Fwd: about accounts file

Ethan Blanton elb at pidgin.im
Sun Aug 25 17:33:13 EDT 2013


Tres Finocchiaro spake unto us the following wisdom:
> And similarly, if your argument, that all passwords must be difficult to
> type and must be near impossible to read over the shoulder or else they are
> REALLY BAD, which in turn makes the user STUPID seems naive and ignorant to
> any basic practical, efficient, easy to remember methods of memorization.

I didn't call anyone stupid.  Pay attention.  Your argument here is
still wrong and bogus.

> The password:
> 
> "Eth at ngoesoutofh1swaytocr3ategreatpasswords!"

You're not going to be able to memorize this in just a second or two
looking over someone's shoulder, either.  It's hard to parse English
sentences without spacing, your brain is going to replace the changed
letters automatically, etc. -- so you're going to have to spend a
second to memorize and get it right to use it later.  Now, you're
correct that the base64 of *that* is much harder to memorize, but ...
who cares?  What are you protecting against?  Now you're just throwing
straw men up.

I'm going to leave off your whole rant about doing passwords "right"
or "wrong".  I don't care how you choose your password.  If it's a
good password, it's going to be hard for a third party to memorize in
a glimpse.  It's also going to be hard to memorize in base64, but all
you've done is trick naive users into thinking their accounts.xml is
"safe" and letting Mallory stare at it as long as he wants.

You're on the losing end of this argument.  The right solution to this
problem is a password manager, not bogus obfuscation.  We're LONG
overdue for a password manager, but bickering about base64 on the
mailing list isn't going to make that happen.

Ethan
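The point of the reply above, that a base64-encoded password in accounts.xml is recoverable by anyone who can read the file, while a password that lives in a password manager is simply not in the file, can be shown in a few lines. The following is an added example, not code from the mailing list or from Pidgin; the accounts.xml layout, the account names and the passwords are constructed for the demonstration and only loosely resemble Pidgin's real file.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed, non-real credential used to build the sample file.
CONSTRUCTED_PASSWORD = "correct horse battery staple"


def make_sample_accounts_xml(password):
    """Build a constructed accounts.xml-style document with three accounts:
    one base64 "obfuscated" password, one plain-text password, and one
    account whose password is not stored in the file at all (as it would be
    if a password manager or keyring held it)."""
    encoded = base64.b64encode(password.encode("utf-8")).decode("ascii")
    return (
        "<account version='1.0'>\n"
        "  <account>\n"
        "    <protocol>prpl-jabber</protocol>\n"
        "    <name>alice@example.org</name>\n"
        f"    <password>{encoded}</password>\n"
        "  </account>\n"
        "  <account>\n"
        "    <protocol>prpl-jabber</protocol>\n"
        "    <name>bob@example.org</name>\n"
        "    <password>hunter2</password>\n"
        "  </account>\n"
        "  <account>\n"
        "    <protocol>prpl-jabber</protocol>\n"
        "    <name>carol@example.org</name>\n"
        "  </account>\n"
        "</account>\n"
    )


def _decode_base64_text(value):
    """Return the decoded UTF-8 string if value is well-formed base64, else None.
    base64 is an encoding, not a cipher: no key or secret is needed here."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def _accounts(xml_text):
    """Yield (name, password-or-None) for each account element with a name."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for acct in root.iter("account"):
        name = acct.findtext("name")
        if name is not None:
            yield name, acct.findtext("password")


def recover_password(xml_text, account_name):
    """Return the plain-text password for account_name, exactly as anyone who
    can read the file could, or None if the file holds no password for it."""
    for name, stored in _accounts(xml_text):
        if name != account_name or stored is None:
            continue
        decoded = _decode_base64_text(stored)
        return decoded if decoded is not None else stored
    return None


def audit_accounts_file(xml_text):
    """Classify how each account's password is stored.  'absent' is the only
    class that keeps the secret out of the file; both other classes are
    readable by whoever can open accounts.xml.  (The base64 check is a
    heuristic: a plain-text password that happens to be valid base64 and
    decodes to valid UTF-8 would be misclassified, which does not change the
    security conclusion.)"""
    report = {}
    for name, stored in _accounts(xml_text):
        if stored is None:
            report[name] = "absent"
        elif _decode_base64_text(stored) is not None:
            report[name] = "base64 (plaintext-equivalent)"
        else:
            report[name] = "plaintext"
    return report


if __name__ == "__main__":
    sample = make_sample_accounts_xml(CONSTRUCTED_PASSWORD)
    for account, storage in audit_accounts_file(sample).items():
        print(f"{account}: {storage}")
    print("recovered:", recover_password(sample, "alice@example.org"))
```

Running it classifies alice's base64 value as plaintext-equivalent and recovers it without any key, while carol's account yields nothing because the file never contained her secret, which is the difference between obfuscation and a password manager.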



More information about the Support mailing list