From tianshuo at gmail.com Fri Mar 11 18:03:58 2005
From: tianshuo at gmail.com (Tianshuo Hu)
Date: Fri Mar 11 20:54:59 2005
Subject: [passwordmaker] an error on your home page...
Message-ID: <64c038c2050311020342871b42@mail.gmail.com>

on the homepage is ...
"If you are still hesitant, passwordmaker supports SHA-1. Collisions
for the full version of SHA-1 have not been found. Additionally,
HMAC-MD5 and HMAC-4 implementations are also provided. Neither hash
collision nor pre-image attacks have been found for any HMAC
implementation to our knowledge. See here."

well, as a matter of fact, it seems that sha-1 was cracked by those guys
just recently...

From grimholtz at yahoo.com Sat Mar 12 05:03:34 2005
From: grimholtz at yahoo.com (Eric Jung)
Date: Sat Mar 12 08:09:50 2005
Subject: [passwordmaker] an error on your home page...
In-Reply-To: 6667
Message-ID: <20050312130334.54385.qmail@web54501.mail.yahoo.com>

Hi,

Thanks for pointing out the error. I've updated the page. However, it's
important to point out that hash collisions (unlike pre-image attacks)
do not affect the one-way nature of SHA-1 and, therefore, do not
affect the integrity of passwordmaker.

--- Tianshuo Hu wrote:
> on the homepage is ...
> "If you are still hesitant, passwordmaker supports SHA-1. Collisions
> for the full version of SHA-1 have not been found. Additionally,
> HMAC-MD5 and HMAC-4 implementations are also provided. Neither hash
> collision nor pre-image attacks have been found for any HMAC
> implementation to our knowledge. See here."
>
> well, as a matter of fact, it seems that sha-1 was cracked by those guys
> just recently...
From clockworksaint at gmail.com Tue Mar 15 00:26:56 2005
From: clockworksaint at gmail.com (Weeble)
Date: Mon Mar 14 19:33:12 2005
Subject: [passwordmaker] Failed auto-extraction of domain name
Message-ID: <13e3f99305031416264c8c191a@mail.gmail.com>

Hi,
Password Maker doesn't seem to cope with domain names in countries
where a second-level-domain is required for all domains. For example,
foo.bar.co.uk is unhelpfully identified as being the co.uk domain,
rather than the bar.co.uk domain. I would like Password Maker to
handle co.uk and ac.uk domain names at the very least. I imagine this
is probably also an issue for .au and .nz domains. I'm not sure which
other countries make wide use of second-level-domains.

Regards,
Weeble.

From notes at mozdev.org Wed Mar 16 01:05:59 2005
From: notes at mozdev.org (notes@mozdev.org)
Date: Thu Mar 17 02:34:17 2005
Subject: [passwordmaker] Passwordmaker: feedback from Matthew
Message-ID: <200503160605.j2G65x66041995@localhost.mozdev.org>

http://passwordmaker.mozdev.org/notes.html#c1

Great extension.

Some comments:
-It would be nice if there was an option to mask the generated
 password so it can't be viewed by someone over your shoulder.
-When you open the focus should already be on the "Master Password"
 field.
-Ultimately it would be nice if you could just right-click in a
 password field on a web page, enter the master password into a
 dialog box which pops up, and have the created password
 automatically entered into the field on the webpage. Similar to
 what the bugmenot extension does.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1

From grimholtz at yahoo.com Wed Mar 16 23:31:47 2005
From: grimholtz at yahoo.com (Eric Jung)
Date: Thu Mar 17 02:39:30 2005
Subject: [passwordmaker] Passwordmaker: feedback from Matthew
In-Reply-To: 6667
Message-ID: <20050317073148.26554.qmail@web54508.mail.yahoo.com>

Great ideas!
I started working on them as soon as I read your post at
http://passwordmaker.mozdev.org/notes.html. The first two are
completed. The third is mostly finished, so they should all make it
into 0.3

Thanks,
eric

--- notes@mozdev.org wrote:
>
> http://passwordmaker.mozdev.org/notes.html#c1
>
> Great extension.
>
> Some comments:
> -It would be nice if there was an option to mask the generated
> password so it can't be viewed by someone over your shoulder.
> -When you open the focus should already be on the "Master Password"
> field.
>
> -Ultimately it would be nice if you could just right-click in a
> password field on a web page, enter the master password into a
> dialog box which pops up, and have the created password
> automatically entered into the field on the webpage. Similar to
> what the bugmenot extension does.
>
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)
> Gecko/20050223 Firefox/1.0.1

From grimholtz at yahoo.com Wed Mar 16 23:41:33 2005
From: grimholtz at yahoo.com (Eric Jung)
Date: Thu Mar 17 02:48:25 2005
Subject: [passwordmaker] Failed auto-extraction of domain name
In-Reply-To: 6667
Message-ID: <20050317074133.67596.qmail@web54503.mail.yahoo.com>

Hi Weeble,

Interesting. You are right; this is a bug. I'll have to give some
thought as to how to fix this. It might be easiest to find a list of
countries which require SLD (second-level domains), and code for
these explicitly.

-eric

--- Weeble wrote:
> Hi,
> Password Maker doesn't seem to cope with domain names in countries
> where a second-level-domain is required for all domains.
> For example,
> foo.bar.co.uk is unhelpfully identified as being the co.uk domain,
> rather than the bar.co.uk domain. I would like Password Maker to
> handle co.uk and ac.uk domain names at the very least. I imagine this
> is probably also an issue for .au and .nz domains. I'm not sure which
> other countries make wide use of second-level-domains.
>
> Regards,
> Weeble.

From clockworksaint at gmail.com Thu Mar 17 09:30:09 2005
From: clockworksaint at gmail.com (Weeble)
Date: Thu Mar 17 04:37:50 2005
Subject: [passwordmaker] Failed auto-extraction of domain name
In-Reply-To: <20050317074133.67596.qmail@web54503.mail.yahoo.com>
References: <20050317074133.67596.qmail@web54503.mail.yahoo.com>
Message-ID: <13e3f99305031701302e2f7bc8@mail.gmail.com>

[Password Maker extracts too little of some domain names]
> Interesting. You are right; this is a bug. I'll have to give some
> thought as to how to fix this. It might be easiest to find a list of
> countries which require SLD (second-level domains), and code for
> these explicitly.

I guess so. Unfortunately some countries are inconsistent - Japan has
a number of SLDs, but their use is not mandatory. The UK still has
some very old domains from before it enforced SLDs on new domains. It
may be easiest to find some "mostly right" heuristic. Perhaps if the
top level domain has two letters (and is therefore a country) and the
second level domain has only one or two letters? That would catch any
example I can think of.
You could also check for common host names, to avoid
picking them up in things of the form "www.zzz.jp"

There is information here about administration of many countries'
domain names:
http://en.wikipedia.org/wiki/Country_code_top-level_domain

Weeble.

From notes at mozdev.org Sun Mar 20 22:59:08 2005
From: notes at mozdev.org (notes@mozdev.org)
Date: Mon Mar 21 11:49:37 2005
Subject: [passwordmaker] Passwordmaker: feedback from Chris W
Message-ID: <200503210359.j2L3x8Hp065194@localhost.mozdev.org>

http://passwordmaker.mozdev.org/notes.html#c2

Handy extension, especially for sites that are adequately secured by
an unchanging password.

It would be handy if, for a given site, a series of passwords could be
generated over time. This would be of use for sites that force
password changes every month for example. I'm not sure the best way to
achieve this; possibly a serial number in addition to the master
password and site details (requires remembering what serial you are at
for each site), or generating a series of passwords en masse for a
given period of time and frequency (e.g. 1-Jan-2005 to 1-Jan-2006,
monthly) and letting the user choose.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050228 Firefox/1.0.1

From notes at mozdev.org Mon Mar 21 02:13:43 2005
From: notes at mozdev.org (notes@mozdev.org)
Date: Mon Mar 21 11:49:39 2005
Subject: [passwordmaker] Passwordmaker: feedback from Mook
Message-ID: <200503210713.j2L7DhcS085342@localhost.mozdev.org>

http://passwordmaker.mozdev.org/notes.html#c3

This should be very useful - now I no longer need a bunch of text
files on my machine!

The generated password is base 16 (or a leet version of base 16),
right? Wouldn't that produce a limited set? Just wondering if
something along the lines of Base64 would be better, since that means
64 possibilities per character, instead of the current 16. In fact,
since some leet results in two characters, you get an even smaller
keyspace in leet (given the same length).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050315 Firefox/1.0+

From notes at mozdev.org Mon Mar 21 11:51:35 2005
From: notes at mozdev.org (notes@mozdev.org)
Date: Tue Mar 22 11:30:48 2005
Subject: [passwordmaker] Passwordmaker: feedback from JJ
Message-ID: <200503211651.j2LGpZTV063661@localhost.mozdev.org>

http://passwordmaker.mozdev.org/notes.html#c5

The on-line version used to save settings with a cookie, now it seems
not to work anymore.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1

From notes at mozdev.org Mon Mar 21 08:25:12 2005
From: notes at mozdev.org (notes@mozdev.org)
Date: Tue Mar 22 11:30:53 2005
Subject: [passwordmaker] Passwordmaker: feedback from Tom
Message-ID: <200503211325.j2LDPCBB032235@localhost.mozdev.org>

http://passwordmaker.mozdev.org/notes.html#c4

Great tool. Once it works with .co.uk domains I'll be able to use it
for all my passwords.

I agree with Matthew that the master password on the online version
should be masked though. I wouldn't want to use it in college if
someone could look over my shoulder and see my password!

Another thing that would be useful is if the online version remembered
your settings (use l33t, hash algorithm, URL components etc) using a
cookie.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.6) Gecko/20050226 Firefox/1.0.1

From notes at mozdev.org Wed Mar 23 23:17:32 2005
From: notes at mozdev.org (notes@mozdev.org)
Date: Fri Mar 25 10:31:22 2005
Subject: [passwordmaker] Passwordmaker: feedback from Eric H. Jung
Message-ID: <200503240417.j2O4HWNf027199@localhost.mozdev.org>

http://passwordmaker.mozdev.org/notes.html#c6

Thanks for the great suggestions! I've updated PasswordMaker On-Line
with most of your ideas (masked master password, remembering settings
with a cookie). I'm also in the process of incorporating many of the
other ideas for the PasswordMaker Firefox Extension version 0.3, due
out in the next week or two.
Keep posting your ideas here... I read every one!

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1
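
Added example for the "Failed auto-extraction of domain name" thread above (not code from PasswordMaker or from any poster): it compares the reported last-two-labels behaviour, the two-letter heuristic proposed in the thread, and an explicit suffix list. The function names, the suffix list, the host-label list and the sample host names are all constructed for illustration.

```javascript
// Added example, not PasswordMaker code. Both lists are small constructed
// samples, not a complete registry of second-level domains or host names.
const KNOWN_SLD_SUFFIXES = new Set(['co.uk', 'ac.uk', 'com.au', 'co.nz']);
const COMMON_HOST_LABELS = new Set(['www', 'ftp', 'mail']);

function labelsOf(hostname) {
  return hostname.toLowerCase().replace(/\.$/, '').split('.').filter(Boolean);
}

// Behaviour reported in the thread: always keep the last two labels.
function naiveDomain(hostname) {
  return labelsOf(hostname).slice(-2).join('.');
}

// Heuristic from the thread: a two-letter TLD with a one- or two-letter
// second level is treated as a country SLD, so one more label is kept,
// unless that extra label is just a common host name such as "www".
function heuristicDomain(hostname) {
  const l = labelsOf(hostname);
  const n = l.length;
  const sldLike = n >= 3 && l[n - 1].length === 2 && l[n - 2].length <= 2;
  const keep = sldLike && !COMMON_HOST_LABELS.has(l[n - 3]) ? 3 : 2;
  return l.slice(-keep).join('.');
}

// Explicit list of second-level suffixes, as also suggested in the thread.
function listedDomain(hostname) {
  const l = labelsOf(hostname);
  const isListed = KNOWN_SLD_SUFFIXES.has(l.slice(-2).join('.'));
  return l.slice(l.length >= 3 && isListed ? -3 : -2).join('.');
}

// Run all three so the disagreements are visible side by side.
function compare(hosts) {
  return hosts.map((host) => ({
    host,
    naive: naiveDomain(host),
    heuristic: heuristicDomain(host),
    listed: listedDomain(host),
  }));
}

// Constructed host names.
const SAMPLE_HOSTS = ['foo.bar.co.uk', 'shop.example.com.au', 'www.zz.jp', 'login.example.com'];
console.table(compare(SAMPLE_HOSTS));
```

On the sample input the heuristic still returns com.au for shop.example.com.au because "com" has three letters, while the explicit list handles it but only for suffixes that have been entered.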
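
Added example for the feedback from Chris W (a serial number per site) and from Mook (base 16 versus a 64-character alphabet) above. It is not PasswordMaker's algorithm or code: it is an HMAC-SHA256 sketch for Node.js in which every function name, parameter and input value is hypothetical.

```javascript
// Added example, not PasswordMaker's algorithm: an HMAC-SHA256 sketch.
// All function and parameter names here are hypothetical.
const { createHmac } = require('crypto');

const HEX = '0123456789abcdef';
const BASE64_ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Keyspace of a password in bits: length * log2(alphabet size).
function keyspaceBits(charset, length) {
  return length * Math.log2(charset.length);
}

// Re-encode the digest as base-N digits (N = charset size), lowest first.
function encodeDigest(digest, charset, length) {
  if (keyspaceBits(charset, length) > digest.length * 8) {
    throw new RangeError('digest too short for requested length');
  }
  const base = BigInt(charset.length);
  let n = BigInt('0x' + digest.toString('hex'));
  let out = '';
  while (out.length < length) {
    out += charset[Number(n % base)];
    n /= base;
  }
  return out;
}

// The serial number is mixed into the HMAC input, so bumping it yields an
// unrelated password for the same site without changing the master password.
function derivePassword(master, site, serial, charset, length) {
  const digest = createHmac('sha256', master)
    .update(`${site}\n${serial}`)
    .digest();
  return encodeDigest(digest, charset, length);
}

// Constructed inputs.
const sampleMaster = 'correct horse battery staple';
for (const serial of [1, 2]) {
  console.log(serial, derivePassword(sampleMaster, 'bar.co.uk', serial, BASE64_ALPHABET, 12));
}
console.log(keyspaceBits(HEX, 12), 'bits vs', keyspaceBits(BASE64_ALPHABET, 12), 'bits');
```

At 12 characters the hexadecimal alphabet gives 48 bits of keyspace and the 64-character alphabet gives 72; the serial is the only per-site state the user has to remember.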