Yep, the plugin at that site is pretty much what I'm looking for, thanks. No idea is new I guess. :)
Thanks,
Adrian

On Thu, Jul 30, 2009 at 12:43 AM, Chris Biettchert <[email protected]> wrote:

> If your goal is to use unique passwords for each site without having to
> remember them all or carry around the password database, you could try
> something like http://crypto.stanford.edu/PwdHash/
>
> If someone is able to get access to your master password they can generate
> all of your passwords from their own installation without having to have
> physical access to your password database (since there is no password
> database). It also makes rotating passwords for individual sites difficult;
> but like everything, it's a trade-off between usability and security.
>
> This approach also has an interesting property of allowing an attacker who
> has access to one of your site-specific passwords (either by running the
> site or gaining access to it) to perform an offline attack to try to
> determine your master password since the program essentially uses an HMAC
> algorithm using site-specific identifiers as m and your master password as
> K. That being said, it's still a whole lot better than reusing passwords
> between sites.
>
> On Wed, Jul 29, 2009 at 6:11 PM, iamnowonmai <[email protected]> wrote:
>
>> I think it has even been mentioned on PSW within the past year and a half
>> or so... Could be wrong though.
>> Besides. IRONGEEK needs to use the IRONKEY!!!!!
>> :)
>>
>> On Wed, Jul 29, 2009 at 7:44 PM, Vincent Lape <[email protected]> wrote:
>>
>>> I think this has already been done. If memory serves me correctly Steve
>>> Gibson talked about it on Security Now.
>>> On Jul 29, 2009, at 4:40 PM, Adrian Crenshaw wrote:
>>>
>>> I'm sure by now many of you here have heard of the asshatery that is
>>> zero for 0wned (zf05.txt) and it's started me thinking about password
>>> management across websites.
>>>
>>> Remembering a unique password for each and every site is hard to manage.
>>> Now, what I currently do is have one password for finance stuff, another for
>>> website related stuff and yet another for forums I've visited, sort of by
>>> level of how much I care if they get compromised. Still, it's a pain to go
>>> around changing passwords when you hear Binrev or Hak5 got hacked and you're
>>> not sure if they got your credentials.
>>>
>>> I was wondering if this scheme is workable from a security standpoint, and
>>> if someone has already implemented it into a Firefox plugin. Let's say you do
>>> this: take a password you use everywhere, concatenate it with the domain name
>>> of the site you are making a password for, then take the md5 hash and use it
>>> as your password. For example, if my password was "mypassword" and I were
>>> using it on Pauldotcom.com:
>>>
>>> md5("mypasswordpauldotcom.com") = "4b7958e4302cae2836f1c05532f835f4"
>>>
>>> This way, it's still easy to remember, but even if an attacker gets the
>>> plain text from what is stored on the site (4b7958e4302cae2836f1c05532f835f4
>>> in this case), they can't use it to compromise accounts on other sites since
>>> your password would be different, for example:
>>>
>>> md5("mypasswordirongeek.com") = "1c96d14e6e048924cabf3009b064958f"
>>>
>>> Do you see any major weaknesses in this scheme? Anyone know how to
>>> implement a Firefox plugin to simplify it?
>>>
>>> Thanks,
>>> Adrian
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
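The trade-off discussed in this thread, as an added example that is not part of any poster's message and is not PwdHash's code: it derives per-site passwords with the md5(password + domain) scheme, with the HMAC form Chris describes (K = master password, m = domain), and with a slow KDF, then shows that a party holding one derived password can test master-password guesses offline in all three cases. The function names, the candidate list, and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac

def md5_concat(master: str, domain: str) -> str:
    """Scheme from the original post: md5(master + domain), hex-encoded."""
    return hashlib.md5((master + domain).encode()).hexdigest()

def hmac_site(master: str, domain: str) -> str:
    """HMAC form described in the reply: K = master password, m = domain."""
    return hmac.new(master.encode(), domain.encode(), hashlib.md5).hexdigest()

def slow_site(master: str, domain: str, iterations: int = 200_000) -> str:
    """Same idea with a deliberately slow KDF (PBKDF2-HMAC-SHA256, domain as
    salt). The iteration count is an assumption, not a recommendation."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(),
                              iterations, dklen=16)
    return raw.hex()

def guess_master(derive, domain, leaked, candidates):
    """Offline check available to anyone holding one derived password:
    re-derive for each candidate master and compare. Returns (master, tries)."""
    for tries, cand in enumerate(candidates, start=1):
        if hmac.compare_digest(derive(cand, domain), leaked):
            return cand, tries
    return None, len(candidates)

# Constructed sample data: a guessable master and a tiny candidate list.
MASTER = "mypassword"
CANDIDATES = ["letmein", "password1", "mypassword", "hunter2"]

def demo():
    """For each scheme: (recovered master, guesses used, other site exposed?)."""
    results = {}
    for name, derive in (("md5_concat", md5_concat), ("hmac", hmac_site),
                         ("pbkdf2", slow_site)):
        leaked = derive(MASTER, "pauldotcom.com")
        found, tries = guess_master(derive, "pauldotcom.com", leaked, CANDIDATES)
        # Once the master is known, every other site's password follows.
        exposed = found is not None and \
            derive(found, "irongeek.com") == derive(MASTER, "irongeek.com")
        results[name] = (found, tries, exposed)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

All three schemes give up a guessable master password; the slow KDF only raises the cost of each guess, so the strength of the master password is what limits the offline attack.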
