Comments on: The Yubikey http://pthree.org/2012/10/30/the-yubikey/ Linux. GNU. Freedom. Fri, 17 May 2013 20:46:35 +0000 hourly 1 http://wordpress.org/?v=3.6-beta2-24176 By: Aaron Toponce http://pthree.org/2012/10/30/the-yubikey/#comment-117190 Aaron Toponce Mon, 26 Nov 2012 05:19:12 +0000 http://pthree.org/?p=2554#comment-117190 Alexandre Franke- Still, it’s on online password managar. It requires running software on an external server, whether you own the server or not. This isn’t something I’m interested in.

]]> By: Joseph Scott http://pthree.org/2012/10/30/the-yubikey/#comment-117164 Joseph Scott Tue, 13 Nov 2012 15:15:55 +0000 http://pthree.org/?p=2554#comment-117164 The reason for passing along bcrypt’s 72 character limit is password collisions. Here is an example: say Alice has a password that is 100 characters long and Bob has a password that is 80 characters long. If they both start with the same 72 characters then for your system those passwords are identical. I consider that a condition to be avoided.

I came up with a few methods for working around this limitation and discussed it with the author of phpass. Ultimately there were some work arounds that likely didn’t reduce the security of the hashes, but the safest stance was still to limit user password strings to 72 characters to ensure uniqueness.

]]> By: Alexandre Franke http://pthree.org/2012/10/30/the-yubikey/#comment-117163 Alexandre Franke Tue, 13 Nov 2012 08:59:44 +0000 http://pthree.org/?p=2554#comment-117163 It seems you didn’t pay enough attention when looking it up.

Clipperz:
* can be installed on your own server (or your desktop provided you have a local web server) as it’s free software
* doesn’t store your passwords as it uses a zero knowledge paradigm

]]> By: Aaron Toponce http://pthree.org/2012/10/30/the-yubikey/#comment-117115 Aaron Toponce Wed, 31 Oct 2012 12:51:30 +0000 http://pthree.org/?p=2554#comment-117115 Joseph- Even though bcrypt/blowfish imposes the limit internally, why bother with it externally?

Alexandre- No thanks. I don’t buy into the security of online password managers. I would much rather prefer to manage my passwords without the help of an online 3rd party.

]]> By: Alexandre Franke http://pthree.org/2012/10/30/the-yubikey/#comment-117091 Alexandre Franke Tue, 30 Oct 2012 20:41:25 +0000 http://pthree.org/?p=2554#comment-117091 You may want to look at Clipperz and consider it as a replacement to KeePassX.

]]> By: Joseph Scott http://pthree.org/2012/10/30/the-yubikey/#comment-117090 Joseph Scott Tue, 30 Oct 2012 18:53:35 +0000 http://pthree.org/?p=2554#comment-117090

This is to appease silly developers who think it’s funny to limit the length of passwords in their form fields.

I confess to having the same feelings about password length limits. Then I ran into bcrypt/blowfish only paying attention to the first 72 characters of a string. So now I’m looking at limiting password strings to 72 characters. Still a decent amount, but doesn’t quite feel the same as allowing passwords of any length.

]]>