Re: [dev] securiy guidance

From: fao_ <finnoleary_AT_inventati.org>
Date: Wed, 04 Apr 2018 10:47:43 +0000

> Any thoughts why this isn't the perfect solution? I thought about it
> for
> a while and all the cons that I could come up with were false.

If you change your master password you have to change every single one
of your accounts.

If one account gets broken into you either:
1) have to store metadata to generate a new password, i.e. a counter or
something
2) have to change your master password

(1) is a no-go since most of these advertise as being explicitly
one-knowledge ("You only remember the master password") tools. Having to
remember my master password plus fifty or so counters defeats the point.
(2) is _very_ irritating for the aforementioned reason that anyone with
more than 30 accounts has to manually change every single one of them
even though only one of them has been possibly broken. There might be
ways to automate that, but even that is putting a small band-aid over a
big flaw.

-- 
- fao_
PGP fingerprint: 739B 6C5C 3DE1 33FA
"Too enough is always not much!"
Received on Wed Apr 04 2018 - 12:47:43 CEST

This archive was generated by hypermail 2.3.0 : Wed Apr 04 2018 - 13:00:08 CEST