Terry Jones - Fluidinfo - Latest Comments

Re: Ten days in hospital

bambi — Thu, 23 May 2013 10:47:54 -0000

OMG! Riveting reading. Not unlike NYT Diagnosis column, only those don't worry me. Good time for a virtual hug.

Re: Graceful shutdown of a Twisted service with outstanding deferreds

John Popplewell — Sun, 14 Apr 2013 22:38:32 -0000

Hi,

useful class, thanks.

I'm using deferreds returned from maybeDeferred() and observed that when calling add(), an error was raised in _fired() because the deferred hadn't been added to the pool yet. I fixed this by swapping the two lines in add() so that if _fired() is called when executing addBoth() it will find and be able to remove the deferred,

best regards

Re: Alternate browsing realities

Emily Dickinson — Tue, 09 Apr 2013 01:26:42 -0000

I'd like a tab closer running in the background. If I haven't visited a tab in N minutes, close the tab, or maybe put it in a searchable queue. Give me the option to make certain tabs sticky so they don't autoclose.

Re: Daylight robbery: Barclays skims €170 off a 5K EUR -> GBP transfer

Juan Alvarez — Mon, 18 Mar 2013 07:25:41 -0000

Terry, I have used Transferwise for similar transactions and I love them. 100% transparent and cheap.

Re: Daylight robbery: Barclays skims €170 off a 5K EUR -> GBP transfer

Daniel — Wed, 06 Feb 2013 06:52:47 -0000

Another advertisement for bitcoin :)

Re: Daylight robbery: Barclays skims €170 off a 5K EUR -> GBP transfer

bambi vincent — Tue, 05 Feb 2013 12:16:45 -0000

Yet another daylight robbery with bank as perp, also related to wire transfers and intermediary banks: Bank of America advertises that, for "Platinum Privileges clients," "no fee for incoming wires [which are, for ordinary folk] ($12 domestic/$16 international)." So why is $27 missing from each of my incoming wires?

"The fee that was assessed and deducted from the incoming wire is a bank-negotiated wire fee from the International bank that’s sending the wire, the intermediary bank and us," BofA responded.

Uh, isn't that a "fee for incoming wires"? Fraud and false advertising! The mere mention of which got me a six-month reprieve from "intermediary bank wire fees," after which I will check the bank's current claims and quit Bank of America in a blizzard of public comments.

Re: Secure per-site passwords with no encrypted blob

terrycojones — Tue, 05 Feb 2013 08:24:40 -0000

Thanks Richard, I'll go look.

Re: Secure per-site passwords with no encrypted blob

terrycojones — Tue, 05 Feb 2013 08:24:08 -0000

Thanks Brandon, I'll have a look.

Re: Secure per-site passwords with no encrypted blob

terrycojones — Tue, 05 Feb 2013 08:23:52 -0000

Hi David. That's a good question :-) I guess the only answer is that you'd need to choose a different service name for that site (because, as you say, changing your master password would be bad). But that further highlights the need for some kind of management of the service names you've used for sites. I don't like that at all, as I guess is clear - that's why I say this is a good (hard) question.

Another thing which I find very impractical about this approach is that once you start using a version of this code, it's very hard to upgrade to another version. Again, you'd want metadata stored elsewhere to keep some idea of state.

Thanks for commenting!

Re: Secure per-site passwords with no encrypted blob

David Avraamides — Tue, 05 Feb 2013 08:09:46 -0000

What if your password expires on one site? How do you change one password without changing the "secret" and therefore changing all passwords?

Re: Secure per-site passwords with no encrypted blob

trendels — Tue, 05 Feb 2013 03:19:21 -0000

Good point. Unfortunately, that means you now have to save the salt between invocations, if I'm not mistaken. You'll also need the same salt value on every computer you want to generate passwords on (instead of only the same algorithm), and when you lose it, you lose access to all your passwords. I wonder if there's a better way?

Re: Secure per-site passwords with no encrypted blob

Brandon Rhodes — Mon, 04 Feb 2013 09:36:29 -0000

Note that http://passwordmaker.org/ implements this idea with several competing implementations for many different platforms, and with more secure cryptographic options than the simple hash(secret + message) that you do here. PasswordMaker Pro, the Chrome extension, is the particular implementation of its standard that I recommend that people use.

Re: Secure per-site passwords with no encrypted blob

terrycojones — Sun, 03 Feb 2013 21:01:23 -0000

Thanks Christian. I'd not heard of key stretching. I'll go look...

Re: Secure per-site passwords with no encrypted blob

Christian Heimes — Sun, 03 Feb 2013 19:56:18 -0000

Never ever do something like hashfunc(secret + message)! This is insecure and open to several attack vectors like length extension attacks. At least you want to use a

message authentication code algorithm like HMAC. If you want to reach a minimum level of security, than add a salt from a proper CPRNG and use a key stretching or key derivation algorithm like PBKDF2. The master passwords has most likely not enough entropy. A key stretching algorithms compensates it a bit.

Re: Secure per-site passwords with no encrypted blob

Richard Moore — Sun, 03 Feb 2013 17:24:59 -0000

Yeah, that would be a lot safer.

Re: Secure per-site passwords with no encrypted blob

terrycojones — Sun, 03 Feb 2013 17:08:43 -0000

Hi Richard. Thanks. I originally wrote the code using hmac but then thought I didn't need to worry about length extensions. I guess you're right to be concerned though, and also I later thought that I might want to use service names like "gmail" and "gmail-work" or whatever. So, I should probably revert :-)

Re: Secure per-site passwords with no encrypted blob

Richard Moore — Sun, 03 Feb 2013 16:26:39 -0000

Looking at the 'how it works' page for this tool it looks like this is broken too.

Re: Secure per-site passwords with no encrypted blob

Pekka Klärck — Sun, 03 Feb 2013 16:22:22 -0000

You might also consider running `pip install oplop` and/or visiting https://oplop.appspot.com/.

Re: Secure per-site passwords with no encrypted blob

Richard Moore — Sun, 03 Feb 2013 15:49:17 -0000

With your scheme if you ever sign into a local service say for the sake of example 'www' then you will be generating a password that can be used to workout all passwords for sites that start with www. The hash output can be used as input for a length extensions attack (due to the way these hashes work). The risk is mitigated to an extent by the fact that the password is a truncated form of the hash as you only take the first 32 bytes of the digest, but that means that the remaining search space for a brute force attack is tiny. If you want to look into doing something like this, take a look at things like HMAC which are designed to prevent this kind of extension attack.

Re: Secure per-site passwords with no encrypted blob

terrycojones — Sun, 03 Feb 2013 15:15:24 -0000

Hi Petter. Yes, that's the same thing, pretty much, thanks for the pointer! I'm going to edit the text above to point people to SGP.

Re: Secure per-site passwords with no encrypted blob

Petter Häggholm — Sun, 03 Feb 2013 14:49:05 -0000

Have you looked into SuperGenPass? [http://supergenpass.com/]

Re: Secure per-site passwords with no encrypted blob

Richard Wall — Sun, 03 Feb 2013 14:42:20 -0000

Terrry. There are some existing services. I use https://oplop.appspot.com/ but there's also https://www.pwdhash.com/ which has a nice Firefox extension.

Re: Secure per-site passwords with no encrypted blob

Tigors — Sun, 03 Feb 2013 14:38:20 -0000

Great idea! Have to think about the problem solution. At least i'll do it for myself .
Thanks :)

Re: 10,000 things: Andrew Hensel lives (on Twitter)

terrycojones — Thu, 10 Jan 2013 11:33:43 -0000

Sounds great, I've eaten at G in several cities, but never in London :-) I'm terry@jon.es Thanks!

Re: 10,000 things: Andrew Hensel lives (on Twitter)

samdutton — Thu, 10 Jan 2013 11:29:57 -0000

Ha! Just in time for the floods! If you fancy it, come and have lunch chez Google if you're in London. I'm samdutton@gmail.com.