On 13/12/16 18:19, Simo Sorce wrote:
On Tue, 2016-12-13 at 14:36 +0000, Dave Love wrote:
Simo Sorce <simo@xxxxxxxxxx> writes:
If you really need to automate it because typing a password is too hard:
cat ~/.mykrbpassword | kinit myusername
It needs to be automated principally because the password is not
memorable. I assume infrastructure people would rather we don't use the
least secure credentials we can.
It is the same password you had to use every day to access services like
bodhi, pkgdb, fas, etc...
Yes, the 16 character random one that is known to my browser's password
manager but not to me unless I look it up. So yes I do "use" it all the
time but only in as much as I hit the login button on my browser's
toolbar and it sends it to the web site.
Now all those services are kerberized too (via OIDC IDP middleman) so
you can just kinit once and then access all those services w/o sending
password around, all in all I think it is a better situation.
Well yes that is probably another option, but it would still have to be
a weakened password to stand any chance of being memorable.
The main goal of long random passwords after all is about a combination
of making them hard to brute force and ensuring that every service has a
unique password to guard against credential reuse attacks when one of
the many services everybody has logins for experiences the inevitable
loss of their poorly secured database.
I always find it somewhat depressing that the more sophisticated a login
system becomes the worse my security on it seems to get because I wind
up having to use weaker passwords. Banks are the classic example because
they rarely have a straightforward password even as one part of their
authentication but anything that means I have to remember a password
hits the same problem.
Tom
--
Tom Hughes (tom@xxxxxxxxxx)
http://compton.nu/
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
