[Discuss] deadmanish login?

[richard.pieri at gmail.com (Richard Pieri)]

On 2/3/2017 12:43 PM, Dan Ritter wrote:
> a) it has a zero-latency, no penalty for wrong-guesses method of
> trying passwords

In this case security depends almost entirely on intrusion prevention
systems.

> b) it has the hash of the passphrase in front of it and is generating
> matches.

And in this case, after case a has failed, password quality becomes a
relevant factor. At this point a 521-bit ECDSA key, comparable to
AES-256 in terms of key strength, is vastly stronger than anything you
can keep in your head.


On 2/3/2017 1:20 PM, Kent Borg wrote:
> You are confusing (1) a password used as a password, and (2) a
> passphrase used for an encryption key. They are completely different.

Rather, you are assuming that Dan's case b will never happen whereas I'm
assuming that it will. There is no difference at all once case b happens.


I'm not a proponent of SSH keys per se. I'm an opponent of passwords.
They suck. They're a bad habit that the computer industry should have
long since abandoned. I prefer using SSH keys because they suck less
than using passwords and nobody has come up with anything better.

-- 
Rich P.