[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Opinions of qwertycards.com?



"The 'site name' code ensures that all of your passwords are unique. This
protects you from having all of your passwords compromised by a security
lapse on any individual website."

Totally untrue. If any of the websites has failed to do proper password
hashing (or you password is intercepted due to keylogging, bad HTTPS, bad
remote host, etc) then the security of all your passwords will be VERY low,
depending on the length of the site's name. This is because the beginning
of the password is constant, and the latter part is a (partially
discovered) substitution.

Still, for "ye olde user" this isn't that bad. Could easily be improved
with some sort of substitution-ring-scheme, where you have various
substitutions and select the substitution based upon the website's name.
Shouldn't be much more expensive, but could be a bit bulkier (or less
readable hehe).

Would've been much cooler if they had actually put a display on the thing,
and made it hash the constant key, user secret and website name together.
But the price would be higher, so Yubikeys and the like enter the picture.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20150429/cdb330db/attachment.html>