The first time i connect to a server, the public key is remembered on my machine. It’s a shame that browsers have trained most of us to ignore the warnings, because they’re the only thing making SSL useful.Īnyway, in the case of SSH: the server has its own public key, which it broadcasts to me as part of the login process. They’re the only warning you get that someone might have hijacked the connection to your bank or whatever. You know those SSL certificate warnings? You know how you always ignore them? Yeah, you shouldn’t do that. Server A doesn’t need to have my private key on it to connect somewhere else in my name. Something like Firesheep simply cannot work you can’t sniff my passphrase out of the air if it’s not there to begin with.Įven if i connect to server A, and then hop from there to server B, i can defer all the key-checking back to my desktop. It’s not sent to the server to be double-checked, like virtually all passwords on the Web are. This is the extent of the effort it takes. koiru is the name of the veekun IRC/etc server. Logins are instant and seamless i log in and out of stuff all day long.Įevee ~ $ ssh koiru. The private key is unlocked for the rest of the session, and it’s used automatically when i connect to any server that has the corresponding public key. I type the passphrase in once, when i boot up my machine. They’re very easy to remember, yet i can’t imagine how you’d even approach trying to crack them. And, indeed, my passphrase(s) tend to be phrases, 50+ characters long, decorated with punctuation in some way that makes sense to me. It’s called a passphrase, not a password. While my key is still protected by a password, the experience is radically different in a few critical ways. It has a pretty picture using paint mixing.) The actual mechanism for how this usually works is pretty cool, if you want to read about it. (Okay, that’s still a bit oversimplified. I give out my public key the server picks some big random number and encrypts it if i can tell the server what random number it picked, then it knows i have the private key and must be who i say i am. The public key can be used to lock boxes in such a way that only my private key can unlock them again. When i do my hacker thing and connect to a server from a terminal/console/black box with letters in it, it uses public-key cryptography to prove who i am. Hurr durr what else can we do Eevee? Passwords are ALL WE HAVE I have the choice of either making my passwords so memorable and reused that i’m at a grave security risk, or of making them so secure that i need a computer program to store them for me. I know there are fancy-pants password managers like LastPass (nice SSL there, dudes), but let’s think about this for a moment. I’ll get to that at the end, because it deserves its own rant.Ĭopy-pasting passwords is pretty lame, admittedly. Who are, thus, forcing me to use a less secure password that i would otherwise. Now i’m just fucked i have to either invent a password manually (guaranteeing i won’t remember it) or reuse a fallback password (which also contains punctuation, so sometimes that isn’t good enough either).īut it gets better: the services with restrictive password policies are, without fail, big companies with direct access to my dollars. Sometimes, the generated password doesn’t fit the password policy some idiot in a suit came up with. If i actually used gmail i would probably have to kill myself. This happens virtually any time i try to look at public Google Groups postings, for reasons i cannot fathom, which has made error-googling into a far more aggravating experience. I think there’s an h in it somewhere? So when Google asks me to verify my password–which seems like once every 18 hours–I have to either go generate it again and copy/paste, or log out and back in again. So my passwords look like 'fC`29ap5w78r3IJ, or Ab3HE4 2Iv5hJk\K, or Those are actual examples i just generated. “If only these chumps had been generating different random passwords for every service!” “Ho ho!” we all chuckled to ourselves after the Gawker leak, and the subsequent breakins to various other things that used the same passwords. I do this because it’s what you’re supposed to do it’s what security nerds (including myself for the purposes of this post) tell everyone else to do. I generate a different password for every service, based on a convoluted master password and the name of the thing. Most people can just mechanically type out password3 in every password box, smirking to themselves at how clever they are, because who would ever guess 3 instead of 1? Most people use the same password everywhere.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |