On Wed, 11 Jan 2012 17:05:28 -0500
Tanstaafl <tanstaafl@×××××××××××.org> wrote:

> On 2012-01-11 4:51 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
> > The site doesn't say much. It has one page, no internal links
> > (quite a few external ones) and a single link to an image.
>
> Weird... the wiki tree is gone... there are a *ton* of pages there,
> I'll have to poke the maintainers... maybe they were updating
> mediawiki and broke something...
>
> > But still, one can infer some of the methods of operation. There's a
> > master password and a few bits of easily guessable[1] entropy in the
> > additional data the user can configure.
> >
> > It has one weakness that reduces it back to the same password being
> > re-used. And that is that there is a single master password.
>
> Like I said, you can use more than one. The trick is remembering
> which one you used with which accounts. I use different Master
> Passwords for different Account Groups.
>
> > An attacker would simply need to acquire that using various
> > nefarious means (shoulder surfing, social engineering, hosepipe
> > decryption) and suddenly you are wide open[2].
>
> That is true for *any* password scheme... but there are simple ways
> to mitigate the risks...
>
> 1. Use multiple Master Passwords...
> 2. Change the character set used (I always do this)

I like this one :-)

Yes, I know it's really just security by obscurity in disguise but I
still like it.

It's like anti-spam measures - effective at first till the spammers
catch on, then you go find another method. But in the interim you did
have something workable to use.


> 3. Add additional character modifications to each password (figure out
> one way that you can easily remember and do it the same for each
> password)
> 4.
>
> > I don't see that it increases cryptographic security by very much
> > (it does by a little)
>
> Actually, it does, and once the site is back up I'll post here and
> you can go read all about it...
>



--
Alan McKinnon
alan.mckinnon@×××××.com
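Worked illustration of the scheme and attack discussed in the message above: a master password plus guessable per-site data yields one password per site, so an attacker who obtains the master only has to enumerate that small extra input. This is an added example, not code from the tool under discussion or from anyone in the thread. The derivation (PBKDF2-HMAC-SHA256 over the master, salted with the per-site data), the character sets, the `personal_tweak` rule, the sample master passwords and the login oracle are all constructed assumptions for the demonstration.

```python
"""Deterministic site-password generator with the single-master-password
weakness and the mitigations discussed above.  Added example: the scheme
(PBKDF2 over the master, salted with per-site data), the character sets and
the personal_tweak rule are constructed assumptions, not the tool's code."""

import hashlib
import itertools
import string

# Assumed character sets a user could select; switching between them is
# mitigation 2 ("change the character set used").
CHARSETS = {
    "alnum": string.ascii_letters + string.digits,
    "alnum+sym": string.ascii_letters + string.digits + "!@#$%^&*()-_=+",
    "lower+digits": string.ascii_lowercase + string.digits,
}


def derive_password(master, site_data, charset, length=16, iterations=20_000):
    """Derive one site password from the master password.

    site_data is the "additional data the user can configure" (domain,
    user name, counter).  The iteration count slows a brute-force search for
    an unknown master; it is irrelevant once the master is known.
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site_data.encode("utf-8"), iterations, dklen=32)
    # Write the 256-bit key in base len(charset).  62**16 < 2**256, so the
    # residual non-uniformity is negligible for this illustration.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(charset))
        chars.append(charset[idx])
    return "".join(chars)


def personal_tweak(password):
    """Mitigation 3: a memorised edit applied by hand, outside the tool.
    Constructed rule for the demo: swap first and last characters, append '!'."""
    return password[-1] + password[1:-1] + password[0] + "!"


def make_login_oracle(correct_password):
    """Simulated site: the attacker only learns whether a guess is right."""
    return lambda guess: guess == correct_password


def attack_with_stolen_master(master, oracle, site_guesses, charset_names):
    """Attacker who obtained the master (shoulder surfing, social engineering)
    only has to enumerate the few guessable bits: candidate site strings
    times candidate character sets.  Returns (password, attempts) or
    (None, attempts)."""
    attempts = 0
    for site_data, name in itertools.product(site_guesses, charset_names):
        attempts += 1
        candidate = derive_password(master, site_data, CHARSETS[name])
        if oracle(candidate):
            return candidate, attempts
    return None, attempts


def demo():
    """Run the three scenarios; returns a dict of outcomes."""
    master = "correct horse battery staple"     # constructed master password
    site_guesses = ["example.com", "www.example.com", "example"]

    # Baseline: one master, default charset.  The attacker reproduces the
    # password in at most len(site_guesses) * len(CHARSETS) attempts.
    pw_mail = derive_password(master, "example.com", CHARSETS["alnum"])
    found, tries = attack_with_stolen_master(
        master, make_login_oracle(pw_mail), site_guesses, list(CHARSETS))

    # Mitigation 1: a second master for another account group.  Stealing the
    # first master does not expose passwords derived from the second.
    other_master = "different master for banking"   # constructed
    pw_bank = derive_password(other_master, "bank.example", CHARSETS["alnum+sym"])
    found_bank, _ = attack_with_stolen_master(
        master, make_login_oracle(pw_bank), site_guesses + ["bank.example"],
        list(CHARSETS))

    # Mitigation 3: a hand-applied rule the tool does not know about.  The
    # enumeration fails until the rule itself is guessed, so the gain is only
    # the (small) number of plausible rules.
    pw_tweaked = personal_tweak(pw_mail)
    found_tweaked, _ = attack_with_stolen_master(
        master, make_login_oracle(pw_tweaked), site_guesses, list(CHARSETS))

    return {
        "baseline_recovered": found == pw_mail,
        "baseline_attempts": tries,
        "second_master_recovered": found_bank is not None,
        "tweaked_recovered": found_tweaked is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point made in the message: once the master is known, the attacker's work is the product of plausible site strings and character sets (nine guesses here, with the first one succeeding), not the 16-character output space. Each mitigation only multiplies that small count by another small count, which is why the "change the character set" trick reads as obscurity rather than added key material; a separate master for another account group is the one change that puts those accounts out of reach of the stolen master.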