undefined | Better HN

0 pointsmicrotonal9y ago0 comments

That is an interesting idea. echo URL + password | sha/md5

There are 'stateless' password managers that work that way. It does not really protect against malware. If your user account is compromised by malware, what holds them from reading out your password and applying the same procedure to obtain password for interesting sites? You'll still be updating your password everywhere.

What you want is a second factor that uses a challenge-response mechanism with user interaction (e.g. U2F Yubikeys that require a finger press to start the challenge-response).

0 comments

5 comments · 2 top-level

rdslw9y ago· 2 in thread

They can't. Prove me otherwise.

Even if they have plaintext password (which is often not case), this is just shasum. Feel free to guess which password (and which exactly scheme) I used to generate my password for news.ycombinator.com, if (of course it's now not like that :) it is:

bb05f766a74e6bf722136eaca97d9beb1fcc8f59d47c2d9e6eb1667d57c4cb82

You have now (after hacking whole hackernews db) access to my password ONLY for the hackersnews. Which was the original goal of the method: to use different passwords at different sites, which if compromised (password), do not reveal scheme used to generate it for different sites.

microtonalOP9y ago

bb05f766a74e6bf722136eaca97d9beb1fcc8f59d47c2d9e6eb1667d57c4cb82

That's not the point. The malware would have access to your complete machine, possibly with root privileges, what holds them from reading your master password with a keylogger when you type it in?

It does not provide more security against trojans than a password manager.

rdslw9y ago

You didnt read my reply nor the parent thread.

I was replying solely and only to the acusation that after revealing plain text password on one site (which was generated using said scheme) you disclose every one.

This is simply not true.

In addition (but I didnt address that), there is no single keychain/password store to steal by the trojan. I can use it anywhere, using only my head as a 'storage' machine.

tambourine_man9y ago· 1 in thread

The “password” in that command would be stored in your memory only, that's the benefit of this idea.

mikeash9y ago

You'd have to enter it into your computer fairly frequently, and malware could capture it then.

j / k navigate · click thread line to collapse