If your goal is to use unique passwords for each site without having to
remember them all or carry around the password database, you could try
something like http://crypto.stanford.edu/PwdHash/

If someone is able to get access to your master password they can generate
all of your passwords from their own installation without having to have
physical access to your password database (since there is no password
database). It also makes rotating passwords for individual sites difficult;
but like everything, it's a trade-off between usability and security.

This approach also has an interesting property of allowing an attacker who
has access to one of your site-specific passwords (either by running the
site or gaining access to it) to perform an offline attack to try to
determine your master password, since the program essentially uses an HMAC
algorithm using site-specific identifiers as m and your master password as
K. That being said, it's still a whole lot better than reusing passwords
between sites.


On Wed, Jul 29, 2009 at 6:11 PM, iamnowonmai <[email protected]> wrote:

> I think it has even been mentioned on PSW within the past year and a half
> or so...Could be wrong though.
> Besides. IRONGEEK needs to use the IRONKEY!!!!!
> :)
>
>
> On Wed, Jul 29, 2009 at 7:44 PM, Vincent Lape <[email protected]> wrote:
>
>> I think this has already been done. If memory serves me correctly Steve
>> Gibson talked about it on Security Now.
>> On Jul 29, 2009, at 4:40 PM, Adrian Crenshaw wrote:
>>
>> I'm sure by now many of you here have heard of the asshatery that is
>> zero for 0wned (zf05.txt) and it's started me thinking about password
>> management across websites.
>>
>> Remembering a unique password for each and every site is hard to manage.
>> Now, what I currently do is have one password for finance stuff, another for
>> website-related stuff and yet another for forums I've visited, sorted by
>> level of how much I care if they get compromised. Still, it's a pain to go
>> around changing passwords when you hear Binrev or Hak5 got hacked and you're
>> not sure if they got your credentials.
>>
>> I was wondering if this scheme is workable from a security standpoint, and
>> if someone has already implemented it into a Firefox plugin. Let's say you do
>> this: take a password you use everywhere, concatenate it with the domain name
>> of the site you are making a password for, then take the md5 hash and use it
>> as your password. For example, if my password was "mypassword" and I were
>> using it on Pauldotcom.com:
>>
>>
>> md5("mypasswordpauldotcom.com") = "4b7958e4302cae2836f1c05532f835f4"
>>
>> This way, it's still easy to remember, but even if an attacker gets the
>> plain text from what is stored on the site (4b7958e4302cae2836f1c05532f835f4
>> in this case), they can't use it to compromise accounts on other sites since
>> your password would be different, for example:
>>
>> md5("mypasswordirongeek.com") = "1c96d14e6e048924cabf3009b064958f"
>>
>> Do you see any major weaknesses in this scheme? Anyone know how to
>> implement a Firefox plugin to simplify it?
>>
>> Thanks,
>> Adrian
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>>
>>
>>
>>
>
>
>
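The three constructions discussed in this thread side by side, as an added example that is not code from the thread, from PwdHash or from anyone quoted here: Adrian's md5(master || domain) proposal, the HMAC(K=master, m=domain) structure the reply attributes to PwdHash, and a slow-KDF variant (my own assumption, not part of either) that addresses the offline-guessing and per-site-rotation concerns the reply raises. Sample master password and domains are the constructed values from the thread's own illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample inputs from the thread's illustration; not real credentials.
MASTER = "mypassword"
SITES = ["pauldotcom.com", "irongeek.com"]


def naive_site_password(master: str, domain: str) -> str:
    """Scheme proposed in the thread: hex(md5(master || domain)).
    Plain concatenation is ambiguous: ("mypass", "wordsite.com") and
    ("mypassword", "site.com") hash the same input."""
    return hashlib.md5((master + domain).encode("utf-8")).hexdigest()


def hmac_site_password(master: str, domain: str) -> str:
    """PwdHash-style construction as described in the reply: HMAC with the
    master as key K and the domain as message m. Keying removes the
    concatenation ambiguity, but one leaked site password still lets an
    attacker test master-password guesses at one fast hash per guess."""
    return hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def slow_site_password(master: str, domain: str, version: int = 1,
                       iterations: int = 100_000, length: int = 20) -> str:
    """Hardened variant (an assumption here, not from the thread or PwdHash):
    PBKDF2-HMAC-SHA256 with the domain plus a per-site version as salt.
    Each guess of the master now costs `iterations` HMACs, and bumping
    `version` rotates a single site's password without changing the master."""
    salt = f"{domain}:{version}".encode("utf-8")
    dk = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    # Base64 gives mixed case plus digits for sites with character-class rules.
    return base64.b64encode(dk).decode("ascii")[:length]


def derivations_per_second(fn, domain: str, seconds: float = 0.5) -> float:
    """Local cost of one master-password guess under a scheme (defender's view
    of how much an offline attack against a leaked site password would cost)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn(MASTER, domain)
        n += 1
    return n / seconds


if __name__ == "__main__":
    for site in SITES:
        print(site, naive_site_password(MASTER, site), slow_site_password(MASTER, site))
    for name, fn in [("md5", naive_site_password), ("hmac", hmac_site_password),
                     ("pbkdf2", slow_site_password)]:
        print(f"{name}: ~{derivations_per_second(fn, SITES[0]):,.0f} guesses/s")
```

The throughput figures are machine-dependent, but the ratio between the md5 or HMAC line and the PBKDF2 line is the point: it is the factor by which the slow variant raises the cost of the offline attack the reply describes.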
