Split secrets by hand

They say that the formula for Coca-Cola is split among the company’s executives, so that a certain number of them have to get together in order to reconstruct it. The same is true of the nuclear launch codes, which require several persons to agree. I just ran into a clever way to do this with pencil and paper, and couldn’t resist improving on it.

4 cool features in SynthPass

This post is motivated by Aaron Toponce’s comment on my previous article on the release of SynthPass. Rather than giving a short reply, I decided this was the opportunity to explain certain features of my recently released SynthPass password generator. In essence, the comment said that password generators will never be appealing to consumers because of certain flaws emanating from their very nature, which are aptly described in this article, entitled “4 fatal flaws in deterministic password managers,” published November 2016 in Tony Arcieri’s blog.


Which password generator is the best?

September 2018. You see your user ID listed as having its login compromised in a recent hack. You know you need to change your password but don’t want to (or just can’t) remember yet another different one. Everybody is talking about password managers as the way to go, but you also heard about password generators, which make passwords on the fly rather than store them. You suspect that’s better than a conventional password manager.

SynthPass released

Chances are you, like me, have a collection of logins, each with their separate requirements for password strength and lifetime, user ID, and so forth, and your memory has already reached the saturation point. Since writing them on a piece of paper is a no-no, you may have resorted to a password manager. There are many good ones, even free ones, but you still wonder if things could be a little easier. If you are thinking this, SynthPass is for you. It does not work like the other password managers, which store your logins more or less securely, but rather gets around the whole problem by not storing your passwords.

Intrigued? Read on…

Encrypt into an image

About a year ago, I added to PassLok and its derivatives a very secure algorithm for image steganography. It was presented at the ForenSecure 2017 conference on cybersecurity and forensics, but it just dawned on me that I didn’t post anything about it on this blog, for those who may not have attended that conference. I believe that, one year later, this method is still the reigning world champion for image steganography. This article explains how it works, hopefully in a form that is easy to understand, and includes a sample program and some sample results.

PassLok and EFail

This May 14th, a group of German security researchers revealed EFail, a successful attack against PGP (short for Pretty Good Privacy) and S/MIME, the leading methods for end-to-end encrypted email nowadays. You can read their shorter post here, and their full paper here. I’ve contacted a number of people who wrote about it to tell them about PassLok and its immunity to the EFail attack. This post adds more details to what you may shortly find printed elsewhere.

SeeOnce, URSA released as extensions for Chrome and Firefox

PassLok did it first, and now SeeOnce and URSA have followed. Both are available as extensions/add-ons at the Chrome and Firefox web stores. They are just one click away, and are protected from interference by other code running in the browser. These are the links for SeeOnce: Chrome, Firefox, and for URSA: Chrome, Firefox. And, for good measure, PassLok: Chrome, Firefox, and PassLok for Email: Chrome, Firefox.

We’re doing passwords wrong!

You suspected it all along, and now it’s official: the “experts” have been forcing us to use passwords the wrong way. Among the practices that actually decrease security: adding weird characters to your text-based password, and forcing people to change their password after a certain number of days or logins. The revelation comes from a recent document from NIST. Now we can only hope that Government websites will start adopting the new guidelines (they’re the worst perpetrators).

In this article, I am repeating much of what I already said in this other article, but with less technical jargon and a few more months available for testing.
