Don't get me wrong, I like what HushMail is doing too and your
suggestion would make it even better. But the passphrase dependency
issue is a serious one, given what users will typically do. There are
some things HushMail could easily do to reduce the danger:

First Hush could be more explicit about what constitutes a strong
passphrase and how to generate one, or they could point to other
sources of passphrase advice, such as my Diceware.com page or Randall
Williams' Passphrase FAQ.

The difficulty of using a strong passphrase might turn some users
off, but perhaps they should be discouraged. An illusion of security
can be a lot more dangerous than no security at all.

Second, HushMail should add salt to the passphrases. This could be
done by simply appending the user's HushMail name to the passphrase.
Of course this could only be done for new or changed passphrases.
There would also need to be a way to distinguish salted from unsalted
passphrases.

HushMail stores a hash of the user's passphrase in their database.
This makes them vulnerable to a dictionary attack. They say they
only store half of the SHA hash of the passphrase to reduce the
possibility of brute force attack, but I don't see how this helps.
Salt, however, would greatly reduce this danger.

For extra credit, I'd like to see some kind of key stretcher used,
even just hashing the passphrase a few dozen times. This would also
increase the cost of a brute force attack. All the work would be done
at the client side, so the performance cost would be minimal. This
change could be combined with adding salt.

Clueful users can get around these limitations by picking a long
enough random passphrase and adding salt on their own. I give some
advice on this at my Diceware FAQ:
http://world.std.com/~reinhold/dicewarefaq.html#hushmail
But with a little effort on Hush's part, Hushmail could be much safer
for all users.

Arnold Reinhold
At 10:59 AM -0400 5/12/2000, Declan McCullagh wrote:
>Lisa:
>I rather like what Hush is doing, even with the
>all-depends-on-passphrase issue. I wrote about them a few months ago
>(http://www.wired.com/news/business/0,1367,34610,00.html). At that
>time Hush only encrypted email between Hush users. When I had dinner
>with the founder in Anguilla, I suggested to him that Hush encrypt
>*outside* email to Hush users so it would be more difficult for
>lawyers to go on Yahoo-esque subpoena fishing expeditions
>(http://www.epic.org/anonymity/epic_aclu_release.html). He said he
>hadn't thought of it before and was going to do it.
>
>-Declan
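The following is an added example, written for this page and not code from HushMail or from anyone in the thread, illustrating the two changes Reinhold proposes above: appending the username as salt, and iterating the hash a few dozen times as a cheap key stretcher. It contrasts those with the unsalted half-digest scheme he describes, and counts how many hash computations a dictionary attacker needs in each case. Everything specific here is an assumption: "the SHA hash" is taken to be SHA-1, the stretcher uses 50 rounds, a "v2$" prefix is used as the marker that tells salted entries from unsalted ones, and the usernames, passphrases and wordlist are constructed for the demo.

```python
import hashlib

# Constructed sample data for the demo (not from the original thread).
# Two users who, as users typically do, chose the same weak passphrase.
USERS = {"alice": "letmein", "bob": "letmein"}
WORDLIST = ["password", "letmein", "secret", "hushmail"]
ROUNDS = 50  # assumed "few dozen" iterations for the key stretcher


def half_sha(passphrase: str) -> str:
    """Unsalted scheme as described in the thread: store only half of the
    SHA digest of the bare passphrase. SHA-1 is an assumption; the thread
    just says 'SHA'. Returns 10 bytes (80 bits) as 20 hex characters."""
    digest = hashlib.sha1(passphrase.encode("utf-8")).digest()
    return digest[: len(digest) // 2].hex()


def salted_stretched(passphrase: str, username: str, rounds: int = ROUNDS) -> str:
    """Reinhold's suggestion: append the username as salt, then hash the
    result repeatedly. The 'v2$' prefix is an assumed way to distinguish
    salted entries from old unsalted ones in the same database column."""
    data = (passphrase + username).encode("utf-8")
    for _ in range(rounds):
        data = hashlib.sha1(data).digest()
    return "v2$" + data.hex()


def verify(stored: str, passphrase: str, username: str) -> bool:
    """Check a login against either kind of stored value. Old unsalted
    entries keep working until the user changes their passphrase."""
    if stored.startswith("v2$"):
        return salted_stretched(passphrase, username) == stored
    return half_sha(passphrase) == stored


def crack_unsalted(stored_hashes: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted half-SHA values. One precomputed table
    (one hash per word) is reused against every user; identical passphrases
    also show up as identical hashes. Returns (matches, hashes computed)."""
    table = {half_sha(w): w for w in wordlist}
    found = {user: table.get(h) for user, h in stored_hashes.items()}
    return found, len(wordlist)


def crack_salted(stored_hashes: dict, wordlist: list, rounds: int = ROUNDS) -> tuple:
    """Dictionary attack on salted, stretched values. No table can be shared
    between users, and every guess costs `rounds` hashes. Returns
    (matches, hashes computed)."""
    found = {}
    hashes_computed = 0
    for user, stored in stored_hashes.items():
        found[user] = None
        for word in wordlist:
            hashes_computed += rounds
            if salted_stretched(word, user, rounds) == stored:
                found[user] = word
                break
    return found, hashes_computed


if __name__ == "__main__":
    old_db = {u: half_sha(p) for u, p in USERS.items()}
    new_db = {u: salted_stretched(p, u) for u, p in USERS.items()}
    print("unsalted: alice and bob share a hash?", old_db["alice"] == old_db["bob"])
    print("salted:   alice and bob share a hash?", new_db["alice"] == new_db["bob"])
    print("unsalted attack:", crack_unsalted(old_db, WORDLIST))
    print("salted attack:  ", crack_salted(new_db, WORDLIST))
```

With the four-word list above, the unsalted table costs four hashes for the whole user base, while the salted, stretched scheme costs fifty hashes per guess per user and never lets the attacker notice that two accounts share a passphrase. Fifty rounds of SHA-1 is the "few dozen" figure from the thread; a modern deployment would use a purpose-built password KDF with a much larger work factor, but the structure of the argument is the same.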