www.dashlane.com
On 12/18/2015 9:27 AM, Brian Hankey wrote:
Hi,
I am curious to get some feedback from you about a little thought
experiment/hobby project I’ve been working on with some of my
coworkers and have a very early prototype of the concept.
The question we are trying to answer here is how could we all have
ultra strong passwords i.e. “!3AbDEE9eE45DCea” that are unique for
each and every website, email, social media, etc. service that we use
but without having to trust any third parties to store them for us
protected by single password (perhaps with 2 factor authentication,
hardware key, etc., admittedly), or to use some kind of local password
manager that needs to be installed on every device you want to use it
on with a local encrypted password file. Lastly, it should be
extremely resistant to rainbow tables if and when one of your
passwords is leaked.
The idea is to have a very compact piece of open source code that can
run in your browser that would help you to generate nearly unbreakable
passwords on the fly every time you need them instead of storing them
somehow, or writing them down where other parties may be able to
access them.
Also, clearly, nothing is unbeatable. Garbage in, garbage out. If
someone knows you and your habits they could possibly still break your
password, especially if they know you use this tool and you put very
weak things into it (i.e. google 1234 ! 1 - this will make sense when
you look at the demo and the FAQ). However, the concept is more about:
1) Not being the “low hanging fruit” when some major site gets hacked
and usernames and passwords get leaked on the net (i.e. don’t be the
guy that is “u:billsmith32 p:Password123!” on every site he uses).
2) Not having to trust third parties (i.e. what if I don’t want Apple to
store all my passwords in their cloud?).
3) Not requiring cumbersome software that requires installation on
your computer and an encrypted local password file to function (i.e.
what if I am at a friend’s house and I need to login somewhere?).
Known vulnerabilities: Keyloggers, compromised hardware, anyone that
can observe you. (We were thinking of adding a virtual keyboard that
bounces around the screen randomly to help foil key loggers).
Disclaimer: I am not a programmer, I’m sure the code is buggy (and the
bugs were probably introduced by me and not my coworkers). I am not a
mathematician, and I’m sure there are far better hash functions to
use. I’m also sure that there are better ways to handle the forcing of
1 special char, 1 upper, 1 lower and 1 number minimum in each password
to satisfy the peskiest “your password is too weak” systems.
The most important feedback I’m looking for is, do you think the
concept is sound and if so why or why not? If you do think it’s sound
then I would like to know how to improve it? If you think there is
potential do you think it is worth developing further? Assuming it is
sound how can we increase user friendliness and/or security?
Did somebody else already think of this and do something similar (high
probability I guess) - please tell me so I can give credit where
credit is due. I thought up this idea on a long car trip a year ago
and finally got the courage to con my coworkers into helping me build
it to the bare minimum stage that I could ask some real experts for an
opinion. I asked a few friends already who are pretty well advanced in
computer sciences and nobody called me a stark raving idiot so I
thought it would be OK to ask a crypto mailing list, hope you don’t mind.
If you find any egregious idiocy in the code it is probably my fault
because I’ve been fooling with it a little bit while being too
impatient to get the experts to fix it. I think it still works as a
demo though. I am the only non-coder of the three that have worked on
this so far. The .php version is only to have a cool looking animation
to go with the demo; this is intended to be run locally. If you want
to see the very original version it’s there too as secretpassv1.html.
Thanks for your time, I look forward to hearing your feedback, good,
bad, awful or otherwise.
Links -
live demo http://secretpass.org
git: https://github.com/brianci/secretpass
Thanks. Happy Holidays!
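The scheme described above (a site-specific password derived on the fly from a master secret, with at least one lower, upper, digit and special character forced in) as an added example that is not the project's own code: it uses PBKDF2-HMAC-SHA256 as the slow, salted hash, and the scheme tag, character set and sample inputs are assumptions made for this illustration.

```python
import hashlib

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGIT = "0123456789"
SPECIAL = "!#$%&*+-=?@^_"
CLASSES = (LOWER, UPPER, DIGIT, SPECIAL)
ALPHABET = "".join(CLASSES)
SCHEME_TAG = b"example-v0"   # constructed version label, not the project's format


def _draw(n, base):
    """Peel one base-`base` digit off the big integer n; returns (rest, digit)."""
    return divmod(n, base)


def derive_site_password(master, site, counter=1, length=16):
    if length < len(CLASSES):
        raise ValueError("length must leave room for one character of every class")
    # Slow, salted KDF: the normalised site name and a per-site counter form the
    # salt, so every service gets an independent password and a leaked one cannot
    # be looked up in a precomputed table or reused elsewhere. Recovering the
    # master from it still means guessing it through the full iteration count.
    salt = SCHEME_TAG + b"|" + site.strip().lower().encode() + b"|" + str(counter).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 600_000, dklen=32)
    n = int.from_bytes(key, "big")   # 256-bit integer; we consume under 140 bits of it
    # Guarantee one character from each class, then fill from the whole alphabet.
    # Drawing base-k digits from one large integer avoids the modulo bias of byte % k.
    chars = []
    for cls in CLASSES:
        n, d = _draw(n, len(cls))
        chars.append(cls[d])
    while len(chars) < length:
        n, d = _draw(n, len(ALPHABET))
        chars.append(ALPHABET[d])
    # Deterministic Fisher-Yates shuffle so the forced characters do not sit at fixed positions.
    for i in range(len(chars) - 1, 0, -1):
        n, j = _draw(n, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password):
    """True when the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for site in ("example.com", "mail.example.net"):
        print(site, derive_site_password("correct horse battery staple", site))
```

Because the output is a pure function of (master, site, counter), nothing is stored; the counter is what lets a user rotate one site's password after a breach without changing the master.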
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography