On Wed, 11 Jan 2012 16:07:41 -0500 Tanstaafl <[email protected]> wrote:
> On 2012-01-11 3:56 PM, Alan McKinnon <[email protected]> wrote:
> > On Wed, 11 Jan 2012 11:04:01 -0500
> > Tanstaafl <[email protected]> wrote:
> >> http://passwordmaker.org/
> >>
> >
> > I haven't read the site yet, but just on the basis of your
> > description, all I'm seeing is a teeny-weeny amount of entropy
> > leading to passwords that are very easy for computers to compute.
> >
> > The algorithm is probably known and there can't be that many unique
> > attributes to a URL, leading to a very small pool of random data.
> >
> > In fact, I see this as a distinct possibility:
> > http://xkcd.com/936/
> >
> > Feel free to correct me if I'm wrong.
>
> You are wrong, but you'll need to read the site to learn why...

The site doesn't say much. It has one page, no internal links (quite a few
external ones) and a single link to an image.

But still, one can infer some of the methods of operation. There's a master
password and a few bits of easily guessable[1] entropy in the additional data
the user can configure.

It has one weakness that reduces it back to the same password being re-used.
And that is that there is a single master password. An attacker would simply
need to acquire that using various nefarious means (shoulder surfing, social
engineering, hosepipe decryption) and suddenly you are wide open[2].

I don't see that it increases cryptographic security by very much (it does by
a little) but it will increase real-life effective security by a lot. It
removes most of the threat from shoulder-surfing and StickyNoteSyndrome (much
like ssh agents do too). In a corporate environment[3], that is the major
threat we face, the one that keeps me awake at night, the one ignored by all
security auditors and the one understood by a mere three people in the
company... :-(

[1] Easily guessable by a computer
[2] I have my paranoia hat on currently
[3] for example, mine

-- 
Alan McKinnon
[email protected]
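As an added illustration of the scheme the thread is arguing about (a constructed example, not PasswordMaker's own algorithm, which the thread does not spell out; the salt, iteration count, alphabet and site names are assumptions), the block below derives per-site passwords from one master password plus a public site label, and makes both points concrete: sites get unrelated passwords, but the public site label adds no secrecy, so one leaked master regenerates every site password.

```python
import hashlib
import hmac
import math

# Constructed example of a deterministic master-password + site-label scheme.
# Salt, iteration count and alphabet are assumptions chosen for illustration.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@"
assert len(ALPHABET) == 64  # 256 % 64 == 0, so `byte % 64` selects without bias


def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Site password = f(master, site); identical inputs always give the same output."""
    # Stretch the master first: it is the only secret input, so offline guessing
    # must be made expensive.  (Salt and iteration count are example values.)
    stretched = hashlib.pbkdf2_hmac("sha256", master.encode(), b"example-salt", 50_000)
    # Mix in the (public) site label with HMAC so different sites get unrelated
    # outputs: a breach of one site's password does not reveal another's.
    digest = hmac.new(stretched, site.lower().encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % 64] for b in digest[:length])


def effective_strength_bits(master_guess_space_bits: float, length: int = 16) -> float:
    """An attacker already knows the site label, so the derived password is only
    as strong as the master password, capped by the output's own 6 bits/char."""
    return min(master_guess_space_bits, length * math.log2(len(ALPHABET)))


def regenerate_all(master: str, sites) -> dict:
    """What a single leaked master password yields: every site password at once.
    This is the single point of failure the reply above describes."""
    return {site: derive_site_password(master, site) for site in sites}


if __name__ == "__main__":
    sites = ["example.com", "example.org", "bank.example"]  # constructed labels
    pw = regenerate_all("correct horse battery staple", sites)
    for site, p in pw.items():
        print(f"{site:14} {p}")
    # Changing one character of the master changes every site password.
    other = regenerate_all("correct horse battery stapl3", sites)
    print(all(pw[s] != other[s] for s in sites))  # True
    print(effective_strength_bits(44))  # a 44-bit master gives 44-bit site passwords
```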

