Posts by smartipants

1 post • joined 11 Mar 2017

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows


It's 2017 - use FIDO U2F

The Googler did say STRONG second factor. SMS is not strong, and has also been completely dissed by NIST, not only because it can be intercepted but also because it is often received on the same device as you are logging in from, and can often be viewed without unlocking.

Use FIDO U2F. Unlike the older hardware tokens (RSA etc.) a U2F security key doesn't have a shared secret, as it uses asymmetric encryption (i.e. public/private keys). Thus enrolling a key can be done just by the user and doesn't need an IT admin to set you up first, and it doesn't need the service provider to send a pre-registered one to you - you can just buy one. More importantly, one token can be safely used on multiple web sites/services, without any sharing or privacy issues (each service generates a unique handle and derived key pair).

Google, Facebook, Dropbox and Github already support U2F, so that's a good enough reason to get one, and they cost less than a tenner on Amazon. That's for a USB version, while Bluetooth and NFC are coming soon for mobiles.

Look up the specs at the FIDO Alliance. It's well peer-reviewed, widely supported by big industry players and there is a good white paper looking into the security/privacy issues too.
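The mechanism the comment above describes (no shared secret, per-service derived key pair, a key handle that is only meaningful to the token that issued it) can be modelled end to end in a few dozen lines. The following Go program is an added example written for this page; it is neither the commenter's code nor FIDO Alliance reference code. It follows the U2F authentication message layout (application parameter || user-presence byte || 4-byte counter || challenge parameter) but simplifies everything around it: the key-handle format `nonce || HMAC(master, app, nonce)`, the HMAC labels "key" and "handle", the origins `https://example.com` and `https://examp1e.com`, and the absence of attestation certificates and a physical presence button are all assumptions of this example, not the standard.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Token models a U2F security key: one random master secret and a signature
// counter, no per-site storage. Each site's key pair is re-derived on demand.
type Token struct {
	master  []byte
	counter uint32
}

func NewToken() *Token {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		panic(err)
	}
	return &Token{master: m}
}

// prf is HMAC-SHA256 under the master secret with a domain-separation label
// (the labels "key" and "handle" are this example's choice, not the spec's).
func (t *Token) prf(label string, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, t.master)
	h.Write([]byte(label))
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// derive maps (application parameter, nonce) to a P-256 key pair. The scalar
// is reduced into [1, n-1] so it is always a valid private key.
func (t *Token) derive(app, nonce []byte) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	nMinus1 := new(big.Int).Sub(curve.Params().N, big.NewInt(1))
	d := new(big.Int).SetBytes(t.prf("key", app, nonce))
	d.Mod(d, nMinus1).Add(d, big.NewInt(1))
	x, y := curve.ScalarBaseMult(d.Bytes())
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

// Register answers a registration for one application parameter (SHA-256 of
// the origin). The key handle is nonce || MAC(app, nonce) (assumed format), so
// the token can recognise its own handles and refuse them under another origin.
func (t *Token) Register(app []byte) (handle []byte, pub *ecdsa.PublicKey) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	handle = append(append([]byte{}, nonce...), t.prf("handle", app, nonce)...)
	priv := t.derive(app, nonce)
	return handle, &priv.PublicKey
}

// Authenticate checks the handle belongs to this token *and* this origin, then
// signs app || 0x01 || counter || challenge as a U2F authentication response.
func (t *Token) Authenticate(app, handle, challenge []byte) (uint32, []byte, error) {
	if len(handle) != 64 {
		return 0, nil, errors.New("malformed key handle")
	}
	nonce, mac := handle[:32], handle[32:]
	if !hmac.Equal(mac, t.prf("handle", app, nonce)) {
		return 0, nil, errors.New("key handle was not issued for this origin")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.derive(app, nonce), signedData(app, t.counter, challenge))
	return t.counter, sig, err
}

func signedData(app []byte, counter uint32, challenge []byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h := sha256.New()
	h.Write(app)
	h.Write([]byte{0x01}) // user presence asserted
	h.Write(ctr[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the server side: it stores only the public key, the key
// handle and the last counter seen. Nothing here is secret.
type RelyingParty struct {
	app, handle []byte
	pub         *ecdsa.PublicKey
	lastCtr     uint32
}

func NewRelyingParty(origin string) *RelyingParty {
	a := sha256.Sum256([]byte(origin))
	return &RelyingParty{app: a[:]}
}

func (rp *RelyingParty) Enroll(t *Token) { rp.handle, rp.pub = t.Register(rp.app) }

// Verify rejects non-increasing counters (a cloned token or a replay) before
// checking the ECDSA signature against the enrolled public key.
func (rp *RelyingParty) Verify(counter uint32, challenge, sig []byte) bool {
	if counter <= rp.lastCtr || !ecdsa.VerifyASN1(rp.pub, signedData(rp.app, counter, challenge), sig) {
		return false
	}
	rp.lastCtr = counter
	return true
}

// Login runs one challenge/response round trip against a token.
func (rp *RelyingParty) Login(t *Token) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	ctr, sig, err := t.Authenticate(rp.app, rp.handle, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(ctr, challenge, sig), nil
}

func main() {
	tok := NewToken()
	site, lookalike := NewRelyingParty("https://example.com"), NewRelyingParty("https://examp1e.com")
	site.Enroll(tok)
	ok, err := site.Login(tok)
	fmt.Println("login at enrolled origin:", ok, err)
	// A look-alike origin that obtained the real site's handle gets nothing:
	// the browser derives the app parameter from the actual origin, and the
	// token's MAC check fails for it.
	_, _, err = tok.Authenticate(lookalike.app, site.handle, make([]byte, 32))
	fmt.Println("handle presented under look-alike origin:", err)
}
```

Two properties worth noticing when running it: the relying party never holds anything an attacker could use to impersonate the user (a database breach leaks public keys and handles only), and the same token enrolled at two sites yields two unrelated public keys, so the sites cannot correlate the user through the key material.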
