[cryptography] Hi all, would like your feedback on something

Givon Zirkind givonne at gmx.com
Fri Dec 18 12:04:54 EST 2015


On 12/18/2015 9:27 AM, Brian Hankey wrote:
> Hi,
> I am curious to get some feedback from you about a little thought 
> experiment/hobby project I’ve been working on with some of my 
> coworkers and have a *very* early prototype of the concept.
> The question we are trying to answer here is how could we all have 
> ultra strong passwords, i.e. “!3AbDEE9eE45DCea”, that are unique for 
> each and every website, email, social media, etc. service that we use 
> but without having to trust any third parties to store them for us 
> protected by single password (perhaps with 2 factor authentication, 
> hardware key, etc., admittedly), or to use some kind of local password 
> manager that needs to be installed on every device you want to use it 
> on with a local encrypted password file.  Lastly, it should be 
> extremely resistant to rainbow tables if and when one of your 
> passwords is leaked.
> The idea is to have a very compact piece of open source code that can 
> run in your browser that would help you to generate nearly unbreakable 
> passwords on the fly every time you need them instead of storing them 
> somehow, or writing them down where other parties may be able to 
> access them.
> Also, clearly, nothing is unbeatable. Garbage in garbage out. If 
> someone knows you and your habits they could possibly still break your 
> password, especially if they know you use this tool and you put very 
> weak things into it (i.e. google 1234 ! 1 - this will make sense when 
> you look at the demo and the FAQ).  However, the concept is more about:
> 1) Not being the “low hanging fruit” when some major site gets hacked 
> and usernames and passwords get leaked on the net (i.e. don’t be the 
> guy that is “u:billsmith32 p:Password123!” on every site he uses).
> 2) Not having to trust third parties (i.e. what if I don’t want Apple to 
> store all my passwords in their cloud?).
> 3) Not requiring cumbersome software that requires installation on 
> your computer and an encrypted local password file to function (i.e. 
> what if I am at a friend’s house and I need to log in somewhere?).
> Known vulnerabilities: Keyloggers, compromised hardware, anyone that 
> can observe you.  (We were thinking of adding a virtual keyboard that 
> bounces around the screen randomly to help foil key loggers).
> Disclaimer: I am not a programmer, I’m sure the code is buggy (and the 
> bugs were probably introduced by me and not my coworkers). I am not a 
> mathematician, and I’m sure there are far better hash functions to 
> use. I’m also sure that there are better ways to handle the forcing of 
> 1 special char, 1 upper, 1 lower and 1 number minimum in each password 
> to satisfy the peskiest “your password is too weak” systems.
> The most important feedback I’m looking for is, do you think the 
> concept is sound and if so why or why not? If you do think it’s sound 
> then I would like to know how to improve it? If you think there is 
> potential do you think it is worth developing further? Assuming it is 
> sound how can we increase user friendliness and/or security?
> Did somebody else already think of this and do something similar (high 
> probability I guess) - please tell me so I can give credit where 
> credit is due.  I thought up this idea on a long car trip a year ago 
> and finally got the courage to con my coworkers into helping me build 
> it to the bare minimum stage that I could ask some real experts for an 
> opinion. I asked a few friends already who are pretty well advanced in 
> computer sciences and nobody called me a stark raving idiot so I 
> thought it would be OK to ask a crypto mailing list, hope you don’t mind.
> If you find any egregious idiocy in the code it is probably my fault 
> because I’ve been fooling with it a little bit while being too 
> impatient to get the experts to fix it.  I think it still works as a 
> demo though. I am the only non-coder of the three that have worked on 
> this so far. The .php version is only to have a cool looking animation 
> to go with the demo, this is intended to be run locally. If you want 
> to see the very original version it’s there too as secretpassv1.html
> Thanks for your time, I look forward to hearing your feedback, good, 
> bad, awful or otherwise.
> Links -
> live demo http://secretpass.org
> git: https://github.com/brianci/secretpass
> Thanks. Happy Holidays!

