The Chief Product Officer at Yubico thinks "long passwords" offer little security. 2ee75ee4e4b359576257fc7d3bfc5ec75d358f10e17caf9e668e09cc032af36d That is the SHA256 of the 76-character passphrase to my master backups, plus '!'. Pwn me. I'm waiting.https://twitter.com/appenz/status/1238121735142031360 …
-
I never said that, and I think it's unfair to mischaracterize our discussion. What I said is that average entropy of user passwords today is somewhere around 40-50 bits. Wrapping with those passwords is ineffective against modern attacks.
You said that afterwards :-) The fact is, properly long passwords *do* provide significant cryptographic security, which is why key wrapping is still a good idea.
-
-
It's also true that key wrapping would've made that bug that you guys had with not checking PINs *at all* on the OpenPGP applet impossible, because no PIN = no key.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
To be entirely fair, I never said at any point that I think long passwords offer little security. I said that I don't know how effective key wrapping is, and I think there is some consensus in the community that for the average user it is not very effective.
-
Sure, but do you only build products for the "average user"? And, again, is there any reason *not* to do even basic key wrapping?
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.