Comments on: PasswordMaker: safe, secure, simple, site-specific, smart password management http://www.tummblr.com/software/passwordmaker-safe-secure-simple-site-specific-smart-password-management/ Records of my tumblings through the intarwebs Fri, 25 Jul 2008 00:03:18 +0000 http://wordpress.org/?v=2.3.3 By: Tummblr http://www.tummblr.com/software/passwordmaker-safe-secure-simple-site-specific-smart-password-management/#comment-32 Tummblr Tue, 20 Nov 2007 22:37:37 +0000 http://www.tummblr.com/software/passwordmaker-safe-secure-simple-site-specific-smart-password-management/#comment-32 random commenter: Thanks for your input. I think you're correct that, in general, proper password vaults are no less secure than on-the-fly password hashing. My main issue with vaults is the annoyance of having to backup the vault and transport the vault to other locations. If you are using a public workstation or some computer that you don't want to install your vault onto, you're locked out of your accounts. Some password vaults also don't protect you from phishing schemes. You can easily retrieve a secure password from your vault and hand it over voluntarily to a clever phisher. (I think Roboform has phishing protection though.) Such phishing schemes don't work with on-the-fly password hashing. random commenter: Thanks for your input. I think you’re correct that, in general, proper password vaults are no less secure than on-the-fly password hashing. My main issue with vaults is the annoyance of having to backup the vault and transport the vault to other locations. If you are using a public workstation or some computer that you don’t want to install your vault onto, you’re locked out of your accounts.

Some password vaults also don’t protect you from phishing schemes. You can easily retrieve a secure password from your vault and hand it over voluntarily to a clever phisher. (I think Roboform has phishing protection though.) Such phishing schemes don’t work with on-the-fly password hashing.

]]> By: random commenter http://www.tummblr.com/software/passwordmaker-safe-secure-simple-site-specific-smart-password-management/#comment-31 random commenter Tue, 20 Nov 2007 15:57:04 +0000 http://www.tummblr.com/software/passwordmaker-safe-secure-simple-site-specific-smart-password-management/#comment-31 How is a URL-hash-based system any more secure than a vault? (except for not having to make backups?) The only way I can think of for someone to get access to your vault is if he has taken control of your system. In this situation the URL-hash system would fail too, since he'd just have to wait for you to enter your master password (and find out which sites you use), no? And added secrets for each particular URL would defeat the whole purpose, it seems. On a different nore, I find some programs' claim that the master pw can be saved in "encrypted" form highly dubious. The encryption key would have to be in the password program, right? How is a URL-hash-based system any more secure than a vault? (except for not having to make backups?)

The only way I can think of for someone to get access to your vault is if he has taken control of your system. In this situation the URL-hash system would fail too, since he’d just have to wait for you to enter your master password (and find out which sites you use), no? And added secrets for each particular URL would defeat the whole purpose, it seems.

On a different nore, I find some programs’ claim that the master pw can be saved in “encrypted” form highly dubious. The encryption key would have to be in the password program, right?

]]> By: Tummblr http://www.tummblr.com/software/passwordmaker-safe-secure-simple-site-specific-smart-password-management/#comment-23 Tummblr Thu, 15 Nov 2007 19:14:49 +0000 http://www.tummblr.com/software/passwordmaker-safe-secure-simple-site-specific-smart-password-management/#comment-23 Thanks for the comment! My apologies for the bad facts. Will correct ASAP. Thanks for the comment! My apologies for the bad facts. Will correct ASAP.

]]> By: Eric H. Jung http://www.tummblr.com/software/passwordmaker-safe-secure-simple-site-specific-smart-password-management/#comment-22 Eric H. Jung Thu, 15 Nov 2007 16:38:16 +0000 http://www.tummblr.com/software/passwordmaker-safe-secure-simple-site-specific-smart-password-management/#comment-22 Very nice article! One comment. You wrote: "A group of students at Stanford University (including Blake Ross of Firefox fame) came up with the concept of site-specific web password hashing." Actually, Nick Wolff is the first person to come up with and publish this idea. His page is at http://angel.net/~nic/passwd.html. Both myself and Blake Ross came up with the idea independently of Nick, but Nick definitely had the aforementioned web page before PasswordMaker and PwdHash. Very nice article! One comment. You wrote: “A group of students at Stanford University (including Blake Ross of Firefox fame) came up with the concept of site-specific web password hashing.”

Actually, Nick Wolff is the first person to come up with and publish this idea. His page is at http://angel.net/~nic/passwd.html. Both myself and Blake Ross came up with the idea independently of Nick, but Nick definitely had the aforementioned web page before PasswordMaker and PwdHash.

]]>