On 2012-01-11 4:51 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
> The site doesn't say much. It has one page, no internal links (quite a
> few external ones) and a single link to an image.

Weird... the wiki tree is gone... there are a *ton* of pages there, I'll
have to poke the maintainers... maybe they were updating mediawiki and
broke something...

> But still, one can infer some of the methods of operation. There's a
> master password and a few bits of easily guessable[1] entropy in the
> additional data the user can configure.
>
> It has one weakness that reduces it back to the same password being
> re-used. And that is that there is a single master password.

Like I said, you can use more than one. The trick is remembering which
one you used with which accounts. I use different Master Passwords for
different Account Groups.

> An attacker would simply need to acquire that using various
> nefarious means (shoulder surfing, social engineering, hosepipe
> decryption) and suddenly you are wide open[2].

That is true for *any* password scheme... but there are simple ways to
mitigate the risks...

1. Use multiple Master Passwords...
2. Change the character set used (I always do this)
3. Add additional character modifications to each password (figure out
one way that you can easily remember and do it the same for each
password)
4.

> I don't see that it increases cryptographic security by very much (it
> does by a little)

Actually, it does, and once the site is back up I'll post here and you
can go read all about it...