On Tue, 2016-12-13 at 18:52 +0000, Tom Hughes wrote:
> On 13/12/16 18:19, Simo Sorce wrote:
> > On Tue, 2016-12-13 at 14:36 +0000, Dave Love wrote:
> >> Simo Sorce <simo@xxxxxxxxxx> writes:
> >>
> >>> If you really need to automate it because typing a password is too hard:
> >>> cat ~/.mykrbpassword | kinit myusername
> >>
> >> It needs to be automated principally because the password is not
> >> memorable. I assume infrastructure people would rather we don't use the
> >> least secure credentials we can.
> >
> > It is the same password you had to use every day to access services like
> > bodhi, pkgdb, fas, etc...
>
> Yes, the 16 character random one that is known to my browser's password
> manager but not to me unless I look it up. So yes I do "use" it all the
> time but only in as much as I hit the login button on my browser's
> toolbar and it sends it to the web site.
>
> > Now all those services are kerberized too (via OIDC IDP middleman) so
> > you can just kinit once and then access all those services w/o sending
> > password around, all in all I think it is a better situation.
>
> Well yes that is probably another option, but it would still have to be
> a weakened password to stand any chance of being memorable.

If you are OK storing it in the browser then you can store it elsewhere and
pipe it into kinit; I do not see a problem here.

> The main goal of long random passwords after all is about a combination
> of making them hard to brute force and ensuring that every service has a
> unique password to guard against credential reuse attacks when one of
> the many services everybody has logins for experiences the inevitable
> loss of their poorly secured database.
>
> I always find it somewhat depressing that the more sophisticated a login
> system becomes the worse my security on it seems to get because I wind
> up having to use weaker passwords. Banks are the classic example because
> they rarely have a straightforward password even as one part of their
> authentication but anything that means I have to remember a password
> hits the same problem.

Don't remember it if it bothers you; why do you use a double standard if the
password is not sent via a browser but through a CLI?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
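The thread's suggestion is "cat ~/.mykrbpassword | kinit myusername". The check a practitioner would want before trusting that file is that it is private to the calling user: a password file that is group- or world-readable, or a symlink someone else planted, is a weaker store than the browser's password manager it replaces. The script below is an added example, not code from the thread or from any Fedora infrastructure project. It assumes MIT Kerberos kinit, which reads the password from standard input when stdin is not a terminal (the property the one-liner above relies on); the function names check_secret_file and kinit_from_file, the sample principal and the sample password are mine.

```shell
#!/bin/sh
# Added example (not from the thread): obtain a Kerberos TGT from a password
# kept in a private file, refusing to use the file unless it is owned by the
# caller and unreadable by anyone else. Assumes MIT Kerberos kinit, which
# reads the password from stdin when stdin is not a terminal.

# check_secret_file FILE
# Succeed only if FILE is a regular file (not a symlink), owned by the
# calling uid, with no group or other permission bits set.
check_secret_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: missing, or a symlink" >&2
        return 1
    fi
    # ls -ldn prints e.g. "-rw------- 1 1000 1000 17 Dec 13 18:52 file":
    # field 1 is the mode string, field 3 the numeric owner uid. This works
    # with both GNU and BSD ls, unlike stat(1), whose flags differ.
    set -- $(ls -ldn "$f")
    mode=$1
    owner=$3
    case "$mode" in
        ????------*) ;;   # chars 5-10 (group rwx, other rwx) are all clear
        *)
            echo "refusing $f: mode $mode is readable by others (want 0600)" >&2
            return 1
            ;;
    esac
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing $f: owned by uid $owner, not uid $(id -u)" >&2
        return 1
    fi
    return 0
}

# kinit_from_file PRINCIPAL FILE
# Feed the stored password to kinit on stdin instead of typing it.
kinit_from_file() {
    check_secret_file "$2" || return 1
    kinit "$1" < "$2"
}

# Create the file once under a restrictive umask, so it is never
# world-readable even for an instant, then use it (sample values):
#   ( umask 077; printf '%s\n' 'the-16-char-password' > ~/.mykrbpassword )
#   kinit_from_file myusername@EXAMPLE.COM ~/.mykrbpassword
```

The point of the check is that the file is then no easier to steal than the browser's credential store the thread compares it to: the only principal who can read it is the one who can already run kinit as that user. Heimdal's kinit has a --password-file option that does the same job natively; the stdin idiom is the MIT way.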