Alan McKinnon wrote:
> On Wed, 11 Jan 2012 16:07:41 -0500
> Tanstaafl <tansta...@libertytrek.org> wrote:
>
>> On 2012-01-11 3:56 PM, Alan McKinnon <alan.mckin...@gmail.com> wrote:
>>> On Wed, 11 Jan 2012 11:04:01 -0500
>>> Tanstaafl <tansta...@libertytrek.org> wrote:
>>>> http://passwordmaker.org/
>>>>
>>>
>>> I haven't read the site yet, but just on the basis of your
>>> description, all I'm seeing is a teeny-weeny amount of entropy
>>> leading to passwords that are very easy for computers to compute.
>>>
>>> The algorithm is probably known and there can't be that many unique
>>> attributes to a URL, leading to a very small pool of random data.
>>>
>>> In fact, I see this as a distinct possibility:
>>> http://xkcd.com/936/
>>>
>>> Feel free to correct me if I'm wrong.
>>
>> You are wrong, but you'll need to read the site to learn why...
>
> The site doesn't say much. It has one page, no internal links (quite a
> few external ones) and a single link to an image.
>
> But still, one can infer some of the methods of operation. There's a
> master password and a few bits of easily guessable[1] entropy in the
> additional data the user can configure.
>
> It has one weakness that reduces it back to the same password being
> re-used. And that is that there is a single master password. An
> attacker would simply need to acquire that using various nefarious
> means (shoulder surfing, social engineering, hosepipe decryption) and
> suddenly you are wide open[2].

I would expect it to use a strong forward-only hash. I can't do that in my head, but that's what I'd expect this software to do. A MITM between the computer and the remote host should only result in a single password lost.

> I don't see that it increases cryptographic security by very much (it
> does by a little) but it will increase real-life effective security by
> a lot. It removes most of the threat from shoulder-surfing and
> StickyNoteSyndrome (much like ssh agents do too). In a corporate
> environment[3], that is the major threat we face, the one that keeps
> me awake at night, the one ignored by all security auditors and the one
> understood by a mere three people in the company... :-(

I was convinced you completely missed the point, but I think you found it here.

> [1] Easily guessable by a computer
> [2] I have my paranoia hat on currently
> [3] for example, mine

I'm seriously unconvinced that concatenating words significantly increases the difficulty of the problem. Just as a mentalist will presume you're thinking about '7', your average demographic would probably draw from a small pool of source words, even latching on to catchphrases and other memes. You're likely to see "steamingmonkeypile", "nyanyanyan", "dontsaycandleja-" and "hasturhasturhast-" used more than once, for example. I'd give a better list of likely results, but I don't want to run too far afoul of good taste in public posting. :)
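
The trade-off argued in this thread, as an added example that is not part of the original messages and is not PasswordMaker's own algorithm: a one-way derivation gives each site an unrelated password, yet a master phrase drawn from a small pool can still be checked against a single leaked site password. It assumes PBKDF2-HMAC-SHA256 with the site name as salt; `site_password`, `master_is_guessable`, the iteration count, the hostnames and the sample master values are hypothetical or constructed.

```python
import base64
import hashlib

ITERATIONS = 100_000  # assumed work factor; every master guess costs this much
LENGTH = 16           # characters kept per site (16 base64 chars = 96 bits)

# Phrases the thread itself names as likely to be reused by many people.
COMMON_PHRASES = ["steamingmonkeypile", "nyanyanyan"]


def site_password(master: str, site: str, counter: int = 1) -> str:
    """Derive a per-site password from one master secret (hypothetical helper)."""
    # Site name plus a rotation counter form the salt, so the same master
    # yields unrelated outputs per site, and a site can be rotated alone.
    salt = f"{site.lower()}:{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              ITERATIONS, dklen=32)
    return base64.urlsafe_b64encode(raw).decode()[:LENGTH]


def master_is_guessable(leaked: str, site: str, phrases) -> bool:
    """Audit check: does any phrase from a known pool reproduce the leaked
    site password? If so, every other site password is derivable too."""
    return any(site_password(p, site) == leaked for p in phrases)


if __name__ == "__main__":
    strong = "constructed-long-random-master-7f3a"   # constructed sample
    weak = "nyanyanyan"                              # from COMMON_PHRASES

    # One master, two sites: the outputs share nothing visible.
    print(site_password(strong, "forum.example"))
    print(site_password(strong, "bank.example"))

    # A leaked forum password only matters if the master is in the pool.
    for master in (strong, weak):
        leaked = site_password(master, "forum.example")
        print(master, "->", master_is_guessable(leaked, "forum.example",
                                                COMMON_PHRASES))
```
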