Passwords

I think I’ve got one post on the old blog about a new password scheme. I haven’t really thought much of it since then, but considering how often passwords are getting leaked nowadays this is kinda important. You should already know I use a dictionary password. I don’t really give a shit because there’s nothing to my name and therefore there’s nothing to lose. That’s what I say now, but I think I’ll shit bricks if any of my accounts get broken into. (Figuratively of course.)

I currently can’t be arsed to find the old post, and I don’t really remember what’s in it because it’s been so damn long since I wrote it, so I’ll just go by memory. Currently, if you’re trying to log in to a web site you’ll have to give the web site your password. HTTPS provides authentication and encryption, so there isn’t much of a problem, until you realise that many sites also require your email address to sign up. If you’re a lazy piece of shit you’ll probably be using the same password for both accounts, and the site you just signed up for can use that password to access your email.

Of course, being lazy, you want to use the same password everywhere, or something to that effect. What do you do? One way is to keep a file with proper cryptographically random passwords, and encrypt that with your favourite insecure password. Programs exist that do this for you. It’s still a suboptimal solution though, because you have to keep that file. It’s kind of like the issue I have with Bitcoins. Generally I don’t bother with backups (hurr durr), but these are actually worth something more valuable than my time. Also, those crypto-random passwords are completely unrelated to the master password, so if you lose the file somehow you lose everything.

Currently passwords are usually stored salted and hashed on the server (note: depending on how not-retarded the person coding the server is, this may or may not be the case)
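
What salted hashing on the server does and does not cover, as an added example that is not part of the original post: the stored records differ between sites, but each site's code still handles the plaintext password, so a reused password remains valid elsewhere. The `Site` class, the PBKDF2 parameters and the sample credentials are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this sketch


class Site:
    """Hypothetical server that stores salted, hashed passwords."""

    def __init__(self):
        self.db = {}        # email -> (salt, hash); what a database leak exposes
        self.received = []  # plaintext the server code handled at sign-up/login

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def sign_up(self, email, password):
        self.received.append(password)  # the site sees the real password
        salt = secrets.token_bytes(16)  # fresh random salt per account
        self.db[email] = (salt, self._hash(password, salt))

    def log_in(self, email, password):
        self.received.append(password)
        if email not in self.db:
            return False
        salt, stored = self.db[email]
        return hmac.compare_digest(stored, self._hash(password, salt))


def demo():
    email, password = "me@example.com", "correct horse"  # constructed sample input
    mail, forum = Site(), Site()
    mail.sign_up(email, password)
    forum.sign_up(email, password)
    # Salting: the same password yields unrelated records on the two sites.
    records_differ = mail.db[email][1] != forum.db[email][1]
    # Verification still works because the server re-hashes with the stored salt.
    verifies = forum.log_in(email, password) and not forum.log_in(email, "wrong guess")
    # Reuse: what the forum received in plaintext is also valid at the mail provider.
    reused_works_at_mail = mail.log_in(email, forum.received[0])
    return records_differ, verifies, reused_works_at_mail


if __name__ == "__main__":
    print(demo())
```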

(Last edited on July 19, 2011 at 12:10 pm. DRAFT QUEUE CLEARING.)
