On 12/20/2015 2:14 AM, Jeffrey Goldberg wrote:
> The problem you address is certainly real. And a lot of people have looked at various approaches over the decades. None, so far, is fully satisfactory. (I obviously believe that a well designed password manager is the best solution for most people available today, but I do not see them as the long term solution.) One common mistake

IMHO, the basic problem [on a meta level] is that if you put all your passwords [eggs] into one basket, all you have to do is steal the basket. Crack the master password to the password file and you have all the passwords.

Old school, manually, people used to keep a rolodex of which files to look in for the passwords to certain items. And passwords would be hidden in those files. Ostensibly, the CIA does this with files that need to "disappear", e.g. keeping a record in the Atomic Energy Commission's files of some covert op, with a cross reference that tells someone where to find it. Who's going to look through a warehouse of files to find a record? It's like a needle in a haystack. If you could implement that electronically, that would probably be the best way to go. IMHO.

> made in approaching this problem is a failure to look at the previous literature. Pretty much every scheme that people new to the problem propose has been examined before. If your approach isn’t in wide use, there is probably a reason for it.

Typical of newbie cryptographers. I think we've all done it.

> site password = base64(hash(long-term-secret, site-name))

How does

password = base64(hash(long-term-secret, site-name, password))

alter the dynamics of this problem?

Also, what if you add additional logic to the process?

password = f[base64(hash(long-term-secret, site-name, password))]

where f[] replaces any invalid characters with valid characters and adds any necessary valid characters?

> 3. If one of your generated passwords is captured as plaintext (lots of sites store things as plaintext), it can be used for trying to crack your long term secret, from which they can then reconstruct all of your passwords.

Point 3 is most critical.

> I have a rule that I’ve found very useful. Every time I come up with a “great new idea”, I recognize that in all likelihood the idea is neither great nor new. What it means is that I haven’t done my homework.

Give yourself more credit than that. It means you are thinking and discovering.
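To make the exchange above concrete, here is an added example (mine, not code from either poster): it implements the quoted scheme with HMAC-SHA256 assumed as the hash, the reply's per-site-password variant, and one possible reading of f[], and then shows why point 3 holds: a site password captured in plaintext lets anyone verify guesses at the long-term secret offline, the extra password only enlarges that search by its own guess space, and a public f[] changes nothing because the checker applies it too. All sample values are constructed.

```python
import base64
import hashlib
import hmac
import itertools
import string

def derive(secret: str, site: str, extra: str = "") -> str:
    """The quoted scheme, site password = base64(hash(long-term-secret, site-name)),
    with the reply's optional per-site password as `extra`.
    HMAC-SHA256 is an assumption; the thread does not name the hash."""
    msg = site.encode() + b"\x00" + extra.encode()
    return base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha256).digest()).decode()

def f(pw: str, allowed: str = string.ascii_letters + string.digits, required: str = "!") -> str:
    """One reading of the reply's f[] (assumption): replace characters a site rejects,
    truncate to the site's length limit, and append a required character."""
    fixed = "".join(c if c in allowed else "x" for c in pw)
    return fixed[:15] + required

def check_candidates(leaked, site, secrets, extras=("",), transform=lambda s: s):
    """Point 3 of the quoted mail: a site password captured in plaintext is an offline
    verification oracle for guesses at the long-term secret (and at the per-site password
    in the reply's variant). Any public f[] is simply applied to each guess as well.
    Returns the (secret, extra) pairs that reproduce the leaked value; the number of
    derivations needed is len(secrets) * len(extras)."""
    return [(s, e) for s, e in itertools.product(secrets, extras)
            if transform(derive(s, site, e)) == leaked]

if __name__ == "__main__":
    # Constructed sample: a user's secret and a site that stored the derived password in clear.
    secret, site = "correct horse", "example.com"
    guesses = ["password", "letmein", "correct horse"]
    leaked = derive(secret, site)
    print("matches for the plain scheme:", check_candidates(leaked, site, guesses))
    # The reply's variant: the extra password only multiplies the work by its own guess space.
    leaked2 = derive(secret, site, "hunter2")
    print("matches with an extra password:",
          check_candidates(leaked2, site, guesses, extras=["hunter2", "12345"]))
    # f[] does not help: the checker applies the same public transform before comparing.
    print("matches through f[]:", check_candidates(f(leaked), site, guesses, transform=f))
```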


_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography