Author: Rémi
Date:
To: intrigeri, The Tails public development discussion list
Subject: Re: [Tails-dev] Goldfish the ephemeral password manager.
Good suggestion.
I added the following text to the repository:
Goldfish is unlocked using 1,000,000 rounds of SHA-512, which takes ~1.5
seconds in Python. The hash rounds are not meant to replace an actual
strong password, so the password should be about as strong as your
TrueCrypt password.
A danger is that the root password would be guessed. It is also not
obvious how to change a password. If a service provider has the
username/password pair, this does not give away anything about other
credentials.
Obfuscation.
The usernames are designed to 'look real'. They are derived from common
western names with an added suffix. The service passwords and username
suffixes vary in length to further obfuscate that Goldfish is used.
If someone really wants to, they could figure out that a set of
credentials was likely generated using Goldfish. This should not
directly be obvious, certainly not by just looking at the username.
R.
On 13/05/14 12:09, intrigeri wrote:
> Hi Rémi,
>
> Rémi wrote (12 May 2014 09:48:13 GMT) :
>> I wrote an ephemeral password manager, for privacy and anonymity.
>> The idea is that you use a root password to deterministically generate
>> credentials, so no need to store the credentials.
>
> Thanks for this suggestion.
>
> Just curious: is there any threat model description, and security
> analysis of the underlying password generation algorithm, to be
> found somewhere?
>
> Cheers,
>
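The scheme the message describes (a deliberately slow SHA-512 unlock of the root password, then deterministic per-service credentials with name-based usernames and varying lengths), sketched as an added Python example. This is not Goldfish's own code; the name list, the HMAC-based per-service derivation, the character sets and the length ranges are assumptions made for the sketch.

```python
import hashlib
import hmac

# Constructed stand-in for the "common western names" the message mentions.
COMMON_NAMES = ["alice", "daniel", "emma", "james", "laura", "oliver", "sophie", "thomas"]
PW_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
DIGITS = "0123456789"


def unlock(root_password: str, rounds: int = 1_000_000) -> bytes:
    """Stretch the root password with `rounds` chained SHA-512 rounds.

    Deliberately slow (the message quotes ~1.5 s for 1,000,000 rounds);
    lower `rounds` only for tests. The stretching does not replace a strong
    root password: a weak one can still be guessed by paying this cost per try.
    """
    digest = root_password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha512(digest).digest()
    return digest


def _stream(master: bytes, label: str, nbytes: int) -> bytes:
    """Deterministic bytes for one label: HMAC-SHA512(master, label || counter).
    Because HMAC is one-way, a leaked (username, password) pair for one service
    reveals nothing about `master` or about other services' credentials."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(master, f"{label}:{counter}".encode(), hashlib.sha512).digest()
        counter += 1
    return out[:nbytes]


def _to_chars(data: bytes, alphabet: str, length: int) -> str:
    # Modulo mapping has a small bias; a real implementation should use
    # rejection sampling so every character is equally likely.
    return "".join(alphabet[b % len(alphabet)] for b in data[:length])


def credentials(master: bytes, service: str) -> tuple[str, str]:
    """Derive a (username, password) pair for `service` from the unlocked key.
    Username = common name + digit suffix of 2..5 chars (assumed range);
    password length varies over 12..19 chars (assumed range)."""
    ctrl = _stream(master, service + "/ctrl", 3)
    name = COMMON_NAMES[ctrl[0] % len(COMMON_NAMES)]
    suffix_len = 2 + ctrl[1] % 4
    pw_len = 12 + ctrl[2] % 8
    suffix = _to_chars(_stream(master, service + "/user", suffix_len), DIGITS, suffix_len)
    password = _to_chars(_stream(master, service + "/pass", pw_len), PW_ALPHABET, pw_len)
    return name + suffix, password
```

Re-running `credentials(unlock(root), service)` on any machine reproduces the same pair, which is what makes storage unnecessary; the flip side, as the message notes, is that changing the root password changes every derived credential at once.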