> From: Phil Pennock [mailto:lopsa-t...@spodhuis.org]
>
> I could swear that one of the public password management tools already
> supported deterministic site-specific passwords,
The thing is: if you just hash and mix your password and send a generated site-specific password to the site... Without a work factor, it does very little to protect your password, but giving them the benefit of the doubt and assuming they are using a work factor... Yes, that *does* protect your original password, but anybody who intercepts your generated password is able to impersonate you at that site.

If these site-specific password generators are "doing the right thing" by mixing site-specific factors with your password and hashing it all with a work factor, then it's only one step further to feed the generated hash into a PRNG and generate a public/private keypair. Send the public key. So you can prove that you know your password without exposing your password, and even if somebody intercepts it, they still cannot impersonate you.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
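An added worked example (mine, not code from the thread or from any of the tools it mentions) of the keypair variant the message above proposes: the master password and the site name go through scrypt, whose cost parameters are the work factor; the output becomes a private scalar; only the public key is ever sent to the site; and login is a signature over a fresh one-shot challenge, so a captured transcript cannot be replayed the way a captured generated password can. The choice of secp256k1 as the group, scrypt as the KDF, the `site-keypair:` salt prefix, and a textbook Schnorr signature with a deterministic nonce are my assumptions, not the poster's. The curve arithmetic is written out so the block runs on the Python standard library alone; it is illustrative and not constant-time, so use a vetted library for anything real.

```python
import hashlib
import hmac
import os

# secp256k1 domain parameters (public constants): field prime, group order, base point.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P     # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def _encode(point):
    """Compressed SEC1 encoding: 0x02/0x03 parity prefix + 32-byte x coordinate."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _decode(data):
    """Decompress and validate an encoded point; rejects anything not on the curve."""
    if len(data) != 33 or data[0] not in (2, 3):
        raise ValueError("bad point encoding")
    x = int.from_bytes(data[1:], "big")
    if x >= P:
        raise ValueError("x out of range")
    y = pow(x**3 + 7, (P + 1) // 4, P)      # P = 3 mod 4, so this is a sqrt when one exists
    if (y * y - x**3 - 7) % P:
        raise ValueError("not on curve")
    if (y & 1) != (data[0] & 1):
        y = P - y
    return (x, y)


def derive_private_key(password, site, n=2**14, r=8, p=1):
    """scrypt(password, salt=site) -> private scalar in [1, N-1]; n, r, p are the work factor.
    The salt prefix is an assumption of this example, used only for domain separation."""
    seed = hashlib.scrypt(password.encode(), salt=b"site-keypair:" + site.encode(),
                          n=n, r=r, p=p, maxmem=64 * 1024 * 1024, dklen=64)
    return int.from_bytes(seed, "big") % (N - 1) + 1


def public_key(d):
    """The only thing the site ever receives or stores."""
    return _encode(_mul(d, G))


def _e(r_enc, pk, challenge):
    return int.from_bytes(hashlib.sha256(r_enc + pk + challenge).digest(), "big") % N


def sign(d, challenge):
    """Schnorr signature R || s over the challenge, satisfying s*G == R + e*pk.
    The nonce k is derived from (d, challenge) so it is never reused: reuse leaks d."""
    pk = public_key(d)
    ctr = 0
    while True:
        mac = hmac.new(d.to_bytes(32, "big"), challenge + bytes([ctr]), hashlib.sha256)
        k = int.from_bytes(mac.digest(), "big") % N
        if k:
            break
        ctr += 1
    r_enc = _encode(_mul(k, G))
    s = (k + _e(r_enc, pk, challenge) * d) % N
    return r_enc + s.to_bytes(32, "big")


def verify(pk, challenge, sig):
    """True iff sig is a valid signature over challenge under public key pk."""
    if len(sig) != 65:
        return False
    try:
        r_point, pk_point = _decode(sig[:33]), _decode(pk)
    except ValueError:
        return False
    s = int.from_bytes(sig[33:], "big")
    if s >= N:
        return False
    return _mul(s, G) == _add(r_point, _mul(_e(sig[:33], pk, challenge), pk_point))


class Site:
    """The relying party: stores public keys only and issues one-shot random challenges."""
    def __init__(self):
        self.keys, self.pending = {}, {}

    def register(self, user, pk):
        self.keys[user] = pk

    def challenge(self, user):
        self.pending[user] = os.urandom(32)
        return self.pending[user]

    def login(self, user, sig):
        c = self.pending.pop(user, None)      # a challenge can be answered exactly once
        return c is not None and user in self.keys and verify(self.keys[user], c, sig)
```

In this construction an eavesdropper sees the public key, the challenge and the signature, none of which lets them answer the next challenge or recover the password; the only offline attack left is guessing passwords against the public key, which is what the scrypt work factor is there to slow down. One caveat for a real deployment: the challenge should also bind the site's identity (for example its origin), otherwise a phishing site could relay the genuine site's challenge to the user and forward the answer.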