[nycbug-talk] Reducing password fatigue on OpenBSD (or any BSD)

Eric Radman ericshane at eradman.com
Mon Nov 11 13:34:11 EST 2013


On Mon, Nov 11, 2013 at 12:19:34PM -0500, Raul Cuza wrote:
> On Sat, Nov 9, 2013 at 8:41 PM, Eric Radman <ericshane at eradman.com> wrote:
> >
> > Are there any well-respected practices for keying off of data stored on
> > a USB stick? How might one collapse two of these steps in a reasonably
> > secure way?
> 
> It seems like any automation between the volume decryption and getting
> s*$+ done would leave you vulnerable in some way. It is not like a
> unique code can be generated on the output of one step that can be
> part of the input of the next step.

I agree, but isn't this basically what single sign-on systems do?
 
> What about something like the YubiKey? It means you have to have a
> USB port (which you do not seem to be opposed to) and you don't have
> to type your passphrase(s) over and over. See
> http://geekyschmidt.com/2010/12/27/yubikey-and-my-desire-to-beat-the-feds-to-hspd12-compliance
> for a post about it.

Thanks, this is exactly what I was looking for. <bcallah> also suggested
this on IRC. YubiKey is brilliant because generating one-time keys can
be used as a replacement for passwords OR as an inexpensive way to set
up two-factor authentication.
(http://undeadly.org/cgi?action=article&sid=20130616112437)

Eric


