On Mon, Mar 24, 2014 at 10:10 PM, Edward Ned Harvey (lopser) <lop...@nedharvey.com> wrote:
> If you log in to servers that utilize bcrypt, scrypt, pbkdf2, etc., to salt &
> stretch your password for storage in a backend database, then you are
> vulnerable to phishing attacks, and cross-site attacks if you repeat
> passwords at different sites, and a few other vulnerabilities.
>
> I think the internet can do better. So I created CBcrypt
> https://github.com/rahvee/CBcrypt
>
> The goal is to change the way we do authentication on the internet. Never
> give your password to anyone, not even trusted sites, not even when you're
> logging into them.
Looks interesting. Some comments/questions:

1. If one uses the full hostname for site identification, then the generated key pair for wiki.foo.com would be different than for forums.foo.com. This seems like it could be annoying depending on how a site implements site-wide logins.

2. If one uses a suffix instead (say foo.com), then if an attacker convinces someone to log in to trojan.foo.com after managing to pollute their DNS lookup (or manage some other man-in-the-middle type attack), then they can capture the user's credentials for the whole site. Since you can't (generally) control whether people are using DNSSEC for the entire path for DNS lookups, this seems problematic. Even if you use SSL for all of the real servers on your site, the attackers don't have to do so for their trojan host, so there won't be any certificate failures on connection to the trojan server. Hopefully #1 is not really a problem.

3. If users re-use passwords between sites that use your system and those that send to/store credentials on the server, then passwords stolen from those sites can be used to authenticate to your site. Since one of the advantages of this system is that users can remember just a few passwords, this is annoying. At a minimum, you will need to educate users to use a new password for those sites that use this new system. I'm doubtful though that typical users verify this correctly and would expect plenty of trojan sites which will claim to do so in order to capture user credentials. Not sure how to police this.

Bill Bogstad

P.S. I've posted this only to t...@lopsa.org at Paul Graydon's request to stop crossposting.

Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
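The site-identifier trade-off in points 1 and 2 above, and the password-reuse problem in point 3, can be made concrete with a small client-side derivation. The code below is an added illustration written for this page; it is not CBcrypt's own code and does not claim to match its key-derivation scheme. It assumes PBKDF2-HMAC-SHA256 as the stretching function (stand-in for whatever CBcrypt uses), the site identifier as the salt, an iteration count chosen only for the example, and a toy "registrable suffix" rule (keep the last two DNS labels) in place of a real public-suffix list. It stops at the per-site secret from which a key pair would be derived; deriving and using an actual signing key pair is out of scope here.

```python
import hashlib

# Added example, not CBcrypt's code. All names and parameters below are
# assumptions made for illustration.
ITERATIONS = 100_000  # assumed work factor; tune for the deployment


def full_hostname(host: str) -> str:
    """Policy 1 from the reply: bind the derived key to the exact hostname."""
    return host.lower().rstrip(".")


def registrable_suffix(host: str) -> str:
    """Policy 2 from the reply: bind the derived key to a site-wide suffix.

    Toy rule (assumption): keep the last two DNS labels. A real client would
    need the public-suffix list to handle names like example.co.uk.
    """
    labels = full_hostname(host).split(".")
    return ".".join(labels[-2:])


def site_secret(password: str, site_id: str, iterations: int = ITERATIONS) -> bytes:
    """Derive the per-site secret on the client.

    The password itself never leaves the machine; only material derived from
    the returned secret (e.g. a public key) would be sent to or stored by the
    site. The site identifier is mixed in as salt, so the same password yields
    unrelated secrets for different identifiers.
    """
    salt = b"cbcrypt-example-v1|" + site_id.encode("ascii")
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def same_identity(password: str, host_a: str, host_b: str, policy) -> bool:
    """True if two hostnames map to the same derived secret under `policy`.

    Under full_hostname, wiki.foo.com and forums.foo.com differ (point 1).
    Under registrable_suffix, trojan.foo.com collides with www.foo.com, so a
    host an attacker controls inside the suffix gets the same key (point 2).
    """
    return site_secret(password, policy(host_a)) == site_secret(password, policy(host_b))


def attacker_can_impersonate(leaked_password: str, victim_password: str, host: str) -> bool:
    """Point 3: a password leaked from a legacy site that received it in
    the clear lets an attacker re-run the client derivation and obtain the
    victim's per-site secret for any site where the password was reused."""
    site_id = full_hostname(host)
    return site_secret(leaked_password, site_id) == site_secret(victim_password, site_id)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("full host, wiki vs forums:  ", same_identity(pw, "wiki.foo.com", "forums.foo.com", full_hostname))
    print("suffix,    wiki vs forums:  ", same_identity(pw, "wiki.foo.com", "forums.foo.com", registrable_suffix))
    print("suffix,    www vs trojan:   ", same_identity(pw, "www.foo.com", "trojan.foo.com", registrable_suffix))
    print("leaked password reused:     ", attacker_can_impersonate(pw, pw, "www.foo.com"))
```

The two policies are the two horns of Bill's points 1 and 2: the exact-hostname binding keeps a DNS-poisoned trojan.foo.com from obtaining the key for www.foo.com, but forces any site that spans several hostnames to link those identities server-side; the suffix binding gives single sign-on for free, at the price of trusting every name under the suffix. Point 3 falls out of the derivation being deterministic: anyone who learns the plaintext password can run it too, so the scheme removes password exposure only at sites that use it, not across a user's reused passwords.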