Email as salt! #52

Closed
wants to merge 3 commits into
from

Owner

kaepora commented Jul 25, 2014

See discussion at #45

@kaepora kaepora closed this Jul 25, 2014

@kaepora kaepora deleted the salt branch Jul 25, 2014

Only for understanding: the e-mail is like an additional password, not like a salt, right?
So the e-mail address used is not ascertainable unless you know the correct passphrase + e-mail address?

Owner

kaepora commented Jul 25, 2014

@ovalseven8 I don't understand your question.

@ghost

ghost commented Jul 25, 2014

@kaepora I think he meant "So the user miniLock ID is not..."

Sorry for the unclear question.
What I mean: a salt is normally public and, if I have understood correctly, the original suggestion was to create a random salt which is contained in the miniLock ID (see #45).
The variant that you have implemented doesn't show the "salt", right? So it is like two passphrases combined into one.

Owner

kaepora commented Jul 25, 2014

@ovalseven8 The salt (email) you choose will be impossible for anyone else to obtain, so in that sense, it kind of is like a passphrase.

I still think that the e-mail address variant doesn't fit.
What if the user writes firstnamesurname@mail.com and next time FirstnameSurname@mail.com? Both are e-mail addresses, and correct ones, but the »salt« is different. So a function is needed that converts all small letters to capital letters or vice versa. (Sorry if this is already implemented.)

Note: if a rainbow table attack by a powerful organisation is successful (I know it's hard, but we should be prepared for everything), they will also know your e-mail address from then on. So the anonymity is also damaged. And, as I said, it could be very confusing to many people if they have to use their e-mail address to use miniLock.

In this 'email as salt' situation, are people advised to use their real email address(es), or is it better to use a mail address 'created' on purpose for miniLock?

Sorry if my question is so low-level, but I'm not sure users will understand this nuance without it being explained in the UI. :)

@kaepora kaepora added this to the 0.0.1 milestone Jul 28, 2014
