

Password security without a password manager - sucuri2
http://blog.sucuri.net/2009/10/password-security-without-password.html

======
mh_
If "unknown" + "known" | md5sum is your password recipe, then a single site
with a poor lockout policy allows me to launch a brute-force attack to
determine "unknown", at which point you lose access to _

~~~
DanielStraight
Well, you have to consider that there's no way to determine the recipe.

If your recipe is known + url, then that's easily discoverable if you know one
password. With hashing, it's (sufficiently) impossible to guess what the
recipe was. This sounds like security through obscurity, but it really
isn't... at least no more so than a password is. It's just that instead of a
password or passphrase, you have a passrecipe. It's still a secret key that
only you know.

The problem I see in this is that you have to generate your password all the
time. That means it shows up in plain text on your screen all the time. May as
well just write it down somewhere.

~~~
ErrantX
Except we now know that author's recipe.

If you're attacking an individual, you look for things like this as clues to
help you.

~~~
DanielStraight
Well, that's a good point. I guess the author didn't realize his recipe was his
secret key.

~~~
sucuri2
Not really... the security is on the strong password I choose, not on the
recipe. That's the benefit of using a one way hash.

Now, I can choose one long, crazy pass (or pass phrase) and remember only that
instead of dozens of passwords for different sites.
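The scheme the thread argues about, written out so the trade-off is concrete. This is an added example, not code from the blog post or any commenter: `derive_md5` is the md5sum recipe under discussion, `derive_pbkdf2` is a hardened variant that keeps the same "one secret, many sites" idea but uses Python's standard `hashlib.pbkdf2_hmac` so each guess at the master costs many hash iterations instead of one, and `master_entropy_bits` gives the rough search-space bound that sucuri2's point ("the security is on the strong password I choose") depends on. The sample master passphrase and site name are constructed values.

```python
import hashlib
import math
from getpass import getpass

# Constructed sample values (not taken from the thread).
MASTER = "correct horse battery staple"   # the "unknown" part, the only secret
SITE = "example.com"                       # the "known" part, public per site


def derive_md5(master: str, site: str) -> str:
    """The recipe from the thread: md5 over unknown + known, as hex.

    Publishing the recipe does not reveal the master, but every site
    password is a deterministic function of it, and md5 is cheap: one
    leaked site password lets an attacker test master guesses offline
    at raw hash speed.
    """
    return hashlib.md5((master + site).encode("utf-8")).hexdigest()


def derive_pbkdf2(master: str, site: str,
                  iterations: int = 200_000, length: int = 16) -> str:
    """Same idea with a slow KDF; the site name serves as the salt.

    Each guess at the master now costs `iterations` HMAC rounds rather
    than a single md5, which is the knob that changes the offline
    guessing cost mh_ raised. Derived passwords are still per-site.
    """
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site.encode("utf-8"), iterations, dklen=length)
    return raw.hex()


def master_entropy_bits(master: str) -> float:
    """Upper bound on brute-force work: len * log2(alphabet size).

    This is the charset estimate only. A passphrase built from dictionary
    words has far less real entropy than this number suggests, so treat
    it as a ceiling, not a guarantee.
    """
    alphabet = 0
    if any(c.islower() for c in master):
        alphabet += 26
    if any(c.isupper() for c in master):
        alphabet += 26
    if any(c.isdigit() for c in master):
        alphabet += 10
    if any(not c.isalnum() for c in master):
        alphabet += 33          # printable ASCII punctuation and space
    if alphabet == 0:
        return 0.0
    return len(master) * math.log2(alphabet)


if __name__ == "__main__":
    # getpass keeps the master off the screen, which addresses
    # DanielStraight's objection that the secret is typed in plain view.
    secret = getpass("master: ")
    site = input("site: ")
    print("md5 recipe   :", derive_md5(secret, site))
    print("pbkdf2 recipe:", derive_pbkdf2(secret, site))
    print("charset bound: %.1f bits" % master_entropy_bits(secret))
```

Running it interactively shows that the same master yields unrelated strings for different sites under both recipes; the difference the thread cares about is only visible in cost per guess, and `derive_pbkdf2` at the default iteration count is noticeably slower on purpose.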

