On Wed, 11 Jan 2012 16:07:41 -0500
Tanstaafl <tanstaafl@×××××××××××.org> wrote:

> On 2012-01-11 3:56 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
> > On Wed, 11 Jan 2012 11:04:01 -0500
> > Tanstaafl <tanstaafl@×××××××××××.org> wrote:
> >> http://passwordmaker.org/
> >>
> >
> > I haven't read the site yet, but just on the basis of your
> > description, all I'm seeing is a teeny-weeny amount of entropy
> > leading to passwords that are very easy for computers to compute.
> >
> > The algorithm is probably known and there can't be that many unique
> > attributes to a URL, leading to a very small pool of random data.
> >
> > In fact, I see this as a distinct possibility:
> > http://xkcd.com/936/
> >
> > Feel free to correct me if I'm wrong.
>
> You are wrong, but you'll need to read the site to learn why...

The site doesn't say much. It has one page, no internal links (quite a
few external ones) and a single link to an image.

But still, one can infer some of the methods of operation. There's a
master password and a few bits of easily guessable[1] entropy in the
additional data the user can configure.

It has one weakness that reduces it back to the same password being
re-used. And that is that there is a single master password. An
attacker would simply need to acquire that using various nefarious
means (shoulder surfing, social engineering, hosepipe decryption) and
suddenly you are wide open[2].

I don't see that it increases cryptographic security by very much (it
does by a little) but it will increase real-life effective security by
a lot. It removes most of the threat from shoulder-surfing and
StickyNoteSyndrome (much like ssh agents do too). In a corporate
environment[3], that is the major threat we face, the one that keeps
me awake at night, the one ignored by all security auditors and the one
understood by a mere three people in the company... :-(

[1] Easily guessable by a computer
[2] I have my paranoia hat on currently
[3] for example, mine

--
Alan McKinnon
alan.mckinnon@×××××.com
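A constructed illustration of the kind of scheme the post infers, added here and not PasswordMaker's own algorithm or code: a deterministic per-site generator built from the master password plus a site identifier and an optional user-configured modifier, showing both the benefit (no literal re-use across sites) and the weakness the post names (whoever holds the master reproduces every site password). The names ALPHABET, derive_site_password, all_site_passwords and passwords_are_independent are invented for this example.

```python
import hashlib
import string

# 64-character output alphabet: 256 % 64 == 0, so mapping a byte to a
# character with modulo introduces no bias toward some characters.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64


def derive_site_password(master: str, site: str, modifier: str = "",
                         length: int = 16) -> str:
    """Deterministically derive a site password from the master password.

    Constructed stand-in for a PasswordMaker-style generator; the real
    tool's hash choices, inputs and character sets are not shown in the
    thread.  The site name and the user-configured modifier act as the
    salt, so two sites get unrelated outputs and a leaked site password
    does not directly expose another site's.  PBKDF2's iteration count
    slows guessing of the master from a leaked output, but the output can
    never carry more secret entropy than the master itself: the salt
    (URL attributes, modifier) is the part a computer can guess.
    """
    salt = f"{site}\x00{modifier}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000,
                              dklen=length)
    return "".join(ALPHABET[b % 64] for b in key)


def all_site_passwords(master: str, sites, modifier: str = "") -> dict:
    """What the single master password unlocks: every site password, with
    no further secret needed.  This is the 'wide open' weakness in the post."""
    return {site: derive_site_password(master, site, modifier) for site in sites}


def passwords_are_independent(master: str, site_a: str, site_b: str) -> bool:
    """The benefit side: distinct sites yield distinct passwords, so the
    scheme avoids literal re-use even though one secret underlies all."""
    return derive_site_password(master, site_a) != derive_site_password(master, site_b)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master
    for site, pw in all_site_passwords(master, ["example.com", "example.org"]).items():
        print(f"{site}: {pw}")
```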