| 1 |
Willie Wong wrote: |
| 2 |
> On Mon, Nov 30, 2009 at 09:29:30PM -0600, Penguin Lover Dale squawked: |
| 3 |
> |
| 4 |
>> chrome://messenger/locale/messengercompose/composeMsgs.properties: |
| 5 |
>> |
| 6 |
>>> There is a tool I've used in the past called PasswordMaker. It uses a |
| 7 |
>>> master password and a flexible set of parameters to generate passwords and |
| 8 |
>>> if necessary, enter them on a site. |
| 9 |
>>> |
| 10 |
> |
| 11 |
> <snip> |
| 12 |
> |
| 13 |
> |
| 14 |
>>> Once you enter the master password and select the appropriate settings |
| 15 |
>>> (length, character set, hashing algorithm etc etc), the password will be |
| 16 |
>>> generated. You can also use the current website as a salt, so using the |
| 17 |
>>> same settings will yield a different password for different sites. |
| 18 |
>>> |
| 19 |
> |
| 20 |
> Isn't this just security by obscurity? You still use the same master |
| 21 |
> password: so finding out the one password is enough to break into ALL |
| 22 |
> your sites. The only additional protection you gain is by that the Bad |
| 23 |
> Guys do not know that you are using the tool. The salt hardly matters: |
| 24 |
> to make sure the plugin will behave the same if you run firefox from |
| 25 |
> different computers, they are still using the same hash function and |
| 26 |
> same salt for the same site. If someone is saavy enough to know the |
| 27 |
> list of websites you access and the usernames you use to access them, |
| 28 |
> then that someone should also be able to find out the tool you are |
| 29 |
> using for the passwords. |
| 30 |
> |
| 31 |
> In the end, I think it offers only marginally more protection than |
| 32 |
> having the same very strong password on all your sites. |
| 33 |
> |
| 34 |
> The only case I think "encryption"/hash approach is useful is when you |
| 35 |
> have a low security account (say an online game, or a MUD that you |
| 36 |
> connect to via telnet) whose password is transmited in plaintext. If |
| 37 |
> you insist on only using one master password, and don't want to bother |
| 38 |
> memorizing a different one for the low security account, I guess by |
| 39 |
> passing your password through a one-way hash makes it harder for your |
| 40 |
> other accounts to be compromised. But that's about it. |
| 41 |
> |
| 42 |
> Just my two cents |
| 43 |
> |
| 44 |
> W |
| 45 |
> |
| 46 |
|
| 47 |
Well this is where some things are not real clear. I'm not sure when |
| 48 |
the master password would be sent to the website. It may be only when |
| 49 |
doing the setup but you could be right. |
| 50 |
|
| 51 |
Of course, I also read a study done by a group of Universities a few |
| 52 |
years ago that said a LOT of the security stuff that is done doesn't |
| 53 |
really work. If a person uses common information for their password, |
| 54 |
then anything the websites do is pretty much meaningless anyway. I |
| 55 |
actually sent a link to my bank regarding the specific set up they are |
| 56 |
using. |
| 57 |
|
| 58 |
I think the point is, a good secure password is the best policy. For me |
| 59 |
tho, having a good tool that is local and secure to type that sucker in |
| 60 |
for me is really good. I'm not worried about someone stealing my |
| 61 |
computer and gaining access that way, I'm just worried that someone |
| 62 |
could keep banging away at my password until it guesses it. As |
| 63 |
mentioned before, my password is not anything related to information |
| 64 |
about me but just a random bunch of stuff. Given time tho, a hacker |
| 65 |
would eventually guess it. |
| 66 |
|
| 67 |
Dale |
| 68 |
|
| 69 |
:-) :-) |
Archives