Tag Archives: security

Twitter had no rate limit for failed authentication

Reading the Wired writeup on the Twitter password hack, I’m incredulous to read that there was no rate limiting on failed authentication. Given Twitter’s stringent rate limiting for API requests, this seems surprising. Not to mention that online password attacks are practically older than time. Fortunately,

As for addressing the security [...]

Upcoming talk on password managers

On Wednesday (12/17), Collin Jackson will be giving a talk at MIT titled, “Extracting Passwords from JavaScript Password Managers”. I can’t go due to scheduling conflicts but it seems worth considering if you are local and interested in my post about PassPack and Clipperz. I didn’t see any obvious papers from Collin’s website [...]

How to securely delete files before returning a computer

A friend of mine who is switching jobs has asked how to delete all personal information from the company computer before returning it. Simply deleting files can prevent the casual observer from finding your data, but file deletion typically does not (to make an analogy to paper) shred the file but merely throws away [...]

The difference between Clipperz and PassPack

Clipperz and PassPack are two web services that store your passwords for you, and provide one- (or two-) click login to those sites whose passwords they keep. In doing so, these services hopefully encourage you to select strong passwords that you wouldn’t otherwise be able to remember and thus improve your overall security. [...]

Improving web authentication

You use passwords, possibly dozens of passwords, to authenticate to websites daily. Passwords are a useful authentication tool because they function as a “thing-you-know” (a shared secret between you and the server) and because passwords can be changed (in case of loss, unlike say, your fingerprints).

In a diatribe against OpenID titled, “Goodbye, Passwords. [...]

How to use ssh to securely access the net

Public wireless networks can be scary; you never know who might be sniffing your traffic, recording your GMail authentication cookies, or worse. Ideally, all of your net activity should be end-to-end authenticated and encrypted. Since this is not always feasible, ssh fortunately makes it easy to use an untrusted network by routing your traffic through a trusted end-point. All you need is an ssh [...]

OpenID: the future lies in consumption

OpenID has been generating a lot of buzz this past month: OpenID is a decentralized authentication mechanism that allows a consuming web-site to verify that “you” can authenticate to a particular identity provider (keyed by a URL). Big names from AOL to SmugMug to WordPress have recently announced that they are becoming OpenID providers.

Why so many providers? For [...]

Nexenta insecure by default

The concept of providing operating systems that are secure by default should be second nature to OS vendors. All major operating system vendors have been affected by exploits that allow remote attackers to take over the computer and have realized that it is a bad thing: much better to reduce the possible avenues of attack as much as possible without relying [...]