ultimately, it's not safe to put your private key anywhere. it should live on a yubikey or something and never leave unless explicitly exported to another public key (using a cert that verifies the hardware). but browsers and smartphones simply have shitty support for talking to device keychains and hardware devices. and a lot of this failure is caused by the cryptography community with increasingly opaque and bad standards (won't let me do a dh operation, because i might do it wrong)
so we all just paste private keys.
the entire cryptography community got something very basic wrong when X.509 came out
it's the same thing they get wrong when it comes to password security
every time you try to prevent users from using the gun you made to shoot themselves in the foot, you inevitably create a new class of users that just makes their own gun from scratch. which is arguably much more dangerous.
good example: frequent password changes lead to people making easy to remember passwords with minor differences on the end. or writing them down. or sticking them all on a notepad doc on their machine
better solution: require very long passphrases with no special characters. long == hard to break.
