undefined | Better HN

0 pointsmstef4y ago0 comments

not sure, by looking at the sqrl wikipedia page it's not immediately obvious how this works. but yeah, "derived password generator" sounds correct, with one important detail. the there is (almost) no state at the client, and there is a mandatory online component where part of the derivation happens.

0 comments

3 comments · 1 top-level

paulryanrogers4y ago· 2 in thread

Is rotation supported? And if the main password is compromised doesn't that compromise all future derived passwords too?

It also means an attacker needs only the main password and knowledge of which derived system one uses. They don't need a vault file as well.

mstefOP4y ago

what does rotation mean? you can change your passwords, both the "master" which i rather call input, and the output password as well. i mean you can have a new output password without changing your input password.

and no although i can only guess what you mean with vaultfile, an attacker still needs access to the sphinx server, which has protections against bruteforce attacks.

mstefOP4y ago

you might want to read the whitepaper regarding bruteforce attacks: https://github.com/stef/pwdsphinx/blob/master/whitepaper.org...

j / k navigate · click thread line to collapse