Alan McKinnon wrote:
> On Wed, 11 Jan 2012 16:07:41 -0500
> Tanstaafl <tanstaafl@×××××××××××.org> wrote:
>
>> On 2012-01-11 3:56 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
>>> On Wed, 11 Jan 2012 11:04:01 -0500
>>> Tanstaafl <tanstaafl@×××××××××××.org> wrote:
>>>> http://passwordmaker.org/
>>>>
>>>
>>> I haven't read the site yet, but just on the basis of your
>>> description, all I'm seeing is a teeny-weeny amount of entropy
>>> leading to passwords that are very easy for computers to compute.
>>>
>>> The algorithm is probably known and there can't be that many unique
>>> attributes to a URL, leading to a very small pool of random data.
>>>
>>> In fact, I see this as a distinct possibility:
>>> http://xkcd.com/936/
>>>
>>> Feel free to correct me if I'm wrong.
>>
>> You are wrong, but you'll need to read the site to learn why...
>
> The site doesn't say much. It has one page, no internal links (quite a
> few external ones) and a single link to an image.
>
> But still, one can infer some of the methods of operation. There's a
> master password and a few bits of easily guessable[1] entropy in the
> additional data the user can configure.
>
> It has one weakness that reduces it back to the same password being
> re-used. And that is that there is a single master password. An
> attacker would simply need to acquire that using various nefarious
> means (shoulder surfing, social engineering, hosepipe decryption) and
> suddenly you are wide open[2].

I would expect it to use a strong forward-only hash. I can't do that in
my head, but that's what I'd expect this software to do. A MITM between
the computer and the remote host should only result in a single password
lost.

>
> I don't see that it increases cryptographic security by very much (it
> does by a little) but it will increase real-life effective security by
> a lot. It removes most of the threat from shoulder-surfing and
> StickyNoteSyndrome (much like ssh agents do too). In a corporate
> environment[3], that is the major threat we face, the one that keeps
> me awake at night, the one ignored by all security auditors and the one
> understood by a mere three people in the company... :-(

I was convinced you completely missed the point, but I think you found
it here.

>
> [1] Easily guessable by a computer
> [2] I have my paranoia hat on currently
> [3] for example, mine
>

I'm seriously unconvinced that concatenating words significantly
increases the difficulty of the problem. Just as a mentalist will
presume you're thinking about '7', your average demographic would
probably draw from a small pool of source words, even latching on to
catchphrases and other memes. You're likely to see "steamingmonkeypile",
"nyanyanyan", "dontsaycandleja-" and "hasturhasturhast-" used more than
once, for example. I'd give a better list of likely results, but I don't
want to run too far afoul of good taste in public posting. :)
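
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not PasswordMaker's own code: per-site passwords derived from one master password through a one-way function, so one intercepted site password does not directly expose the others, while a master password drawn from a small pool of common phrases is still found by re-deriving. PBKDF2-HMAC-SHA256 with the site name as salt, the iteration count, and the names `site_password` and `master_in_pool` are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional

ITERATIONS = 100_000  # assumed work factor for this sketch


def site_password(master: str, site: str, length: int = 16) -> str:
    """Derive a per-site password; the site name is used as the salt."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), ITERATIONS)
    # Base85 keeps the output printable; truncation sets the final length.
    return base64.b85encode(raw).decode("ascii")[:length]


def master_in_pool(leaked: str, site: str, pool: Iterable[str]) -> Optional[str]:
    """Return the pool entry that reproduces a known site password, if any."""
    for candidate in pool:
        derived = site_password(candidate, site, len(leaked))
        if hmac.compare_digest(derived, leaked):
            return candidate
    return None


# Constructed sample data: the two catchphrases are the ones quoted in the post.
COMMON_PHRASES = ["steamingmonkeypile", "nyanyanyan"]
SITES = ["mail.example.org", "bank.example.com"]

if __name__ == "__main__":
    weak, strong = "nyanyanyan", "q7#Vd-constructed-long-random-master"
    for master in (weak, strong):
        per_site = {s: site_password(master, s) for s in SITES}
        # One intercepted site password says nothing direct about the other site,
        # but a master drawn from a small pool is recovered by re-deriving.
        found = master_in_pool(per_site[SITES[0]], SITES[0], COMMON_PHRASES)
        print(master, per_site, "master found in pool:", found)
```

The slow derivation only raises the cost per guess; the strength of every derived password is still bounded by how hard the master password is to guess.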