Re: Packagers - Flag day 2016 Important changes


 



On 13/12/16 18:19, Simo Sorce wrote:
> On Tue, 2016-12-13 at 14:36 +0000, Dave Love wrote:
>> Simo Sorce <simo@xxxxxxxxxx> writes:
>>
>>> If you really need to automate it because typing a password is too hard:
>>> cat ~/.mykrbpassword | kinit myusername
>>
>> It needs to be automated principally because the password is not
>> memorable.  I assume infrastructure people would rather we don't use the
>> least secure credentials we can.
>
> It is the same password you had to use every day to access services like
> bodhi, pkgdb, fas, etc...

Yes, the 16 character random one that is known to my browser's password manager but not to me unless I look it up. So yes, I do "use" it all the time, but only inasmuch as I hit the login button on my browser's toolbar and it sends it to the web site.

> Now all those services are kerberized too (via OIDC IDP middleman) so
> you can just kinit once and then access all those services w/o sending
> password around, all in all I think it is a better situation.

Well yes that is probably another option, but it would still have to be a weakened password to stand any chance of being memorable.

The main goal of long random passwords after all is about a combination of making them hard to brute force and ensuring that every service has a unique password to guard against credential reuse attacks when one of the many services everybody has logins for experiences the inevitable loss of their poorly secured database.

I always find it somewhat depressing that the more sophisticated a login system becomes the worse my security on it seems to get because I wind up having to use weaker passwords. Banks are the classic example because they rarely have a straightforward password even as one part of their authentication but anything that means I have to remember a password hits the same problem.

Tom

--
Tom Hughes (tom@xxxxxxxxxx)
http://compton.nu/