Re: Password scrambler program
- From: Tim Smith <reply_in_group@xxxxxxxxxxxxxxxx>
- Date: Mon, 10 Mar 2008 00:55:00 -0700
In article <87myp8cd6v.fsf@xxxxxxxxxxxxxxxxxxxx>,
Phil Carmody <thefatphil_demunged@xxxxxxxxxxx> wrote:
more formidable one. You simply type in a short password into a
password box, highlight it, and then press F8 (any Fn key can be
chosen). The short password is then changed into a salted (you
provide the string to salt it with) MD5 equivalent with the ability to
choose the outcome length (8 - 32). I have a password that I always
use and alter it with the same criteria that I get from each website.
The program can be found here:
http://cdn.simtel.net/pub/simtelnet/win95/secmisc/SSOverride.zip
Such passwords would be susceptible to exactly the same
dictionary attack as any other password. Entropy only
comes from what you put in, not from any mixing around
that subsequently takes place.
foreach (word in dictionary) {
foreach (modifier in small set) {
foreach (obfustaction in short list) {
try word munged by modifier and obfuscated by obfuscation
}
foreach (len in 8-32) {
try word salted with modifier at length len via your program
}
}
}
And you've now got 3 things to remember rather than just one
thing. Better to make that original one thing less susceptible
to a dictionary attack.
Suppose, though, you put in a good amount of entropy? Here's one I was
going to do when I got around to it, but is now shelved because the
latest MacHeist bundle had a good password generator/manager, so I don't
need it.
1. When you start the program, you enter your master password. This
should be something with a lot of entropy. Call this M. The program
hashes this and keeps Hash(M) in memory.
2. When you need a new password for a site, say amazon.com, you hit "new
password". Ideally, the program looks at your browser and gets the site
from the current URL, but I would probably be lazy and make you paste in
the URL, and it would extract "www.amazon.com". Anyway, *somehow* you
enter www.amazon.com. You also enter a purpose for the password (such
as "account"). This is to allow for the case where you need more than
one password at a given site. Finally, you enter a small password or
PIN.
3. The program generates your password, based on
Hash( Hash(M), PIN, Site, Purpose, 1 )
4. The program saves in a file Site, Purpose, and that 1.
5. Subsequently, when you need the password again, the program displays
a list based on that file so you can pick which password you want, you
enter your PIN, and it generates the password again.
6. That 1 is a version number. If you need to generate a new password
for a given site/purpose, you bump the version number.
I also considered throwing in a physical token: look for a USB thumb
drive with a magic file on it, and add into the hash the contents of
that file and the serial number of the thumb drive.
(And when I upgrade my thumb drive, I'd simply change the program to xor
the serial number with an appropriate constant before feeding to the
hash so as to produce the old number).
--
--Tim Smith
.
- Follow-Ups:
- Re: Password scrambler program
- From: Phil Carmody
- Re: Password scrambler program
- From: Sebastian G.
- Re: Password scrambler program
- References:
- Password scrambler program
- From: battles
- Re: Password scrambler program
- From: Phil Carmody
- Password scrambler program
- Prev by Date: Not a Prime- c code
- Next by Date: Re: Password scrambler program
- Previous by thread: Re: Password scrambler program
- Next by thread: Re: Password scrambler program
- Index(es):
Relevant Pages
|
