reverse engineer this book

Slashdot is reporting that Ross Anderson's Security Engineering is now available for free online:

"Security Engineering" Is Now Online (slashdot.org)

Here's the home page:

www.cl.cam.ac.uk/~rja14/book.html

This is the book that helped inspire mushpup. Chapter 3 should be required reading for anyone using a password and mushpup tries to address the issues raised in Section 3.2.3: Difficulties with Remembering the Password.

Of course, if you have a philosophical objection to free, you can always buy it from Amazon:

amazon link

the mushpup open philosophy

One of the ideas central to mushpup and that distinguishes it from something like roboform or eWallet is its (free) decentralized model. It doesn't store anything and it isn't limited to your desktop computer. And thanks to the google subversion repository and javascript and browsers, it can easily be installed anywhere.

This is its beauty and also its vulnerability. If mushpup forms were to proliferate, as they now easily could, someone could maliciously put a doctored mushpup form up on their website, offer it as a mirror, and start stealing plaintext passwords. There would be ways I can imagine to programmatically address this risk. But it would be complicated (something also contrary to the mushpup keep-it-simple philosophy) and would inevitably be defeated.

The best solution, and perhaps the only one, is sunlight. Everything is and always should be open to inspection. The code is javascript meaning that it runs on the client -- that is, on a browser in your machine, not a server, where your data could be stored in a database or logged. That also means that you should be able to inspect the code you're running by viewing the source. And because the code is available at its googlecode repository, you'll always have a reference for comparison.

Just as important, we stress the fact that mushpup is designed specifically for low security site. Don't use it for your banking site (this is a situation for which something like roboform or passwordmaker might be better suited.) The neat thing is: by using mushpup on your low security sites, there's a good chance your making your visits to high security sites more secure by not using the same password there.

I've added a list of mushpup mirrors to the right here. These are the sites to which I've added the mushpup form myself. If you're not sure you trust me, feel free to inspect the code, grab it, and add it to your own site. Also keep in my that mushpup is designed to allow anyone -- even the bad guys -- to do that. Your best security is awareness. And that is what mushpup ultimately promotes.

mushpup mirrors

I created mushpup mirrors as a way to insure that anyone using mushpup (at present it's only me and a couple friends as far as I know) will always have access to a mushpup form. Thus, if mushpup.org is down, chances are this blog won't be. And the chances are even slimmer that my klenwell.net mirror will be down.

With the ability now for mushpup to be deployed by just about anyone, this will also provide a list of known trustworthy (at least so far as I am worthy of being trusted) mushpup forms.

new blog logo

the mushpup blog/mirror logo

mushpup home edition is released

now use mushpup in all the comfort of your own desktop or hard drive.

download the file by clicking here:
mushpup_home_v1_200608.zip

then, on windows, follow these simple steps:

1. unzip
2. right-click on the file mushpup_home.htm
3. click Open With and select your browser (as always, we recommend )

then use the home edition at home and mushpup.org on the road

note: javascript must be enabled for mushpup to work

claimed on technorati

by me

a second mirror site

a mushpup mirror form is now available at klenwell.net, too:

klenwell.net/mushpup.htm

in the event mushpup.org is unavailable, you may retrieve your password either from the page above or this one.

mushpup mirror form added

I've just added a fully functional mushpup password form using my new mushpup mirror function. Presently, all the javascript code is being served through the mushpup googlecode repository. More information on mirroring mushpup is available here:

mushpup mirror

how it works

To use mushpup, you need three things:

1. your msw (mushpup secret word)
This is your master password. It doesn't have to be super long or super complex. But it should be distinctive and use both numbers and letters. Don't write it down. Don't utter it. This is the one thing you absolutely have to remember. But with this one password and mushpup, you can create as many unique secure passwords as you need.

2. your mushpup number
This should be a number between 8 and 16. This will be the length of your passwords. Don't worry about how long it

3. your mushpup side
Are you a lefty? A righty? Or maybe you like to go straight down the middle. Pick a side and be loyal to it. When you enter your password, this is the side you'll copy

an example (click on image for larger view)



When you enter your msw into the mushpup form with the location, you'll get a hash back like the one above. If I was a righty and my mushpup number was 8, I would copy the 8 character at the right end of the password. So in this example, my password would be: "QlPQKawe"

With mushpup notation, you can even put a reminder right on your webpage. In this case, my reminder might be:

m{this.domain > msw}r8

click here for more information on how to use mushpup notation

disposable passwords?

Not exactly. You can't really have a disposable password. Passwords are meant to be re-used, after all.

But mushpup is the next best thing. You don't throw it away after you use it. You just forget about it until you need it again.

How it works: mushpup uses the form above, or on the mushpup.org home page, to create a strong secure site-specific password. When setting up a user account, just enter your info in the form, copy and paste your password, and then come back for it the next time you need it.

mushpup is not meant for high security sites. But it is perfect for casual sites like wikipedia, pbwiki, or blogger.

Using mushpup notation, you can even put a secure reminder for your password right on the page itself. Here's my password for this blog:

m{this.domain > mws}

Just mushpup it, notate it, and forget about it.

overview

mushpup sprung from by my growing annoyance with registration-required websites -- especially the ones you don't foresee using more than a handful of times or on a very infrequent basis. I'm sure many people have come up with their own systems for dealing this. I began outlining my own on my blog. Ross Anderson's book on security engineering provided a more theoretical grounding.

my goals
1. formalize a secure protocol according to the guidelines listed below
2. implement it for myself
3. make the tools necessary for it to work as simply as possible
4. make it easily available (in a word, put it on a web page)
5. try to help others understand why the concept is important, even if they have no use for mushpup itself

guidelines
1. Simple Passwords (as in you could use a common word -- though not recommended -- and not have it be vulnerable to a dictionary attack)

2. Unique Passwords (see #1 for the obvious paradox; consider: how to have a unique password for every website that you login to and not have to memorize them?)

3. Secure Passwords (see #1 and #2 for the obvious challenge implicit in this -- you should not need to write it down)

4. Universally Accessible (you should be able to derive your password securely from any internet-enable computer)