On May 29, 2012, at 7:01 22PM, Maarten Billemont wrote:
> Dear readers,
>
> I've written an iOS / Mac application whose goal it is to produce passwords
> for any purpose. I was really hoping for the opportunity to receive some
> critical feedback or review of the algorithm used[1].
>
> --
> ABOUT
>
> With an increasing trend of web applications requiring users to register
> accounts, we find ourselves with countless accounts. Ideally, each should
> have a different password, so that authenticating yourself for one account
> doesn't reveal your credentials of other accounts. That becomes really hard
> when you've got tens or hundreds of passwords to remember.
>
> Solutions exist, mostly in the form of password "vaults" that list your
> passwords and get stored in an encrypted form. Other solutions send your
> passwords off to be stored on some company's cloud service.
>
> Master Password is different in that it generates passwords based purely off
> of a user's master password and the name of the site. That means you need no
> storage and have a fully offline algorithm that needs nothing more than what
> you can remember easily.
> --
>
> I'm rather a notice in the field of security (certainly in comparison to some
> of you), and I was hoping that some of you might find the time to have a look
> at the algorithm and see if there are any obvious flaws or risks to the
> security and integrity of the solution.
>
> As a side-note, the iOS application, Master Password, is fully open-source[2]
> under the GPLv3. If any of you speak fluent Objective-C, it would be awesome
> if they could have a peek at the source code as well.
>From a very quick glance, it looks to be about the same as
@inproceedings{web-pw-gen,
Author = {J. Alex Halderman and Brent Waters and Edward W. Felten},
Booktitle = {Proc. 14th Intl. World Wide Web Conference},
Month = {May},
Title = {A Convenient Method for Securely Managing Passwords},
Url = {http://userweb.cs.utexas.edu/~bwaters/publications/papers/www2005
.pdf},
Year = 2005,
}
As someone else has noted, a crucial issue is that every site receives a
function of your master password, the site name, and a counter that
defaults to zero. If they launch a password-guessing attack -- and I
know you've made it expensive, but you can't go too far in that
direction without making user password retrieval too time-consuming, and
the attackers have GPUs, botnets, and things like EC2 to parallelize
their work -- they can retrieve the master password and hence all of
your others. You can strengthen you scheme significantly by making the
counter 8 bytes and starting it with some random value.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
