Hacks, Kludges & Other Such Tomfoolery

Started by Shibboleet The Annihilator, April 26, 2010, 02:12:45 PM

P3nT4gR4m

Quote from: Pæs on February 13, 2014, 07:42:58 PM
It's not for everyone, but I use hashapass.com which will take a word like "facebook" and a master password I use everywhere like "horsebatterystaple" and give me a password with a combination of numbers, symbols and different cases. If I forget that password, I go to hashapass and enter "facebook", "horsebatterystaple" and it uses the same math to crunch those together and give me "dL;t8sDG" again.

If the service I'm using sucks at security, and HAXORS get my password, it only works for facebook and there is no way for them to turn it back into "horsebatterystaple" and figure out my password anywhere else.

Nice find. Been meaning to update my passwords for forever. This will do nicely. Probably write my own, right enough, imagine if hashapass.com was an NSA shill :tinfoilhat:

I'm up to my arse in Brexit Numpties, but I want more.  Target-rich environments are the new sexy.
Not actually a meat product.
Ass-Kicking & Foot-Stomping Ancient Master of SHIT FUCK FUCK FUCK
Awful and Bent Behemothic Results of Last Night's Painful Squat.
High Altitude Haggis-Filled Sex Bucket From Beyond Time and Space.
Internet Monkey Person of Filthy and Immoral Pygmy-Porn Wart Contagion
Octomom Auxillary Heat Exchanger Repairman
walking the fine line line between genius and batshit fucking crazy

"computation is a pattern in the spacetime arrangement of particles, and it's not the particles but the pattern that really matters! Matter doesn't matter." -- Max Tegmark

LMNO

Doesn't that make hashapass.com a single point of failure?  The security there must be airtight.

Pæs

Quote from: LMNO, PhD (life continues) on February 13, 2014, 07:56:06 PM
Doesn't that make hashapass.com a single point of failure?  The security there must be airtight.

They're not storing anything, just hosting javascript which securely hashes your password, using a parameter like "facebook" as a salt to influence the result. You can take their code and read it, host it yourself, make a command line tool which will always give the same results, if you like.

EDIT: This is the code for the bookmarklet http://pastebin.com/gwWstQka
Most of that is formatting a little UI for usability. I just have an offline version saved on my phone and because I'm becoming decreasingly paranoid, I have the master password weakly encrypted so I don't have to type my 50-char password every time. Just open the app, type "facebook", login. Makes my phone a point of failure for all of my logins, if people figure out what that button does, but if I lose the phone I disable it remotely anyway.

Pæs

The sophistication of the attack that would be needed to find a hash collision, where two strings turn into the same hash, is so excessive IMO as to render flying to my house and stealing my computer while I'm on it a more likely approach for anyone who wants to force me to like their page.

That's a less sophisticated attack than the one that would betray my master password, which is less likely.

The more paranoid of us can read hashapass's source every time, or host it and check its hash regularly for tampering, because it *is* possible that someone could hack hashapass and change the source temporarily. Which may be what you meant, LMNO?

LMNO

Let's chalk it up to me not fully understanding the process.  I think I have it now.

Pæs

It's not impossible to attack, but it's less likely and their FAQ does a good job of enumerating the risks and offering solutions.
I can remember random strings pretty well, so I know most of my hashpasswords, so for me it's more a matter of using a totally unique password on every service.

JBookup

How effective would something like this be?

Bhijadrbo = adverbial = rbxtiavrf = encrypted

Pæs

What you're making there is a cryptogram which is a puzzle used alongside newspaper crosswords.

For either of those nonsense strings, a simple online cryptogram solver (http://rumkin.com/tools/cipher/cryptogram-solver.php) will generate the two words you chose along with the hundreds of other words that fit. With a larger sample, it would start to find words there which didn't allow for other words in the string to be created, rule those keys out and continue until it had the only viable key. Unless you have a way to preserve your intended word choice, your method would mask the intended message from your recipient, defeating the purpose.

JBookup

They would have the legend and know exactly what it translates to without using a program.

Pæs

If there's a legend, what is the purpose of the intermediate steps?

JBookup

To make it harder to decipher. You decipher once and get an incoherent message that is readable but makes no sense.

Pæs

Okay, but it doesn't do that. You seem to be talking about a form of http://en.wikipedia.org/wiki/Deniable_encryption

But when you're making a simple cipher, rather than an encryption scheme based on factoring large primes or similarly mathematically complex systems, "bhijadrbo" and "rbxtiavrf" are identical. They look like "123456718": the individual letters don't matter; there are eight unique symbols and one is reused, and that's the pattern you're cracking. So your decipherment scheme adds complexity for the intended recipient but doesn't add any for a cracker.
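Worked example of what Pæs is describing, added here as an illustration (not code from either poster or from the cryptogram solver linked above). It computes the "123456718" repetition pattern a solver actually works from, looks up words that fit it in a constructed wordlist, and shows that applying JBookup's two substitutions one after the other is the same as applying a single substitution. The three strings come from the thread; the wordlist and helper names are mine.

```python
from typing import Dict, List, Sequence, Tuple


def pattern(word: str) -> Tuple[int, ...]:
    """Replace each letter by the index of its first appearance.
    'bhijadrbo', 'rbxtiavrf' and 'adverbial' all become (1,2,3,4,5,6,7,1,8):
    this, not the letters, is what a cryptogram solver matches on."""
    seen: Dict[str, int] = {}
    return tuple(seen.setdefault(c, len(seen) + 1) for c in word.lower())


def candidates(ciphertext: str, wordlist: Sequence[str]) -> List[str]:
    """Every word in the list that a simple substitution could turn into ciphertext."""
    target = pattern(ciphertext)
    return [w for w in wordlist if pattern(w) == target]


def key_between(plain: str, cipher: str) -> Dict[str, str]:
    """Recover the substitution key that maps plain -> cipher, refusing
    inconsistent pairs (the same plain letter going to two cipher letters)."""
    if len(plain) != len(cipher):
        raise ValueError("lengths differ")
    key: Dict[str, str] = {}
    for p, c in zip(plain, cipher):
        if key.setdefault(p, c) != c:
            raise ValueError(f"{p!r} maps to both {key[p]!r} and {c!r}")
    return key


def substitute(text: str, key: Dict[str, str]) -> str:
    return "".join(key.get(c, c) for c in text)


def compose(first: Dict[str, str], second: Dict[str, str]) -> Dict[str, str]:
    """Applying `first` and then `second` equals applying this single key,
    so a second substitution layer adds nothing for the attacker."""
    return {p: second.get(c, c) for p, c in first.items()}


# Constructed wordlist; a real solver would use a dictionary of thousands.
WORDLIST = ["adverbial", "algorithm", "cryptogram", "passwords", "laughable", "encrypted"]

# The two layers from JBookup's post: adverbial -> bhijadrbo -> rbxtiavrf.
KEY1 = key_between("adverbial", "bhijadrbo")
KEY2 = key_between("bhijadrbo", "rbxtiavrf")

if __name__ == "__main__":
    print("pattern:", pattern("bhijadrbo"), pattern("rbxtiavrf"), pattern("adverbial"))
    print("fits bhijadrbo:", candidates("bhijadrbo", WORDLIST))
    print("two layers: ", substitute(substitute("adverbial", KEY1), KEY2))
    print("one layer:  ", substitute("adverbial", compose(KEY1, KEY2)))
```

Note that "encrypted", the last word on JBookup's own line, has the same pattern as "adverbial" (first and eighth letters equal, all others distinct), so even this tiny wordlist already returns two candidates for the ciphertext; with a real dictionary that list is the "hundreds of other words" Pæs mentions, and only more ciphertext narrows it down.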

JBookup

Super easy, no legend needed...

831331247748569838838296247655247

Faust

Quote from: JBookup on March 08, 2014, 07:04:28 PM
Super easy, no legend needed...

831331247748569838838296247655247

Some kind of axial symmetry around the central character of the string,

831331247748569838838296247655247 Original
742556742692838838965847742133138 String reversed

111221505156331000133651505522111 differences between the two

Annnnd I'm out of time to look at that any further.
Sleepless nights at the chateau

JBookup

I like how I say it's super easy and you go and do something complicated. But I'm actually loving the idea of that and will probably make something that works like that. But as of right now it is really simple.