PasswordMaker Forums
Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Feature Requests / Enhancements => Topic started by: billybob on February 23, 2006, 11:42:40 AM
-
I really like the idea of adding in some protection against keyloggers.
How about doing what TrueCrypt (http://www.truecrypt.org/) does? It gives users the option of locking with a password AND 1 or more keyfiles. The important point is that the keyfile is chosen through a GUI using the mouse. Even if your attacker got your password with a keylogger, he wouldn't know which keyfiles you used or even if you used keyfiles at all.
The keyfile only needs to be a few tens of bytes long so practically any old file you have lying around can be used. It does add a bit more risk. If the file ever gets corrupted, modified, or lost, it would be just like forgetting your password. You have to choose your keyfile wisely.
This is a pretty nice compromise between speed and security. It can be kind of slooow to hunt and peck your well chosen 20 character passphrase on a GUI keyboard. ;)
BTW, info on this aspect of TrueCrypt I can only find in the PDF (http://www.truecrypt.org/docs/TrueCrypt%20User%20Guide.pdf), pages 41-43. But there are no pictures of this feature so you really have to try it to see what I mean.
-
Hi Billybob,
I am familiar with TrueCrypt. Wonderful tool. Are you suggesting the ability to use a file as the key instead of a user-entered password?
-Eric
-
Hi Eric,
Not instead of, in addition to. You would always have to enter the password. But a user could choose to add one or more keyfiles to the encryption key. My general thinking is that you are currently using 9 variables a user can choose to encrypt with, this would be a 10th. Everywhere you ask for the master password, you could add a check box: 'Use keyfile' and a button: 'Choose keyfile'.
I don't know the details of TrueCrypt's implementation, but I assume that they are taking a hash of the first 1024 kB of the keyfile and using that as a key to be added in the mix. Is this possible with PasswordMaker?
-
Yes, this is definitely possible. However, I'm not sure why you'd use the hash of the first x bytes as the key instead of using the first x bytes themselves?
Tanstaafl/Tyrantmizar: can you guys add this to the FRL, "Ability to specify a file as the master password or as a secondary password." FYI, I'm splitting this post from its original location here (http://forums.passwordmaker.org/index.php?showtopic=593) to foster discussion.
-Eric
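-
Added example, not part of the original thread and not TrueCrypt's or PasswordMaker's actual algorithm: a sketch of the "password plus keyfile" mix discussed above, next to the "first x bytes themselves" alternative. The function names, the HMAC-SHA256 mix and the 1 MiB read cap are assumptions, and the sample files are constructed.

```python
import hashlib
import hmac
import io

KEYFILE_LIMIT = 1024 * 1024  # assumption: read at most the first 1 MiB of a keyfile


def keyfile_digest(stream, limit=KEYFILE_LIMIT):
    """SHA-256 over at most `limit` leading bytes of an open binary stream."""
    h, remaining = hashlib.sha256(), limit
    while remaining > 0:
        chunk = stream.read(min(65536, remaining))
        if not chunk:
            break
        h.update(chunk)
        remaining -= len(chunk)
    return h.digest()


def derive_master(password, keyfiles=()):
    """Mix the typed password with zero or more keyfiles (hypothetical scheme).

    Digests are sorted first, so the order in which files were picked is irrelevant.
    """
    digests = sorted(keyfile_digest(f) for f in keyfiles)
    mix_key = hashlib.sha256(b"".join(digests)).digest()
    return hmac.new(mix_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def raw_prefix_key(password, stream, x=16):
    """Alternative raised in the thread: key on the first x bytes themselves."""
    return hmac.new(stream.read(x), password.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample "files": identical 16-byte header, different bodies.
HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
FILE_A = HEADER + b"holiday photo bytes" * 100
FILE_B = HEADER + b"another image bytes" * 100
FILE_A_CORRUPT = FILE_A[:500] + b"\x01" + FILE_A[501:]  # one byte altered

if __name__ == "__main__":
    pw = "example master password"  # constructed
    print("password only :", derive_master(pw))
    print("with keyfile A:", derive_master(pw, [io.BytesIO(FILE_A)]))
    print("A, one byte off:", derive_master(pw, [io.BytesIO(FILE_A_CORRUPT)]))
    print("raw prefix A==B:", raw_prefix_key(pw, io.BytesIO(FILE_A))
          == raw_prefix_key(pw, io.BytesIO(FILE_B)))
```

With a short raw prefix, two files that share a format header produce the same key, whereas the digest depends on every byte read. The same property is why a single altered byte in the keyfile yields a different master value, the lock-out risk mentioned in the first post.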