Willie Wong wrote:
> On Mon, Nov 30, 2009 at 09:29:30PM -0600, Penguin Lover Dale squawked:
>
>> chrome://messenger/locale/messengercompose/composeMsgs.properties:
>>
>>> There is a tool I've used in the past called PasswordMaker. It uses a
>>> master password and a flexible set of parameters to generate passwords and,
>>> if necessary, enter them on a site.
>>>
>
> <snip>
>
>
>>> Once you enter the master password and select the appropriate settings
>>> (length, character set, hashing algorithm etc etc), the password will be
>>> generated. You can also use the current website as a salt, so using the
>>> same settings will yield a different password for different sites.
>>>
>
> Isn't this just security by obscurity? You still use the same master
> password: so finding out the one password is enough to break into ALL
> your sites. The only additional protection you gain is that the Bad
> Guys do not know that you are using the tool. The salt hardly matters:
> to make sure the plugin will behave the same if you run firefox from
> different computers, they are still using the same hash function and
> same salt for the same site. If someone is savvy enough to know the
> list of websites you access and the usernames you use to access them,
> then that someone should also be able to find out the tool you are
> using for the passwords.
>
> In the end, I think it offers only marginally more protection than
> having the same very strong password on all your sites.
>
> The only case I think the "encryption"/hash approach is useful is when you
> have a low security account (say an online game, or a MUD that you
> connect to via telnet) whose password is transmitted in plaintext. If
> you insist on only using one master password, and don't want to bother
> memorizing a different one for the low security account, I guess
> passing your password through a one-way hash makes it harder for your
> other accounts to be compromised. But that's about it.
>
> Just my two cents
>
> W
>

Well this is where some things are not really clear. I'm not sure when
the master password would be sent to the website. It may be only when
doing the setup but you could be right.

Of course, I also read a study done by a group of universities a few
years ago that said a LOT of the security stuff that is done doesn't
really work. If a person uses common information for their password,
then anything the websites do is pretty much meaningless anyway. I
actually sent a link to my bank regarding the specific setup they are
using.

I think the point is, a good secure password is the best policy. For me
tho, having a good tool that is local and secure to type that sucker in
for me is really good. I'm not worried about someone stealing my
computer and gaining access that way, I'm just worried that someone
could keep banging away at my password until it guesses it. As
mentioned before, my password is not anything related to information
about me but just a random bunch of stuff. Given time tho, a hacker
would eventually guess it.

Dale

:-) :-)
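The scheme the thread argues about, as an added example that is not part of the original messages and is not PasswordMaker's actual algorithm: a constructed "master password + site as salt" derivation (HMAC-SHA256, assumed here for illustration) with the length and character-set knobs the post mentions. It shows both halves of the discussion: the site salt does give each site a different password, yet every one of them is recomputable from the single master secret plus public settings, which is the single point of compromise Willie describes.

```python
import hmac
import hashlib
import string

# Constructed stand-in for a deterministic per-site password scheme.
# Assumptions (not from the thread): HMAC-SHA256 keyed with the master
# password, the site name as the HMAC message, output mapped into CHARSET.
CHARSET = string.ascii_letters + string.digits   # "character set" setting
MAX_LENGTH = 40                                  # 62^40 < 2^256, so one digest suffices


def derive_site_password(master: str, site: str, length: int = 16,
                         charset: str = CHARSET) -> str:
    """Derive a per-site password from one master secret and a public site salt.

    Same master + same site + same settings always yields the same password
    (which is what lets the tool behave identically on different computers).
    Nothing except the master password is secret.
    """
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError(f"length must be 1..{MAX_LENGTH}")
    digest = hmac.new(master.encode("utf-8"), site.encode("utf-8"),
                      hashlib.sha256).digest()
    # Map the 256-bit digest into the chosen alphabet by repeated base conversion.
    n = int.from_bytes(digest, "big")
    base = len(charset)
    chars = []
    for _ in range(length):
        n, r = divmod(n, base)
        chars.append(charset[r])
    return "".join(chars)


def blast_radius(master: str, sites: list[str], length: int = 16) -> dict[str, str]:
    """Everything an attacker regenerates once they hold the master password
    and know the tool's (public) settings: one password per site, no second
    secret involved. This is the 'enough to break into ALL your sites' point."""
    return {site: derive_site_password(master, site, length) for site in sites}


if __name__ == "__main__":
    # Constructed sample inputs.
    m = "correct horse battery staple"
    for site, pw in blast_radius(m, ["bank.example", "mud.example"]).items():
        print(f"{site:14} -> {pw}")
```

The two printed passwords differ (the salt works), but both came from one line of input; protecting the master password is the whole game, not hiding which tool generated them.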