Author Topic: Public computers  (Read 4195 times)

Offline TC

  • Normal Members
  • *
  • Posts: 1
Public computers
« on: December 09, 2009, 03:12:16 AM »
I use public computers at my university in addition to my personal computer at home.  How will I be able to access accounts on a public computer?  Obviously, I can't download or install software on a public computer, nor would I want to store any sensitive information on one. But I still need to be able to log in to my accounts to check my email, etc. while I'm at school.

Offline katala

  • Normal Members
  • *
  • Posts: 9
  • Amateur Cryptographer
Re: Public computers
« Reply #1 on: December 09, 2009, 06:47:12 PM »
I had the same problem.  I'm new to PWM too but love it.  However, I don't trust the RDF file needed to export settings.

While I doubt PWM's hashes can be reversed to decipher the main password, the RDF file contains a lot of unencrypted information regarding your accounts, if you fill it up to make it easy for you.  Try it yourself: copy it to WordPad or such to keep the formatting.

A problem I see is if PWM does indeed become popular, then it increases the incentive for a hacker to hack PWM, but less to try to decode the hash, but hack weaknesses within PWM itself such as the code libraries it uses, or even phish the user of the file.  

Methinks the more you keep secret the less likely important pw can be found.

That said, what I've done is I created a scheme of passwords that work on all my sites, then I go to the public website and either run JavaScript from there, or run a copy of it from your own website.

http://passwordmaker.org/passwordmaker.html

Just this n00b's 2c.


« Last Edit: December 09, 2009, 07:18:46 PM by katala »
Thank you.


Kq

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1363
Re: Public computers
« Reply #2 on: December 10, 2009, 11:26:52 AM »
> Methinks the more you keep secret the less likely important pw can be found.

That's where the 'Super Security Trick' comes into play.

It is entirely possible to use PWM in such a way that you could literally give a hacker your RDF file (but no, I'm not suggesting you do that), and they wouldn't be able to get into any of your accounts.

Offline katala

  • Normal Members
  • *
  • Posts: 9
  • Amateur Cryptographer
Re: Public computers
« Reply #3 on: December 10, 2009, 02:48:32 PM »
Thanks for the link.  I do something very similar and it's a reason I wish the RDF file were encrypted if it's to be used outside of a restricted location, like your PC at a secure site, at least.

There is no reason to have holes when holes can be fixed, as in making some portions of a user's algorithm easily available to unauthorized eyes.

You may already know MD5 has been cracked, and many US Federal sources no longer recommend the use of many MD series hashes.  MD5 is default in PWM.

Not that cracking the algorithm will be easy to do, but given the availability of more secure forms of hashes, why settle for less, and PWM offers alternatives.

http://en.wikipedia.org/wiki/MD5


Also, PWM default generated pw are often more secure using best practices in pw generation compared to the more compact, and easy to use SuperGenPass.

http://supergenpass.com/customize/

And try inserting them here for testing:

http://www.passwordmeter.com/
> > Methinks the more you keep secret the less likely important pw can be found.
>
> That's where the 'Super Security Trick' comes into play.
>
> It is entirely possible to use PWM in such a way that you could literally give a hacker your RDF file (but no, I'm not suggesting you do that), and they wouldn't be able to get into any of your accounts.
Thank you.


Kq

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1151
  • Programmer
    • http://www.miquelfire.com/
Re: Public computers
« Reply #4 on: December 11, 2009, 02:42:33 PM »
Note: Even though MD5 (and MD4) is cracked, the way they're used in PasswordMaker makes it REALLY hard to get the settings. One simple change is to edit the character set, like doubling some letters here and there.
"I'm not drunk, just sleep deprived."

Offline katala

  • Normal Members
  • *
  • Posts: 9
  • Amateur Cryptographer
Re: Public computers
« Reply #5 on: December 12, 2009, 04:44:56 PM »
> Note: Even though MD5 (and MD4) is cracked, the way they're used in PasswordMaker makes it REALLY hard to get the settings. One simple change is to edit the character set, like doubling some letters here and there.

Thanks, I agree.  But I presume all but us noobs have heard this before:

  • PWM stores customizations in an RDF, so that edited character set is there
  • open source code makes it easier to find encrypt variables, or even write a trojan version of PWM
  • the location of the default RDF is known


One can manually add characters in the pw after PWM generates it, so it's not stored.

In the end, I think, we are left with but one main source of security, knowing the hash is not reversible or not subject to collisions.

Everything else in PWM has been made open I guess thinking that it becomes a futile 'arms race' of one-upping hackers [who can break coding tricks, as in endless lists of keys available to unlock programs on warez sites] to hide either the true, or derived pw, using code obfuscation techniques to protect against attack.




Thank you.


Kq
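
An added illustration of the trade-off argued in replies #2 to #5 (example code, not PasswordMaker's own code or algorithm): a simplified HMAC-SHA256 generator in which the saved settings, including an edited character set, are known and only the master password is not. The function names, the sample site and the master passwords are constructed for the example.

```python
import hashlib
import hmac

DEFAULT_CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "abcdefghijklmnopqrstuvwxyz0123456789")


def derive(master, site, charset=DEFAULT_CHARSET, length=12):
    """Map HMAC-SHA256(master, site) onto `charset` (simplified stand-in scheme)."""
    if len(set(charset)) < 2:
        raise ValueError("charset needs at least two distinct characters")
    out, counter = [], 0
    while len(out) < length:
        msg = f"{site}\x00{counter}".encode()
        digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        n = int.from_bytes(digest, "big")
        # Base conversion: peel off one charset index per division.
        while n and len(out) < length:
            n, idx = divmod(n, len(charset))
            out.append(charset[idx])
        counter += 1
    return "".join(out)


# Constructed stand-in for a saved settings file: it holds every input
# except the master password, including a charset with doubled characters.
PROFILE = {
    "site": "mail.example.edu",
    "charset": DEFAULT_CHARSET.replace("e", "ee").replace("7", "77"),
    "length": 12,
}


def demo():
    real = derive("correct horse battery", **PROFILE)
    again = derive("correct horse battery", **PROFILE)   # retyped on another machine
    wrong = derive("correct horse batterz", **PROFILE)   # settings known, master wrong
    stock = derive("correct horse battery", PROFILE["site"])  # default charset
    return real, again, wrong, stock


if __name__ == "__main__":
    real, again, wrong, stock = demo()
    print("reproducible without stored state:", real == again)
    print("settings alone, wrong master     :", real != wrong)
    print("edited charset changes the output:", real != stock)
```

Because the edited character set travels with the saved settings, the master password is the only input in this sketch that is never written down.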

PasswordMaker Forums
