Secure Passwords: unclear with the concept
July 15th 2008 10:56 am
Another chuckle:
Someone picked up the domain ‘highsecuritypasswordgenerator.com’ and has proceeded to implement a password generator on it. The generator applies a common technique (I described it in my book Authentication) wherein you choose two words from long lists and separate them with a special character of some sort.
The down side should be obvious to anyone who thinks about web security: the password is shared with the password generating site and with anyone who sniffs the web page as it travels across the Internet.
To be fair, I have to point out that the site says “Trust us, we won’t cache your passwords!” and there is an SSL encryption option buried on the page somewhere. But the whole point of strong security is to reduce how much you need to trust others.
I can also pick some nits with how it’s done: the site lets you choose two words from lists of types of words - this artificially reduces the number of words comprising a password. Thus, it’s not hard to create passwords with only a few tens of thousands of possible values.
As I pointed out in my page on Picking Passwords, it’s better to aim for millions or even billions of possible values. The now-obsolete Department of Defense standard on passwords suggested that one in a million was a minimum value. That was in 1985, almost a quarter century ago.
For example, if you choose three words from a list of at least a thousand words, then you’re on your way to choosing one password out of a billion.
A better way to do this is to upload Javascript to the browser. The javascript can generate and display the passwords on the browser’s screen and never transfer them across the Internet. The down side is that you have to rely on browser security - remember, that’s a piece of software whose default behavior is to send stuff across the Internet.