low-hanging fruit
Posted Feb 23, 2017 15:45 UTC (Thu) by dkg (subscriber, #55359)
In reply to: MD5 by tialaramex
Parent article: The case against password hashers
> IMNSHO Low hanging fruit is absolutely the correct focus here, yet these articles have basically sneered at it. Why worry about these less attractive fruit on the low branches, they argue, let us instead assume that everybody on the planet has a jetpack (password vault that's seamlessly and securely backed up somehow yet accessible from all devices) and extensive training

I completely agree with you that low-hanging fruit is the correct focus, but I don't think these articles have sneered at it at all. They're focused on what the user of these systems can do, right now, that should help to protect themselves in the long-term. A password manager is useful protection (damage limitation) against phishing, cleartext password dbs, and browser-based attacks, because without it an attack on one password is pretty easy to cascade into an attack on other accounts -- most people will default to using the same password everywhere, still.
If your claim is that stateless password hashers are better than password managers because they don't need backup or sync or much training and they let users stick with the same password everywhere, how do you deal with changing passwords on systems where that's a requirement? How should password hashers deal with remote system password constraints that don't match the password hasher's default output?
If your concern is that password managers aren't good enough yet that they can be securely backed up and accessible across devices, then these articles point toward low-hanging fruit for software developers -- build a better password manager that addresses these concerns!
Any questions about what responsible server operators should do to protect their users would be a great addition to this series, btw -- there's low-hanging fruit there as well.