[cryptography] Hi all, would like your feedback on something
givonne at gmx.com
Sun Dec 20 06:20:56 EST 2015
On 12/20/2015 2:14 AM, Jeffrey Goldberg wrote:
> The problem you address is certainly real. And a lot of people have
> looked at various approaches over the decades. None, so far, is fully
> satisfactory. (I obviously believe that a well designed password
> manager is the best solution for most people available today, but I do
> not see them as the long term solution.) One common mistake
IMHO, the basic problem [on a meta level] is, that if you put all your
passwords [eggs] into one basket, all you have to do is steal the
basket. crack the master password to the password file and you have all
old school, manually, ppl used to keep a rolodex of which files to look
in for the passwords to certain items. and, passwords would be hidden
in those files. obstensively, the CIA does this with files that need to
"disappear". e.g. keeping a record in the Atomic Energy Commissions
files of some covert op. with a cross reference that tells someone
where to find it. who's going to look through a warehouse of files to
find a record? it's like a needle in a haystack. if you could
implement that electronically, that would probably be the best way to
> made in approaching this problem is a failure to look at the previous
> literature. Pretty much every scheme that people new to the problem
> propose has been examined before. If your approach isn’t in wide use,
> there is probably a reason for it.
typical of newbie cryptographers. i think we've all done it.
> site password = base64(hash(long-term-secret, site-name))
password = base64(hash(long-term-secret, site-name, password))
alter the dynamics of this problem?
also, what if you add additional logic, to the process?
password = f[base64(hash(long-term-secret, site-name, password))]
f=replaces any invalid characters with valid characters and; adds any necessary valid characters?
> 3. If one of your generated passwords is captured as plaintext (lots of sites store things as plaintext), it can be used for trying to crack your long term secret, from which they can then reconstruct all of your passwords.
point 3 is most critical
> I have a rule that I’ve found very useful. Every time I come up with a “great new idea”, I recognize that in all likelihood the idea is neither great nor new. What it means that I haven’t done my homework.
give yourself more credit than that. it means u r thinking and discovering.
More information about the cryptography