On 2006-03-27T14:04:55-0800, coderman wrote:
On 3/27/06, Michael J Freedman <mfreed@cs.nyu.edu> wrote:
As a solution developed precisely for this problem, you should check out the pwdhash extension for browsers:
i'd still be concerned about dictionary attacks on poor passwords (that is, discovering '.848fe29s44j' is the hash for pwned.com and 'secret'.) secure digests make this more expensive but not by much.
* are you aware of any utility for the browser that generates random passwords?
Two that are in app-admin/ under gentoo are pwgen and ranpwd. pwgen is neat. It prints out a bunch of passwords and you pick one, so that shoulder surfing doesn't work (unless it's with a camera). It also has an option to generate a password given a seed value (which could be your basic password you might use for PwdHash) and an input file, using sha-1.

I recall a similar program that printed out skey-style many-word passwords. I wish I could remember what it was called. I like those kinds of passwords.

I don't understand why some people are fixated on 8-character passwords, and why they insist on using every character on the keyboard. Compare [:alnum:]{8} -- 47.6 bits of entropy with :alnum: plus punctuation -- 52.5 bits. What kind of threat model might there be where the former is unacceptable while the latter is sufficient? Both provide more than enough security against a casual snoop, particularly when authentication methods go through processes that implement wrong-password delays and/or eventual lock-outs, and when the risk of another attack that provides access to the password file for an offline brute-force attack is minimal. Neither 47 nor 52 bits is nearly enough security to resist serious attacks by serious people with lots of hardware, TLAs, etc.

-- 
The six phases of a project:
I. Enthusiasm. II. Disillusionment. III. Panic.
IV. Search for the Guilty. V. Punishment of the Innocent.
VI. Praise & Honor for the Nonparticipants.
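The entropy comparison in the message above, worked through as an added example (not code from the thread or from pwgen/ranpwd). It assumes "punctuation" means the 32 ASCII punctuation characters without the space, so the second figure comes out near 52.4 bits, and it assumes a 2048-word list for the many-word case; `DEMO_WORDS` is a constructed list used only to show generation.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols, i.e. [:alnum:]
ALNUM_PUNCT = ALNUM + string.punctuation       # 94 symbols (assumption: ASCII punctuation, no space)

# Constructed 16-word demo list (4 bits per word); a real list would be much larger.
DEMO_WORDS = ["amber", "brick", "cedar", "delta", "ember", "flint", "grove", "hazel",
              "ivory", "jolt", "kelp", "lumen", "moss", "nickel", "opal", "quartz"]

def entropy_bits(alphabet_size, length):
    """Entropy in bits of `length` symbols drawn uniformly and independently."""
    return length * math.log2(alphabet_size)

def min_length(alphabet_size, target_bits):
    """Fewest uniformly random symbols needed to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size) - 1e-9)

def random_password(alphabet, length):
    """Character password from the OS CSPRNG (secrets), not random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(words, count):
    """Many-word password: each word contributes log2(len(words)) bits."""
    return " ".join(secrets.choice(words) for _ in range(count))

def compare(length=8, wordlist_size=2048):
    """Return (label, bits) rows for the policies compared in the message."""
    punct_bits = entropy_bits(len(ALNUM_PUNCT), length)
    words = min_length(wordlist_size, punct_bits)
    return [
        (f"alnum x {length}", entropy_bits(len(ALNUM), length)),
        (f"alnum+punct x {length}", punct_bits),
        (f"alnum x {length + 1}", entropy_bits(len(ALNUM), length + 1)),
        (f"{words} words of {wordlist_size}", entropy_bits(wordlist_size, words)),
    ]

if __name__ == "__main__":
    for label, bits in compare():
        print(f"{label:<22} {bits:5.1f} bits")
    print(random_password(ALNUM, 9))
    print(random_passphrase(DEMO_WORDS, 5))
```

The third and fourth rows show that one extra alphanumeric character, or five words from the assumed 2048-word list, already exceeds what adding punctuation to an 8-character password buys.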