Domain: pajhome.org.uk
Stories and comments across the archive that link to pajhome.org.uk.
Comments · 11
-
Re: For work I use really bad passwords
That's fair, but its also slightly different from your original proposal as it now explicitly requires custom dedicated hardware. You originally just stipulated "hardware assist" and allowed for "trusted desktop" or other otherware (e.g. smartphone/tablet/etc..)
It doesn't require the dedicated hardware, it's just an option (that doesn't exist yet...). I think it's likely a better option than products like the Mooltipass.
I use this approach currently, since I basically trust my desktops. I can also ssh to a server I trust, which is capable of doing it. You could do it now on a smartphone, but that's a tough platform to lock down. If you're desperate, you could find a website that can do it for you (googled quickly): http://pajhome.org.uk/crypt/md.... Regardless of full desktop, smartphone, or keyfob, the general characteristics are always the same: never storing secret, never directly performing authentication, no storing secure keys (although they could be added as another layer).
You definitely never need to worry about compromised sites:
hashlib.sha256('PrivateSimplePass+OnlinePoker.com'.encode('utf-8')).hexdigest[:16] = '2afd111a2ddde285'
When their site gets compromised, your password needs to change:
hashlib.sha256('PrivateSimplePass+YourSecuritySucks'.encode('utf-8')).hexdigest[:16] = 'fead5a3bbde90be3'I do agree that a password safe combo would be the best option, since it's just not important to really lock down every password.
-
Re:The torrent file...
Someone uploaded the database to Google's Fusiontable's for you to search for your info against:
http://www.google.com/fusiontables/DataSource?dsrcid=350662
Instructions for use:
1. Get the MD5 of your email address (lowercase)
- Online: http://pajhome.org.uk/crypt/md5/
- Shell: $ echo -n mylowercase@email.com|md5sum
2. Search for the hash (via Show Options)
3. Change your passwordBy the way for Mac users like me that command won't work. Try md5 -r instead of md5sum
-
Re:Password Hashing (pwdhash)
That's why I made my own JS Bookmarklet that hashes the domain + my_password + static_salt.
When I need to access the site from somewhere else I can easily perform the computation on the command line (md5sum, sha1sum), or online using client side javascript.
If I can't get online to use the online tool, and the computer doesn't have a hashing tool then I really don't need to be entering my password in the first place.
-
Re:Sounds good, but MD5 et al. still have a place
Umm, do you know of a free (pref. BSD-style without ad. clause licensed) JavaScript implementation of Whirlpool? Because I know of one for MD5. Namely Paul Johnston's JavaScript MD5 .
From that site:
The use of MD5 or SHA-1 for most JavaScript purposes (e.g. challenge-response login) does not rely on the collision resistance property. These weaknesses do not create any vulnerability in such web sites and there is no need to panic. If these weaknesses do concern you, there are alternative algorithms available:
Wait, that's what I said!
(Oh, and while on the subject, Building a CHAP Login System.)
-
Re:Make people think to figure out your e-mail
-
SSL not needed for loginsActually, it's not strictly necessary to enable SSL for secure logins provided the user has javascript enabled (Javascript, yes I know, urgh).
The easiest way to do it securely with Javascript would be to send a challenge to the client over regular HTTP, request the user's password, combine the challenge and password and run it through a hashing algo like MD5 or SHA to produce the respone.
The server then takes the challenge and the stored password, hashes them and if the hash matches that sent by the client, the client is authenticated. Voila', secure authentication without SSL, and the unencrypted password never went over the wire.
Actually, this guy called Paul Johnson did exactly this, and you can get JS implementations of a lot of crypto algorithms from his site.
Could be useful if you don't want to buy an SSL cert for a small personal site or something, but obviously is not a replacement for SSL, which provides other really Good Stuff (tm) such as the authentication of the server to the client.
PS: I'm in no way connected to this Paul Johnson guy, nor have I tested his code. Caveat lector.
-
Re:damn
I thought there was even a JavaScript implementation somewhere, though I can't seem to find it.
FWIW...
http://www.alltheweb.com/search?q=javascript+SHA-1
http://www.pajhome.org.uk/crypt/md5/sha1src.html -
Re:monolithic network management tool
SSH uses an algorithm called RSA to protect the keys used for encrypting data. Each party has a private key and a public key (a key pair). Anyone can get the public keys.
If data is encrypted with a private key, it can only be decrypted using the public key from the same key pair. Likewise if it is encrypted with the public key, it can only be decrypted with the matching private key.
if A wants to send data to B, it first is encrypted with B's public key, then with A's private key.
B uses A's public key to decrypt it (guaranteeing it is from A) and then uses its own private key to decrypt it back to the original message.
Because it's a slow and complex process RSA is usually only used to exchange and agree on keys for a normal symetric encryption method (eg 3DES).
Read more here
Rob
:) -
Re:Similar techniques are in use already
-
Re:Use MD5
But I would argue that javascript downloaded from Joe Random's geocities page is not trusted code
Just get a Javascript MD5 program from a trusted source, for example from here, or review an untrusted one, and put it in a web page of your own. Bonus point if your web page is hosted on a server that supports SSL. Then you'll be able to access trusted MD5 checksuming anytime you're on the web.
Problem solved! Thanks, Anthony, for the checksuming password generation/recovery idea (which should have been modded up).
-
RSA too much? Here's just MD5 in JavaScript
http://pajhome.org.uk/crypt/md5/ is a simple page that will return the MD5 hash of a string. It stays on one page, so your plaintext never goes over the wire. Useful if you want to send someone the hash of a password, for example, rather than the password itself, and all you've got handy is a web terminal.