[Prev][Next][Index][Thread]

RE: Repost of CompuServe Position on Passphrases



At 3:49 PM -0700 7/26/96, Keith Ball wrote:
>Issues:
>Against:
>1) scalability: the user's ability to remember a different password for every
>service and that that simply doesn't scale because a person has a finite
>number of things that he can remember.
>2) symmetric: both sides must know the secret.
>3) dictionary attack possible if use human-simple passphrase (even though can
>reduce this if require multiple words and non-alpha characters, e.g.
>1toad$frog2, and the same format is not required on all passphrases)

I'd like to to the Against:

You can still have password security at the application protocol level.
Nothing in the current protocol prevents this. For instance, right now you
can add SSL under ftp, use SSL's server-only authentication or
diffie-helman anonymous to secure the channel, and then use use FTP's
current password methods to authenticate the client. Same can be done with
HTTP using it's current auth structure, and most every other protocol over
SSL.

It's not elegant, but neither is shoehorning passwords into TLS, and it has
the advantage of working now.

------------------------------------------------------------------------
..Christopher Allen                  Consensus Development Corporation..
..<ChristopherA@consensus.com>                 1563 Solano Avenue #355..
..                                             Berkeley, CA 94707-2116..
..Home of "SSL Plus:                      o510/559-1500  f510/559-1505..
..  Security Integration Suite(tm)" <http://www.consensus.com/SSLPlus>..



References: