I've been getting a trickle of "time to change your password" emails due to Heartbleed. So once again, the issue of a good password strategy comes up.
In the perfect world, I'd love the 2-factor approach: password + generated PIN. Especially if a single PIN generator could be used, like Google Authenticator.
In addition, lots of sites let you login with Google, Facebook, Twitter and others. So if we have a small number of 2-factor providers, the hassle would be minimized.
Why would this be useful? You could use a small set of passwords for various 2-factor providers and attach your several hundred logins to them. You could also use much simpler passwords, because password vulnerability would no longer completely expose you to the bad guys, unless they steal you mobile devices (phone, tablet, etc)
Google has the notion of "trusted devices" which reduces the PIN annoyance on your own devices: laptop, phone, tablet etc. It also has backup passwords for apps/devices which cannot manage the 2-factor login. Its been fine for me for over a year.
Is it time to migrate to 2-factor as much as one can? -- Owen
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
On 04/18/2014 10:12 AM, Owen Densmore wrote:
> In addition, lots of sites let you login with Google, Facebook, Twitter and
> others. So if we have a small number of 2-factor providers, the hassle
> would be minimized.

I reject the argument for centralization. It seems to me a decentralized approach will be more robust.

> Why would this be useful? You could use a small set of passwords for
> various 2-factor providers and attach your several hundred logins to them.
> You could also use much simpler passwords, because password vulnerability
> would no longer completely expose you to the bad guys, unless they steal
> you mobile devices (phone, tablet, etc)

On the one hand, you're arguing for convenience and, on the other, security. This is akin to Franklin's accusation: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety". You're optimizing 2 conflicting constraints. That's OK. But it would be better to be excruciatingly clear what the two objectives really are. What are they?

> Google has the notion of "trusted devices" which reduces the
> PIN annoyance on your own devices: laptop, phone, tablet etc. It also has
> backup passwords for apps/devices which cannot manage the 2-factor login.
> Its been fine for me for over a year.
>
> Is it time to migrate to 2-factor as much as one can?

My answer to this is absolutely! But not if it's going to encourage more sloppiness on the part of most people. If it encourages people to put all their faith in Google or Facebook, to centralize on them as a convenient service, then I'd argue it degrades security.... It would defeat the very purpose. I'd rather argue that everyone implement and use their own 2-factor auth.

Personally, I don't see what the problem is. Yeah, 100s of long non-mnemonic passwords is inconvenient... but so is driving, brushing your teeth, digging holes in your garden, etc. Unless your objective is to become a brain-in-a-vat, you either have to learn to love what you do or stop doing the things you don't love. Convenience is the _enemy_.

-- ⇒⇐ glen
On Fri, 2014-04-18 at 10:45 -0700, glen wrote:
> Convenience is the _enemy_.

Convenience has a cost. Pay it.

If there is to be centralization, use economies of scale to detect and adapt to fraud rather than try to prevent it.

I agree these schemes to find a trustworthy agent are doomed to failure. It just changes the target and the nature of the attack. As we have seen, the NSA certainly has the means to correlate a few devices.

Marcus
>> Convenience is the _enemy_.
> Convenience has a cost. Pay it.

Integrity has a cost, pay it.

> If there is to be centralization, use
> economies of scale to detect and adapt to fraud rather try to prevent
> it.

Very well stated. Evolved systems do precisely this (adapt and exploit economies of scale and other features). As individuals with "enlightened self interest" it would seem to be in our interest to understand how these things work and work *with* them rather than continue to try to brute-force *engineer* these things. Engineer in the small things (local), evolve in the larger things (global)?

> I agree these schemes to find a trustworthy agent are doomed to
> failure. It just changes the target and the nature of the attack. As
> we have seen, the NSA certainly has the means to correlate a few
> devices.

Yes, like that.

- Steve
I use 2-factor authentication on those sites that implement it, but I will not use a login from Google, for example, for anything besides logging into Google (which I never do anyway). I don't want Google to know every site I log into. I think it's creepy.

Since I use a password manager (1Password) there is very little cost in keeping a 20-character password (which I never type anyway) even for those sites with 2-factor authentication.

—Barry
On Fri, 2014-04-18 at 13:08 -0600, Steve Smith wrote:
> As individuals with "enlightened self interest" it would seem to be in
> our interest to understand how these things work and work *with* them
> rather than continue to try to brute-force *engineer* these things.

In the social context, it is not about engineering the systems. It's about perturbing them in big enough ways so that us humans can say, "Yes, we have turned that knob, and these were the consequences which we now incorporated in this somewhat more general mathematical model." In contrast to "We imagine that the world involves these important features, and have built a mathematical model that predicts things about our imaginary world."

The engineering is not to Make It Right, it is to pose a hypothesis and test it on ourselves using the force of government(s) to do the experiment. Turns out there are a lot of us and more coming all the time. No real danger of running out.

Marcus
On 04/18/2014 12:34 PM, Barry MacKichan wrote:
> Since I use a password manager (1Password) there is very little cost in
> keeping a 20-character password (which I never type anyway) even for
> those sites with 2-factor authentication.

Speaking of which, does anyone here have any opinions about Keepass vs KeepassX?

http://sourceforge.net/p/keepass/code/HEAD/tree/
https://github.com/keepassx/keepassx

Mono is a hefty commitment. But I usually end up having to keep it around for other packages anyway.

-- ⇒⇐ glen
I too use 1P but haven't taken the plunge for random, unknown to me, passwords. Has it caused you any problems? Or do you flinch at times, finding yourself w/o 1P and needing to login?
Phone, Tablet, etc "apps" don't work with 1P ... you have to use cut/paste. In fact, neither Chrome nor Safari are allowed plugins, making 1P treat web logins like app logins. One of the best uses 1P provides me is recalling how many sites I have logins with! I found the number alarmingly huge, well over 200. Most are forums and stores, but also include banks etc.

-- Owen
On Fri, Apr 18, 2014 at 05:34:43PM -0600, Owen Densmore wrote:
> On Fri, Apr 18, 2014 at 1:34 PM, Barry MacKichan <[hidden email]> wrote:
> > ...
> >
> > Since I use a password manager (1Password) there is very little cost in
> > keeping a 20-character password (which I never type anyway) even for those
> > sites with 2-factor authentication.
> >
> > —Barry
>
> I too use 1P but haven't taken the plunge for random, unknown to me,
> passwords. Has it caused you any problems? Or do you flinch at times,
> finding yourself w/o 1P and needing to login?

Not a problem if the websites in question allow password recovery via email, which most do.

I was also in a position of having forgotten my lastpass login (or rather my browser forgetting, since I never usually have to enter the lastPass). I had a rather cryptic "twice the usual" as my mnemonic. About 24 hours elapsed before it occurred to me what that meant. Fortunately, the "usual" had not changed since I had set it :).

--
Prof Russell Standish                  Phone 0425 253119 (mobile)
Principal, High Performance Coders
Visiting Professor of Mathematics      [hidden email]
University of New South Wales          http://www.hpcoders.com.au
Latest project: The Amoeba's Secret (http://www.hpcoders.com.au/AmoebasSecret.html)
On Fri, Apr 18, 2014 at 8:34 PM, Barry MacKichan <[hidden email]> wrote:

> Since I use a password manager (1Password) there is very little cost in keeping a 20-character password (which I never type anyway) even for those sites with 2-factor authentication.

Doesn't this make those accounts highly insecure with respect to actual physical theft of your laptop (which I'm guessing is more common than identity theft)? If someone steals your computer do they then have access to all the sites whose credentials you have stored in 1Password?

I must admit, this is the one issue that has kept me from adopting 1Password, LastPass etc. I'm lazy and I just know that at some point I would hit the "Save this password?" button when prompted by my browser and bang, there goes my security.

—Robert
I was always worried about that before I started LastPass, so I had already turned off the feature of saving passwords in my browsers, and cleared out already saved ones. That left me with having to remember passwords or writing them down somewhere, or equally bad, storing them in a file somewhere on the computer, or using the same password for many accounts.
What I like about LastPass (and I assume the same applies to 1Password, DashLane, etc.) is that I only have to remember one pass phrase, and I make sure my setup does not store the pass phrase (it's only in my head). Even LastPass doesn't have it, as all the encryption/decryption is done locally. What is stored on their servers is my encrypted blob, which gets automatically synchronized to any browser that I have installed, even across machines. Perhaps it's naive on my part, but I do trust that even if someone gets a hold of my encrypted blob, it is for all practical purposes just an impenetrable blob of random bits as long as nobody gets a hold of my pass phrase, which is stored nowhere but in my head.

I went with LastPass mainly because they were the only company that I found that provided the "sync your encrypted blob to all your devices" for free. There was a way of doing so with 1Password to manually sync using DropBox, but I got lazy and went with the one that provided that feature for free. Of course, in all this, I'm talking about free as in beer, not free as in freedom.

Gary
It doesn't work that way: the pw managers are extensions, thus the browser does not ask to save the super password, the one for 1P, LastPass etc. There's no way for it to be automatic.
-- Owen
I'm not grokking something then... I thought Barry's setup was automatic, which is why he never had to enter his 20 character password?

On Apr 19, 2014 4:26 PM, "Owen Densmore" <[hidden email]> wrote:
The pw manager extensions (1password, lastpass etc) require a master password to open them, the "one password that rules them all".
Once open, the pw manager has a list of sites. You click on the one you want. It goes to the appropriate URL and fills in the required fields to log you into that particular site.
-- Owen
On Sat, Apr 19, 2014 at 12:53 PM, Robert Holmes <[hidden email]> wrote:
I do have to enter the master password for 1Password. From then on, for all my accounts, it is automatic or, at the worst, copy and paste.

—Barry

On 19 Apr 2014, at 14:20, Owen Densmore wrote:
At least with LastPass (and presumably with 1Password as well), there's an option to save the master password in the browser extension so you don't have to type it in when you open the browser. That obviously reduces the security of it tremendously, but is a risk largely determined by the likelihood of that computer being taken and used by someone nefarious who can also get past the password on the computer. If you don't save the master password, then you do have about as secure a password system as possible, given that the computer is still connected to the Internet.

Brent