LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The Firefox password manager vulnerability

The Firefox password manager vulnerability

Posted Nov 30, 2006 21:05 UTC (Thu) by rriggs (subscriber, #11598)
In reply to: The Firefox password manager vulnerability by beejaybee
Parent article: The Firefox password manager vulnerability

Actually passwords are fine _provided they're used only once_. The point being that disclosing a password for any reason compromises it, even if the reason is to gain access to the password-protected service.

Unless I misunderstand what you are saying, your logic is flawed. One has to disclose the password to set it in the first place.

(Log in to post comments)

The Firefox password manager vulnerability

Posted Dec 3, 2006 16:02 UTC (Sun) by k8to (subscriber, #15413) [Link]

I believe your parent is referring to the idea of having a password which is never set, but it is merely pre-arranged.

That is, a one-time password system where both parties can generate an unending linear set of passwords, so each password is generated by, and known to both parties in advance, but is only disclosed the once to authenticate. Traditional passwords become less secure as they are used. One-time passwords are discarded on use, so there is no lessening of security.

The downside of one-time passwords of course is they take even more effort than regular passwords, and at the rate at which passwords (ab)use is multiplying, I think neither is sustainable.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds