| 1 |
On Wed, 11 Jan 2012 17:05:28 -0500 |
| 2 |
Tanstaafl <tanstaafl@×××××××××××.org> wrote: |
| 3 |
|
| 4 |
> On 2012-01-11 4:51 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 5 |
> > The site doesn't say much. It has one page, no internal links |
| 6 |
> > (quite a few external ones) and a single link to an image. |
| 7 |
> |
| 8 |
> Weird... the wiki tree is gone... there are a *ton* of pages there, |
| 9 |
> I'll have to poke the maintainers... maybe they were updating |
| 10 |
> mediawiki and broke something... |
| 11 |
> |
| 12 |
> > But still, one can infer some of the methods of operation. There's a |
| 13 |
> > master password and a few bits of easily guessable[1] entropy in the |
| 14 |
> > additional data the user can configure. |
| 15 |
> > |
| 16 |
> > It has one weakness that reduces it back to the same password being |
| 17 |
> > re-used. And that is that there is a single master password. |
| 18 |
> |
| 19 |
> Like I said, you can use more than one. The trick is remembering |
| 20 |
> which one you used with which accounts. I use different Master |
| 21 |
> Passwords for different Account Groups. |
| 22 |
> |
| 23 |
> > An attacker would simply need to acquire that using various |
| 24 |
> > nefarious means (shoulder surfing, social engineering, hosepipe |
| 25 |
> > decryption) and suddenly you are wide open[2]. |
| 26 |
> |
| 27 |
> That is true for *any* password scheme... but there are simple ways |
| 28 |
> to mitigate the risks... |
| 29 |
> |
| 30 |
> 1. Use multiple Master Passwords... |
| 31 |
> 2. Change the character set used (I always do this) |
| 32 |
|
| 33 |
I like this one :-) |
| 34 |
|
| 35 |
yes, I know it's really just security by obscurity in disguise but I |
| 36 |
still like it. |
| 37 |
|
| 38 |
It's like anti-spam measures - effective at first till the spammers |
| 39 |
catch on then you go find another method. But in the interim you did |
| 40 |
have something workableto use |
| 41 |
|
| 42 |
|
| 43 |
> 3. Add additional character modifications to each password (figure out |
| 44 |
> one way that you can easily remember and do it the same for each |
| 45 |
> password) |
| 46 |
> 4. |
| 47 |
> |
| 48 |
> > I don't see that it increases cryptographic security by very much |
| 49 |
> > (it does by a little) |
| 50 |
> |
| 51 |
> Actually, it does, and once the site is back up I'll post here and |
| 52 |
> you can go read all about it... |
| 53 |
> |
| 54 |
|
| 55 |
|
| 56 |
|
| 57 |
-- |
| 58 |
Alan McKinnnon |
| 59 |
alan.mckinnon@×××××.com |
Archives