| 1 |
Alan McKinnon wrote: |
| 2 |
> On Wed, 11 Jan 2012 16:07:41 -0500 |
| 3 |
> Tanstaafl <tanstaafl@×××××××××××.org> wrote: |
| 4 |
> |
| 5 |
>> On 2012-01-11 3:56 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 6 |
>>> On Wed, 11 Jan 2012 11:04:01 -0500 |
| 7 |
>>> Tanstaafl<tanstaafl@×××××××××××.org> wrote: |
| 8 |
>>>> http://passwordmaker.org/ |
| 9 |
>>>> |
| 10 |
>>> |
| 11 |
>>> I haven't read the site yet, but just on the basis of your |
| 12 |
>>> description, all I'm seeing is a teeny-weeny amount of entropy |
| 13 |
>>> leading to passwords that are very easy for computers to compute. |
| 14 |
>>> |
| 15 |
>>> The algorithm is probably known and there can't be that many unique |
| 16 |
>>> attributes to a URL, leading to a very small pool of random data. |
| 17 |
>>> |
| 18 |
>>> In fact, I see this as a distinct possibility: |
| 19 |
>>> http://xkcd.com/936/ |
| 20 |
>>> |
| 21 |
>>> Feel free to correct me if I'm wrong. |
| 22 |
>> |
| 23 |
>> You are wrong, but you'll need to read the site to learn why... |
| 24 |
> |
| 25 |
> The site doesn't say much. It has one page, no internal links (quite a |
| 26 |
> few external ones) and a single link to an image. |
| 27 |
> |
| 28 |
> But still, one can infer some of the methods of operation. There's a |
| 29 |
> master password and a few bits of easily guessable[1] entropy in the |
| 30 |
> additional data the user can configure. |
| 31 |
> |
| 32 |
> It has one weakness that reduces it back to the same password being |
| 33 |
> re-used. And that is that there is a single master password. An |
| 34 |
> attacker would simply need to acquire that using various nefarious |
| 35 |
> means (shoulder surfing, social engineering, hosepipe decryption) and |
| 36 |
> suddenly you are wide open[2]. |
| 37 |
|
| 38 |
I would expect it to use a strong forward-only hash. I can't do that in |
| 39 |
my head, but that's what I'd expect this software to do. A MITM between |
| 40 |
the computer and the remote host should only result in a single password |
| 41 |
lost. |
| 42 |
|
| 43 |
> |
| 44 |
> I don't see that it increases cryptographic security by very much (it |
| 45 |
> does by a little) but it will increase real-life effective security by |
| 46 |
> a lot. It removes most of the threat from shoulder-surfing and |
| 47 |
> StickyNoteSyndrome (much like ssh agents do too). In a corporate |
| 48 |
> environment[3], that is the major threat we face, the onbe that keeps |
| 49 |
> me awake at night, the one ignored by all security auditors and the one |
| 50 |
> understood by a mere three people in the company... :-( |
| 51 |
|
| 52 |
I was convinced you completely missed the point, but I think you found |
| 53 |
it here. |
| 54 |
|
| 55 |
> |
| 56 |
> [1] Easily guessable by a computer |
| 57 |
> [2] I have my paranoia hat on currently |
| 58 |
> [3] for example, mine |
| 59 |
> |
| 60 |
|
| 61 |
I'm seriously unconvinced that concatenating words significantly |
| 62 |
increases the difficulty of the problem. Just as a mentalist will |
| 63 |
presume you're thinking about '7', your average demographic would |
| 64 |
probably draw from a small pool of source words, even latching on to |
| 65 |
catchphrases and other memes. You're likely to see "steamingmonkeypile", |
| 66 |
"nyanyanyan", "dontsaycandleja-" and "hasturhasturhast-" used more than |
| 67 |
once, for example. I'd give a better list of likely results, but I don't |
| 68 |
want to run too far afoul of good taste in public posting. :) |
Archives