Login
User Name:

Password:



Register
Forgot your password?
Vote for Us!
 parse description bug
Today, 9:00 pm
By Remcon
Couple bugs
Dec 12, 2017, 5:42 pm
By Remcon
Bug in disarm( )
Nov 12, 2017, 6:54 pm
By GatewaySysop
Bug in will_fall( )
Oct 23, 2017, 1:35 am
By GatewaySysop
Bug in do_zap( ), do_brandish( )
Oct 18, 2017, 1:52 pm
By GatewaySysop
LOP 1.45
Author: Remcon
Submitted by: Remcon
LOP Heroes Edition
Author: Vladaar
Submitted by: Vladaar
Heroes sound extras
Author: Vladaar
Submitted by: Vladaar
6Dragons 4.3
Author: Vladaar
Submitted by: Vladaar
Memwatch
Author: Johan Lindh
Submitted by: Vladaar
Users Online
CommonCrawl, Remcon, Yandex, DotBot

Members: 1
Guests: 23
Stats
Files
Topics
Posts
Members
Newest Member
477
3,706
19,237
608
LAntorcha
Today's Birthdays
There are no member birthdays today.
Related Links
» SmaugMuds.org » General » General Discussions » Changeover to SHA-256 encrypt...
Forum Rules | Mark all | Recent Posts

Changeover to SHA-256 encryption
< Newer Topic :: Older Topic >

Pages:<< prev 1, 2 next >>
Post is unread #21 Jan 4, 2008, 8:23 pm
Go to the top of the page
Go to the bottom of the page

David Haley
Sorcerer
GroupMembers
Posts903
JoinedJan 29, 2007

Quixadhal said:

It solves the problem (...) Unlike a password, these aren't things that can be tossed about unless you have a photographic memory.

I think we must not have been talking about the same problem. :wink: I wasn't talking about the strength of passwords vs. strength of key pairs. Besides, a password can be made as secure as a key pair (insofar as sending something to a perhaps untrusted MUD server is secure to begin with) by just having a very complicated password...

But I'm not sure why you say that keys can't be tossed about just as easily as passwords. Here, let me paste one:
(several characters)
Well, you get the idea. Perhaps you are speaking about bad passwords like "hello"?

Quixadhal said:

I suppose, although it would still require the end user to run their client inside another client (which would do the authentication and ssh protocol layer). Not something I'd expect to see often.

Well, I'd just tunnel locally as well and not use any dedicated client. But that's basically running in another client, yes.
       
Post is unread #22 Jan 4, 2008, 8:48 pm
Go to the top of the page
Go to the bottom of the page

Quixadhal
Conjurer
GroupMembers
Posts398
JoinedMar 8, 2005

Possibly. I was more thinking of key pairs being more secure because you don't need to remember them, and aren't tempted to write them down, or tell your friends what they are so they can do something "real quick".

For example... here's one of my public keys.

ssh-dss AAAAB3NzaC1kc3MAAACBAMv8Jg081lUXybub4PEZxc5gNFM0G833oK5chIi2BXNEC/J5DrvYwc6Iz6FVVZ3Ijnvc8L+mnAyUJf+PMsz2EblJig4rh+lAcTo6HcAMqA9a/
2+IdZXNWSDTcXdoVCrwPDH+eFme3gCBvPkaN4sUOwWl8sopWk/H6hzE9WfgInjlAAAAFQCRrjfgX5HPhS3Xfrfmpg2oHVqQlwAAAIBm9Erg00kyC5b4WDleXTTzQDKHWmMUXdm/UP
Fgk4XsOGucoOtAiYkD15j/U7Ohpvhl7xj1+60e4vqjarA/RV5PQ4iE2FYF2w09Zxp+NNIjHFOpM4UTjILq5hy6EncVW0zFki1tqqqZ1zvj05k1PwlZz8uTJ0kR1Zj3CMijnq3wbAA
AAIB7baXhglfkWWoeujmQSYPoQLLvkpvJTWK87Xdy+YUAmkjqoOiq25lx9L+fu/QMFRGxy6gVCg3Cq+BdysofcydXeCp4wUTdMrQMBxd+E7jkKtj08Mf/4QmCQvyxNWx6Abe3wnie
XolFddgIhtwk7HjiJf2NzjKE+EG0aq0LD0gvng==


You having that does NOT give you access to my character, but it would allow you to verify that I am me. To log in as me, you'd also need the private key, and to get that you'd need to hack my system or convince me to send you both sides.

I dunno about you, but I would think even people who aren't very security-minded would think twice before going to the effort to export their public AND private keys and then send them via email to someone, as opposed to typing a word or two in chat, or yelling across the room.
       
Post is unread #23 Jan 5, 2008, 3:31 am
Go to the top of the page
Go to the bottom of the page

David Haley
Sorcerer
GroupMembers
Posts903
JoinedJan 29, 2007

Quixadhal said:

I was more thinking of key pairs being more secure because you don't need to remember them, and aren't tempted to write them down, or tell your friends what they are so they can do something "real quick".

Well, something somewhere needs to store at least the private key, so that you can send it during authentication. Granted that could happen automatically by the client, but still... And then, once you have it written down (digitally), you could be tempted to leave it around in various places in much the same way you'd leave your password lying around (digitally). But at least you can protect the private key with a passphrase (and then, you're just pushing the problem back to that level).

Quixadhal said:

I dunno about you, but I would think even people who aren't very security-minded would think twice before going to the effort to export their public AND private keys and then send them via email to someone, as opposed to typing a word or two in chat, or yelling across the room.

Yes, I agree.
       
Pages:<< prev 1, 2 next >>