https://www.qwertycards.com

Has anyone on the list tried one of these? Thoughts?

-- 
Shawn K. Quinn <skquinn@rushpost.com>
> "The 'site name' code ensures that all of your passwords are unique. This protects you from having all of your passwords compromised by a security lapse on any individual website."

Totally untrue. If any of the websites has failed to do proper password hashing (or your password is intercepted due to keylogging, bad HTTPS, bad remote host, etc.) then the security of all your passwords will be VERY low, depending on the length of the site's name. This is because the beginning of the password is constant, and the latter part is a (partially discovered) substitution.

Still, for "ye olde user" this isn't that bad. Could easily be improved with some sort of substitution-ring scheme, where you have various substitutions and select the substitution based upon the website's name. Shouldn't be much more expensive, but could be a bit bulkier (or less readable hehe).

Would've been much cooler if they had actually put a display on the thing, and made it hash the constant key, user secret and website name together. But the price would be higher, so Yubikeys and the like enter the picture.
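An added model of the critique above (my code, not from the thread and not the card maker's; the card is assumed to be a fixed prefix plus one letter-to-symbol table, and the "hash it all together" alternative is built here with HMAC-SHA256):

```python
import base64
import hashlib
import hmac
import random
import string

ALPHABET = string.ascii_lowercase
SYMBOLS = string.ascii_letters + string.digits + "!@#$%^&*"


def make_card(seed):
    """Constructed model of the card: a fixed random prefix plus one
    letter-to-symbol substitution table (an assumption about the product).
    random.Random is used only so the demo is reproducible; it is not a
    secure generator."""
    rng = random.Random(seed)
    prefix = "".join(rng.choice(SYMBOLS) for _ in range(8))
    table = {letter: rng.choice(SYMBOLS) for letter in ALPHABET}
    return prefix, table


def card_password(prefix, table, site):
    """Password as the modelled card scheme produces it: constant prefix,
    then the site name pushed through the substitution table."""
    return prefix + "".join(table[c] for c in site.lower() if c in table)


def table_exposed_by_leaks(sites):
    """Letters of the substitution table that a plaintext leak of these
    sites' passwords reveals (any single leak already gives the prefix)."""
    return {c for site in sites for c in site.lower() if c in ALPHABET}


def hashed_password(card_secret, user_secret, site, length=16):
    """The design Lodewijk wishes the card had: card constant, user secret and
    site name hashed together. HMAC-SHA256 over the site name, keyed with
    both secrets, is my choice of construction; output is base64, trimmed."""
    key = card_secret + b"\x00" + user_secret
    digest = hmac.new(key, site.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    prefix, table = make_card(seed=1)
    leaked = ["amazon", "ebay"]
    for site in leaked:
        print(site, card_password(prefix, table, site))
    known = table_exposed_by_leaks(leaked)
    print(f"substitution table exposed: {len(known)}/{len(ALPHABET)} letters")
    for site in leaked:
        print(site, hashed_password(b"card-const", b"user-pin", site))
```

Two leaked card passwords expose the whole prefix and 8 of 26 table entries; the HMAC variant's outputs for the two sites share nothing an attacker can reuse.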
I doubt whether anyone who regularly posts on CP would admit to using their system.

It would make _a_bit_ more sense if a person appended a fixed randomized string (of their OWN construction, one that nobody else knows...) to their usual password, perhaps AFTER ALSO customizing that password using the name of the website too. However, it would certainly be questionable to advertise this randomized string on a keyboard. Perhaps an array of characters, which only the user knew what portion to employ. (Right/left, Up/down, diagonal, etc.)

Depends on the threat model, of course.

Jim Bell

From: Shawn K. Quinn <skquinn@rushpost.com>
To: cypherpunks@cpunks.org
Sent: Tuesday, April 28, 2015 11:17 PM
Subject: Opinions of qwertycards.com?

> https://www.qwertycards.com
> Has anyone on the list tried one of these? Thoughts?
> -- Shawn K. Quinn <skquinn@rushpost.com>
On 04/30/2015 08:45 PM, jim bell wrote:
> It would make _a_bit_ more sense if a person appended a fixed randomized string (of their OWN construction, one that nobody else knows...) to their usual password, perhaps AFTER ALSO customizing that password using the name of the website too. However, it would certainly be
I know a couple of folks who travel regularly who use this: https://github.com/gardners/whirlenig

Their usage model is this: Unique Whirlenig disks are generated and used for their passwords. The passphrase used to generate the unique Whirlenig disk is memorized. They travel with a burner laptop with no local password storage or sensitive information, just Git installed. At the destination they check out the repo and re-generate their Whirlenig disk, then print and assemble it locally. The Whirlenig assembly is securely destroyed (I presume by burning, I don't ask) prior to departure. I don't know what their on-storage cache destruction protocols are like (my guess is RAMdisk, no swap on storage).

-- 
The Doctor [412/724/301/703/415] [ZS]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
"Oh, boy." --Sam Beckett