
Comment Re:Why not a password hasher? (Score 1) 134

One issue I see with your hash is using it for sites that have piss poor password policies such as your password can't be over X characters long, or it has to contain letter, number, and limited list of symbols, etc. Your hash could possibly not match the requirements. What do you do in this case?

The final step of the hashing algorithm maps the resulting hash into a character string. The algorithm allows you to customise this mapping to use only a given subset of characters, or given length. Using this feature will require you to store this metadata in your state file, because you rarely get reminded of these password limitations at login, only at registration. Fortunately these sites are rare; the default policy of 8 characters with alpha + numeric + special – and the algorithm makes sure you have at least one of each – works fine for almost all sites.

I encourage you to download and try one of the implementations. The two I mentioned earlier implement the same algorithm, as does a Firefox version and a portable Javascript version.

Comment Re:Why not a password hasher? (Score 1) 134

With the first option, you introduce the need for some state information that you need to store and forever be able to retrieve (and possibly sync between your other devices). You now need a persistent database and you've lost any advantage over just encrypting random passphrases.

Well, maybe. But this state is not highly confidential so you can for example let Chrome store it in the cloud. In practice the number of times a password change is required is small (at least for me), so you can either brute force it (bump until you find the right password) or reset your password if this happens.

The second option starts to move you away from the simplicity of having a single passphrase to remember and eventually leads to just as complicated a situation as just memorizing different passwords for different sites. What happens as the list of compromised accounts increases and some accounts are compromised a different number of times?

Again I see your point. But I've used this system for close to a decade now and I'm only using two master passwords so far. How many passwords have you memorised in the last ten years?

I should emphasise that I wouldn't recommend using this system for everything. I have a completely different set of passwords for banking, and servers I administer, and certain other high-security things. But for general web things I access from home and work, desktop and mobile, coffee shop and library, it works really well and addresses all of the real life threat scenarios I care about. Even if I have to register a throwaway account for a throwaway website, I can still give it a real, strong password that I can recover any time later, even if I don't remember registering for that site. (For full disclosure, the only time the algorithm actually fails is when a site keeps its user database but changes its domain. Then I'll have to remember to update the site tag to the old domain.)

Comment Re:Why not a password hasher? (Score 1) 134

Say there is a security breach and you are forced to update your password. With your hasher you now need to update every single site to use the new password.

No, you have at least two options:

1. Change the site tag. For example, on the Password Hasher Chrome extension, you can hit the "Bump" button which replaces "slashdot" with "slashdot:1" and gives you a new unique password. The new tag gets stored in the extension settings. I don't use this but it works, and would be good for sites that actually require periodic password updates.

2. Change your master password for that site only. I use a completely different master password for the two or three sites which I know may have been compromised. It's not hard to remember which ones these are.

Comment Re:Why not a password hasher? (Score 1) 134

True, but how exactly would they get your master password? You never need to enter it anywhere online, just your offline, one-way hashing algorithm.

Exactly the same as an offline password manager, so no benefit.

Right, compared to an offline password manager there's no security benefit. I use KeepassX for a few high-security things like financial accounts, but find offline password managers much less convenient for everyday stuff. With a password hasher you can use a JavaScript version from anywhere. (Yes, keyloggers would be an issue. And I host my own copy to make sure it's not backdoored.)

Except this file does not need to be secure in any way.

It does. If someone has your salt and the URL of the site, and say that site gets compromised

...or they are the site owner...

so they have the hash of your hash too. Now they can brute force your master password, and then get into every other site you used it with, and your file has a handy list of URLs where it will work.

First of all, in practice I don't back up the settings file anywhere, as almost all sites work fine with the default settings and the ones that don't I either remember or just reset the password for if required.

Having said that, your point is valid but not an actual concern for me. If someone wanted to waste lots of CPU power brute forcing my (long, random, high security) master password, they probably could do so. But just never reusing passwords is generally enough to limit the damage of the inevitable database leaks and hacks, which is the actual, realistic threat we're dealing with here. Never using the same password twice is the most important protective measure you can take, and hashing is, imho, the most frictionless way to do it.

You could also choose to limit any potential damage by having a few master passwords for different classes of websites.

Comment Re:Why not a password hasher? (Score 1) 134

If an attacker steals your master password they still get everything.

True, but how exactly would they get your master password? You never need to enter it anywhere online, just your offline, one-way hashing algorithm. Obviously keeping this one master password safe is extra important, but as you only need to remember one, you can probably afford to give it a bit more entropy.

Due to the requirement to meet password length and other requirements, and to allow for changing compromised passwords you still need a file containing those details. There is no benefit over simply encrypting that file with the master password.

Except this file does not need to be secure in any way.

Comment Why not a password hasher? (Score 4, Interesting) 134

Password managers seem like an inherently terrible idea, particularly online ones.

Can someone explain to me why password hashers are not more common? I've used one for years and really can't understand why nobody else does. Take the master password, append (a portion of) the site's domain name, and hash to arrive at a random password. There's only one password to remember, you get a unique strong password for every website, and everything can be done offline without storing anything anywhere. There are extra refinements to create new passwords to replace e.g. compromised ones, or conform to the site's password length and other requirements, but they are trivial. Extensions are available for browsers and mobiles.

Comment Re:Homeopathy on BBC news this morning (Score 1) 287

Why would you think it's too non-PC? As good skeptics, they go where the evidence leads. Overdiagnosis is a well known thing in skeptical circles.

As for annual physicals, I'm pretty sure that's only a thing in countries with privatised healthcare. I don't think the NHS has ever proposed such a thing.

Comment Re:Bigger Pixels: Buy a TV. (Score 2) 197

This, unfortunately. Scaling and dpi setting both fail due to an unholy mess of percent, point and pixel based measurements in both apps and web pages, and lazy web developers who assume everyone has the same MacBook they do. Get a large, low-res display (TVs around 32-50 inches would be ideal), run it at native resolution and make your OS believe it has the dpi of a smaller one.
