I thought the article was gonna be about "Shamir's Secret Sharing" [1], "where a secret is divided into parts, giving each participant its own unique part. To reconstruct the original secret, a minimum number of parts is required.". Sounds horcruxy to me :-p. I learnt about it from the PIM book [2].
I thought that algorithm was crazy magic when I first heard of it.
The method behind it is pretty fascinating.
An nth-degree polynomial is uniquely identified by n+1 points.
So the algorithm interprets your secret as a binary numeric value, sets that as the value at x=0 (i.e. the constant term of the polynomial), picks random coefficients for all the polynomial degrees, then computes coordinate pairs for however many shards you need the secret split into.
Then you give one of the shards to anyone who is sharing the secret.
When enough of the points are input at the same time, the x=0 value can be calculated and the secret is revealed.
The really neat thing about that is if you have something like "There are 500 people in the organization and 6 of them need to be present to perform this procedure", you generate 500 unique points, and any six of those points will let you compute the original secret.
There is some added math bit that gets added on top to make the polynomial less easy to guess, but the concept remains the same.
When the method finally clicked for me, I was left feeling like "that is so obvious, anyone could come up with it", and I feel like those are some of the best discoveries.
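The scheme described above, carried out end to end as an added worked example (not code from the thread or from any linked project): a random polynomial over a prime field with the secret as its constant term, shares as points on it, and Lagrange interpolation at x=0 to recover the secret. The prime modulus is an assumption chosen to fit a short secret; the "500 people, any 6" scenario from the comment is the demo.

```python
"""Shamir's Secret Sharing over a prime field (added example, not from the thread).
Assumes a Mersenne prime modulus large enough to hold the secret and uses
Lagrange interpolation at x = 0 to recover it."""
import secrets

# Prime modulus for the finite field; every secret must be smaller than this.
# 2**127 - 1 is a Mersenne prime, so it comfortably holds a 15-byte secret.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial at x (mod PRIME); coeffs[0] is the constant term."""
    result = 0
    for c in reversed(coeffs):          # Horner's rule, highest degree first
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: int, threshold: int, shares: int):
    """Create `shares` points on a random polynomial of degree threshold-1
    whose constant term is `secret`.  Any `threshold` points reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # Random coefficients for degrees 1..threshold-1; degree 0 is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # x = 0 is never handed out as a share: that point would be the secret itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange-interpolate the polynomial at x = 0 from the given points.
    With fewer than `threshold` points the result is simply a wrong field
    element, not an error: too few shares reveal nothing."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share x-coordinates")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME          # (0 - xj)
                den = (den * (xi - xj)) % PRIME      # (xi - xj)
        # Modular inverse via Fermat's little theorem: den**(p-2) == den**-1 mod p
        lagrange = num * pow(den, PRIME - 2, PRIME) % PRIME
        secret = (secret + yi * lagrange) % PRIME
    return secret


def demo():
    """The thread's scenario: 500 shares issued, any 6 of them recover the secret."""
    secret = int.from_bytes(b"master-key-123", "big")   # constructed secret
    shares = split_secret(secret, threshold=6, shares=500)
    # Any six shares (a random subset here) recover the secret ...
    subset = secrets.SystemRandom().sample(shares, 6)
    six_enough = recover_secret(subset) == secret
    # ... while five shares only yield an unrelated field element.
    five_enough = recover_secret(shares[:5]) == secret
    return six_enough, five_enough


if __name__ == "__main__":
    print(demo())   # (True, False)
```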
That was my initial thought as well. I wrote about how to use Shamir's Secret Sharing (with a similar Horcrux analogy) to reset master passwords for end-to-end encrypted applications (such as password managers):
Is this related to that one algorithm where 3 people can find out who makes the most money without any of them knowing what the other makes, and without consulting a 4th person? That one always felt like black magic to me.
It's more horcrux-y than TFA in that you need N of M shards to reconstruct. TFA isn't really a horcrux, since there's a 100% dependency on each part of the full password.
Canon doesn't specify how many horcruxes he needs to be reanimated, but we know there is some redundancy due to the loss of the diary.
I saw this post a while ago in a different forum. My note for it hasn't changed: This is called peppering[0]. It's a counterpart to salting, in that you add a random value to a password to make it harder to reverse the password hash, but unlike the salt, it's not stored in the password database.
This is very different from peppering. Salt/pepper is all about server storage/verification. The "path" is plain, hash, salted hash, peppered hash.
Plain: server stores the password, client sends the password - matching is simple. When server is breached, all passwords are known.
Hash: server stores a hash of the password and the type of hash. Client sends the plain password, server hashes and compares. When server is breached, most passwords are known, by way of rainbow tables/brute force.
Salted hash: same as hash, server additionally stores a random salt per account. Hash is over plain password and salt. When server is compromised, weak/dictionary passwords are compromised via brute force.
Peppered passwords: an additional secret is used for salting. The stored hash now depends on plaintext password, plain salt, "secret" pepper. When server is compromised, most likely pepper is compromised too. If not (eg: only database/backups are exposed), pepper needs to be recovered before brute force of passwords is viable. If the attacker has an account (knows a password) it's straightforward to attempt to brute force the pepper, but unless it's weak (eg not a 128 bit random number) - it should not be feasible.
Finally, horcruxing - has nothing to do with server side. Has nothing to do with hashing. Is a simple suffix appended to any given password stored in a password manager, in an IMNHO misguided attempt at improved security.
Server sees full password on account creation and login. Seems to suggest sharing the "horcrux" across accounts.
An attacker compromising the passwords stored in the password manager only gets ~half the password. They need to get the other half via brute force, through compromising another account sharing the same suffix/horcrux, via keyboard logger etc.
A physical compromise of a device with a password manager seems likely to open up a lot of these attacks.
Note that bitwarden uses 2fa to authenticate a client - but AFAIK if you have a copy of the data/vault - the passphrase is sufficient to get the decryption key.
Horcruxing defends against some odd threats, and otherwise adds more complexity than security IMNHO.
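The storage "path" laid out in the comment above, as an added example (not code from the thread): plain, hashed, salted and peppered records side by side, with a check of what a wordlist run against a leaked row can and cannot do in each case. The KDF choices, iteration count, pepper and wordlist are assumptions constructed for the demonstration.

```python
"""Plain, hashed, salted and peppered storage side by side (added example, not
from the thread).  Salted hash = PBKDF2-HMAC-SHA256 over the password with a
per-account salt; peppered = HMAC-SHA256 keyed with the pepper over that.
The pepper, passwords and wordlist are constructed for the demonstration."""
import hashlib
import hmac
import os

ITERATIONS = 1_000  # constructed: kept low so the demo runs quickly; use far more in production


def store_plain(password: str) -> dict:
    """Breach of the database exposes every password directly."""
    return {"pw": password}


def store_hash(password: str) -> dict:
    """Unsalted hash: equal passwords hash equally, so rainbow tables apply."""
    return {"hash": hashlib.sha256(password.encode()).hexdigest()}


def _salted(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_salted(password: str, salt: bytes = b"") -> dict:
    """Per-account salt defeats precomputation; weak passwords still fall to a wordlist."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "hash": _salted(password, salt)}


def store_peppered(password: str, pepper: bytes, salt: bytes = b"") -> dict:
    """Database row for a peppered password.  The pepper is NOT in the row;
    it lives with the application (config, HSM, ...)."""
    salt = salt or os.urandom(16)
    tag = hmac.new(pepper, _salted(password, salt), "sha256").digest()
    return {"salt": salt, "hash": tag}


def verify_salted(record: dict, password: str) -> bool:
    return hmac.compare_digest(_salted(password, record["salt"]), record["hash"])


def verify_peppered(record: dict, password: str, pepper: bytes) -> bool:
    tag = hmac.new(pepper, _salted(password, record["salt"]), "sha256").digest()
    return hmac.compare_digest(tag, record["hash"])


def wordlist_check(record: dict, wordlist, pepper=None):
    """What someone holding only the database row can do: try each word.
    Without the pepper the only option is the salted verifier.
    Returns the matching word or None."""
    for word in wordlist:
        if pepper is None:
            ok = verify_salted(record, word)
        else:
            ok = verify_peppered(record, word, pepper)
        if ok:
            return word
    return None


def demo() -> dict:
    wordlist = ["letmein", "password", "hunter2"]  # constructed tiny wordlist
    pepper = os.urandom(16)                         # constructed app-side secret
    salted = store_salted("hunter2")
    peppered = store_peppered("hunter2", pepper)
    return {
        # Salted-only row: the weak password falls to the wordlist.
        "salted_only": wordlist_check(salted, wordlist),
        # Peppered row, database-only breach: no guess can ever verify.
        "peppered_no_pepper": wordlist_check(peppered, wordlist),
        # Peppered row once the pepper is also recovered: back to the salted case.
        "peppered_with_pepper": wordlist_check(peppered, wordlist, pepper),
    }


if __name__ == "__main__":
    print(demo())
```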
If there's generic malware that's targeting your password manager, then yes this provides protection against that. But it doesn't provide protection against a targeted attack, because the malware can just keylog your horcrux.
Another weakness that doesn't require a keylogger, is the attacker might be able to find some stolen database of a website that stored passwords in plaintext, then deduce your horcrux from the difference between what was in your password manager and what was in the database. And if the site did hash passwords, the attacker can try cracking the horcrux. The 5-character example horcrux probably wouldn't be too hard. The article somewhat covers this by saying only use the horcrux on important sites. This is good, but it still has weaknesses because an important site can still get its database stolen, and some people also want to protect less important sites.
And if no password databases are available, the attacker can create a website and ask you to join it under the hope you'll reuse your horcrux on the attacker's site. I've actually had an attacker contact me personally (that is, actually chatting with me live) and ask me to sign up for his forum under the hope that I would reuse my valuable account's password on the forum.
>And if no password databases are available, the attacker can create a website and ask you to join it under the hope you'll reuse your horcrux on the attacker's site.
True but all of the methods you mention to determine the horcrux are also ways to get someone's typical password, so password manager + horcrux is still much stronger as you need both (besides obviously the keylogger/malware).
You could also just have a horcrux for a couple sites and make them all distinct obviously.
> I've actually had an attacker contact me personally (that is, actually chatting with me live) and ask me to sign up for his forum under the hope that I would reuse my valuable account's password on the forum.
How did you eventually find out their true motivation?
For important logins, I don't even write the password in my password manager, as I assume it's already compromised. Instead, I write there notes about how the password should be derived, e.g. contoso.com|x4|s1. Even if someone gets to see this and even if they guess the exact structure of this algorithm, they'd have to know the salt, which would take a long time to bruteforce. Otherwise they'd have to wonder if x4 means "4 times hashing" or "repeated 4 times" or it's something to do with the salt.
Oh, my... I can imagine quite a few obscene and anatomically impossible pass phrases that would be generated for that forum. However, I suppose you would still give up some knowledge/deniability in that case.
I wrote a program to generate passwords based on user input about 10 years ago. I still use it today and a few teams I have worked with still use it. I called it DPG. Deterministic Password Generator. It is a similar concept. I have implemented it in Go, C++, Java and Python.
I wish the idea of generating passwords when needed rather than storing and retrieving them was more popular. Traditional password Managers are just flawed.
Around 5 years ago I wrote something very similar, for the same reasons as you. It was never intended to be more than a proof of concept, but I've ended up using it most every day.
Mine is web based, but all implemented in the front-end; no data is ever sent to the server.
I was debating whether to post the URL, because I don't really want a bunch of people to start depending on it the way I do (I have zero plans to maintain/improve it). But I feel like there may be sufficient interest. So the URL is in my profile for the next 48 hours.
>I wish the idea of generating passwords when needed rather than storing and retrieving them was more popular. Traditional password Managers are just flawed.
Can it cope with services that disallow certain characters? Can it cope with services that require e.g. at least one digit, symbol, and capital letter?
This would be too hard for the average computer user. I love the concept and could see it working for more technical users, though. There are definitely some risk trade offs over traditional password managers, though. To start: Humans have biases. Randomly generated passwords don’t have any biases. I would have to think more on this from a cryptography perspective as well, but I think it’s a cool idea :)
This is not an improvement over just using the click-to-login features of modern password managers.
Modern password managers generate strong random passwords and integrate with login forms in your desktop browser and on your mobile device. There are some exceptions with sites or applications that don't behave well, but as a general rule: you should not ever need to know any of your passwords anyway.
You should be clicking on whatever little icon is attached to login forms so that your password manager can autofill it for you. There shouldn't be an opportunity to add something to a password during login; you're just adding friction to a process that should be as frictionless as possible, because friction causes people to make bad decisions.
If the concern is that someone might be able to access your password manager, you should think harder about what it would mean for someone to have that level of access to your devices or data.
> [What if] your master password (the password to your password manager) is compromised...
Remote access for cloud-sync'd password managers should all have 2FA enabled anyway. You shouldn't be using anything even remotely simple for your master password. Local access to your password manager means you're screwed.
> [What if] someone gained temporary access to your unlocked system (computer or phone) when you stepped away
This is weird. Is this a thing? Are there people with private data in public environments who don't have the presence of mind to take their devices with them in to the bathroom but do have the presence of mind to dick about with their passwords every time they have to sign in to something? I'd pretty comfortably wager there's a much larger real risk from skilled phishing than from somebody in a hoodie rushing over while you're on the can regretting last night's last-minute Taco Bell trip.
> you're just adding friction to a process that should be as frictionless as possible, because friction causes people to make bad decisions
Integrating a password manager with a browser is too fragile and risky a way of using both. It is best to have them fully separated so they can't communicate. They should communicate exclusively via the user.
The login process should have some friction and should not be fully automated. Adding a secret domain-specific suffix to the password is very little friction for the user and gives obvious benefits: the password manager does not know the password, it can't send it to other applications (intentionally or by chance), it won't log in the user by accident.
If you hash the concatenated string result, and use the hash as your password, it also means your horcrux wouldn't be at all visible to services. That's a lot of extra work though.
Older and weaker hashing algorithms are probably better for this, sha384 and upwards produce large hashes that might be too big for passwords for some websites. Protonmail trims anything more than 72 characters.
See - https://www.reddit.com/r/ProtonMail/comments/khrzhe/pm_ignor...
It is much better to use a password manager than trying to remember poorly crafted passwords in your head. But also really/truly remember not to really put all your eggs in one proverbial basket.
Password managers are not without dangers:
1. If you forget your master password or secret key (you need both to setup a new device), you are screwed.
2. If the password manager cloud sync service (like 1password) decides to cancel your account for whatever reason, you are screwed.
3. If the password manager allows silently keeping replicas on devices you don't know about, you are screwed.
4. If your password manager logs your sign-in access patterns along with your IP addresses (even from behind your fancy VPNs), you are screwed.
5. If you are storing your password, your 2FA secret, and your recovery keys - all in the same password manager, you are royally screwed when that password manager is compromised.
6. If you lose your device, or device gets damaged etc and you don't have a copy of your vault, you are screwed.
Remember – supply chain attacks (example: password manager company's office gets hacked, and their signing key gets stolen and a trojan update is delivered to your machine) will happen some day (may have already happened) and all your passwords will be stolen. Just assume that and behave accordingly.
I somewhat recently made my personal disaster recovery plan, and the password manager features prominently into it. If I lose all of my electronic devices in a sudden accident, how can I recover my online life? To address your questions specifically:
1. I used Shamir's secret sharing to send out a copy of my secret key to a few loved ones. The master password is in my memory only. If I forget the master password, I lose.
2. I use 1Password, and they say they make accounts read-only once you stop paying. If they did actively delete my account, my devices have a local copy. If I lose my devices and they delete my account at the same time, I lose.
3. I don't know what you're imagining, but you need the data, secret key, and master password to have this be a concern.
4. This has nothing to do with my threat model, I'm afraid. I can't imagine a world in which knowing my IP address leads to decrypting my password vault.
5. I am and this is correct. If there's a vulnerability in the cryptography used by 1Password, I lose. As you said, if there's a trojan update, I lose.
6. This is the same as 1 and 2.
All things considered, as a regular person who is concerned about protection from thieves and not especially concerned about being a target of governments, I am OK with these risks.
This doesn't address the key issue of how many "in head" horcruxes you want to have. Is it one and the same for all passwords? Then two broken passwords reveal it (if someone's clever maybe even 1, not sure here). If it's different for different passwords, you now need to memorize (or store elsewhere) a list of many, many such horcruxes. Not 7... but maybe 100 or 200 to be practical for a heavy user of internet apps. Which basically means you need 2 password managers.
So where do I store the 100 horcruxes?
What's your take on this?
A 2nd password manager for the 2nd part of the password breaks maybe the key advantage of this mechanism by putting the "something you know" into a decryptable by design storage space that is most likely duplicated in the cloud.
You could take this a step further and make your "horcrux" a short & simple cipher code based on some attributes of the organization instead.
It takes a bit longer to construct for sites you don't log into often, but when appended to a password/passphrase, it appears to be random across each site. If multiple logins get leaked it's not immediately obvious you're using the double-blind approach.
My bank uses some kind of mandatory javascript malware to make it impossible to paste or password-manage the password they demand. I'm beginning to see this on an increasing number of sites.
Even if I could find out which banks don't make this particular offering to Satan, what would prevent the bank I switch to from adopting this malfeasance next week?
This can be a useful idea, requiring a checkbox on password managers, e.g., "[ ] Pause for additional input".
No one ever answers how often security breaks are from: passwords being guessed, brute forced, or shared; client side compromise from malware, keyloggers, and first-hop IP session takeover; or server side compromise from poor custom code and poor infrastructure choices. Anecdotally, the chart leans to the server side security breaches.
In the absence of knowledge, we get two security talks repeated over and over. This is the first: do a better job with passwords. The second is "You are irrevocably insecure because of [some issue], but update your passwords regularly."
Security has not developed a reputation for being a craft or science.
> No one ever answers how often security breaks are from: passwords being guessed, brute forced, or shared; client side compromise from malware, keyloggers, and first-hop IP session takeover; or server side compromise from poor custom code and poor infrastructure choices.
It's really hard to get those guys to fill out questionnaires.
It seems to me that this does not add a lot of security if you use the same extra word for all passwords.
It probably does add a lot of security if you use a different extra word for each password, but then you can't remember them anymore and you need to write them down somewhere.
Not if you use some obscure pattern for these added words. Yeah, if a hacker saw a bunch of them then maybe it could be deciphered, but way better than reusing the same one.
Although this seems cool, there are at least two downsides:
1. You have to copy/type the password manually, instead of relying on your password manager to recognize the website, leaving you more vulnerable to phishing.
2. More manual entry... In a world where I use passwords around a hundred times per day, I don't want to type them.
Also, it's easy to avoid the two risks he mentions:
1. Don't write your master password on a post-it, duh.
2. Don't leave your session open when getting a coffee.
> use a horcrux only for the most important logins - your social media, bank accounts etc.
Am I the only person who does a huge double take on this? If someone hacks a facebook or a twitter - what precisely am I scared of? My bank accounts are literally my net worth. If they get hacked I'm broke.
Why would I want a particularly strong password on Twitter or Facebook or Linkedin for that matter
I wonder if it's implicitly acknowledging that social media (at least Google and Facebook) are authentication providers for thousands/millions of other services. So it's more of a "protect the keys to the kingdom" suggestion for those that use Facebook/Google to sign in to everything (not that I recommend doing that often).
Because they are your public face online and the quickest route to your contacts. It is trivial to do immense reputation damage with access to that. Would you rather go through the hassle of getting money back after you were the victim of bank fraud, or getting respect back after someone posted hardcore porn to all your contacts or used your social media as a vector to spread a scam link?
I think there are a couple of problems in practice with this:
1) I don't leave my password manager open overnight, but I do during the day. My master password is long and I enter a lot of passwords. The most obvious attack vector is getting onto my computer while I'm working, not cracking the master password.
2) Losing my master password would be a _big fucking problem_. Once I'm confident I've learned it I destroy whatever it's on, but I can't risk having no backup before then.
Both of these points could be addressed if I were safeguarding nuclear launch codes. But I think it's silly to treat my passwords as national secrets. I'm not willing to abandon all convenience for the sake of safety.
This concept has been around for forever but referred to as "something I have" (password manager, yubikey, etc) and "something I know" (the one in your head).
Isn’t the effect the same as having a second layer of encryption, i.e. a second master password that you enter on the client only, to unlock each password?
The best password manager would be a physical device which requires a tap to unlock a password.
Trezor password manager got close, but it seems like they abandoned it and they never supported local (sd card) storage.
Basically, It would be a yubikey style device, secured by a master password. You could have nice browser plugins for listing all your available passwords and single click logins, etc.. Everything that lastpass/1password does from a UI standpoint.
The difference would be that decrypting/unlocking passwords would require you to physically tap on the device each time to approve the unlock- and the screen would say "Unlock password for github.com?". Basically, this system makes it impossible for some trojan remote-control virus to be able to get your passwords, even if they have your master password. The BEST they can hope for is just to sit quietly on your PC for months, slowly storing all the passwords you decide to unlock.
Alas, doesnt seem like this device is going to exist any time soon. As I said, the best bet was trezor but they dont seem to care about it anymore. Too bad, they were so close.
Or just use federated authentication ala log-in-with-X with non-SMS 2FA protecting the identity account. SAML, OIDC, and friends are immune to dictionary attacks, leaks, rainbow tables, cross-site re-use, and all the other password problems.
If you can trust X enough to not allow social engineering for password resets then it provides at least as much security as a memorized passphrase. Google provides Advanced Account Protection for people who really need it.
Hopefully most sites start allowing multiple federated identities per account so that anyone worried about keeping all their eggs in one basket can maintain and attach more than one identity.
For any X meeting the above criteria they're going to be a much harder target than any random online service accepting the federated credentials (this applies to insider threats and external attackers alike).
X doesn't exist for you? Help build it. There's no specific reason that Facebook, Apple, and Google should be the only trusted identity providers on the web, but they do invest significant effort in minimizing account theft and hardening their infrastructure, and most eat their own dogfood to protect their corporate assets. The big advantage that Apple and Google have is that they can tie identity to biometric and physical factors in a way that's hard for anyone else to achieve.
Once computing implants are widely in use identity can move to that but until then we have cell phones that, paired with U2F hardware, can be the root of trusted identity and (with a passphrase and lock screen timeouts) are practically immune to anything below state-level actors. 0-day exploits exist but they're sold to state actors and held in reserve.
Note: This only applies to online services. Memorize your device encryption keys for local data security; there's no way around that.
The problem is trust. What would you do if e.g. Google closed your account?
Something like easy to install on prem X speaking standard API with pluggable 2FA could be a winner.
If a site is using bcrypt and it allows users to set passwords longer than 72 chars, the operator of the site is the problem not the use of a password manager + in-my-head-secret
I don't really agree with the long passphrase thing.. I leave my passwords at 12 characters max (and 8 for less important sites)
Reason: You still have to type it sometimes. Like on a device you don't have the password manager on. That makes it really annoying. And because it's only used on one site it doesn't really matter how long it is. If a hacker gets hold of the password file they already own that site anyway. Doesn't really matter whether they can bruteforce the hash. It won't give them more access than they already have.
I do agree with the horcrux thing though.. Really important passwords I only store on paper and I already add a memorised thing to them. But be aware it's not perfect either. A compromised endpoint could have a keylogger installed. Totally passwordless with Fido2 for example would be even better.
> won't give him access to more than he already has.
That is very incorrect. A lot of hash leaks happen when an attacker can read data, but he can't necessarily edit it or even make sense of it. Also, the attacker usually does a quick download, then _sells_ the data.
So, imagine your Twitter password was leaked. The original attacker a) likely doesn't have write access, and 2, is just going to sell the password hashes.
The real worry is the buyer, who buys the hashes, to log in as you and do anything.
This is how youvebeenpwned works. He actually finds leaks of hashes on the dark web.
> Reason: You still have to type it sometimes. Like on a device you don't have the password manager on.
Assuming a standard typeable character set (letters upper/lower, numbers, symbols you can type on a standard US keyboard), you've got 92 characters. (Safe assumption given you're planning on typing this on all sorts of devices.)
Your randomized eight character password has 52 bits of entropy. Twelve characters takes it to 78 bits. Not really enough if you're up against an offline attack.
Assuming you choose 5 random English words (which will probably take you about two seconds to type on something like a phone), you'll have a more secure password.
I agree typing on devices that don't have your password manager is annoying, but in my experience it _really_ doesn't come up that often. Yours is the exact reason I use 32 character passwords rather than the 64/128/etc some people I know use.
But 12 is.. short. The trade-off between the added security and the inconvenience makes it a pretty obvious choice for me. (And you're wrong--having a database dump full of password hashes does not "already owning that site" make.)
Typing 32 characters on a game console to log into Netflix taking an extra minute every few years is really not that inconvenient relative to the added security. And it's something like 2^130 times more secure than your 12 character password for the inconvenience it brings. Or about 1,361,129,500,000,000,000,000,000,000,000,000,000,000 times (I can't actually find the SI prefix for how big this is) stronger.
While not being a bad idea, I think that any advantage of this method and double/triple locking your password manager (by an additional encryption layer) falls into the category of warm-fuzzy-feeling-of-security.
Also, while unlikely to pose a real threat, since this method literally breaks the 3rd rule introduced in the article ("Have a significantly different password for each account") and not only that, it does so by _appending_ a constant string to all your passwords, it introduces the potential risk in case a vulnerability is found in the cipher that's used to encrypt your passwords database.
Is there any reason why something like bitwarden couldn't prompt you with an in-browser prompt() dialog for your horcrux right before you enter your password and append it the one they auto-inject into the form?
> NOTE: process-cancel-stingy-garnet is technically a passphrase - basically an easy-to-remember password in comparison to randomized strings like B6fSpxMj&f6DU@5^k
Doesn't scale. To do it correctly, you would want a different secret in each case, and our inability to remember so many secrets is exactly why we use password manager in the first place.
When will sites let users use asymmetric cryptography, like RSA or ECDSA? It's far superior because of invulnerability against server hacks or phishing.
emmanueloga_|5 years ago
1: https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
2: https://pimbook.org/
war1025|5 years ago
franky47|5 years ago
https://francoisbest.com/posts/2020/password-reset-for-e2ee-...
busfahrer|5 years ago
kortex|5 years ago
https://github.com/xkortex/passcrux
rozab|5 years ago
https://github.com/jesseduffield/horcrux
This is basically a low tech (and much more insecure) version of the n=2 case.
chipsa|5 years ago
0: https://en.wikipedia.org/wiki/Pepper_(cryptography)
e12e|5 years ago
Plain: server stores the password, client sends the password - matching is simple. When the server is breached, all passwords are known.
Hash: server stores a hash of the password, the type of hash. Client sends the plain password, server hashes and compares. When the server is breached, most passwords are known, by way of rainbow tables/brute force.
Salted hash: same as hash, server additionally stores a random salt per account. Hash is over plain password and hash. When the server is compromised, weak/dictionary passwords are compromised via brute force.
Peppered passwords: an additional secret is used for salting. The stored hash now depends on plaintext password, plain salt, "secret" pepper. When the server is compromised, most likely the pepper is compromised too. If not (e.g. only database/backups are exposed), the pepper needs to be recovered before brute force of passwords is viable. If the attacker has an account (knows a password) it's straightforward to attempt to brute force the pepper, but unless it's weak (e.g. not a 128 bit random number) - it should not be feasible.
Finally, horcruxing has nothing to do with the server side. It has nothing to do with hashing. It is a simple suffix appended to any given password stored in a password manager, in an IMNHO misguided attempt at improved security.
The server sees the full password on account creation and login. It seems to be suggested to share the "horcrux" across accounts.
An attacker compromising the passwords stored in the password manager only gets ~half the password. They need to get the other half via brute force, by compromising another account sharing the same suffix/horcrux, via a keylogger, etc.
A physical compromise of a device with a password manager seems likely to open up a lot of these attacks.
Note that Bitwarden uses 2FA to authenticate a client - but AFAIK if you have a copy of the data/vault - the passphrase is sufficient to get the decryption key.
Horcruxing defends against some odd threats, and otherwise adds more complexity than security IMNHO.
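The four server-side storage schemes e12e lists above (plain, hash, salted hash, peppered hash) and what an attacker recovers from a database dump under each, as an added example that is not code from the thread. The passwords, the five-word "wordlist" standing in for a cracking dictionary, the 2,000 PBKDF2 iterations and the assumption that the pepper lives outside the database are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 2_000  # deliberately low so the demonstration runs in well under a second

# Constructed inputs: a weak password present in the attacker's wordlist, a strong one that is
# not, and a tiny wordlist standing in for a rainbow table / cracking dictionary.
WEAK_PASSWORD = "sunshine"
STRONG_PASSWORD = "v9#Kq2LmZ!7rTe"
WORDLIST = ["123456", "password", "qwerty", "sunshine", "letmein"]


def _kdf(password: str, salt: bytes, pepper: bytes = b"") -> bytes:
    # The salt is stored next to the hash; the pepper is a server-side secret kept out of the
    # database (env var, KMS, HSM), so a dump of the database alone does not contain it.
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, ITERATIONS)


def store(scheme: str, password: str, pepper: bytes = b"") -> dict:
    """Return the record the server writes to its database under `scheme`."""
    if scheme == "plain":
        return {"scheme": scheme, "value": password}
    if scheme == "hash":
        return {"scheme": scheme, "value": hashlib.sha256(password.encode()).hexdigest()}
    salt = os.urandom(16)
    if scheme == "salted":
        return {"scheme": scheme, "salt": salt, "value": _kdf(password, salt)}
    if scheme == "peppered":
        return {"scheme": scheme, "salt": salt, "value": _kdf(password, salt, pepper)}
    raise ValueError(f"unknown scheme {scheme!r}")


def verify(record: dict, candidate: str, pepper: bytes = b"") -> bool:
    """What the server (or an attacker holding the record) does to test one candidate."""
    scheme = record["scheme"]
    if scheme == "plain":
        return hmac.compare_digest(record["value"], candidate)
    if scheme == "hash":
        return hmac.compare_digest(record["value"], hashlib.sha256(candidate.encode()).hexdigest())
    if scheme == "salted":
        return hmac.compare_digest(record["value"], _kdf(candidate, record["salt"]))
    return hmac.compare_digest(record["value"], _kdf(candidate, record["salt"], pepper))


def crack(record: dict, wordlist, pepper: bytes = b""):
    """Offline dictionary attack on one breached record. Returns the password or None."""
    if record["scheme"] == "plain":
        return record["value"]  # nothing to crack
    for word in wordlist:
        if verify(record, word, pepper):
            return word
    return None


def breach_outcome(pepper_leaked: bool) -> dict:
    """For each scheme, which of the two sample passwords an attacker recovers from a dump."""
    pepper = os.urandom(16)
    attacker_pepper = pepper if pepper_leaked else b""  # without the pepper every guess fails
    outcome = {}
    for scheme in ("plain", "hash", "salted", "peppered"):
        recovered = []
        for pw in (WEAK_PASSWORD, STRONG_PASSWORD):
            record = store(scheme, pw, pepper)
            if crack(record, WORDLIST, attacker_pepper) == pw:
                recovered.append(pw)
        outcome[scheme] = recovered
    return outcome


def hash_reuse_visible(scheme: str) -> bool:
    """Without a per-account salt, two accounts with the same password share one record value,
    which is exactly what makes precomputed (rainbow) tables pay off across accounts."""
    return store(scheme, WEAK_PASSWORD)["value"] == store(scheme, WEAK_PASSWORD)["value"]


if __name__ == "__main__":
    print("pepper kept secret:", breach_outcome(False))
    print("pepper leaked too: ", breach_outcome(True))
    print("same password -> same record (hash):  ", hash_reuse_visible("hash"))
    print("same password -> same record (salted):", hash_reuse_visible("salted"))
```

With the pepper held back from the dump, `breach_outcome(False)` recovers both passwords under `plain`, only the weak one under `hash` and `salted`, and nothing under `peppered`; `breach_outcome(True)` shows the weak password falling again once the pepper is exposed with the rest of the server, which is e12e's "most likely pepper is compromised too" case.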
vmarquet|5 years ago
It would be very confusing to reuse this term for what is described in this article, so a new term like "Horcruxing" can be relevant. I like it.
Thorrez|5 years ago
Another weakness that doesn't require a keylogger, is the attacker might be able to find some stolen database of a website that stored passwords in plaintext, then deduce your horcrux from the difference between what was in your password manager and what was in the database. And if the site did hash passwords, the attacker can try cracking the horcrux. The 5-character example horcrux probably wouldn't be too hard. The article somewhat covers this by saying only use the horcrux on important sites. This is good, but it still has weaknesses because an important site can still get its database stolen, and some people also want to protect less important sites.
And if no password databases are available, the attacker can create a website and ask you to join it under the hope you'll reuse your horcrux on the attacker's site. I've actually had an attacker contact me personally (that is, actually chatting with me live) and ask me to sign up for his forum under the hope that I would reuse my valuable account's password on the forum.
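The two recovery paths Thorrez describes above, as an added example that is not code from the thread: deducing the horcrux from a plaintext leak by subtracting what the password manager holds, and cracking it from a hashed leak by enumerating only the suffix, since the manager-stored prefix is already known. Then the pivot: the recovered horcrux unlocks the second site without any cracking. The site names, the manager entries, the hypothetical four-letter horcrux `wand` (kept short and lowercase so the search finishes in about a second; the keyspace function shows the five-character, full-keyboard case) and the sha256-with-salt scheme of the hypothetical site are all constructed.

```python
import hashlib
import itertools
import math
import os
import string

# Constructed sample data: what the password manager stores for two sites, and the short
# memorised horcrux the user types after it at login. All values are hypothetical.
HORCRUX = "wand"
MANAGER_ENTRIES = {"forum.example": "x7Tq!pL2", "bank.example": "Wm4&zR9v"}


def full_password(site: str) -> str:
    """The password the site actually receives: manager-stored part + horcrux."""
    return MANAGER_ENTRIES[site] + HORCRUX


def horcrux_from_plaintext_leak(manager_value: str, leaked_plaintext: str):
    """Site stored plaintext: the horcrux is simply the part the manager does not have."""
    if not leaked_plaintext.startswith(manager_value):
        return None
    return leaked_plaintext[len(manager_value):]


def horcrux_from_hash_leak(manager_value: str, salt: bytes, leaked_hash: bytes,
                           alphabet: str, length: int):
    """Site hashed the password as sha256(salt || password). With the prefix known, the
    attacker enumerates every `length`-character suffix over `alphabet` against the one hash."""
    for cand in itertools.product(alphabet, repeat=length):
        suffix = "".join(cand)
        digest = hashlib.sha256(salt + (manager_value + suffix).encode()).digest()
        if digest == leaked_hash:
            return suffix
    return None


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Work the attacker faces once the prefix is known: only the horcrux's entropy is left."""
    return length * math.log2(alphabet_size)


def demo() -> dict:
    # Breach 1: forum.example kept plaintext. Breach 2: forum.example kept sha256(salt || pw).
    # A slow KDF (bcrypt/argon2) raises the cost per guess but does not enlarge the keyspace.
    leaked_plain = full_password("forum.example")
    salt = os.urandom(8)
    leaked_hash = hashlib.sha256(salt + leaked_plain.encode()).digest()

    from_plain = horcrux_from_plaintext_leak(MANAGER_ENTRIES["forum.example"], leaked_plain)
    from_hash = horcrux_from_hash_leak(MANAGER_ENTRIES["forum.example"], salt, leaked_hash,
                                       string.ascii_lowercase, len(HORCRUX))
    # Pivot: the horcrux learnt from the throwaway forum is the one the bank login needs.
    bank_guess = MANAGER_ENTRIES["bank.example"] + (from_hash or "")
    return {
        "from_plaintext_leak": from_plain,
        "from_hash_leak": from_hash,
        "bank_login_works": bank_guess == full_password("bank.example"),
        "bits_5char_typeable": round(keyspace_bits(92, 5), 1),
    }


if __name__ == "__main__":
    print(demo())
```

`keyspace_bits(92, 5)` comes to about 32.6 bits, which is the whole remaining search space for a five-character horcrux drawn from the typeable keyboard once an attacker has the manager-stored half; how long that takes depends only on the site's hash function, not on how strong the stored half was.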
GoblinSlayer|5 years ago
Some sites email your password to you: https://plaintextoffenders.com/
upbeat_general|5 years ago
You could also just have a horcrux for a couple sites and make them all distinct obviously.
Hackbraten|5 years ago
How did you eventually find out their true motivation?
gbh444g|5 years ago
TwoBit|5 years ago
I don't think that reusing the same pepper (horcrux string) for all sites would be best practice.
kurthr|5 years ago
_wldu|5 years ago
I wish the idea of generating passwords when needed rather than storing and retrieving them was more popular. Traditional password managers are just flawed.
https://github.com/62726164/dpg
melonkidney|5 years ago
Mine is web based, but all implemented in the front-end; no data is ever sent to the server.
I was debating whether to post the URL, because I don't really want a bunch of people to start depending on it the way I do (I have zero plans to maintain/improve it). But I feel like there may be sufficient interest. So the URL is in my profile for the next 48 hours.
gruez|5 years ago
Why?
Password generators have flaws of their own and have been discussed extensively on hn eg. https://news.ycombinator.com/item?id=13016132 or https://news.ycombinator.com/item?id=22580719
meribold|5 years ago
rich_sasha|5 years ago
bitexploder|5 years ago
SpaethCo|5 years ago
Summershard|5 years ago
https://masterpassword.app/
thaumaturgy|5 years ago
Modern password managers generate strong random passwords and integrate with login forms in your desktop browser and on your mobile device. There are some exceptions with sites or applications that don't behave well, but as a general rule: you should not ever need to know any of your passwords anyway.
You should be clicking on whatever little icon is attached to login forms so that your password manager can autofill it for you. There shouldn't be an opportunity to add something to a password during login; you're just adding friction to a process that should be as frictionless as possible, because friction causes people to make bad decisions.
If the concern is that someone might be able to access your password manager, you should think harder about what it would mean for someone to have that level of access to your devices or data.
> [What if] your master password (the password to your password manager) is compromised...
Remote access for cloud-sync'd password managers should all have 2FA enabled anyway. You shouldn't be using anything even remotely simple for your master password. Local access to your password manager means you're screwed.
> [What if] someone gained temporary access to your unlocked system (computer or phone) when you stepped away
This is weird. Is this a thing? Are there people with private data in public environments who don't have the presence of mind to take their devices with them in to the bathroom but do have the presence of mind to dick about with their passwords every time they have to sign in to something? I'd pretty comfortably wager there's a much larger real risk from skilled phishing than from somebody in a hoodie rushing over while you're on the can regretting last night's last-minute Taco Bell trip.
posix_me_less|5 years ago
Integrating a password manager with a browser is too fragile and risky a way of using both. It is best to have them fully separated so they can't communicate. They should communicate exclusively via the user.
The login process should have some friction and should not be fully automated. Adding a secret domain-specific suffix to the password is very little friction for the user and gives obvious benefits: the password manager does not know the password, it can't send it to another application (intentionally or by chance), it won't log the user in by accident.
bootlooped|5 years ago
meribold|5 years ago
phantom_rehan|5 years ago
vinay_ys|5 years ago
Password managers are not without dangers:
1. If you forget your master password or secret key (you need both to setup a new device), you are screwed.
2. If the password manager cloud sync service (like 1password) decides to cancel your account for whatever reason, you are screwed.
3. If the password manager allows silently keeping replicas on devices you don't know about, you are screwed.
4. If your password manager logs your sign-in access patterns along with your IP addresses (even from behind your fancy VPNs), you are screwed.
5. If you are storing your password, your 2FA secret, and your recovery keys - all in the same password manager, you are royally screwed when that password manager is compromised.
6. If you lose your device, or device gets damaged etc and you don't have a copy of your vault, you are screwed.
Remember – supply chain attacks (example: password manager company's office gets hacked, and their signing key gets stolen and a trojan update is delivered to your machine) will happen some day (may have already happened) and all your passwords will be stolen. Just assume that and behave accordingly.
CGamesPlay|5 years ago
1. I used Shamir's secret sharing to send out a copy of my secret key to a few loved ones. The master password is in my memory only. If I forget the master password, I lose.
2. I use 1Password, and they say they make accounts read-only once you stop paying. If they did actively delete my account, my devices have a local copy. If I lose my devices and they delete my account at the same time, I lose.
3. I don't know what you're imagining, but you need the data, secret key, and master password to have this be a concern.
4. This has nothing to do with my threat model, I'm afraid. I can't imagine a world in which knowing my IP address leads to decrypting my password vault.
5. I am and this is correct. If there's a vulnerability in the cryptography used by 1Password, I lose. As you said, if there's a trojan update, I lose.
6. This is the same as 1 and 2.
All things considered, as a regular person who is concerned about protection from thieves and not especially concerned about being a target of governments, I am OK with these risks.
tobib|5 years ago
Can you explain why one would be screwed in this case?
GekkePrutser|5 years ago
Others are mitigated by good opsec and backup strategies.
gpvos|5 years ago
jakubp|5 years ago
So where do I store the 100 horcruxes? What's your take on this?
methodsignature|5 years ago
_wldu|5 years ago
https://github.com/62726164/dpg
posix_me_less|5 years ago
cjonas|5 years ago
It takes a bit longer to construct for sites you don't log into often, but when appended to a password/passphrase, it appears to be random across each site. If multiple logins get leaked it's not immediately obvious you're using the double-blind approach.
thyrsus|5 years ago
Even if I could find out which banks don't make this particular offering to Satan, what would prevent the bank I switch to from adopting this malfeasance next week?
warmwaffles|5 years ago
[0] https://chrome.google.com/webstore/detail/dont-fuck-with-pas...
[1] https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi...
CharlesMerriam2|5 years ago
No one ever answers how often security breaks are from: passwords being guessed, brute forced, or shared; client side compromise from malware, keyloggers, and first-hop IP session takeover; or server side compromise from poor custom code and poor infrastructure choices. Anecdotally, the chart leans to the server side security breaches.
In the absence of knowledge, we get two security talks repeated over and over. This is the first: do a better job with passwords. The second is "You are irrevocably insecure because of [some issue], but update your passwords regularly."
Security has not developed a reputation for being a craft or science.
heleninboodler|5 years ago
It's really hard to get those guys to fill out questionnaires.
TacoSteemers|5 years ago
It probably does add a lot of security if you use a different extra word for each password, but then you can't remember them anymore and you need to write them down somewhere.
harg|5 years ago
But if your pw manager gets compromised then that’s a pretty big problem so probably best to focus efforts on that not happening.
It could make sense for sensitive accounts like email, valuable social media etc
Blikkentrekker|5 years ago
When I was 12 years old, everyone around me could easily remember up to 50 different 10 digit phone numbers, I still remember those.
TwoBit|5 years ago
nullc|5 years ago
anonymouse008|5 years ago
aspyct|5 years ago
1. You have to copy/type the password manually, instead of relying on your password manager to recognize the website, leaving you more vulnerable to phishing.
2. More manual entry... In a world where I use passwords around a hundred times per day, I don't want to type them.
Also, it's easy to avoid the two risks he mentions:
1. Don't write your master password on a post-it, duh.
2. Don't leave your session open when getting a coffee.
I'll stick with the standard practice.
dataking|5 years ago
Ntrails|5 years ago
Am I the only person who does a huge double take on this? If someone hacks a facebook or a twitter - what precisely am I scared of? My bank accounts are literally my net worth. If they get hacked I'm broke.
Why would I want a particularly strong password on Twitter or Facebook or Linkedin for that matter
peeters|5 years ago
aetherson|5 years ago
And I'll echo another comment that if you login with Facebook or Google, that increases the value of that password.
On a similar note, your very strongest password should be whatever controls the email where your password resets get sent to.
v01dlight|5 years ago
nicwolff|5 years ago
l1am0|5 years ago
1) Choose a good master password for your password manager
2) Remember it
3) !!! Don't write it down anywhere !!!
wyattpeak|5 years ago
1) I don't leave my password manager open overnight, but I do during the day. My master password is long and I enter a lot of passwords. The most obvious attack vector is getting onto my computer while I'm working, not cracking the master password.
2) Losing my master password would be a _big fucking problem_. Once I'm confident I've learned it I destroy whatever it's on, but I can't risk having no backup before then.
Both of these points could be addressed if I were safeguarding nuclear launch codes. But I think it's silly to treat my passwords as national secrets. I'm not willing to abandon all convenience for the sake of safety.
curiousllama|5 years ago
The solution to murder is “don’t kill anybody,” but that’s not helpful in a discussion about preventing crime
ancientworldnow|5 years ago
ignoramous|5 years ago
OPAQUE + Horcrux sounds pretty close to what Signal did for its app passwords [1].
[0] https://news.ycombinator.com/item?id=25346632
[1] https://news.ycombinator.com/item?id=21839117
jiofih|5 years ago
meribold|5 years ago
ds|5 years ago
Trezor password manager got close, but it seems like they abandoned it and they never supported local (sd card) storage.
Basically, it would be a yubikey style device, secured by a master password. You could have nice browser plugins for listing all your available passwords and single click logins, etc.. Everything that lastpass/1password does from a UI standpoint.
The difference would be that decrypting/unlocking passwords would require you to physically tap on the device each time to approve the unlock- and the screen would say "Unlock password for github.com?". Basically, this system makes it impossible for some trojan remote-control virus to be able to get your passwords, even if they have your master password. The BEST they can hope for is just to sit quietly on your PC for months, slowly storing all the passwords you decide to unlock.
Alas, doesn't seem like this device is going to exist any time soon. As I said, the best bet was trezor but they don't seem to care about it anymore. Too bad, they were so close.
jonahrd|5 years ago
Genuine questions. I want ease-of-use and security. Is it possible?
stevelosh|5 years ago
jiveturkey|5 years ago
Trevor is a joke, security-wise. I literally laffed.
benlivengood|5 years ago
If you can trust X enough to not allow social engineering for password resets then it provides at least as much security as a memorized passphrase. Google provides Advanced Account Protection for people who really need it.
Hopefully most sites start allowing multiple federated identities per account so that anyone worried about keeping all their eggs in one basket can maintain and attach more than one identity.
For any X meeting the above criteria they're going to be a much harder target than any random online service accepting the federated credentials (this applies to insider threats and external attackers alike).
X doesn't exist for you? Help build it. There's no specific reason that Facebook, Apple, and Google should be the only trusted identity providers on the web, but they do invest significant effort in minimizing account theft and hardening their infrastructure, and most eat their own dogfood to protect their corporate assets. The big advantage that Apple and Google have is that they can tie identity to biometric and physical factors in a way that's hard for anyone else to achieve.
Once computing implants are widely in use identity can move to that but until then we have cell phones that, paired with U2F hardware, can be the root of trusted identity and (with a passphrase and lock screen timeouts) are practically immune to anything below state-level actors. 0-day exploits exist but they're sold to state actors and held in reserve.
Note: This only applies to online services. Memorize your device encryption keys for local data security; there's no way around that.
intricatedetail|5 years ago
some_furry|5 years ago
https://paragonie.com/blog/2016/02/how-safely-store-password...
kennywinker|5 years ago
GekkePrutser|5 years ago
Reason: You still have to type it sometimes. Like on a device you don't have the password manager on. That makes it really annoying. And because it's only used on one site it doesn't really matter how long it is. If a hacker gets hold of the password file they already own that site anyway. Doesn't really matter whether they can bruteforce the hash. It won't give them more access than they already have.
I do agree with the horcrux thing though.. Really important passwords I only store on paper and I already add a memorised thing to them. But be aware it's not perfect either. A compromised endpoint could have a keylogger installed. Totally passwordless with Fido2 for example would be even better.
nhumrich|5 years ago
That is very incorrect. A lot of hash leaks happen when an attacker can read data, but he can't necessarily edit it or even make sense of it. Also, the attacker usually does a quick download, then _sells_ the data. So, imagine your Twitter password was leaked. The original attacker a) likely doesn't have write access, and b) is just going to sell the password hashes. The real worry is the buyer, who buys the hashes, to log in as you and do anything.
This is how youvebeenpwned works. He actually finds leaks of hashes on the dark web.
nucleardog|5 years ago
Assuming a standard typeable character set (letters upper/lower, numbers, symbols you can type on a standard US keyboard), you've got 92 characters. (Safe assumption given you're planning on typing this on all sorts of devices.)
Your randomized eight character password has 52 bits of entropy. Twelve characters takes it to 78 bits. Not really enough if you're up against an offline attack.
Assuming you choose 5 random English words (which will probably take you about two seconds to type on something like a phone), you'll have a more secure password.
I agree typing on devices that don't have your password manager is annoying, but in my experience it _really_ doesn't come up that often. Yours is the exact reason I use 32 character passwords rather than the 64/128/etc some people I know use.
But 12 is.. short. The trade-off between the added security and the inconvenience makes it a pretty obvious choice for me. (And you're wrong--having a database dump full of password hashes does not "already owning that site" make.)
Typing 32 characters on a game console to log into Netflix taking an extra minute every few years is really not that inconvenient relative to the added security. And it's something like 2^130 times more secure than your 12 character password for the inconvenience it brings. Or about 1,361,129,500,000,000,000,000,000,000,000,000,000,000 times (I can't actually find the SI prefix for how big this is) stronger.
almog|5 years ago
Also, while unlikely to pose a real threat, since this method literally breaks the 3rd rule introduced in the article ("Have a significantly different password for each account") and not only that, it does so by _appending_ a constant string to all your passwords, it introduces the potential risk in case a vulnerability is found in the cipher that's used to encrypt your passwords database.
ffpip|5 years ago
[1]- https://play.google.com/store/apps/details?id=com.beemdevelo...
[2]- https://old.reddit.com/r/androidapps/comments/b45zrj/dev_aeg...
deanclatworthy|5 years ago
kennywinker|5 years ago
lukasm|5 years ago
corv|5 years ago
jhvkjhk|5 years ago
[1]: https://github.com/jesseduffield/horcrux
war1025|5 years ago
Is occasionally a pain when doing things on a phone, but even then I just log in once to most things and am good to go.
29athrowaway|5 years ago
(Word dictionary size)^4 > (Alphabet size)^17
I don't think so
blueblisters|5 years ago
throwawayffffas|5 years ago
gergelykralik|5 years ago
In what world is my social media account more important than bank account?
unknown|5 years ago
[deleted]
kordlessagain|5 years ago
adamc|5 years ago
For a small number of key accounts, sure.
dandanua|5 years ago
mjevans|5 years ago
gulbrandr|5 years ago
Dylan16807|5 years ago
imhoguy|5 years ago
senden9|5 years ago
shuringai|5 years ago
unknown|5 years ago
[deleted]
ljlolel|5 years ago
rabbut|5 years ago
Better in what sense?
If you can’t remember it you have to store it, which increases surface of attack.
draw_down|5 years ago
[deleted]