[cryptography] Hi all, would like your feedback on something

Givon Zirkind givonne at gmx.com
Sun Dec 20 06:20:56 EST 2015


On 12/20/2015 2:14 AM, Jeffrey Goldberg wrote:
> The problem you address is certainly real. And a lot of people have 
> looked at various approaches over the decades. None, so far, is fully 
> satisfactory. (I obviously believe that a well designed password 
> manager is the best solution for most people available today, but I do 
> not see them as the long term solution.) One common mistake 
IMHO, the basic problem [on a meta level] is, that if you put all your 
passwords [eggs] into one basket, all you have to do is steal the 
basket.  crack the master password to the password file and you have all 
the passwords.

old school, manually, ppl used to keep a rolodex of which files to look 
in for the passwords to certain items.  and, passwords would be hidden 
in those files.  obstensively, the CIA does this with files that need to 
"disappear".  e.g. keeping a record in the Atomic Energy Commissions 
files of some covert op.  with a cross reference that tells someone 
where to find it.  who's going to look through a warehouse of files to 
find a record?  it's like a needle in a haystack.  if you could 
implement that electronically, that would probably be the best way to 
go.  imho.

> made in approaching this problem is a failure to look at the previous 
> literature. Pretty much every scheme that people new to the problem 
> propose has been examined before. If your approach isn’t in wide use, 
> there is probably a reason for it. 
typical of newbie cryptographers.  i think we've all done it.

> site password = base64(hash(long-term-secret, site-name))
how does

password = base64(hash(long-term-secret, site-name, password))

alter the dynamics of this problem?

also, what if you add additional logic, to the process?

password = f[base64(hash(long-term-secret, site-name, password))]
f[]=replaces any invalid characters with valid characters and; adds any necessary valid characters?

> 3. If one of your generated passwords is captured as plaintext (lots of sites store things as plaintext), it can be used for trying to crack your long term secret, from which they can then reconstruct all of your passwords.
point 3 is most critical

> I have a rule that I’ve found very useful. Every time I come up with a “great new idea”, I recognize that in all likelihood the idea is neither great nor new. What it means that I haven’t done my homework.
give yourself more credit than that.  it means u r thinking and discovering.




More information about the cryptography mailing list