Willie Wong wrote:
On Mon, Nov 30, 2009 at 09:29:30PM -0600, Penguin Lover Dale squawked:
There is a tool I've used in the past called PasswordMaker. It uses a master password and a flexible set of parameters to generate passwords and if necessary, enter them on a site.

<snip>

Once you enter the master password and select the appropriate settings (length, character set, hashing algorithm etc etc), the password will be generated. You can also use the current website as a salt, so using the same settings will yield a different password for different sites.

Isn't this just security by obscurity? You still use the same master
password: so finding out the one password is enough to break into ALL
your sites. The only additional protection you gain is from the fact that the Bad
Guys do not know that you are using the tool. The salt hardly matters:
to make sure the plugin will behave the same if you run Firefox from
different computers, they are still using the same hash function and
same salt for the same site. If someone is savvy enough to know the
list of websites you access and the usernames you use to access them,
then that someone should also be able to find out the tool you are
using for the passwords.
In the end, I think it offers only marginally more protection than
having the same very strong password on all your sites.
The only case where I think the "encryption"/hash approach is useful is when you
have a low security account (say an online game, or a MUD that you
connect to via telnet) whose password is transmitted in plaintext. If
you insist on only using one master password, and don't want to bother
memorizing a different one for the low security account, I guess
passing your password through a one-way hash makes it harder for your
other accounts to be compromised. But that's about it. Just my two cents.
W
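The scheme being argued about above, as an added illustration (this is not code from the thread and not PasswordMaker's actual algorithm, whose hashing and encoding details are not reproduced here): a deterministic site-password derivation with HMAC-SHA256 over a master password, using the site name and username as a public salt. The character set, the 16-character default length and the `offline_master_search` helper are assumptions made for the example. It shows both halves of the argument: the salt gives a different password per site and the same password on every machine, and because the salt is public, one leaked site password lets an attacker test master-password guesses offline and then derive every other site.

```python
import hashlib
import hmac

# Assumed character set for the example; PasswordMaker lets the user pick one.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%"


def derive_site_password(master: str, site: str, username: str = "",
                         length: int = 16) -> str:
    """Derive a per-site password from a master password.

    The site and username are the "salt": the same master, site, username
    and settings give the same output on any computer. That is what makes
    the tool portable, and also why the salt adds no secrecy of its own.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    key = master.encode("utf-8")
    out = []
    counter = 0
    # Only accept bytes below this limit so that b % len(ALPHABET) is
    # uniform (rejection sampling avoids modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    while len(out) < length:
        # NUL-separate the fields so "site|user|counter" cannot be confused
        # by a site name that happens to contain the username, etc.
        msg = f"{site}\x00{username}\x00{counter}".encode("utf-8")
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        for b in digest:
            if b < limit:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        counter += 1  # need more than 32 bytes? keep going with a new block
    return "".join(out)


def offline_master_search(candidates, site: str, username: str,
                          observed: str, length: int = 16):
    """Test master-password guesses against ONE leaked site password.

    Nothing here talks to a website, so there is no rate limit or lockout:
    the attacker can try as many guesses as their hardware allows. A hit
    gives them the master, and with it every other site's password.
    Returns the matching guess, or None.
    """
    for guess in candidates:
        derived = derive_site_password(guess, site, username, length)
        if hmac.compare_digest(derived, observed):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    master = "correct horse battery staple"
    bank = derive_site_password(master, "bank.example", "dale")
    mud = derive_site_password(master, "mud.example", "dale")
    print("bank:", bank)
    print("mud: ", mud)
    print("different per site:", bank != mud)
    # The MUD password went over telnet in the clear and was captured.
    # The captured string alone does not reveal the master (HMAC is one-way),
    # but it does let the attacker check guesses offline:
    guesses = ["password", "letmein", "hunter2", master]
    print("master recovered from MUD leak:",
          offline_master_search(guesses, "mud.example", "dale", mud))
```

The one-way hash does what the reply says: the telnet sniffer learns the MUD password, not the master. What the example makes explicit is the cost of that leak: it becomes an offline oracle for the master, so the only thing standing between the attacker and every other site is the entropy of the master password itself.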

Well this is where some things are not really clear. I'm not sure when the master password would be sent to the website. It may be only when doing the setup but you could be right.

Of course, I also read a study done by a group of Universities a few years ago that said a LOT of the security stuff that is done doesn't really work. If a person uses common information for their password, then anything the websites do is pretty much meaningless anyway. I actually sent a link to my bank regarding the specific setup they are using. I think the point is, a good secure password is the best policy. For me though, having a good tool that is local and secure to type that sucker in for me is really good. I'm not worried about someone stealing my computer and gaining access that way, I'm just worried that someone could keep banging away at my password until it guesses it. As mentioned before, my password is not anything related to information about me but just a random bunch of stuff. Given time though, a hacker would eventually guess it.
Dale

:-)  :-)
