[cryptography] Hi all, would like your feedback on something

Brian Hankey bhankey at gmail.com
Fri Dec 18 09:27:46 EST 2015


I am curious to get some feedback from you about a little thought experiment/hobby project I’ve been working on with some of my coworkers and have a very early prototype of the concept.

The question we are trying to answer here is how could we all have ultra strong passwords i.e. “!3AbDEE9eE45DCea” that are unique for each and every website, email, social media, etc. service that we use but without having to trust any third parties to store them for us protected by a single password (perhaps with 2 factor authentication, hardware key, etc., admittedly), or to use some kind of local password manager that needs to be installed on every device you want to use it on with a local encrypted password file.  Lastly, it should be extremely resistant to rainbow tables if and when one of your passwords is leaked.

The idea is to have a very compact piece of open source code that can run in your browser that would help you to generate nearly unbreakable passwords on the fly every time you need them instead of storing them somehow, or writing them down where other parties may be able to access them.  

Also, clearly, nothing is unbeatable. Garbage in, garbage out. If someone knows you and your habits they could possibly still break your password, especially if they know you use this tool and you put very weak things into it (i.e. google 1234 ! 1 - this will make sense when you look at the demo and the FAQ).  However, the concept is more about: 

1) Not being the “low hanging fruit” when some major site gets hacked and usernames and passwords get leaked on the net (i.e. don’t be the guy that is “u:billsmith32 p:Password123!” on every site he uses).

2) Not having to trust third parties (i.e. what if I don’t want Apple to store all my passwords in their cloud?). 

3) Not requiring cumbersome software that requires installation on your computer and an encrypted local password file to function (i.e. what if I am at a friend’s house and I need to login somewhere?).

Known vulnerabilities: Keyloggers, compromised hardware, anyone that can observe you.  (We were thinking of adding a virtual keyboard that bounces around the screen randomly to help foil key loggers).

Disclaimer: I am not a programmer, I’m sure the code is buggy (and the bugs were probably introduced by me and not my coworkers). I am not a mathematician, and I’m sure there are far better hash functions to use. I’m also sure that there are better ways to handle the forcing of 1 special char, 1 upper, 1 lower and 1 number minimum in each password to satisfy the peskiest “your password is too weak” systems.  

The most important feedback I’m looking for is, do you think the concept is sound and if so why or why not? If you do think it’s sound then I would like to know how to improve it? If you think there is potential do you think it is worth developing further? Assuming it is sound how can we increase user friendliness and/or security?

Did somebody else already think of this and do something similar (high probability I guess) - please tell me so I can give credit where credit is due.  I thought up this idea on a long car trip a year ago and finally got the courage to con my coworkers into helping me build it to the bare minimum stage that I could ask some real experts for an opinion. I asked a few friends already who are pretty well advanced in computer sciences and nobody called me a stark raving idiot so I thought it would be OK to ask a crypto mailing list, hope you don’t mind.

If you find any egregious idiocy in the code it is probably my fault because I’ve been fooling with it a little bit while being too impatient to get the experts to fix it.  I think it still works as a demo though. I am the only non-coder of the three that have worked on this so far. The .php version is only to have a cool looking animation to go with the demo, this is intended to be run locally. If you want to see the very original version it’s there too as secretpassv1.html 

Thanks for your time, I look forward to hearing your feedback, good, bad, awful or otherwise.

Links - 

live demo: http://secretpass.org
git: https://github.com/brianci/secretpass

Thanks. Happy Holidays! 
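The derivation the post describes, as an added example that is not code from the post or from the secretpass repository: the master secret is stretched with a slow, salted KDF (PBKDF2-HMAC-SHA256 here), the site name and username serve as the salt so each service gets an unrelated password, and the "one lower, one upper, one digit, one special" rule is met without leaving the mandatory characters in a fixed position. The salt label, alphabet, iteration count and the function names are my assumptions, not the project's.

```python
import hashlib
import string

# Required character classes; the derived password contains at least one of each.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-=?@^_")
ALPHABET = "".join(CLASSES)


def derive_site_password(master_secret: str, site: str, username: str = "",
                         length: int = 16, iterations: int = 100_000) -> str:
    """Deterministically derive one password per (master secret, site, username)."""
    if length < len(CLASSES):
        raise ValueError("length too short to hold one character of every class")
    # Site name (normalised) and username act as the salt, so a leak of one
    # derived password gives no precomputed table for any other site.
    salt = f"secretpass-example-v0|{site.strip().lower()}|{username.strip()}".encode()
    # A slow KDF, not a single fast hash, so offline guessing of a weak master
    # secret costs the attacker 'iterations' hashes per guess. 4x the output
    # length in key bytes keeps the modulo reductions below free of measurable bias.
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt,
                              iterations, dklen=4 * length)
    n = int.from_bytes(key, "big")
    chars = []
    # One character from every required class first ...
    for cls in CLASSES:
        n, idx = divmod(n, len(cls))
        chars.append(cls[idx])
    # ... then the remaining positions from the full alphabet.
    for _ in range(length - len(CLASSES)):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    # Deterministic Fisher-Yates shuffle driven by the same key material, so the
    # mandatory characters are not always the first four (a fixed pattern would
    # shrink the search space for anyone who knows the scheme).
    for i in range(len(chars) - 1, 0, -1):
        n, j = divmod(n, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """Check the composition rule the post wants to satisfy."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    # Constructed sample inputs; the master secret would never be this guessable.
    for site in ("example.com", "mail.example.net"):
        print(site, derive_site_password("correct horse battery staple", site, "billsmith32"))
```

Changing the site label or the alphabet changes every derived password, so those constants are part of the scheme and must stay fixed once in use.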
