Author Topic: Hacks, Kludges & Other Such Tomfoolery  (Read 115771 times)

P3nT4gR4m

  • Official SSOOKN Pariah
  • Deserved It
  • ****
  • Posts: 15342
  • I'm an artist now - isn't that depressing?
Re: Hacks, Kludges & Other Such Tomfoolery
« Reply #90 on: February 13, 2014, 07:55:22 pm »
> It's not for everyone, but I use hashapass.com which will take a word like "facebook" and a master password I use everywhere like "horsebatterystaple" and give me a password with a combination of numbers, symbols and different cases. If I forget that password, I go to hashapass and enter "facebook", "horsebatterystaple" and it uses the same math to crunch those together and give me "dL;t8sDG" again.
>
> If the service I'm using sucks at security, and HAXORS get my password, it only works for facebook and there is no way for them to turn it back into "horsebatterystaple" and figure out my password anywhere else.

Nice find. Been meaning to update my passwords for forever. This will do nicely. Probably write my own, right enough, imagine if hashapass.com was an NSA shill :tinfoilhat:
I'm up to my arse in Brexit Numpties, but I want more.  Target-rich environments are the new sexy.
Not actually a meat product.
Ass-Kicking & Foot-Stomping Ancient Master of SHIT FUCK FUCK FUCK
Awful and Bent Behemothic Results of Last Night's Painful Squat.
High Altitude Haggis-Filled Sex Bucket From Beyond Time and Space.
Internet Monkey Person of Filthy and Immoral Pygmy-Porn Wart Contagion
Octomom Auxillary Heat Exchanger Repairman
walking the fine line line between genius and batshit fucking crazy

"computation is a pattern in the spacetime arrangement of particles, and it’s not the particles but the pattern that really matters! Matter doesn’t matter." -- Max Tegmark

LMNO

  • Lubricated and Rabid Lungfish of Impending Sexdoom™
  • Deserved It
  • ****
  • Posts: 62824
  • Internet Fuckweasel of Haunted Pork Dimensions.
« Reply #91 on: February 13, 2014, 07:56:06 pm »
Doesn't that make hashapass.com a single point of failure?  The security there must be airtight.

Pæs

  • James Bond-defying Shit-Volcano Trigger Device of the Next Armageddon.
  • Deserved It
  • ****
  • Posts: 2925
  • I ain't even mad.
« Reply #92 on: February 13, 2014, 08:11:26 pm »
> Doesn't that make hashapass.com a single point of failure?  The security there must be airtight.

They're not storing anything, just hosting javascript which securely hashes your password, using the parameter like "facebook" as a salt to influence the result. You can take their code and read it, host it yourself, make a command line tool which will always give the same results, if you like.

EDIT: This is the code for the bookmarklet http://pastebin.com/gwWstQka
Most of that is formatting a little UI for usability. I just have an offline version saved on my phone and because I'm becoming decreasingly paranoid, I have the master password weakly encrypted so I don't have to type my 50 char password every time. Just open the app, type "facebook", login. Makes my phone a point of failure for all of my logins, if people figure out what that button does, but if I lose the phone I disable it remotely anyway.
« Last Edit: February 13, 2014, 08:29:13 pm by Pæs »
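
A command-line version of the derivation described in the post above, as an added example that is not code from the post or from hashapass. It assumes the construction is HMAC-SHA1 keyed with the master password over the parameter, base64-encoded and cut to 8 characters (the thread does not spell this out); `stretched_site_password` is a hypothetical variant added here that uses PBKDF2 so each guess at the master password costs many hash calls.

```python
import base64
import hashlib
import hmac


def site_password(master, parameter, length=8):
    """Deterministic per-site password.

    Assumed construction: HMAC-SHA1(key=master, msg=parameter),
    base64-encoded, truncated to `length` characters.
    """
    digest = hmac.new(master.encode("utf-8"),
                      parameter.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def stretched_site_password(master, parameter, length=16, iterations=200_000):
    """Hypothetical variant: PBKDF2-HMAC-SHA256 with the parameter as salt.

    A single fast HMAC lets anyone holding one leaked site password test
    master-password guesses cheaply offline; the iteration count makes
    every guess `iterations` times more expensive.
    """
    raw = hashlib.pbkdf2_hmac("sha256",
                              master.encode("utf-8"),
                              parameter.encode("utf-8"),
                              iterations,
                              dklen=32)
    return base64.b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    master = "horsebatterystaple"  # example master password from the thread
    for site in ("facebook", "twitter"):
        # Same inputs always give the same output; nothing is stored anywhere.
        print(site, site_password(master, site),
              stretched_site_password(master, site))
```

Eight base64 characters carry 48 bits, so the per-site output is only as strong as that length and the master password behind it.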

Pæs

« Reply #93 on: February 13, 2014, 08:18:21 pm »
The sophistication of the attack that would be needed to find a hash collision, where two strings turn into the same hash, is so excessive IMO as to render flying to my house and stealing my computer while I'm on it a more likely approach for anyone who wants to force me to like their page.

That's a less sophisticated attack than the one that would betray my master password, which is less likely.

The more paranoid of us can read hashapass's source every time, or host it and check its hash regularly for tampering, because it *is* possible that someone hacks hashapass and changes the source temporarily. Which may be what you meant, LMNO?

LMNO

« Reply #94 on: February 13, 2014, 08:25:30 pm »
Let's chalk it up to me not fully understanding the process.  I think I have it now.

Pæs

« Reply #95 on: February 13, 2014, 08:30:42 pm »
It's not impossible to attack, but it's less likely and their FAQ does a good job of enumerating the risks and offering solutions.
I can remember random strings pretty well, so know most of my hashpasswords, so for me it's more a matter of using a totally unique password on every service.

JBookup

  • Known
  • *
  • Posts: 26
  • SPAG
« Reply #96 on: February 14, 2014, 04:41:53 pm »
How effective would something like this be?

Bhijadrbo = adverbial = rbxtiavrf = encrypted

Pæs

« Reply #97 on: February 14, 2014, 09:02:01 pm »
What you're making there is a cryptogram, which is a puzzle used alongside newspaper crosswords.

For either of those nonsense strings, a simple online cryptogram solver (http://rumkin.com/tools/cipher/cryptogram-solver.php) will generate the two words you chose along with the hundreds of other words that fit. With a larger sample, it would start to find words there which didn't allow for other words in the string to be created, rule those keys out and continue until it had the only viable key. Unless you have a way to preserve your intended word choice, your method would mask the intended message from your recipient, defeating the purpose.

JBookup

« Reply #98 on: February 14, 2014, 09:43:05 pm »
They would have the legend and know exactly what it translates to without using a program.

Pæs

« Reply #99 on: February 14, 2014, 10:00:44 pm »
If there's a legend, what is the purpose of the intermediate steps?

JBookup

« Reply #100 on: February 14, 2014, 11:24:29 pm »
To make it harder to decipher. You decipher once and get a noncoherent message that is readable but makes no sense.

Pæs

« Reply #101 on: February 14, 2014, 11:29:46 pm »
Okay, but it doesn't do that. You seem to be talking about a form of http://en.wikipedia.org/wiki/Deniable_encryption

But when you're making a simple cipher, rather than an encryption scheme based on factoring large primes or similarly mathematically complex systems, "bhijadrbo" and "rbxtiavrf" are identical. They look like "123456718", the individual letters don't matter, there are eight unique symbols and one is reused, that's the pattern you're cracking. So your decipherment scheme adds complexity for the intended recipient but doesn't add any for a cracker.
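
The "123456718" pattern from the post above, and the key elimination with a larger sample described in reply #97, as an added example that is not part of either post. The word list and the second ciphertext word `dajbh` are constructed for the demo, and all function names are hypothetical.

```python
from itertools import product

# Constructed word list for this demo; a real solver would use a full dictionary.
WORDS = ["adverbial", "encrypted", "numbering", "simulcast", "passwords",
         "bread", "table", "crisp"]


def pattern(word):
    """Number letters by first appearance: 'adverbial' -> (1,2,3,4,5,6,7,1,8)."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen) + 1) for ch in word.lower())


def candidates(cipher_word, wordlist=WORDS):
    """Every listed word with the same repetition pattern as the ciphertext."""
    target = pattern(cipher_word)
    return sorted(w for w in wordlist if pattern(w) == target)


def extend_key(key, cipher_word, plain_word):
    """Add cipher->plain letter pairs to key; None if no longer one-to-one."""
    key = dict(key)
    for c, p in zip(cipher_word, plain_word):
        if key.get(c, p) != p or (c not in key and p in key.values()):
            return None
        key[c] = p
    return key


def consistent_readings(cipher_words, wordlist=WORDS):
    """Keep only candidate combinations that one substitution key explains."""
    readings = []
    for combo in product(*(candidates(c, wordlist) for c in cipher_words)):
        key = {}
        for c, p in zip(cipher_words, combo):
            key = extend_key(key, c, p)
            if key is None:
                break
        else:
            readings.append(combo)
    return readings


if __name__ == "__main__":
    print(pattern("bhijadrbo") == pattern("rbxtiavrf"))
    print(candidates("bhijadrbo"))
    # "dajbh" is constructed: "bread" under the key that maps adverbial -> bhijadrbo.
    print(consistent_readings(["bhijadrbo", "dajbh"]))
```

One nine-letter word leaves four equally valid readings in this list; adding a single five-letter word under the same key leaves one.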

JBookup

« Reply #102 on: March 08, 2014, 07:04:28 pm »
Super easy no legend needed...

831331247748569838838296247655247

Faust

  • Tyrannical Overlord
  • Deserved It
  • *
  • Posts: 10492
  • The Greasy Strangler
« Reply #103 on: March 08, 2014, 07:21:10 pm »
> Super easy no legend needed...
>
> 831331247748569838838296247655247

Some kind of axial symmetry around the central character on the string,

831331247748569838838296247655247 Original
742556742692838838965847742133138 String reversed

111221505156331000133651505522111 differences between the two

Annnnd I'm out of time to look at that any further.
Sleepless nights at the chateau

JBookup

« Reply #104 on: March 08, 2014, 07:59:04 pm »
I like how I say it's super easy and you go and do something complicated. But I'm actually loving the idea of that and will probably make something that works like that. But as of right now it is really simple.