Fwd: Re: password safe / mouse (was Re: What's the real problem with wireless on the Ben?)

Werner Almesberger werner at almesberger.net
Fri Sep 16 14:05:02 EDT 2011

Bas Wijnen wrote:
> >Of course, this could easily encompass solutions that
> >include a password on top of something else, e.g., the kind of
> >challenge-response authentication with a "pocket calculator" better
> >banks use.
> The Ben could well be used for that. Actually, it can be much
> better, because it can input a 200-character code instead of a
> 6-digit one.

Ah, but for this you'd have to get the bank or whatever to cooperate
on the authentication mechanism. Don't expect this to happen before
you've already sold a few tens of millions of devices :)

> >Comfort removed an impediment to the use of longer and more cryptic
> >passwords (harder to brute-force, if Eve gets her hands on the
> >password hashes).
> That makes things a bit safer indeed. And with cryptographically
> generated passwords, it even makes things real safe :-) But that
> requires (web)server-side support,

Naw, you can keep it simple. Say, integrate a password generator.
Pick length and structure. Since the Ben remembers the password for
you, it can be "nasty". If you combine this with atusb-as-keyboard,
you could even go as far as never intentionally revealing the
password to the user. (The user could of course extract it easily.)

> Conclusion, if you want this, write a firefox-plugin to support
> public-key authentication and get big sites like facebook to use it
> for their login system. :-)

Hmm, step 1: get Mozilla to write a lot of press releases praising
your project and announcing they're betting all their money on it.
Step 2: see if anyone bites :)

> But that's a path that you control and can change to suit your
> needs. Also, this isn't a real issue. If you are worried about
> people with sniffing devices for such an obscure protocol, then you
> should definitely use something better than passwords for
> authentication.

You want to be success-proof. If the device catches on, then the
protection of obscurity would vanish rapidly. And you also want to
avoid bad press that you may get via curious security researchers
even before the crooks catch on.

> But also quite heavy for a controller that should record 3D movement
> (that is, must be held in the air).

You need a minimum size for comfortable handling anyway, e.g., the
buttons. I don't think a Ben-like battery would be much of an
encumbrance - your mouse would still be tiny.

- Werner
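
Added example (not part of the original message or of any Ben NanoNote software): a C sketch of the password generator idea discussed above, where a template string picks both length and structure. The template characters, the symbol set and the function names are assumptions made for this example; it reads /dev/urandom and uses rejection sampling so that every character of a class is equally likely.

```c
#include <stdio.h>
#include <string.h>

/* Assumed template classes: tag char -> set; bits = log2(set size). */
struct cls { char tag; const char *set; double bits; };
static const struct cls classes[] = {
    { 'a', "abcdefghijklmnopqrstuvwxyz", 4.7004 },
    { 'A', "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 4.7004 },
    { 'd', "0123456789",                 3.3219 },
    { 's', "!#$%&*+-=?@_",               3.5850 },
};
static const struct cls *find_class(char tag) {
    for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++)
        if (classes[i].tag == tag) return &classes[i];
    return NULL;
}

/* Returns entropy in bits, or -1.0 on error (out is then cleared). */
double gen_password(const char *tmpl, char *out, size_t outlen) {
    size_t n = strlen(tmpl);
    double bits = 0.0;
    FILE *rng = (n < outlen) ? fopen("/dev/urandom", "rb") : NULL;
    if (!rng) goto fail;
    for (size_t i = 0; i < n; i++) {
        const struct cls *c = find_class(tmpl[i]);
        if (!c) goto fail;                 /* unknown template character */
        unsigned k = (unsigned)strlen(c->set);
        unsigned limit = 256 - 256 % k;    /* rejection bound: no modulo bias */
        int byte;
        do {
            if ((byte = fgetc(rng)) == EOF) goto fail;
        } while ((unsigned)byte >= limit);
        out[i] = c->set[(unsigned)byte % k];
        bits += c->bits;
    }
    out[n] = '\0';
    fclose(rng);
    return bits;
fail:
    if (rng) fclose(rng);
    if (outlen) memset(out, 0, outlen);
    return -1.0;
}

int main(void) {
    char pw[64];
    double bits = gen_password("aaaaAAAAddddssss", pw, sizeof pw);
    if (bits >= 0) printf("%s (%.1f bits)\n", pw, bits);
    return bits < 0;
}
```

The returned bit count is the cost of guessing the password when the template is known, which is the relevant figure if the password hashes leak.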

