[Cryptography] Security weakness in iCloud keychain

Ray Dillinger bear at sonic.net
Mon May 7 15:05:56 EDT 2018


Okay, point:  high-entropy passwords are hard to remember.  I cheat with
both hands here.

I have a lockbox next to my desk in case I forget one of them, but
mostly I remember some relatively simple passwords (long-ish, but easy
phrases to remember).  One of them is special, and is not written down
even in the lockbox.

I wrote a password mangler (as opposed to a password manager) which does
not access the disk, at all.  I type the "special" password into it
(serves as an encryption key) then one of my "simple" passwords. It
coughs out a string of gobbledegook.  The string of gobbledegook is the
actual password as known to the site.

If it's not a very sensitive one, I cut/paste it into the password
dialog.  But cut/paste on a lot of desktop managers gets recorded, so if
it is sensitive, I retype it.

I can repeat the encryption process on a sheet of notebook paper if
necessary; it's just a pen-and-paper cipher.  But sometimes the ability
to get a mangled password is important when I don't have access to a
computer that I control.  Once in a great while, I want one of those on
my phone, or on someone else's wifi, even if I have to burn and replace
it afterwards.

But I can have that program on every computer I use.  It stores nothing
and doesn't stick a password into anything or transmit it anywhere
without my explicit and current permission.  I am quite happy with its
security.

I need a command-line argument for different cipher alphabets because
some sites don't allow some punctuation and others require it. But if I
ever forget which contexts require which command line arguments, the
error messages from the site remind me.


				Bear

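As an added illustration of the "mangler, not manager" idea above (this is example code, not Bear's program or his pen-and-paper cipher): the special password keys an HMAC-SHA256 over the easy-to-remember phrase, and the 256-bit result is converted into a selectable alphabet so that sites which forbid or require punctuation can be served by a command-line switch. The alphabet names, the default length and the keyed function are all assumptions of this example; nothing touches the disk, and the two inputs are read with getpass so they are neither echoed nor left in shell history. Unlike the cipher described in the post, this one cannot be recomputed on notebook paper.

```python
"""Stateless "password mangler": derive a site password from a secret key
and an easy-to-remember per-site phrase, with a selectable output alphabet.

Added example, not the original poster's cipher: HMAC-SHA256 stands in as the
keyed function.  Nothing is stored; every output is recomputed from its inputs.
"""
import argparse
import getpass
import hashlib
import hmac
import math
import string

# Hypothetical alphabet names (constructed for this example): a site that
# forbids punctuation gets "alnum", one that requires it gets "punct".
ALPHABETS = {
    "alnum": string.ascii_letters + string.digits,
    "punct": string.ascii_letters + string.digits + "!#$%&*+-=?@^_",
    "digits": string.digits,
}


def mangle(special: str, simple: str, alphabet: str = "alnum", length: int = 20) -> str:
    """Return `length` symbols from ALPHABETS[alphabet], derived from the two inputs.

    The HMAC output is read as one 256-bit integer and converted to base
    len(alphabet).  As long as base**length stays far below 2**256 the
    symbols are uniform to within a bias below 2**-128, so the check below
    refuses lengths that would exceed the entropy of a single HMAC output.
    """
    symbols = ALPHABETS[alphabet]
    base = len(symbols)
    if length * math.log2(base) > 256:
        raise ValueError("requested length exceeds the entropy of one HMAC output")
    digest = hmac.new(special.encode("utf-8"), simple.encode("utf-8"), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, base)   # peel off one base-`base` digit per symbol
        out.append(symbols[r])
    return "".join(out)


def main() -> None:
    parser = argparse.ArgumentParser(description="derive a site password; stores nothing")
    parser.add_argument("--alphabet", choices=sorted(ALPHABETS), default="alnum",
                        help="symbol set the target site accepts")
    parser.add_argument("--length", type=int, default=20)
    args = parser.parse_args()
    # getpass reads without echo, so neither input lands in a terminal log.
    special = getpass.getpass("special password (never written down): ")
    simple = getpass.getpass("site phrase: ")
    print(mangle(special, simple, args.alphabet, args.length))


if __name__ == "__main__":
    main()
```

Because the result is a pure function of the two inputs, the same string comes out on every machine the script is copied to, and a mistyped phrase or the wrong --alphabet produces an unrelated string that the site's login error reveals, much as the post describes. The weak point is the same as in the post: everything rests on the special password, which is why it is never written down.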

