| 1 |
On Mon, Nov 30, 2009 at 09:29:30PM -0600, Penguin Lover Dale squawked: |
| 2 |
> chrome://messenger/locale/messengercompose/composeMsgs.properties: |
| 3 |
>> There is a tool I've used in the past called PasswordMaker. It uses a |
| 4 |
>> master password and a flexible set of parameters to generate passwords and |
| 5 |
>> if necessary, enter them on a site. |
| 6 |
|
| 7 |
<snip> |
| 8 |
|
| 9 |
>> Once you enter the master password and select the appropriate settings |
| 10 |
>> (length, character set, hashing algorithm etc etc), the password will be |
| 11 |
>> generated. You can also use the current website as a salt, so using the |
| 12 |
>> same settings will yield a different password for different sites. |
| 13 |
|
| 14 |
Isn't this just security by obscurity? You still use the same master |
| 15 |
password: so finding out the one password is enough to break into ALL |
| 16 |
your sites. The only additional protection you gain is by that the Bad |
| 17 |
Guys do not know that you are using the tool. The salt hardly matters: |
| 18 |
to make sure the plugin will behave the same if you run firefox from |
| 19 |
different computers, they are still using the same hash function and |
| 20 |
same salt for the same site. If someone is saavy enough to know the |
| 21 |
list of websites you access and the usernames you use to access them, |
| 22 |
then that someone should also be able to find out the tool you are |
| 23 |
using for the passwords. |
| 24 |
|
| 25 |
In the end, I think it offers only marginally more protection than |
| 26 |
having the same very strong password on all your sites. |
| 27 |
|
| 28 |
The only case I think "encryption"/hash approach is useful is when you |
| 29 |
have a low security account (say an online game, or a MUD that you |
| 30 |
connect to via telnet) whose password is transmited in plaintext. If |
| 31 |
you insist on only using one master password, and don't want to bother |
| 32 |
memorizing a different one for the low security account, I guess by |
| 33 |
passing your password through a one-way hash makes it harder for your |
| 34 |
other accounts to be compromised. But that's about it. |
| 35 |
|
| 36 |
Just my two cents |
| 37 |
|
| 38 |
W |
| 39 |
-- |
| 40 |
Where do you get Mercury? |
| 41 |
|
| 42 |
H.G. Wells |
| 43 |
Sortir en Pantoufles: up 1089 days, 8:58 |
Archives