Password Generating Webpages02 Mar 2011 in Security
First off, let me say that I commend Steve Gibson's attempts to bring information security to the masses. I think it's important to educate the user base, and most of the time, he does a great job of it. Unfortunately, a lot of his advice also seems to be filled with either "marketing speak", or (worse) just plain incorrect information.
In February, the Atlanta Linux Enthusiasts mailing list had a long discussion about the merits of "CLOSED" vs "STEALTHED" ports as advocated by Steve Gibson of grc.com. I, for one, love spirited discussion, and thought it was good to discuss a variety of viewpoints and issues. I believe that >90% of the discussion was very professional and mature discussion, which is something I attribute largely to the membership of the ALE mailing list. Many other mailing lists would have resulted in a very quick flame war. During that discussion, I stated that I felt that much of his advice (though overall sound advice) was misleading to users, and I still believe that. Even if the end result is users taking corrective action, misleading them is not helpful in the long run.
Today, I saw a link to Steve's page password generation page. Looking at it, I had several concerns about the page.
Firstly, while the page asserts that the passwords being sent are not recorded anywhere, this is impossible to verify. We have to take Steve at his word that he has no malicious intent. Don't get me wrong; I'm firmly convinced that Steve his no malicious intent. The problem comes when one or more other entities begins to offer this service -- do we trust them as well? Teaching users to trust passwords generated by some website they may have never seen before is a BAD idea.
My additional concerns are with his "Techie Details" section. The page asserts that "The result of the combination [...] is 512-bits of secret data providing extremely high security" shortly after it displays 3 different 256-bit long random passwords. This means that 256 bits of his input are effectively discarded. He states that the only way to get one of the passwords is "'brute force' — which means trying each one of those many combinations of 512 bits". However, given the 256-bit output, an attacker only needs to try 256 bits (which is still well outside the capabilities of almost any attacker). If an encryption algorithm were weakened by a factor of 2^256, it would be considered quite broken.
Steve's RNG is essentially a CBC implementation of AES, where the plaintext is a monotonic counter. I'm sincerely hoping that he has a process running in the background that is being queried to generate passwords, rather than restarting the chain on each page invocation. IF the chain is restarted on each page invocation using a static IV and a static key (he doesn't state how either is generated/obtained) then the ONLY entropy being fed into the AES cipher is the incrementing clock. That would then make his RNG much closer to SHA-256(clock) than a true RNG.
To be clear, I think Steve's page generates perfectly usable passwords. Even if the implementation is flawed (I have no way of knowing this, and I suspect it is relatively well-designed) the passwords are obviously substantially stronger than what most people come up with off the top of their head. Perhaps I'm overly critical, coming from an information security background as opposed to the "average consumer" Steve targets.