On Tue, Jul 28, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote: > On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote: >> Equating this to “vaccination” is a huge stretch. > > Why? It's not just an imperfect analogy it really doesn't work on closer scrutiny. Malware itself is not a good analog to antigens. Vaccinations provide immunity to only certain kinds of antigens, and only specific ones at that. Challenge-Response, which is what a login password is, is about user authentication it is not at all meant or designed to provide immunity from malware. That we're trying to use it to prevent infections is more like putting ourselves into bubbles; and humans put into bubbles for this reason are called immune compromised. So this push to depend on stronger passwords just exposes how "immune compromised" we are in these dark ages of computer security. There are overwhelmingly worse side effects of password dependency than immunization. The very fact SSH PKA by default is even on the table in some discussions demonstrates the level of crap passwords are at. Software patches, SELinux and AppArmor are closer analogs to certain aspects of human immunity, but even that is an imperfect comparison. And also, a large percent of malware doesn't even depend on brute force password attacks. There are all kinds of other ways to compromise computers, create botnets, that don't depend on passwords at all. So vaccinations have something like 95% efficacy, while passwords alone have nothing close to this effectiveness against malware. -- Chris Murphy