Experts warn of cloud snooping
Robert E. Seastrom
rs at seastrom.com
Sat Feb 2 08:14:54 CST 2013
Louis Mamakos <louie at transsys.com> writes:
> Accessing you stuff via their website requires you to login and
> provide a password, which is used to decrypt the layered encryption
> keys for your data. So don't do that. From one of their FAQs:
In other words they have a copy of your keys that are encrypted with a
password, subject to all the usual concerns about brute force and
dictionary attacks, right? Or am I missing something? I do see that
they're using PBKDF2 as opposed to a cheap and cheerful single round
salted SHA or MD5 (which is encouraging), but then they turn around
and suggest that you put in a "password hint", which is not just a
hint to you. :)
Hope people at least have the option of using a passphrase (couldn't
find their password length/composition policy but maybe I'm just a
lamer). I'm as guilty as the next guy of doing all ascii lower or
mixed case passwords with no special symbols mixed in (because the
pain in the ass factor exceeds the win factor), but at least with 20+
characters in things like my ssh keys and pgp unlock I'm north of 97
bits of entropy.
http://xkcd.com/936/ comes to mind.
-r
More information about the Tacos
mailing list