[tahoe-dev] [tahoe-lafs] #794: create DSA writecaps from a passphrase

James A. Donald jamesd at echeque.com
Tue Sep 1 19:25:04 PDT 2009


tahoe-lafs wrote:
 >  It might be nice to have a checksum of some sort, so
 >  people can tell the difference between misremembering
 >  their passphrase and searching for the directory on
 >  the wrong grid. Maybe the hashing process could also
 >  emit a 2 or 3 digit number, and users would be
 >  responsible for recognizing the number ("funny, it
 >  can't find my directory, oh but hey the computer
 >  usually tells me my checksum is 46 and this time it
 >  said 19, let me try retyping that"). Or the number
 >  could be expressed with a few goofy words, something
 >  easier to remember ("oh hey, it usually says
 >  FILIBUSTERING-NARWHAL but this time it said
 >  PACIFIST-JACKALOPE, let me try retyping that").

The absence of a "wrong password" prompt leads to
extremely painful user support problems.

The presence of a "wrong password" prompt leads to
extremely painful security holes, as scammers call up
and proceed to socially engineer high value passwords
out of underpaid and dimwitted password recovery minions
located in India.

If, however, the user conceives of it not as a password,
but as a secret, human-memorable URL, as a hidden
filename that is magically guaranteed to not show up in
the directory listing, and the UI presents it as such,
maybe we will avoid the great password recovery security
hole and corresponding user support nightmare.

"Attempting to modify the file ************* codename
PACIFIST-JACKALOPE, read capability
yhLbNER0cAEFimGSqZozcEe8q3rvbSi9I3bNxcqR"

"File ************* codename PACIFIST-JACKALOPE, read
capability yhLbNER0cAEFimGSqZozcEe8q3rvbSi9I3bNxcqR not
found."

A tale of password recovery:  I own some high value
domain names.  A domain name is ultimately controlled by
an email address.  An email address is ultimately
controlled by a password.  You can see where this story
is going.
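The checksum words proposed in the quoted ticket comment, and the codename-based diagnosis the reply describes, as an added illustration that is not part of this thread or of Tahoe-LAFS's own code: the PBKDF2 parameters, the salt label, the word lists and the storage-index derivation are all constructed assumptions, chosen only to show how a passphrase-only checksum separates a typo from a wrong-grid lookup.

```python
import hashlib
import hmac

# Constructed word lists for the "goofy words" checksum; 8 x 8 gives 6 bits.
# A real deployment would use larger, curated lists; these are for the example.
ADJECTIVES = ["FILIBUSTERING", "PACIFIST", "GRUMPY", "SLEEPY",
              "HASTY", "QUIET", "BRAVE", "DAPPER"]
NOUNS = ["NARWHAL", "JACKALOPE", "WOMBAT", "OCELOT",
         "PUFFIN", "BADGER", "GECKO", "MARMOT"]


def derive_writekey(passphrase: str) -> bytes:
    # Assumed, not Tahoe's real scheme: a slow KDF over the passphrase alone,
    # so the same passphrase yields the same key on every grid.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               b"example-passphrase-writecap", 100_000)


def storage_index(writekey: bytes) -> bytes:
    # Stand-in for the index a grid is asked for; derived from the key only.
    return hashlib.sha256(b"storage-index:" + writekey).digest()[:16]


def codename(passphrase: str) -> str:
    # The checksum is a separate MAC under the derived key with its own label,
    # so it is not the key and cannot be turned back into it. It deliberately
    # exposes only 6 bits: enough to catch a mistyped passphrase, too little
    # to materially help an offline guess.
    tag = hmac.new(derive_writekey(passphrase), b"codename",
                   hashlib.sha256).digest()
    return f"{ADJECTIVES[tag[0] % 8]}-{NOUNS[tag[1] % 8]}"


def diagnose(passphrase: str, remembered_codename: str, grid: set) -> str:
    # Because the codename depends on the passphrase alone, the two failure
    # modes the ticket comment worries about fall apart cleanly.
    if codename(passphrase) != remembered_codename:
        return "mistyped passphrase"
    if storage_index(derive_writekey(passphrase)) not in grid:
        return "wrong grid"
    return "found"
```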