crypto frobs
On 3/23/20 3:53 PM, Sabri Berisha wrote:
> Hi,
>
> In my experience, yubikeys are not very secure. I know of someone in
> my team who would generate a few hundred tokens during a meeting and
> save the output in a text file. Then they'd have a small python script
> which was triggered by a hotkey on my macbook to push "keyboard"
> input. They did this because the org they were working for would make
> you use yubikey auth for pretty much everything, including updating a
> simple internal Jira ticket.
>
>
One of the things that got lost in the WebAuthn stuff is that passwords
per se are not bad. It's passwords being sent over the wire. In
combination with reuse, that is the actual problem. WebAuthn supposedly
allows use of passwords to unlock a local credential store, but it is so
heavily focused on dongles that it's really hard to figure out for a normal
website that just wants to get rid of the burden of remote passwords.
Mike