On Sat, 27 Mar 2021 23:02:58 +0100 Björn Persson <Bjorn@xxxxxxxxxxxxxxxxxxxx> wrote:

> Kevin Fenzi wrote:
> > I'd like us to add security query/respond pairs.
>
> There's a limited supply of such personal secrets that I can be sure
> I'll remember, so I can't do that for too many sites. It also requires
> a not too public life. People who publish their entire lives on
> Facebook will have trouble coming up with a question that an attacker
> can't find the answer to.
>
> Otherwise I'll make up a nonsensical phrase to enter as the answer,
> and store it securely. That turns the "security question" into a
> backup passphrase. If you want people to do this, then it's better to
> ask them to make up a passphrase.

Why change the questions that are asked? Just answer with a nonsensical answer, and store it in the same secure manner on your system as your password. e.g.

What is your favorite food? Jamaica.

or

What was your team's name in high school? 0126672651361

I suppose it could be a passphrase, but this is easier to cut and paste.

Remembering personal secrets is a non-starter as an authentication method; it favors convenience over security, the equivalent of 'password' or 'Decemberpass' or a sticky note on the monitor.

I've used those hardware gadgets that spit out a number that matches a similar hardware device at the site being logged into, but that takes co-ordination and I didn't pay for the device, the company did, so it could be expensive, as well as managing the co-ordination.

How about everyone has two logins, and they have to log in with different logins from the same device, using different passwords. They then are considered to be authenticated. That uses the existing infrastructure of password managers to keep passwords secure, and just requires two logins on the site being logged into; should be easy enough. Less secure than a real second factor, but more secure than a single password.
I suppose if we consider that too much trouble, just add a second password to the single login everywhere. Even less secure than the two login method, though.
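As an added illustration of the approach discussed above (answering a security question with a random secret kept in the password manager rather than a truthful, guessable answer), not code from the thread: the answer-space sizes for truthful answers are constructed estimates, and the 13-digit form mirrors the numeric example in the post.

```python
import math
import secrets
import string

# Constructed estimates of how many plausible answers an attacker has to try
# for a typical personal question. Someone with the target's social media
# usually narrows this down far further.
GUESSABLE_ANSWER_SPACE = {
    "What is your favorite food?": 5_000,
    "What was your team's name in high school?": 2_000,
}

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(space_size: int) -> float:
    """Bits of entropy for an answer drawn uniformly from space_size options."""
    return math.log2(space_size)


def random_digit_answer(n_digits: int = 13) -> str:
    """Random numeric answer, like the 13-digit example in the post (~43 bits)."""
    return "".join(secrets.choice(string.digits) for _ in range(n_digits))


def random_alnum_answer(n_chars: int = 16) -> str:
    """Random alphanumeric answer; 16 symbols from 62 is ~95 bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n_chars))


def answer_strength(answer: str) -> float:
    """Entropy of a generated answer, assuming each position was drawn uniformly
    from the alphabet it visibly uses (digits only, or full alphanumerics)."""
    alphabet_size = 10 if answer.isdigit() else len(ALPHABET)
    return entropy_bits(alphabet_size ** len(answer))


def enroll(questions, n_chars: int = 16) -> dict:
    """For each question, generate a fresh answer to paste into a password manager,
    alongside its entropy and the entropy of a truthful, guessable answer."""
    record = {}
    for q in questions:
        answer = random_alnum_answer(n_chars)
        record[q] = {
            "answer": answer,
            "generated_bits": round(answer_strength(answer), 1),
            "truthful_bits": round(entropy_bits(GUESSABLE_ANSWER_SPACE.get(q, 1_000)), 1),
        }
    return record


if __name__ == "__main__":
    for q, r in enroll(GUESSABLE_ANSWER_SPACE).items():
        print(f"{q}\n  {r['answer']}  ({r['truthful_bits']} bits truthful vs {r['generated_bits']} bits generated)")
```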