At 2:52 PM +0000 5/31/16, [EMAIL PROTECTED] wrote:
...
>
>Given that your passphrase is the only thing that keeps the server
>from knowing your private key, the system is relying very heavily on
>users choosing good passphrases.  While salt does help against
>dictionary attacks, it is really important that no passphrases be in
>anyone's dictionary anyway.  If that is accomplished, salt doesn't
>matter that much.

It is hard to get users to pick a passphrase that will not show up in
someone's dictionary. Dictionaries can be very large. Salt also prevents a
massively parallel hardware attack against a large number of keys at once.

This is as much a philosophical argument as a technical one. Is it OK to
field systems that are secure if users always do exactly what the experts
tell them, or is there a responsibility to use proven techniques that
reduce the risk to users who are less than perfect? If the goal is to
achieve actual security, then I think the latter approach is required, both
for moral and practical reasons.  Remember, the security of the message you
send depends on the recipient's passphrase, not your own.

Even worse, users are presented with a wide variety of passphrase advice,
much of it wrong. So even a user who tries to do the right thing could
easily end up with a weak passphrase. I have added suggestions for HushMail
to my Diceware page http://www.hayom.com/diceware.html but I expect only a
fraction of HushMail users will read it.

There is no excuse for not using salt with passphrases and it would be quite
easy for HushMail to correct this problem. I hope they are listening.


Arnold Reinhold

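The point made above about salt stopping one dictionary pass from attacking many users' keys at once, as an added Python illustration that is not part of the thread; the word list, the user table and the use of a bare SHA-256 in place of a real key-derivation function are constructed assumptions for the example.

```python
import hashlib
import os

# Constructed toy data (not from the thread): a tiny "dictionary" of weak
# passphrases and a few users who happened to pick from it.
DICTIONARY = ["password", "letmein", "hushmail", "qwerty", "correct horse"]
USERS = {"alice": "letmein", "bob": "qwerty", "carol": "letmein", "dave": "hushmail"}


def derive_key(passphrase: str, salt: bytes = b"") -> bytes:
    """Key that protects a user's private key, derived from the passphrase.
    A single SHA-256 stands in for a real (slow) key-derivation function;
    the point of the example is the salt, not the hash."""
    return hashlib.sha256(salt + passphrase.encode()).digest()


def enroll(salted: bool) -> dict:
    """Simulate the server-side table: user -> (salt, derived key).
    With salted=False every user gets the empty salt, as in the scheme
    criticised above."""
    table = {}
    for user, passphrase in USERS.items():
        salt = os.urandom(16) if salted else b""
        table[user] = (salt, derive_key(passphrase, salt))
    return table


def dictionary_pass(table: dict) -> tuple[int, int]:
    """Run every dictionary word against every user and return
    (hash evaluations spent, users whose passphrase was found).
    Unsalted: one evaluation per word is compared against ALL users at once,
    so the cost is len(DICTIONARY) regardless of how many users there are.
    Salted: each (word, user) pair needs its own evaluation, so the cost
    grows to len(DICTIONARY) * len(USERS)."""
    evaluations = 0
    recovered = 0
    if all(salt == b"" for salt, _ in table.values()):
        for word in DICTIONARY:
            candidate = derive_key(word)
            evaluations += 1
            # one candidate hash checks every user; identical passphrases
            # (alice and carol) also show up as identical stored keys
            recovered += sum(1 for _, key in table.values() if key == candidate)
    else:
        for salt, key in table.values():
            for word in DICTIONARY:
                evaluations += 1
                if derive_key(word, salt) == key:
                    recovered += 1
    return evaluations, recovered
```

Both tables give up the same four weak passphrases; the salt changes only the price, which is the reason it still matters for users with dictionary-grade passphrases.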