Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The main "problem" seems to be, that increased GPU power and tools just make it easier to brute force the master passphrase. AgileBits will improve the situation in the future.

Please take care and pick a strong master phassphrase!



That was the one of the take aways when I first reviewed the password keychain services- use a strong master password.


No matter what the construction being used is, you always have to use a strong master password. Nothing can help you if your password is in the dictionary.


Really it is unrealistic to expect users to have a sufficiently long password entered on every operation on iOS to provide adequate protection.

There should be some iOS-specific system with a key in protected keystore/keybag on the phone, combined with your encrypted password db potentially living in dropbox/icloud/etc., and then a user passphrase or biometric or whatever to unlock the file. Then you at least are protected against brute force once someone steals the encrypted keyfile from dropbox or some other service.

I've suggested this to them ~10 times. A keyfile format that doesn't rely on the crazy Apple resource forks and works with a user-self-hostable sync server would also be nice.


Why not just turn on the emoji keyboard and use unicode symbols instead of regular characters the standard keyboard.

An emoji password like happyface heart pizza devil hospital trafficlight cow moon is probably going to be more secure than any word/number combination that could be dictionary attacked.

This obviously assumes the site properly encodes Unicode, but also somewhat limits use for most people to devices with the keyboard.


Interesting idea, but it would be harder for me to remember 30 characters of emoji on a keyboard I don't routinely use than 30 characters of text and symbols which have, to me, some internal order, on keyboards I have used for the past...18 years?

I don't know how you get to the emoji keyboard on iOS. It would also be a little annoying having to do this on multiple platforms (I have considered using 1p on Windows at some point; no real argument that a well configured win 7 or 8 is worse than OSX, now).


It's not that hard to remember a 10+ char password, just use a long phrase, a rhythmical combination or anything that makes sense.


It's trivial to remember a very long password.

It's obnoxious to have to enter it on an iPhone keyboard with one hand while trying to drive or whatever on every login to anything. Particularly bad since I'm on a platform with a secure element, protected by tamper-resistant hardware, and relatively decent OS provided APIs to handle this exact problem.

There are good rumors that iOS 7/iPhone 5++ is going to have at least a fingerprint sensor, too, which would then automatically give biometric protection to the keybag as well.


While driving!? Why write that? Have you no shame?


Specifically, it is while at a gate, potentially blocking traffic (because I don't remember all the gate codes, I keep them in 1Password). It's not while actually driving, but close.


The implication of:

  > with one hand while trying to drive
is that your other hand is on the steering wheel actively driving. It sounds odd to say that one is "trying" to idle while parked at a gate.


Give him a break! Commenting on HN using an iPhone while driving is hard enough and now you want him to proofread?


Gate codes might be more appropriately stored on a piece of paper that you keep in your car or with your keychain.


And they don't explicitly warn their users in the App about how critical a strong master password is.

When I asked them to allow me to use a key along with my passphrase they said it would confuse their users, and then acknowledge their users aren't going to pick good passwords and would be at risk:

http://discussions.agilebits.com/discussion/comment/25737/#C...

> A master password constructed with diceware of three or four words should be both strong and memorable, but I have to acknowledge that most users aren't going to use diceware to construct a master password. So I suppose that your point stands.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: