
GRC's | Off The Grid   - billpg
https://www.grc.com/offthegrid.htm
======
Zarathust
I don't see how this is much more secure than a reusable one-time pad. Which
is not so secure.

In fact I'm a little wary of GRC since almost all of his posts have so many
extreme claims such as "This “Off The Grid” technology is the only known
system to provide secure encryption using nothing but a specially designed
piece of paper.", "create your own personal custom grid (which NO ONE ELSE
will ever have)". All of this makes it look like a scam to me.

~~~
eyah
AFAICT, this can be defeated with a suffixed domain that invites users to
register.

I.e., put a message board on a specialized domain (e.g. amazoncomplaints.com,
somerandombank-watchdog.com) and then harvest the target passwords as users
sign up...

------
cuu508
Sudoku solvers might take interest in breaking this. Given enough known
generated passwords, it should be possible to reconstruct the square, no?

~~~
rufibarbatus
In the Security Now podcast [1], Gibson asserted that every position in these
25x25 grids has so much entropy that even a hell of a lot of passwords
wouldn't give away the whole grid.

Now, I personally couldn't pull this off, but I'd actually love to see the
Math done here.

[1] Video: <http://twit.tv/show/security-now/315> Transcript:
<http://www.grc.com/sn/sn-315.htm>

~~~
bdonlan
The generator on this webpage is based on five samples from the Javascript
PRNG (all from the same state, so effectively only 32 bits of entropy or so),
plus the browser's window size and client viewport size, and mouse movements.
Prior to sampling mouse movements, we're talking about around 64 bits of
entropy here; probably less if your window is maximized (since there are a
small number of popular window sizes). I wouldn't trust the grid that's shown
on initial load, that's for sure.

Also note that it's frequently said that anyone can make a cryptosystem secure
enough that the creator themselves cannot break it. So I wouldn't fully trust
this without further analysis. I don't really like how much key material is
exposed to the sites, though...

But that's not really the point. The real problem is that this is a _lot of
work_. The real problem with passwords is not that generating them is hard.
There's no end to systems to generate passwords. Here's an easy one: Print out
a list of 6^4 common English words. Roll 4 dice to select one. Repeat four
times. There's your password.

No, the real problem is compliance. Remembering passwords is hard, so people
don't bother. Regenerating passwords each time with this "Off The Grid" system
is also hard. So people won't bother. It is _far better_ to have a password
management app than to halfheartedly use a system like this but eventually
give up and go back to using the same password everywhere.

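The dice-and-word-list scheme bdonlan sketches above (a list of 6^4 words, four d6 rolls per word, four words) is easy to make concrete and to measure. The script below is an added example, not code from the thread, from GRC, or from any diceware project: it maps dice rolls to a list index in base 6, draws words with a cryptographic source standing in for physical dice, and computes the resulting entropy so the 1296-word list can be compared against the ~32 bits bdonlan attributes to the page's own generator. The 1296-entry word list is constructed from syllables so the script runs offline; a real list would hold common English words. All function names are this example's own.

```python
import itertools
import math
import secrets

SIDES = 6
DICE_PER_WORD = 4
WORDS_PER_LIST = SIDES ** DICE_PER_WORD  # 6^4 = 1296, as in the comment

# Constructed stand-in for a list of 1296 common English words: every
# onset+vowel+onset+vowel combination of these letters (6*6*6*6 = 1296 words).
ONSETS = ["b", "d", "k", "m", "p", "t"]
VOWELS = ["a", "e", "i", "o", "u", "y"]


def build_word_list():
    """Return 1296 distinct pseudo-words, one per possible four-dice outcome."""
    return ["".join(p) for p in itertools.product(ONSETS, VOWELS, ONSETS, VOWELS)]


def dice_to_index(rolls):
    """Interpret four d6 results (each 1..6) as a base-6 number in 0..1295.

    The first roll is the most significant digit, so the whole outcome space
    maps one-to-one onto list positions and no word is favoured over another.
    """
    if len(rolls) != DICE_PER_WORD:
        raise ValueError(f"expected {DICE_PER_WORD} rolls, got {len(rolls)}")
    index = 0
    for r in rolls:
        if not 1 <= r <= SIDES:
            raise ValueError(f"die result out of range: {r}")
        index = index * SIDES + (r - 1)
    return index


def roll_dice(n, rng=secrets.randbelow):
    """Simulate n fair d6 rolls; secrets.randbelow stands in for real dice."""
    return [rng(SIDES) + 1 for _ in range(n)]


def generate_passphrase(word_list, n_words=4, rng=secrets.randbelow):
    """Draw n_words words by rolling four dice per word, as the comment describes."""
    chosen = []
    for _ in range(n_words):
        chosen.append(word_list[dice_to_index(roll_dice(DICE_PER_WORD, rng))])
    return " ".join(chosen)


def entropy_bits(list_size, n_words):
    """Entropy of a passphrase of n_words independent uniform picks from list_size words."""
    return n_words * math.log2(list_size)


def words_for_target(list_size, target_bits):
    """Smallest number of words from a list_size list that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    words = build_word_list()
    print("sample passphrase:", generate_passphrase(words, 4))
    # Four words from 1296 give about 41.4 bits; the comment's estimate for the
    # page's JavaScript PRNG seeding was roughly 32 bits before mouse movements.
    print("entropy of 4 words:", round(entropy_bits(WORDS_PER_LIST, 4), 2), "bits")
    print("words needed for 80 bits:", words_for_target(WORDS_PER_LIST, 80))
```

The base-6 mapping is the part worth checking in any paper scheme like this: if rolls are instead combined by addition or by looking up a smaller table, the distribution over words becomes non-uniform and the entropy figure overstates the real strength. Four words from a 1296-word list give about 41 bits; eight words are needed to reach 80 bits with the same list.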
~~~
rufibarbatus
Ah, thanks for the analysis.

You're absolutely right about its use for password generation & management. I
suppose the scheme might still have other uses where the proverbial "off the
grid" aspect indeed strengthens security? Are those relevant at all?

------
swaits
I still believe my system is better. Detailed description and source here:
<http://news.ycombinator.com/item?id=2431480>

