[cryptography] Hi all, would like your feedback on something

Jeffrey Goldberg jeffrey at goldmark.org
Sun Dec 20 02:14:42 EST 2015

Perhaps I shouldn’t comment as I work for a company that makes a password manager, and so a critique of your scheme might involve a conflict of interest. But with that disclosure in mind, I will go ahead.

On 2015-12-18, at 8:27 AM, Brian Hankey <bhankey at gmail.com> wrote:
> The question we are trying to answer here is how could we all have ultra strong passwords i.e. “!3AbDEE9eE45DCea” that are unique for each and every website, email, social media, etc. service that we use but without having to trust any third parties to store them for us protected by a single password (perhaps with 2 factor authentication, hardware key, etc., admittedly), or to use some kind of local password manager that needs to be installed on every device you want to use it on with a local encrypted password file.  Lastly, it should be extremely resistant to rainbow tables if and when one of your passwords is leaked.

The problem you address is certainly real. And a lot of people have looked at various approaches over the decades. None, so far, is fully satisfactory. (I obviously believe that a well designed password manager is the best solution for most people available today, but I do not see them as the long term solution.)

One common mistake made in approaching this problem is a failure to look at the previous literature. Pretty much every scheme that people new to the problem propose has been examined before. If your approach isn’t in wide use, there is probably a reason for it.

> The idea is to have a very compact piece of open source code that can run in your browser that would help you to generate nearly unbreakable passwords on the fly every time you need them instead of storing them somehow, or writing them down where other parties may be able to access them.

When I first read this, I thought you were proposing the oft suggested scheme of 

 site password = base64(hash(long-term-secret, site-name))

The fine details of those proposals differ (what encoding, what hash scheme, how things truncate, etc.) but the essence is to generate some very strong passwords per site/service based on some master password using some hashing mechanism.

There are a number of problems with such a scheme:

1. The generated password may not conform to the requirements of the site or service.
2. You cannot change the password for a site if, say, there is a breach and you are told to change your password.
3. If one of your generated passwords is captured as plaintext (lots of sites store things as plaintext), it can be used for trying to crack your long term secret, from which they can then reconstruct all of your passwords.

Anyway, that is the usual proposal and some of the very major problems with it. Most people who come up with variants of that scheme are unaware of the problems, and are unaware that this gets reinvented many times a year if my passwords stackexchange feed is any clue.

There is (at least) one team that pursued the idea aware of all of the problems and tried to mitigate them. Some of their mitigations are quite useful and clever (for other things). In my view, they do not come up with a workable scheme, but it is good that they tried in a way that acknowledged the threats:

	Author = {Halderman, J. Alex and Waters, Brent and Felten, Edward W.},
	Booktitle = {Proceedings of the 14th international conference on World Wide Web},
	Organization = {ACM},
	Pages = {471--479},
	Title = {A convenient method for securely managing passwords},
	Year = {2005}}

Your particular version of the scheme, if I’ve understood the code correctly, doesn’t even use a cryptographically secure hashing mechanism. So it has all of the problems of the typical proposal and then some more.

> Did somebody else already think of this and do something similar (high probability I guess) - please tell me so I can give credit where credit is due.

I don’t think that Halderman et al. are the first to come up with the idea. I certainly recall it being talked about on mailing lists earlier, but my memory is fuzzy. But look at their paper for citations and for a full explanation of some of the difficulties that need to be overcome to make it work.

I know that I am one of the many many people who independently came up with the scheme, but as I spotted the problems early, I didn’t post/publish it. But this has been reinvented many times, and rejected for all of the same reasons. But I certainly wouldn’t have been the first.

I have a rule that I’ve found very useful. Every time I come up with a “great new idea”, I recognize that in all likelihood the idea is neither great nor new. What it means is that I haven’t done my homework.

> Thanks for your time, I look forward to hearing your feedback, good, bad, awful or otherwise.

I’m sorry that this comes across as harsh, but ultimately the “solution” to the problems with the general scheme involves doing what a password manager ultimately does, and so doesn’t improve upon them.
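As an added illustration (not code from the original thread or from either poster), here is a minimal Python version of the "site password = base64(hash(long-term-secret, site-name))" scheme sketched above, with small checks that exhibit the three listed problems. The function names, the sample site policy and the use of HMAC-SHA256 as the hash are this example's own assumptions.

```python
import base64
import hashlib
import hmac

# Constructed example of the "hash the master secret with the site name" scheme.
# HMAC-SHA256 is an assumed stand-in for the unspecified hash in the proposal.

def derive_site_password(master_secret: str, site: str, counter: int = 0,
                         length: int = 16) -> str:
    """One deterministic password per site from one master secret.
    The optional counter is the usual patch for problem 2 (rotation)."""
    msg = f"{site}\x00{counter}".encode()
    digest = hmac.new(master_secret.encode(), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]

# Problem 1: the output lives in the base64 alphabet (A-Z, a-z, 0-9, +, /),
# so a site that demands a symbol from its own list, or forbids "/" or "+",
# can never be satisfied by a raw derivation.
POLICY_SYMBOLS = set("!@#$%^&*")   # constructed site policy

def meets_policy(password: str) -> bool:
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in POLICY_SYMBOLS for c in password))

# Problem 2: without a counter, re-running the scheme after a breach gives the
# same password back, so there is nothing to "change" the password to.
def rotation_changes_password(master_secret: str, site: str,
                              old_counter: int, new_counter: int) -> bool:
    return (derive_site_password(master_secret, site, old_counter)
            != derive_site_password(master_secret, site, new_counter))

# Problem 3: a site password captured in plaintext is an offline verifier for
# guesses at the master secret; no server, lockout or rate limit is involved,
# so the master secret's strength alone is what protects every other site.
def leaked_password_verifies_guess(leaked: str, site: str, guess: str) -> bool:
    return hmac.compare_digest(derive_site_password(guess, site), leaked)

if __name__ == "__main__":
    pw = derive_site_password("correct horse battery staple", "example.com")
    print("derived:", pw, "| meets policy:", meets_policy(pw))
    print("rotation without counter changes pw:",
          rotation_changes_password("correct horse battery staple", "example.com", 0, 0))
    print("leaked pw confirms the right master secret offline:",
          leaked_password_verifies_guess(pw, "example.com", "correct horse battery staple"))
```

Note that a slower, salted KDF in place of a bare hash only raises the cost of the offline guessing in problem 3; it does not remove problems 1 or 2.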


