[Cryptography] Password rules and salt ... or not
Ben Tasker
ben at bentasker.co.uk
Thu Jun 1 03:26:14 EDT 2017
On Sun, May 21, 2017 at 3:56 PM, John Denker via cryptography <
cryptography at metzdowd.com> wrote:
>
> This dilemma is exacerbated by the fact that users visit
> multiple sites. Re-using the same passphrase is a disaster
> waiting to happen, if the sites store things in the
> old-fashioned way.
>
> Zero-knowledge passphrase proofs escape this dilemma. You
> can safely have one master passphrase.
I'm not convinced that that's true.
Zero-knowledge passwords do mitigate the risk that your password will
become compromised because Site A accidentally leaked it. However, phishing
is still very much a thing (and growing), and a phishing site would continue
to simply accept your password in the clear, then use that to generate a
ZKPP in order to try to log into your various services.
Phishing is continuing to get better and better, and with just one
password, it only takes a single mistake to potentially lose access to all
your things.
So, although ZKPP mitigates one risk, I think it's a bit strong to suggest
you could then safely have a single master passphrase. That, IMO, will
continue to be a risky proposition for quite some time.
--
Ben Tasker
https://www.bentasker.co.uk