Slashdot Mirror


Let Your Theme Song be Your Password

An anonymous reader writes "The latest proposed solution to the fact humans suck at using passwords properly is to let people use digital objects, like mp3s, photos or videos instead. A file is hashed into a unique, secure string that acts as the real password. A paper on the idea was put forward in a recent Usenix conference on hot topics in security, and a Firefox extension that implements the idea is available too."

4 of 275 comments

  1. Done this for a while. by lattyware · · Score: 5, Informative

    TrueCrypt had an option like this. The best thing, in my opinion, is to use a password and files. (Yes, multiple files.)

    My favourite system was to set up a TrueCrypt volume with a hidden volume. You have two passwords, and a set of files on a CD. The normal volume is opened with a password and all the files on the CD. The hidden one is opened with the password and a selection of the files (I called them 0-9 so it ended up as a 'pin' of sorts).

    This means two things to know, and one to have, plus plausible deniability, which isn't bad.

    --
    -- Lattyware (www.lattyware.co.uk)
    1. Re:Done this for a while. by blueg3 · · Score: 3, Informative

      Even if the software you use has a "tag" that would let you check the validity of the outer-layer decryption, such a thing isn't theoretically required.

      The problem is that you don't need to do one layer at a time in brute-forcing. If you encrypt with two keys, A and then B, what I do to brute force is try every possible pair of keys and check the validity of the resulting decrypted text. Now if my choice for key B is wrong, key A is decrypting garbage to garbage, but that's fine.

      Now, if keys A and B are each 128 bits, then I have to try every possible pair of two 128-bit keys. There are 2^128 choices for a single 128-bit key, and there are 2^128 * 2^128 possible two-key pairs. 2^128*2^128=2^256, which is the number of different 256-bit keys. Two 128-bit keys equals one 256-bit key.

      This is, incidentally, exactly what TripleDES does.
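The password-plus-keyfiles scheme lattyware describes above, worked through as an added example (my code, not TrueCrypt's keyfile algorithm and not the Usenix paper's): each keyfile is hashed, the digests are sorted and mixed so the key depends only on which files are present and not on their order, and the result is fed with the password through PBKDF2. The ten constructed keyfiles, the fixed salt and the iteration count are assumptions for the demonstration; a real volume would store a random per-volume salt in its header.

```python
import hashlib

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, tune for the target hardware


def keyfile_digest(contents: bytes) -> bytes:
    """Hash one keyfile so that its raw bytes never enter the KDF input directly."""
    return hashlib.sha256(contents).digest()


def derive_key(password: str, keyfiles: list[bytes], salt: bytes) -> bytes:
    """Derive a 256-bit key from a password plus a set of keyfiles.

    Digests are sorted before mixing, so supplying the same files in a different
    order yields the same key; adding or dropping a single file yields a different one.
    """
    digests = sorted(keyfile_digest(f) for f in keyfiles)
    file_material = hashlib.sha256(b"".join(digests)).digest()
    # NUL separator keeps password bytes and file material from running together.
    secret = password.encode("utf-8") + b"\x00" + file_material
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)


# Constructed sample keyfiles standing in for the files "0".."9" on the CD.
KEYFILES = {str(i): f"constructed keyfile {i} contents".encode() for i in range(10)}
SALT = b"constructed-fixed-salt"  # assumption: real volumes use a random per-volume salt


def outer_key(password: str) -> bytes:
    """Outer volume: the password and every keyfile on the CD."""
    return derive_key(password, list(KEYFILES.values()), SALT)


def hidden_key(password: str, pin: str) -> bytes:
    """Hidden volume: the password and only the keyfiles named by the 'pin' digits."""
    return derive_key(password, [KEYFILES[d] for d in pin], SALT)


if __name__ == "__main__":
    print("outer :", outer_key("correct horse").hex())
    print("hidden:", hidden_key("correct horse", "257").hex())
    # Same file set in another order gives the same key; a missing file does not.
    print(hidden_key("correct horse", "752") == hidden_key("correct horse", "257"))
    print(hidden_key("correct horse", "25") == hidden_key("correct horse", "257"))
```

The two keys are unrelated outputs of the same KDF, so an examiner holding the outer key learns nothing about the hidden one; the cost is that losing any one of the selected files, or any bit of it, makes the hidden volume unrecoverable.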

  2. Re:Hmmm.. by Kent+Recal · · Score: 3, Informative

    On a similar note: This futz about "the password problem" is getting really, really old.

    Firefox Password Hasher exists.
    And for everything else you can just drop a similar program onto your cellphone, PDA or whatever gadget you carry around with you.
    Yes, it's not "perfect" security but it's probably the best tradeoff between convenience and security that we'll see in a long while. It won't get much better as long as human brains are involved.

  3. Re:Hmmm.. by Kent+Recal · · Score: 3, Informative

    Ah, I see what you mean, Mozilla is behind the times again.
    The Firefox 3 compatible version can be installed from the Password Hasher homepage.
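A per-site password hasher of the kind the two comments above refer to, as an added example (my code, not the Password Hasher extension's actual algorithm): one master secret and a site tag go through PBKDF2, and the output is encoded into a fixed-length string that satisfies a typical letters-plus-digits policy. Using a slow KDF rather than a plain hash is the defender's point here, because a single leaked site password plus its tag would otherwise be a cheap offline guessing target for the master. The site names and iteration count are assumptions for the demonstration.

```python
import base64
import hashlib

ITERATIONS = 100_000  # assumption; slow on purpose so a leaked derived password is costly to invert


def normalise_site(site: str) -> str:
    """Canonicalise the tag so 'Example.COM ' and 'example.com' derive the same password."""
    return site.strip().lower()


def site_password(master: str, site: str, length: int = 16, generation: int = 0) -> str:
    """Derive a site-specific password from a master secret.

    The site tag and a rotation counter form the salt, so changing either gives an
    unrelated password without changing the master.
    """
    salt = f"{normalise_site(site)}|{generation}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=32)
    # Alphanumeric only: strip the '+' '/' '=' that base64 would add, then cut to length.
    text = base64.b64encode(raw).decode().translate(str.maketrans("", "", "+/="))
    pw = text[:length]
    # Guarantee one digit and one upper-case letter deterministically, for common site policies.
    if not any(c.isdigit() for c in pw):
        pw = pw[:-1] + str(raw[0] % 10)
    if not any(c.isupper() for c in pw):
        pw = chr(ord("A") + raw[1] % 26) + pw[1:]
    return pw


if __name__ == "__main__":
    for s in ("example.com", "Example.COM ", "bank.example"):
        print(f"{s!r:20} -> {site_password('my master secret', s)}")
    print("rotated     ->", site_password("my master secret", "example.com", generation=1))
```

Rotation is handled by bumping `generation` for one site only, which is the case a plain hash of master plus site name cannot cover.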