![]() Its uses are very limited against "real" attackers. Historically this is why Chrom has been resisting introducing this feature. It would also mitigate against someone being able to dump your password db off your filesystem if they get physical access to your computer, but full disk encryption does that better, and also protects all the rest of your personal data that's stored on the device. read your passwords from memory, or keylog until the next time you input the password. Having a stronger hash would mitigate against exfiltration off the device by malware, but if malware can exfiltrate files off your device it's very likely they can e.g. For this scenario, having a stronger hash would do nothing. To me is seems that this feature of browsers is really only meant as a protection against non-advanced attackers accessing an unlocked computer. ![]() What attack vector would be mitigated by switching to a stronger hashing scheme for this specific use case? And are there other mitigations that exist for this attack vector that would be more appropriate? This tends to include book quotes, movie quotes, etc. Crackers crawl the internet and build databases of all the quotes they find online. Someone sent bitcoins to a brainwallet secured only by the phrase "it was the best of times" (24 characters). >Even just twenty characters is within spitting distance of 2^128 ![]() If Santosh83's password is regular English, then it would have ~105 bits of entropy. This article claims English has 1.46 bits of entropy per character. User-chosen data is rarely random, so it's safe to say that Santosh83's password is not random. >For what it’s worth, assuming an alphabet of 72 characters (52 letters, 10 digits, 10 symbols), this is ridiculously higher entropy than a 128-bit encryption key. Presumably the changes are not complicated or labour intensive, so the fact it is an open bug since almost a decade is unfortunate. The issue is someone gaining access to your password DB and then being able to brute-force within reasonable time, which the current key derivation allows and a stronger algorithm can plug that weakness. ![]() That's obviously a battle lost before its even begun. The issue is not protecting users whose systems have malware. Most won't), which is why the article is right that a resistant hashing algo like argon2 can only improve security. Do we really think a regular user will take this effort? Instead they will continue using their simple, short passwords (if they set a MP at all. It took me a week to memorise it flawlessly. As a sort of computer nerd, my master password is 46 characters from the full set of letters, numbers, symbols and in both cases. Everyone suggesting to use a bigger and/or more random string are missing the point that your average user won't do that. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |