Changeover to SHA-256 encryption
#21 Jan 4, 2008 10:23 pm

David Haley
Sorcerer
Group: Members
Posts: 903
Joined: Jan 29, 2007

Quixadhal said:

It solves the problem (...) Unlike a password, these aren't things that can be tossed about unless you have a photographic memory.

I think we must not have been talking about the same problem. :wink: I wasn't talking about the strength of passwords vs. strength of key pairs. Besides, a password can be made as secure as a key pair (insofar as sending something to a perhaps untrusted MUD server is secure to begin with) by just having a very complicated password...

But I'm not sure why you say that keys can't be tossed about just as easily as passwords. Here, let me paste one:
(several characters)
Well, you get the idea. Perhaps you are speaking about bad passwords like "hello"?

Quixadhal said:

I suppose, although it would still require the end user to run their client inside another client (which would do the authentication and ssh protocol layer). Not something I'd expect to see often.

Well, I'd just tunnel locally as well and not use any dedicated client. But that's basically running in another client, yes.

#22 Jan 4, 2008 10:48 pm

Quixadhal
Conjurer
Group: Members
Posts: 398
Joined: Mar 8, 2005

Possibly. I was more thinking of key pairs being more secure because you don't need to remember them, and aren't tempted to write them down, or tell your friends what they are so they can do something "real quick".

For example... here's one of my public keys.

ssh-dss AAAAB3NzaC1kc3MAAACBAMv8Jg081lUXybub4PEZxc5gNFM0G833oK5chIi2BXNEC/J5DrvYwc6Iz6FVVZ3Ijnvc8L+mnAyUJf+PMsz2EblJig4rh+lAcTo6HcAMqA9a/
2+IdZXNWSDTcXdoVCrwPDH+eFme3gCBvPkaN4sUOwWl8sopWk/H6hzE9WfgInjlAAAAFQCRrjfgX5HPhS3Xfrfmpg2oHVqQlwAAAIBm9Erg00kyC5b4WDleXTTzQDKHWmMUXdm/UP
Fgk4XsOGucoOtAiYkD15j/U7Ohpvhl7xj1+60e4vqjarA/RV5PQ4iE2FYF2w09Zxp+NNIjHFOpM4UTjILq5hy6EncVW0zFki1tqqqZ1zvj05k1PwlZz8uTJ0kR1Zj3CMijnq3wbAA
AAIB7baXhglfkWWoeujmQSYPoQLLvkpvJTWK87Xdy+YUAmkjqoOiq25lx9L+fu/QMFRGxy6gVCg3Cq+BdysofcydXeCp4wUTdMrQMBxd+E7jkKtj08Mf/4QmCQvyxNWx6Abe3wnie
XolFddgIhtwk7HjiJf2NzjKE+EG0aq0LD0gvng==


You having that does NOT give you access to my character, but it would allow you to verify that I am me. To log in as me, you'd also need the private key, and to get that you'd need to hack my system or convince me to send you both sides.

I dunno about you, but I would think even people who aren't very security-minded would think twice before going to the effort to export their public AND private keys and then send them via email to someone, as opposed to typing a word or two in chat, or yelling across the room.
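
The login flow described in the post above, as an added example that is not part of the original thread: the server stores only the public key, and the client proves possession of the private key by signing a fresh challenge. Ed25519 from Go's standard library stands in for the DSA key in the post, and the names `Account`, `NewKeyPair`, `NewChallenge` and `Respond` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Account is a hypothetical server-side record: it holds only the public key.
type Account struct {
	Name   string
	PubKey ed25519.PublicKey
}

// NewKeyPair runs on the player's machine; the private half never leaves it.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge returns a fresh random nonce for one login attempt.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond is the client side: only the signature over the nonce is sent.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Verify is the server side: check the signature against the stored public key.
func (a Account) Verify(nonce, sig []byte) bool {
	return ed25519.Verify(a.PubKey, nonce, sig)
}

func main() {
	pub, priv, _ := NewKeyPair()
	acct := Account{Name: "player", PubKey: pub} // constructed sample account
	n1, _ := NewChallenge()
	sig := Respond(priv, n1)
	fmt.Println("owner, fresh challenge:", acct.Verify(n1, sig))
	n2, _ := NewChallenge()
	fmt.Println("captured signature replayed:", acct.Verify(n2, sig))
	_, other, _ := NewKeyPair()
	fmt.Println("different private key:", acct.Verify(n2, Respond(other, n2)))
}
```
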

#23 Jan 5, 2008 5:31 am

David Haley
Sorcerer
Group: Members
Posts: 903
Joined: Jan 29, 2007

Quixadhal said:

I was more thinking of key pairs being more secure because you don't need to remember them, and aren't tempted to write them down, or tell your friends what they are so they can do something "real quick".

Well, something somewhere needs to store at least the private key, so that you can send it during authentication. Granted that could happen automatically by the client, but still... And then, once you have it written down (digitally), you could be tempted to leave it around in various places in much the same way you'd leave your password lying around (digitally). But at least you can protect the private key with a passphrase (and then, you're just pushing the problem back to that level).

Quixadhal said:

I dunno about you, but I would think even people who aren't very security-minded would think twice before going to the effort to export their public AND private keys and then send them via email to someone, as opposed to typing a word or two in chat, or yelling across the room.

Yes, I agree.
