From 506a097328bc80fad12425f0486a42be89188da9 Mon Sep 17 00:00:00 2001
From: Rob van Son
-Note: not attempt is made to slow down the password hash, so bad
+Note: no attempt is made to slow down the password hash, so bad
passwords can be cracked by brute force
diff --git a/CGIscriptor.pl b/CGIscriptor.pl
index cddf43d..7de19a4 100755
--- a/CGIscriptor.pl
+++ b/CGIscriptor.pl
@@ -1874,7 +1874,7 @@ if(grep(/\-\-help/i, @ARGV))
# implementation of /dev/urandom on your platform is secure before
# relying on it. This might be a problem when running CGIscriptor under
# Cygwin on MS Windows.
-# Note: not attempt is made to slow down the password hash, so bad
+# Note: no attempt is made to slow down the password hash, so bad
# passwords can be cracked by brute force
#
# For the authentication and a change of password, the (old) password
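Review bot: the one-word fix is correct, but the comment at "passwords can be cracked by brute force" now documents a real weakness (a single salted SHA256 with no key stretching) and stops there; add one line after it either pointing the reader at the passphrase advice this same patch adds to Private/manual.html or stating that a slow hash (a deliberate work factor) is planned, so someone reading the script gets the same guidance as someone reading the manual.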
diff --git a/Private/manual.html b/Private/manual.html
index f4b94b9..fc731fc 100644
--- a/Private/manual.html
+++ b/Private/manual.html
@@ -150,7 +150,7 @@ the salts are generated from /dev/urandom. You should check whether the
implementation of /dev/urandom on your platform is secure before
relying on it. This might be a problem when running CGIscriptor under
Cygwin on MS Windows.
-Note: not attempt is made to slow down the password hash, so bad
+Note: no attempt is made to slow down the password hash, so bad
passwords can be cracked by brute force
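Review bot: this is the same typo corrected in CGIscriptor.pl, which shows the sentence is maintained verbatim in two places (and a third time in the commit message); that duplication is how the typo was copied in the first place. Suggest keeping the security notes in the manual as the single source and having the script comment refer to that section instead of repeating it.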
@@ -161,5 +161,30 @@ hash function (SHA256) is used to create a one-way hash sum "encryption". A new password must be decrypted. New passwords are encryped by XORing them with the old password.
+ +If you only could see what you are typing
+
+Your password might be vulnerable to
+
+brute force guessing. Protections against such attacks are
+costly in terms of code complexity, bugs, and execution time.
+However, there is a very simple and secure counter measure. See the
+XKCD comic. The phrase,
+There is no password like more password would
+be both much easier to remember, and still stronger than
+h4]D%@m:49, at least before this phrase was pasted as an example
+on the Internet.
+Please be so kind and add the name of your favorite flower, dish, or
+fictional character to your password. Say, Oleander, Curry,
+or Sherlock (each adds 20 bits or more according to Google Ngram
+viewer) or even the phrase Sherlock hates curry with oleander
+(adds ~ 94 bits, note that oleander is poisonous, so do not try
+this curry at home). That would be more effective than adding a million
+rounds of encryption.
+Typing long passwords without seeing what you are typing is problematic.
+So a button should be included to make password visible.
+
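Review bot: the "+ +If you only could see what you are typing" line has a stray leading "+ " that will put a literal "+" into the manual text; if it is meant as a section heading, use the manual's heading markup instead. Two related problems in the same hunk: the header claims 30 lines replace 5 but far fewer added lines are visible, and the context text fused into the "@@" header still reads "encryped" (should be "encrypted"); since this hunk already rewrites this section, fix that word in the same change. On the content: the entropy figures ("adds 20 bits or more according to Google Ngram viewer", "adds ~ 94 bits") are presented as measured facts without saying how they were derived, so either describe the estimate or present them as rough figures, and "more effective than adding a million rounds of encryption" conflates two different defences: key stretching protects every user, including those who ignore this advice, while passphrase advice helps only those who follow it, and a few lines earlier this file admits no stretching is done, so the manual should not suggest it is unnecessary. "See the XKCD comic" needs a link (presumably the "Password Strength" strip). Finally, "a button should be included to make password visible" reads as a recommendation rather than a statement about the login form, and this patch does not touch the form; say whether the toggle exists, and if it does, note that the field defaults to hidden.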