1) under someone else's control because it's a web
service or (2) inaccessible half the time because it's on their laptop
and they're using their phone now and OMG -- is preposterous.  (This
without mentioning that they also have to remember the username that
goes with it, which is _also_ variable.) 

We have an engineering challenge here, and the PKI we have so far
doesn't work.  No, I have no magic answers.  I'm not that smart.
Michael Thomas is still right about this.

Best,

A

-- 
Andrew Sullivan
Dyn Labs
asullivan@dyn.com
