This is a really good blog. Good work!…

It is ABSOLUTELY ridiculous that Amazon charges MORE for the Kindle version of Stephen Fry’s book than for the tree-killing HARDCOVER copy! http://www.amazon.co.uk/The-Fry-Chronicles/dp/B0042JTA56/ref=sr_1_9?ie=UTF8&m=A3TVV12T0I6NSM&s=digital-text&qid=1290172185&sr=1-9 Oh come ON, Amazon! You can do BETTER!

Stephen – clobber them!

“Hi Ken, as with traditional books, the RRP of each eBook title is dictated by the publisher of the eBook. Waterstone’s is working with all publishers to agree what is the appropriate price for an eBook and in the meantime, we discount as many eBook titles as possible to try and offer the best possible value to our customers. A long way from perfect, we know, but hopefully there will be changes in the near future. Kate”

Thanks, Kate. And Waterstone’s. I appreciate the time taken to reply. And good luck in your arm-wrestling with the publishers. Unless and until the powers-that-be have a serious pricing re-think, eBooks remain an interesting idea for slightly eccentric people. And that’s a great pity.

You may want to mention the web version and the other systems on the firefox page.

BTW, having studied theoretical computer science, the concepts discussed above seem very strong indeed. The only weakness that I can see is in the key (“general-purpose password and secret-number”)

If a cracker knows you are using this system, they could use that to run a dictionary or other brute force attack on the key entered this would be only slightly harder than doing it for a normal password. They could also set up a fraudulent site, and use your password there to run an off-line dictionary attack and discover your key.

As long as ONE of the following is true you are safe however: you use a secure key with sufficient entropy; noone knows or suspects that you use this system; noone is determined enough to jump through the extra couple of hoops just to attack you and other users of this system.

Definitely an interesting solution to what is a really tricky problem.

I don’t quite follow your Exceptions issue, though. PswGen doesn’t remember any passwords or auto-fill them for you, it only helps generate them.

Also please note that this post is pretty historical by now, PswGen has its own project page (links in the main post) which is a lot more current.

Thanks for your comments, they are appreciated.

You don’t have to enter the static data at the start of a session. The toolbar just quietly sits there waiting for you, feel free to ignore it! This will become clear when you start using it.

I agree with your “good enough” sentiment, and will consider adding to a future version.

I wasn’t suggesting that the static data should persist across sessions. What I meant was that it should be entered the first time in a session where a password is required, not at the very start of the session. I think it’d be an improvement in usability that wouldn’t compromise security.

Finally, I think that maybe two of the three static fields (name, secret word, secret number) should be optional, and users should be warned about the security implications of using just one. I believe that it’s better to have “good enough” security that people use 90% of the time, than having excellent security that people use 20% of the time.

Thanks for you reply and keep up the good work.