Educause Security Discussion mailing list archives

Re: Passwords and Secure SSO

From: Eric Pancer <epancer () SECURITY DEPAUL EDU>
Date: Tue, 21 Dec 2004 01:25:08 -0600

Eric Pancer wrote on Tue, 2004-12-21 at 00:29:04 -0600...

Secure passwords continue to a challenge.    Has anybody looked at using
PasswordScrambler as an approach to secure SSO?
PasswordScrambler is a bookmarklet or chunk of Java code wired to a
button on the browser's linkbar.  It is activated when the user is on a
page that's displaying a password field.   The script prompts for a
master pass phrase and then combines it with the domain name of the site
being visited, hashes the combination to produce a scrambled string and
puts that into the password field.  The user can use the same master
pass phrase on a different site and it produces a different password.
It uses nothing but local JavaScript code.   So the user only has to
remember one secret, derives many storng passwords from it and never
stores or transmits the secret.


Interesting, but if a machine has a kernel-space keystroke logger,
this isn't going to prevent much of anything.


[snip]

Yea....I was reading the wrong thing when I replied. Sorry about
that.

--
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/ .:`:.:':.:`:. epancer () security depaul edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.

Current thread:

Passwords and Secure SSO Kay Sommers (Dec 20)
- <Possible follow-ups>
- Re: Passwords and Secure SSO Eric Pancer (Dec 20)
- Re: Passwords and Secure SSO Eric Pancer (Dec 20)
- Re: Passwords and Secure SSO Gary Dobbins (Dec 21)
- Re: Passwords and Secure SSO Cal Frye (Dec 21)
- Re: Passwords and Secure SSO Alan Amesbury (Dec 21)