Comments on: Secure per-site passwords with no encrypted blob

By: terrycojones

terrycojones — Tue, 05 Feb 2013 13:24:00 +0000

Thanks Brandon, I’ll have a look.

By: terrycojones

terrycojones — Tue, 05 Feb 2013 13:24:00 +0000

Thanks Richard, I’ll go look.

By: terrycojones

terrycojones — Tue, 05 Feb 2013 13:23:00 +0000

Hi David. That’s a good question :-) I guess the only answer is that you’d need to choose a different service name for that site (because, as you say, changing your master password would be bad). But that further highlights the need for some kind of management of the service names you’ve used for sites. I don’t like that at all, as I guess is clear – that’s why I say this is a good (hard) question.

Another thing which I find very impractical about this approach is that once you start using a version of this code, it’s very hard to upgrade to another version. Again, you’d want metadata stored elsewhere to keep some idea of state.

Thanks for commenting!

By: David Avraamides

David Avraamides — Tue, 05 Feb 2013 13:09:00 +0000

What if your password expires on one site? How do you change one password without changing the “secret” and therefore changing all passwords?

By: trendels

trendels — Tue, 05 Feb 2013 08:19:00 +0000

Good point. Unfortunately, that means you now have to save the salt between invocations, if I’m not mistaken. You’ll also need the same salt value on every computer you want to generate passwords on (instead of only the same algorithm), and when you lose it, you lose access to all your passwords. I wonder if there’s a better way?

By: Brandon Rhodes

Brandon Rhodes — Mon, 04 Feb 2013 14:36:00 +0000

Note that http://passwordmaker.org/ implements this idea with several competing implementations for many different platforms, and with more secure cryptographic options than the simple hash(secret + message) that you do here. PasswordMaker Pro, the Chrome extension, is the particular implementation of its standard that I recommend that people use.

By: terrycojones

terrycojones — Mon, 04 Feb 2013 02:01:00 +0000

Thanks Christian. I’d not heard of key stretching. I’ll go look…

By: Christian Heimes

Christian Heimes — Mon, 04 Feb 2013 00:56:00 +0000

Never ever do something like hashfunc(secret + message)! This is insecure and open to several attack vectors like length extension attacks. At least you want to use a

message authentication code algorithm like HMAC. If you want to reach a minimum level of security, than add a salt from a proper CPRNG and use a key stretching or key derivation algorithm like PBKDF2. The master passwords has most likely not enough entropy. A key stretching algorithms compensates it a bit.

By: Richard Moore

Richard Moore — Sun, 03 Feb 2013 22:24:00 +0000

Yeah, that would be a lot safer.

By: terrycojones

terrycojones — Sun, 03 Feb 2013 22:08:00 +0000

Hi Richard. Thanks. I originally wrote the code using hmac but then thought I didn’t need to worry about length extensions. I guess you’re right to be concerned though, and also I later thought that I might want to use service names like “gmail” and “gmail-work” or whatever. So, I should probably revert :-)

By: Richard Moore

Richard Moore — Sun, 03 Feb 2013 21:26:00 +0000

Looking at the ‘how it works’ page for this tool it looks like this is broken too.

By: Pekka Klärck

Pekka Klärck — Sun, 03 Feb 2013 21:22:00 +0000

You might also consider running `pip install oplop` and/or visiting https://oplop.appspot.com/.

By: Richard Moore

Richard Moore — Sun, 03 Feb 2013 20:49:00 +0000

With your scheme if you ever sign into a local service say for the sake of example ‘www’ then you will be generating a password that can be used to workout all passwords for sites that start with www. The hash output can be used as input for a length extensions attack (due to the way these hashes work). The risk is mitigated to an extent by the fact that the password is a truncated form of the hash as you only take the first 32 bytes of the digest, but that means that the remaining search space for a brute force attack is tiny. If you want to look into doing something like this, take a look at things like HMAC which are designed to prevent this kind of extension attack.

By: terrycojones

terrycojones — Sun, 03 Feb 2013 20:15:00 +0000

Hi Petter. Yes, that’s the same thing, pretty much, thanks for the pointer! I’m going to edit the text above to point people to SGP.

By: Petter Häggholm

Petter Häggholm — Sun, 03 Feb 2013 19:49:00 +0000

Have you looked into SuperGenPass? [http://supergenpass.com/]

By: Tigors

Tigors — Sun, 03 Feb 2013 19:38:00 +0000

Great idea! Have to think about the problem solution. At least i’ll do it for myself .
Thanks :)