[cryptography] Peer review request - Loplop

Kyle Creyts kyle.creyts at gmail.com
Fri Nov 16 21:51:25 EST 2012

giving it an extremely brief run-through, I'd say that you've made a
different compromise than the app-maker chose in making the limit 8.

the choice of 8 base64 digits out of the 24 given by the md5 appears
to have been explicitly done to combat attempts to attack the master
password, or other account passwords, based on the possession of any
one (or several) account passwords and nicknames or labels.

while you may have succeeded in making your individual passwords
somewhat harder to brute-force, you've also used a larger portion of
the md5, increasing the amount of information an attacker is given by
the compromise of an individual password, and shrinking the number of
possible candidate md5s they would have to guess to attempt to collide
in hopes of getting your master password. in addition, they would
likely have to have at least another of your passwords and nicknames
to confirm the plausibility of the correctness of a given collision
for a given MD5 guess, if I understand it correctly. there may have
been some oversights in the conception of the scheme which weaken it
but are not immediately apparent to me. I haven't given it a good
look, and I am probably not the right person to look at it and
contribute meaningfully to the discussion anyway.


only using base64 strings with numbers in them, and prepending a 1 in
some cases... this seems like it would shrink the keyspace/randomness
by at least a few bits. shrug.

On Fri, Nov 16, 2012 at 10:46 AM, Uncle Zzzen <unclezzzen at gmail.com> wrote:
> On Sat, Nov 17, 2012 at 1:10 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>> On Fri, Nov 16, 2012 at 12:34 PM, Uncle Zzzen <unclezzzen at gmail.com>
>> wrote:
>> > Hi.
>> > I need peer review for loplop
>> > https://github.com/thedod/loplop
>> For the whole scheme, or just the change?
> The whole scheme (including the change), or course. If it's bad, it doesn't
> matter why it's bad.
>> If its the whole scheme, a
>> recent discussion relating to password managers can be found at
>> "Master Password,"
>> http://lists.randombit.net/pipermail/cryptography/2012-May/002920.html.
> I already discuss it (to the best of my abilities) at
> https://dubiousdod.org/go/PasswordGenerators
> IIUC, what Marsh Ray says there doesn't necessarily mean loplop is insecure,
> but the fact that a *specific* attack wouldn't work on loplop doesn't
> comfort me much :)
>> Heuristically, a longer password is *not* less secure than a shorter
>> password. So you probably did not lessen the security of the system.
> That's what my intuition tells me, but these things can be tricky, so I'm
> glad to hear this is also your intuition.
>> (But the system may be insecure from the start, in which case its a
>> moot point).
> Indeed.
> I guess I'm actually asking for peer review of oplop by proxy, but it's
> about time somebody took a look at it: I know quite a few people using it
> (it's ideal for backpackers), and such things get more dangerous the more
> popular they get (as Marsh Ray points out).
> Best case scenario is if I could tell people "don't use oplop, use loplop",
> but - depending on what people say here - maybe I should only say the first
> part of the sentence :)
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography

Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer

More information about the cryptography mailing list