[cap-talk] struggling to learn what techniques supplant passwords

Marc Stiegler marc.d.stiegler at hp.com
Thu Nov 3 10:45:59 PDT 2011

As an observation about different ways of thinking about things, needing
a USB dongle to unlock your laptop could be thought of as 2-factor
authorization: you need both the laptop and the dongle to access the
data on the box.


On Thu, 2011-11-03 at 07:06 -0700, Jonathan S. Shapiro wrote:
> On Wed, Nov 2, 2011 at 4:18 PM, Marc Stiegler <marc.d.stiegler at hp.com>
> wrote:
> > Having given you the key, however, the car does not need to
> > authenticate you at time of access. The car accepts your
> > authorization and cares not about your identity.
>
> Which is a great example of why the "capabilities as keys" analogy
> isn't perfect. A car key is something you have. A capability is not. A
> capability is something that your computer has (or equivalently: some
> storage device) that it holds on your behalf. And in the vast majority
> of cases, "possession of the laptop" is not a sufficient test of
> authority to wield in the eyes of the user. Most users have credit
> card and address information on their computers due to browser
> autocompletion.
>
> It actually is possible to remember one, or possibly two, reasonably
> secure passwords, but the approach doesn't scale. That being said, I
> really like the BitLocker technology, and I really wish I could get
> some form of it on all of my mobile devices. Using a password to
> access the machine in that case is far from perfect, but it can't be
> "rooted" cost-effectively, and when three wrong passwords erase the
> machine I feel a whole lot better about the prospect of losing a
> laptop or taking one through customs.
>
> But part of the reason that works is that I'm aware of the difference
> between high-value and low-value targets, and I use my two "good"
> passwords accordingly. Most users don't know enough to do that. So one
> of the things that I really like about BitLocker is that it can be set
> up to require a cryptographic key stored on a USB device. Still uses a
> password, but as long as the USB device isn't stored in the laptop
> case, the data on the laptop is pretty hard to get by physical theft.
>
> Thankfully, penetration of Windows is still supported to maintain
> backwards compatibility. :-)
>
> Jonathan
