On Sat, Nov 17, 2012 at 1:10 AM, Jeffrey Walton <[email protected]> wrote:
> On Fri, Nov 16, 2012 at 12:34 PM, Uncle Zzzen <[email protected]>
> wrote:
> > Hi.
> > I need peer review for loplop
> > https://github.com/thedod/loplop
> For the whole scheme, or just the change?

The whole scheme (including the change), of course. If it's bad, it doesn't matter why it's bad.

> If it's the whole scheme, a
> recent discussion relating to password managers can be found at
> "Master Password,"
> http://lists.randombit.net/pipermail/cryptography/2012-May/002920.html.

I already discuss it (to the best of my abilities) at https://dubiousdod.org/go/PasswordGenerators

IIUC, what Marsh Ray says there doesn't necessarily mean loplop is insecure, but the fact that a *specific* attack wouldn't work on loplop doesn't comfort me much :)

> Heuristically, a longer password is *not* less secure than a shorter
> password. So you probably did not lessen the security of the system.

That's what my intuition tells me, but these things can be tricky, so I'm glad to hear this is also your intuition.

> (But the system may be insecure from the start, in which case it's a
> moot point).

Indeed. I guess I'm actually asking for peer review of oplop by proxy, but it's about time somebody took a look at it: I know quite a few people using it (it's ideal for backpackers), and such things get more dangerous the more popular they get (as Marsh Ray points out).

Best case scenario is if I could tell people "don't use oplop, use loplop", but - depending on what people say here - maybe I should only say the first part of the sentence :)
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
