On Mon, Nov 30, 2009 at 09:29:30PM -0600, Penguin Lover Dale squawked:
>> There is a tool I've used in the past called PasswordMaker. It uses a 
>> master password and a flexible set of parameters to generate passwords and 
>> if necessary, enter them on a site.

<snip>

>> Once you enter the master password and select the appropriate settings 
>> (length, character set, hashing algorithm etc etc), the password will be 
>> generated. You can also use the current website as a salt, so using the 
>> same settings will yield a different password for different sites.

Isn't this just security by obscurity? You still use the same master
password: so finding out the one password is enough to break into ALL
your sites. The only additional protection you gain is that the Bad
Guys do not know that you are using the tool. The salt hardly matters:
to make sure the plugin will behave the same if you run Firefox from
different computers, they are still using the same hash function and
same salt for the same site. If someone is savvy enough to know the
list of websites you access and the usernames you use to access them,
then that someone should also be able to find out the tool you are
using for the passwords. 

In the end, I think it offers only marginally more protection than
having the same very strong password on all your sites. 

The only case I think "encryption"/hash approach is useful is when you
have a low security account (say an online game, or a MUD that you
connect to via telnet) whose password is transmitted in plaintext. If
you insist on only using one master password, and don't want to bother
memorizing a different one for the low security account, I guess
passing your password through a one-way hash makes it harder for your
other accounts to be compromised. But that's about it. 

Just my two cents 

W
-- 
Where do you get Mercury?

H.G. Wells
Sortir en Pantoufles: up 1089 days,  8:58

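As an added illustration, not code from this thread and not PasswordMaker's own algorithm, here is a minimal per-site derivation scheme of the kind the quoted post describes: a master password plus the site name (used as the public salt) goes through a one-way function and is mapped onto a chosen length and character set. The choice of PBKDF2-HMAC-SHA256, the alphabet, the length and the iteration count are all assumptions made for the example. It makes W's point concrete in both directions: every site password is a pure function of the master password and public inputs, so whoever holds the master and knows the tool and settings can regenerate all of them with no further work; conversely, a single site password leaked over a plaintext protocol does not hand over the master, because the derivation is one-way.

```python
import hashlib
import string

# Assumed alphabet for the generated passwords (not PasswordMaker's own).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_password(master: str, site: str, length: int = 16,
                    alphabet: str = ALPHABET, iterations: int = 100_000) -> str:
    """Deterministically derive a per-site password from master + site.

    `site` plays the role of the salt from the quoted description: same
    master and same site give the same password on every computer, and a
    different site gives a different password. Nothing here is secret
    except `master`; the site, alphabet, length and iteration count are
    all things an observer can know.
    """
    if length <= 0 or len(alphabet) < 2:
        raise ValueError("bad length or alphabet")
    # PBKDF2-HMAC-SHA256 is the assumed one-way function. Draw 4 bytes of
    # key material per output symbol; reducing a 32-bit value modulo the
    # alphabet size keeps any bias negligible for small alphabets.
    material = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        site.encode("utf-8"),
        iterations,
        dklen=4 * length,
    )
    symbols = []
    for i in range(length):
        unit = int.from_bytes(material[4 * i:4 * i + 4], "big")
        symbols.append(alphabet[unit % len(alphabet)])
    return "".join(symbols)


def all_site_passwords(master: str, sites: list[str]) -> dict[str, str]:
    """Everything an attacker who knows the master, the tool and the
    settings can regenerate: one password per site, no cracking needed.
    This is the 'one password breaks ALL your sites' case in the reply.
    """
    return {site: derive_password(master, site) for site in sites}


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    master = "correct horse battery staple"
    sites = ["mail.example.com", "mud.example.net", "bank.example.org"]
    for site, pw in all_site_passwords(master, sites).items():
        print(f"{site:20s} {pw}")
```

Running the block prints three different 16-character passwords for the three sample sites; running it again prints exactly the same three, which is the reproducibility the quoted post relies on and also the reason the scheme's entire strength is the strength and secrecy of the master password.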