A better way to think about passwords

Hauke Laging mailinglisten at hauke-laging.de
Mon Apr 18 13:21:07 CEST 2011


On Monday 18 April 2011 12:53:12, Faramir wrote:

>   Maybe we should just pick a "good password", hash it a couple of
> times, and use that hash as the real password... we could carry the
> hashing tool in a flash drive.

That does not make sense to me because you do not increase the key space by 
that. If you try to defend against somebody who knows what you do then it is 
no protection.

My wish is to have a secure, small, cheap smartcard-like device which stores a 
salt, takes a password and then gives you a hash. The salt makes this secure. 
Your "password" can even be the name of the organization to which the account 
belongs. "bank xy". Easy to remember and thus completely safe because the hash 
is created over
"OJD5jLP1L8Wa0a19qtgRH4dlzA7aeZTobank xy"
And if you are asked to change the password, over
"OJD5jLP1L8Wa0a19qtgRH4dlzA7aeZTobank xy2"
"OJD5jLP1L8Wa0a19qtgRH4dlzA7aeZTobank xy3"

Such a device would also allow easy but secure CRAM logins – even by phone.


Hauke
-- 
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
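As an added illustration of the scheme sketched in the message above (not code from the post, the list, or any real device), the following Python derives a per-site password from a device-held salt plus a memorable label with a rotation counter, and then uses that password as the shared secret for a challenge-response (CRAM-style) login. The salt value is the post's example string used as a constructed sample, HMAC-SHA256 stands in for the plain hash over salt plus label, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample device salt: on a real device it would be generated on the
# card and never leave it (value taken from the post's illustration).
DEVICE_SALT = b"OJD5jLP1L8Wa0a19qtgRH4dlzA7aeZTo"


def derive_password(salt: bytes, label: str, generation: int = 1, length: int = 20) -> str:
    """Turn an easy-to-remember label ("bank xy") into a site password.

    Generation 1 hashes the bare label; when the site demands a new password
    the counter is appended ("bank xy2", "bank xy3"), as in the post.
    HMAC-SHA256 keyed with the device salt replaces a plain hash over
    salt||label; an attacker who knows the scheme but not the salt gains nothing.
    """
    material = label if generation == 1 else f"{label}{generation}"
    digest = hmac.new(salt, material.encode("utf-8"), hashlib.sha256).digest()
    # base64 gives a printable password; trim to what the site accepts
    return base64.b64encode(digest).decode("ascii")[:length]


def cram_challenge() -> bytes:
    """Server side: a fresh random nonce for every login attempt."""
    return secrets.token_bytes(16)


def cram_response(salt: bytes, label: str, challenge: bytes, generation: int = 1) -> str:
    """Device side: prove knowledge of the derived password without sending it."""
    key = derive_password(salt, label, generation).encode("ascii")
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


def cram_verify(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side: recompute the MAC from the enrolled password; constant-time compare."""
    expected = hmac.new(stored_password.encode("ascii"), challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    pw = derive_password(DEVICE_SALT, "bank xy")
    print("password for 'bank xy':", pw)
    print("after forced change:   ", derive_password(DEVICE_SALT, "bank xy", generation=2))
    nonce = cram_challenge()
    print("CRAM ok:", cram_verify(pw, nonce, cram_response(DEVICE_SALT, "bank xy", nonce)))
```

The server enrols only the derived password, so a breach of one site reveals neither the salt nor the passwords derived for other labels.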