Score:0

Is it cryptographically secure to generate an ECDSA pair using username / password?


I'm thinking let's say you have a smart contract that ensures no double usernames. What if I generate an ECDSA pair like so:

  • Accept username and password
  • Validate username and password
  • Generate keypair using seed of <username> <some separator> <password>
  • Return keypair

Would this be cryptographically insecure? I'm sure there's something wrong with it but I'm curious as to what that would be.

Thanks!

Score:3

There are a few issues with this scheme:

  • if the password is not strong then the key won't be strong either;
  • it uses an unnamed key derivation routine, but since it doesn't take a salt or work factor, it's probably not a strengthening PBKDF (password based key derivation function) to counter weaknesses in passwords;
  • if the random number generator or key generator changes then the wrong key would be calculated;
  • it is not possible to change the password, something that should be possible for good password management;
  • it works for a single key but not for multiple keys (although it is easy to change the protocol to make that possible).

In the end, if the username is unique then you'd get unique keys presuming your key derivation method is any good. And if your password is secure enough then it would be tricky to derive the key. Note that this basically means that the password is required to be very complex, which in turn means that a password manager is probably required to remember it. And there are more flexible and more secure options to secure a key if such a device is required anyway.

So it's not insecure in itself, but it's rather inflexible and easy to mess up. And then it is still required to remember a very strong password.
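The derivation the question sketches, alongside the answer's points about salt, work factor and pinned key-generation parameters, as an added illustration that is not part of either post. It assumes secp256k1 (the question names no curve), `:` as the separator, the unique username plus a version tag as the PBKDF2 salt, and an iteration count of 600,000 for PBKDF2-HMAC-SHA256 in line with current OWASP guidance; the point arithmetic is plain Python for readability, not a constant-time implementation.

```python
import hashlib

# secp256k1 domain parameters (assumed here because the question mentions
# smart contracts; the original post does not name a curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def is_on_curve(point):
    """True if point satisfies y^2 = x^3 + 7 (mod P). None is the point at infinity."""
    if point is None:
        return True
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def point_add(p1, p2):
    """Affine point addition / doubling on secp256k1 (None = point at infinity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication; illustration only, not constant-time."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def scalar_from_seed(seed):
    """Map KDF output bytes into the private-key range [1, N-1].
    Reducing mod N-1 is slightly biased; feeding 48 bytes (as the strengthened
    path does) makes that bias negligible (the 'extra bits' method of FIPS 186-4 B.4.1)."""
    return 1 + int.from_bytes(seed, "big") % (N - 1)


def private_scalar_weak(username, password):
    """The scheme as posted: one plain hash over '<username>:<password>'.
    No salt and no work factor, so each password guess costs a single SHA-256."""
    seed = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return scalar_from_seed(seed)


def private_scalar_strengthened(username, password, iterations=600_000, version=1):
    """Same idea with a real PBKDF: the unique username plus a version tag serve as
    salt, and the iteration count is the work factor. Changing any parameter
    (iterations, version, salt format) yields a different key, which is why the
    derivation must be pinned for the lifetime of the key."""
    salt = f"ecdsa-from-password-v{version}:{username}".encode()  # assumed format
    seed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=48)
    return scalar_from_seed(seed)


def keypair_from_credentials(username, password, iterations=600_000):
    """Return (private_scalar, public_point) derived deterministically from the credentials."""
    d = private_scalar_strengthened(username, password, iterations)
    return d, scalar_mult(d, G)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    d, q = keypair_from_credentials("alice", "correct horse battery staple")
    print("private scalar:", hex(d))
    print("public point x:", hex(q[0]))
```

Running it twice with the same credentials yields the same key, which is the whole point of the scheme; running it with a different password, iteration count or version tag yields an unrelated key, which is the answer's "password cannot be changed" and "if the key generator changes the wrong key is calculated" points in one place. Note that the weak variant is exactly as deterministic and exactly as valid a curve scalar; what the strengthened variant buys is only the cost per guess, so the password still has to carry all the entropy.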

Jack
That definitely makes sense. Thanks a million! I’m just curious because private + public keys for authentication is definitely a paradigm shift these days and I found it odd that it was decided to not abstract the technicalities away from users