| 1 |
On Wed, 11 Jan 2012 16:07:41 -0500 |
| 2 |
Tanstaafl <tanstaafl@×××××××××××.org> wrote: |
| 3 |
|
| 4 |
> On 2012-01-11 3:56 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 5 |
> > On Wed, 11 Jan 2012 11:04:01 -0500 |
| 6 |
> > Tanstaafl<tanstaafl@×××××××××××.org> wrote: |
| 7 |
> >> http://passwordmaker.org/ |
| 8 |
> >> |
| 9 |
> > |
| 10 |
> > I haven't read the site yet, but just on the basis of your |
| 11 |
> > description, all I'm seeing is a teeny-weeny amount of entropy |
| 12 |
> > leading to passwords that are very easy for computers to compute. |
| 13 |
> > |
| 14 |
> > The algorithm is probably known and there can't be that many unique |
| 15 |
> > attributes to a URL, leading to a very small pool of random data. |
| 16 |
> > |
| 17 |
> > In fact, I see this as a distinct possibility: |
| 18 |
> > http://xkcd.com/936/ |
| 19 |
> > |
| 20 |
> > Feel free to correct me if I'm wrong. |
| 21 |
> |
| 22 |
> You are wrong, but you'll need to read the site to learn why... |
| 23 |
|
| 24 |
The site doesn't say much. It has one page, no internal links (quite a |
| 25 |
few external ones) and a single link to an image. |
| 26 |
|
| 27 |
But still, one can infer some of the methods of operation. There's a |
| 28 |
master password and a few bits of easily guessable[1] entropy in the |
| 29 |
additional data the user can configure. |
| 30 |
|
| 31 |
It has one weakness that reduces it back to the same password being |
| 32 |
re-used. And that is that there is a single master password. An |
| 33 |
attacker would simply need to acquire that using various nefarious |
| 34 |
means (shoulder surfing, social engineering, hosepipe decryption) and |
| 35 |
suddenly you are wide open[2]. |
| 36 |
|
| 37 |
I don't see that it increases cryptographic security by very much (it |
| 38 |
does by a little) but it will increase real-life effective security by |
| 39 |
a lot. It removes most of the threat from shoulder-surfing and |
| 40 |
StickyNoteSyndrome (much like ssh agents do too). In a corporate |
| 41 |
environment[3], that is the major threat we face, the onbe that keeps |
| 42 |
me awake at night, the one ignored by all security auditors and the one |
| 43 |
understood by a mere three people in the company... :-( |
| 44 |
|
| 45 |
[1] Easily guessable by a computer |
| 46 |
[2] I have my paranoia hat on currently |
| 47 |
[3] for example, mine |
| 48 |
|
| 49 |
-- |
| 50 |
Alan McKinnnon |
| 51 |
alan.mckinnon@×××××.com |
Archives