On Wednesday, December 19, 2012 4:16:43 AM UTC+1, Ryan Schipper wrote:
>
> That said, I would advise against using Password Maker.
>
> I've just had a quick browse of the source and the software uses your master password as direct key material for their HMAC algorithms. This is a direct violation of HMAC's security assumptions (specifically, that the key derivation function is a pseudo-random function). These sorts of errors make me nervous regarding the general security posture of the application.
>
Security software is rife with issues. Read this paper for more scary stuff: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

That is why I don't disagree with Fabrizio for being unduly cautious, despite the fact that I do store my passwords using 1Password. As with all things, it is a tradeoff between security and convenience, and I think that 1Password gives me much better security than "one password", and most of the convenience of that.

Cheers,
Paul

--
You received this message because you are subscribed to the Google Groups "Java Posse" group.
To view this discussion on the web visit https://groups.google.com/d/msg/javaposse/-/CvwHje_JU50J.
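The design pattern raised in the quoted message (a master password used directly as the HMAC key), shown beside a variant that first stretches the password with PBKDF2. This is an added example, not part of the original thread and not PasswordMaker's code; the function names, iteration count, salt and sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def site_password_direct(master: str, site: str) -> str:
    # Pattern from the quoted message: the typed master password is the HMAC key.
    return hmac.new(master.encode(), site.encode(), hashlib.sha256).hexdigest()[:16]


def stretch_master(master: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    # PBKDF2-HMAC-SHA256 turns the password into a 32-byte key. The salt is
    # per-user, not secret, and must be stored to regenerate the same key.
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)


def site_password_stretched(key: bytes, site: str) -> str:
    # Same HMAC construction, keyed with the derived key instead of the password.
    return hmac.new(key, site.encode(), hashlib.sha256).hexdigest()[:16]


def guess_cost_ratio(master: str, salt: bytes, site: str = "example.com") -> float:
    # How much more work one master-password guess costs in the stretched scheme.
    t0 = time.perf_counter()
    for _ in range(1000):
        site_password_direct(master, site)
    direct = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    site_password_stretched(stretch_master(master, salt), site)
    stretched = time.perf_counter() - t0
    return stretched / max(direct, 1e-9)


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample salt
    master = "correct horse battery staple"                  # constructed sample input
    key = stretch_master(master, salt)
    print("direct   :", site_password_direct(master, "example.com"))
    print("stretched:", site_password_stretched(key, "example.com"))
    print("cost ratio per guess: %.0fx" % guess_cost_ratio(master, salt))
```

With direct keying, checking one candidate master password against a known site password costs a single HMAC; with the stretched key it costs the full PBKDF2 iteration count.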
