Educause Security Discussion mailing list archives
Re: Passwords and Secure SSO
From: Eric Pancer <epancer () SECURITY DEPAUL EDU>
Date: Tue, 21 Dec 2004 01:25:08 -0600
Eric Pancer wrote on Tue, 2004-12-21 at 00:29:04 -0600...
Secure passwords continue to be a challenge. Has anybody looked at using PasswordScrambler as an approach to secure SSO? PasswordScrambler is a bookmarklet or chunk of Java code wired to a button on the browser's linkbar. It is activated when the user is on a page that's displaying a password field. The script prompts for a master pass phrase and then combines it with the domain name of the site being visited, hashes the combination to produce a scrambled string and puts that into the password field. The user can use the same master pass phrase on a different site and it produces a different password. It uses nothing but local JavaScript code. So the user only has to remember one secret, derives many strong passwords from it and never stores or transmits the secret.

Interesting, but if a machine has a kernel-space keystroke logger, this isn't going to prevent much of anything.
[snip]

Yea.... I was reading the wrong thing when I replied. Sorry about that.

--
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/ .:`:.:':.:`:. epancer () security depaul edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
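
The scheme described in the quoted message (a master pass phrase combined with the site's domain name, then hashed into a per-site password), as an added example that is not part of the original thread and is not PasswordScrambler's own code. It assumes PBKDF2-HMAC-SHA256 in place of the unspecified hash, a hostname normalization rule the page does not give, and the hypothetical names `siteKey`, `derivePassword` and `demo`; it runs under Node.js.

```javascript
// Added illustration; not PasswordScrambler's code. Runs under Node.js.
const crypto = require('node:crypto');

// Assumption: the site is identified by the URL's lower-cased hostname with a
// leading "www." removed. The page does not say how the tool normalizes it.
function siteKey(url) {
  return new URL(url).hostname.toLowerCase().replace(/^www\./, '');
}

// Derive a per-site password from the master pass phrase and the domain.
// PBKDF2-HMAC-SHA256 stands in for the unspecified hash: the domain acts as
// the salt, and the iteration count slows offline guessing of the master
// phrase if one derived password leaks from a breached site.
function derivePassword(masterPhrase, url, length = 16, iterations = 100000) {
  if (!masterPhrase) throw new Error('master pass phrase is required');
  const raw = crypto.pbkdf2Sync(masterPhrase, siteKey(url), iterations, 32, 'sha256');
  // base64url keeps the output printable: A-Z a-z 0-9 - _
  return raw.toString('base64url').slice(0, length);
}

// Constructed sample inputs (reserved .test domains, made-up pass phrase).
function demo() {
  const master = 'constructed example phrase';
  return {
    bank: derivePassword(master, 'https://www.example-bank.test/login'),
    // Same site, different page and no "www.": must yield the same password.
    bankNoWww: derivePassword(master, 'https://example-bank.test/account'),
    // Lookalike hostname (digit 1 for letter l): yields an unrelated password,
    // so a password typed into the lookalike is useless on the real site.
    lookalike: derivePassword(master, 'https://examp1e-bank.test/login'),
    // A different site with the same master phrase: different password.
    mail: derivePassword(master, 'https://mail.example.test/'),
  };
}

console.log(demo());
```

As the reply in this thread points out, the master pass phrase is still typed on the local machine, so this derivation does nothing against a keystroke logger.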