
BLU Discuss list archive



[Discuss] KeePassX



Most password-based offline encryption products don't give you any knowledge or control over the key derivation process.  They have some number of rounds, perhaps 16,000, hashing the salt...  which is very ineffective.  I was greatly pleased to see KeePass has a "one second" button to derive the number of rounds, and it turns out to be approx 10 million for a typical PC.  Any product that uses a significantly smaller number of rounds in their key derivation process will not be effective in thwarting even an unsophisticated brute force password hack.  And even so, if your memorized password isn't randomly generated, long and complex, it's probably not effective anyway.

I find it's tough enough to type a long complex password on a computer.  It's far, far worse on a phone.

I am a great fan of BioWallet.  You "sign" the screen with your finger.  Your name, a random word, whatever.  It works best for handwritten words, and doesn't work so well for geometric shapes, drawings, patterns.  It performs bioinformatic analysis on your gesture, to either unlock or not unlock the encryption key.

I have gone through the exercise before, of telling people my BioWallet password, and have them try getting in.  They fail.  Because their handwriting doesn't match mine.  I write it on a piece of paper so they can attempt to forge my handwriting.  They fail because they're writing it too big, too small, too far off to one side or up or down, too fast, or too slow.  They only succeed if I show them myself signing the screen, then hand it to them to copy, and we pass it back and forth numerous times repeating and practicing copying my handwriting.

This is way more user friendly than typing a long complex random password on a phone keyboard.  Hence, IMHO, it's also much more secure.
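The "one second" calibration the post describes (measure how fast this machine runs the KDF, then pick a round count that costs about a second per unlock) can be shown in a few lines. The script below is an added example for this archive page, not KeePass or KeePassX code: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for whatever KDF a given product uses, the salt, passphrase and verifier scheme are constructed for the demo, and it also compares the attacker's cost at 16,000 rounds against the calibrated count, which is the point the post makes about small fixed round counts.

```python
"""Calibrate a PBKDF2 round count to a time budget and compare attacker cost.

Added example (not KeePass/KeePassX code). PBKDF2-HMAC-SHA256 stands in for
the product's real KDF; the header/verifier layout below is a constructed
stand-in, not any product's file format.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

HASH_NAME = "sha256"
KEY_LEN = 32
# Constructed placeholder credentials, used only for timing probes.
DEMO_PASSWORD = b"constructed-demo-passphrase"
DEMO_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def derive_key(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Stretch `password` with PBKDF2-HMAC; `rounds` is the work factor."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password, salt, rounds, KEY_LEN)


def seconds_per_round(probe_rounds: int = 20_000) -> float:
    """Measure this machine's cost of one PBKDF2 round, in seconds."""
    start = time.perf_counter()
    derive_key(DEMO_PASSWORD, DEMO_SALT, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)  # guard a zero timer reading
    return elapsed / probe_rounds


def calibrate_rounds(target_seconds: float = 1.0, probe_rounds: int = 20_000) -> int:
    """Round count that makes one derivation take about `target_seconds` here.

    This is the idea behind the "one second" button: the work factor is chosen
    from a measurement on the user's own hardware rather than a fixed constant.
    """
    return max(1, int(target_seconds / seconds_per_round(probe_rounds)))


def new_header(password: bytes, rounds: int) -> dict:
    """Parameters a database must persist so the same KDF work is redone on open.

    Salt and round count are stored in the clear; the verifier is an HMAC under
    the derived key over a fixed label (constructed scheme) so a wrong password
    is rejected without exposing the key itself.
    """
    salt = os.urandom(16)
    key = derive_key(password, salt, rounds)
    verifier = hmac.new(key, b"header-verifier", HASH_NAME).digest()
    return {"salt": salt, "rounds": rounds, "verifier": verifier}


def open_header(password: bytes, header: dict) -> Optional[bytes]:
    """Re-derive with the stored salt/rounds; return the key, or None if wrong."""
    key = derive_key(password, header["salt"], header["rounds"])
    check = hmac.new(key, b"header-verifier", HASH_NAME).digest()
    return key if hmac.compare_digest(check, header["verifier"]) else None


def attack_seconds(rounds: int, guesses: int, per_round: float, cores: int = 1) -> float:
    """Wall-clock time for an attacker at the same per-core speed to try `guesses`
    candidate passwords; cost scales linearly with the round count."""
    return guesses * rounds * per_round / cores


if __name__ == "__main__":
    per_round = seconds_per_round()
    rounds = calibrate_rounds(1.0)
    print(f"{per_round * 1e9:.1f} ns/round -> {rounds:,} rounds for ~1 s per unlock")
    for r in (16_000, rounds):
        years = attack_seconds(r, 2 ** 40, per_round, cores=8) / (365 * 86_400)
        print(f"{r:>12,} rounds: 2^40 guesses on 8 cores ~ {years:,.1f} years")
    hdr = new_header(DEMO_PASSWORD, 200_000)
    print("correct password opens:", open_header(DEMO_PASSWORD, hdr) is not None)
    print("wrong password opens:  ", open_header(b"wrong", hdr) is not None)
```

The calibrated figure is only as good as the measurement: a laptop on battery or a phone will produce a much smaller round count than a desktop, and the value is fixed into the header, so a database created on slow hardware stays cheap to attack wherever it is later opened. The 2^40 guess figure is a constructed keyspace for the comparison, not a claim about any particular password.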



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org