Tiddlywiki lost password recovery...


Nicholas Ratliff

Nov 9, 2014, 1:27:22 AM
to tiddl...@googlegroups.com
I have a rather massive tiddlywiki that I have been working on for a number of years. I no longer possess the password, and am unable to update the wiki or augment it without the password. It is linked to a computer I use rather regularly, which has the password saved on it through firefox. Is there a way to recover this password? Please advise. Otherwise, is there a way I can rapidly make a copy of this wiki so that I may assign another password without hassle?


Stephan Hradek

Nov 9, 2014, 6:43:16 AM
to tiddl...@googlegroups.com
I hope this helps: http://goo.gl/9hsd6u

Ed Dixon

Nov 9, 2014, 1:08:03 PM
to tiddl...@googlegroups.com
Hi,

Recovering Firefox passwords aside for the moment, this does bring up a very important question, and one that I should have looked into at the onset. Of course any encryption mechanism can be cracked given enough time, but are there any known means to defeat our encryption as is, or with the added functionality to encrypt individual tiddlers as provided by Danielo's plugin? What I am working towards relies on this functionality being rock solid.

Thanks, 

Daniel Baird

Nov 9, 2014, 8:31:19 PM
to tiddlywiki

Nicholas is talking about a wiki on tiddlyspot (he has also emailed me at tiddlyspot support).

In general though, if a password to a tiddlyspot TiddlyWiki is lost, but the wiki itself is publicly accessible, it can be downloaded or imported from.  And you can always contact one of the friendly staff in tiddlyspot's global* network* of support professionals* for further help.


Cheers
Daniel

* = the interpretation of this word using its traditional English meaning may not result in a precisely truthful understanding of the situation being described.





--
Daniel Baird
objoke: I had a problem and decided to solve it with threading. Now, have problems. two I

PMario

Nov 10, 2014, 7:11:38 AM
to tiddl...@googlegroups.com
On Sunday, November 9, 2014 7:08:03 PM UTC+1, Ed Dixon wrote:
Of course any encryption mechanism can be cracked given enough time

That's a major topic for every encryption method. Encryption is used to protect valuable content.
As long as the cost (work + resources + time) to break the encryption is much, much higher than the cost to get the information over a different channel, we can say the encryption works.

As soon as "a different channel" is much cheaper, it doesn't make sense to hack the encryption.

So imo at the moment the best way to break TW's encryption is to attack the workflow.
e.g.: The node.js version uses plain-text passwords at the command-line level. So everyone who has access to your computer just needs to type

history | grep tiddlywiki

to get what's needed. You may say: "Me not using unix". I may say: "That doesn't matter". Windows forgets the session history... but since that's super boring, there is a good chance that some additional software is installed on a power user's PC that persists command-line session histories... So it's an easy task to search for those profiles... there is a good chance they are not protected very well...

and so on, and so on.
 
but, are there any known means to defeat our encryption as is

TW uses the Stanford Javascript Crypto Library.
That's what they say: http://bitwiseshiftleft.github.io/sjcl/

Quote:

(Unfortunately, this is not as great as in desktop applications because it is not feasible to completely protect against code injection, malicious servers and side-channel attacks.)

The important part here is: "code injection". ... IMO TiddlyWiki has a big attack vector here, with TW plugins.
Plugins can be easily installed using drag and drop.
So if I wanted to attack your TW, I'd create a useful plugin that contains some additional functions + a little trojan that is very well hidden.
 
or with the added functionality to encrypt individual tiddlers as provided by Danielo's plugin? What I am working towards relies on this functionality to be rock solid?

So imo "rock solid" at the moment is defined by your "code review" workflow and by your users' workflow.
If the users aren't aware of the rock solid workflow, it's cheaper and safer not to use encryption at all :)
Since encryption may give your users the feeling of security. But there is no security if they are sloppy.

have fun!
mario
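The `history | grep tiddlywiki` check above, turned into a small script you can run against your own history files. This is an added example, not code from the thread or from TiddlyWiki itself. It assumes the node.js CLI is invoked in the shape `tiddlywiki <wiki> --password <pw> ...` (an assumption made for this example), and the history file it writes is constructed for the demonstration, not captured from a real machine.

```shell
# Added example, not from the thread: find TiddlyWiki passwords that ended up
# in a shell history file, the "attack the workflow" case described above.
# Assumes the CLI is called as `tiddlywiki <wiki> --password <pw> ...`;
# that invocation shape is an assumption for this example.

# Write a constructed history file and print its path.
make_sample_history() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ls -la
tiddlywiki mywiki --password hunter2 --rendertiddler $:/core/save/all index.html text/plain
cd notes
tiddlywiki mywiki --password 'correct horse' --build index
git status
EOF
    printf '%s\n' "$f"
}

# Count history entries that carry a tiddlywiki password on the command line.
count_leaked_passwords() {
    grep -c -E 'tiddlywiki[[:space:]].*--password[[:space:]]' "$1"
}

# Print those entries with the password value replaced, so the finding can be
# reported without copying the secret into yet another file.
redact_leaked_passwords() {
    grep -E 'tiddlywiki[[:space:]].*--password[[:space:]]' "$1" \
      | sed -E "s/(--password[[:space:]]+)('[^']*'|[^[:space:]]+)/\1<REDACTED>/"
}

# Usage:
#   f=$(make_sample_history)        # or: f="$HOME/.bash_history"
#   count_leaked_passwords "$f"     # 2 for the constructed file
#   redact_leaked_passwords "$f"
```

Shell history is only the most convenient place to look: while the process runs, the same argument is visible to every local user through `ps` or `/proc/<pid>/cmdline`, and a quoted password is no better protected than an unquoted one. Keeping the command out of history (for example with bash's `HISTCONTROL=ignorespace` and a leading space) closes one channel, not the others.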

Ed Dixon

Nov 10, 2014, 11:05:36 AM
to tiddl...@googlegroups.com
Thanks Mario! 

I have been holding my breath on this one. I had forgotten, but I did look into the Stanford Javascript Crypto Library weeks ago and decided it was sufficient for the task planned. When I saw this post the concern was more about backdoors or other designed mechanisms to allow access if the password was forgotten. Your points regarding plain text, code injection, the ease of dropping a trojan using drag-and-drop functionality, and code review are well thought out and expertly explained. You obviously have some experience working with computer security. I have a current Security+ certification but doubt that, if I had researched all this myself and worked with TW for much longer, I would have done as good a job providing this explanation.

I have assumed that Danielo's code also makes use of the library; while we are on the subject, do you know if this is the case?

Thanks,


PMario

Nov 10, 2014, 5:25:33 PM
to tiddl...@googlegroups.com
On Monday, November 10, 2014 5:05:36 PM UTC+1, Ed Dixon wrote:
Your points regarding plain text, code injection, ease of dropping a trojan using drag and drop functionality, and code review are well thought out and expertly explained. You obviously have some experience working with computer security.

I'm very interested in computer security. I've been following the development of PGP since the '90s, when the first international version was available. ...
Anyway. What I found out for me is that it's much more fun to have a closer look at how users deal with sensitive information.
 
I have assumed that Danielo's code also makes use of the library; while we are on the subject, do you know if this is the case?

Yes. Danielo's code uses the library, but I didn't have a closer look at the implementation.

Danielo's plugin leaves some fields of a tiddler untouched for convenience reasons.
For some usecases this may be no problem. For others it is.

e.g.:

created   20140828081424710
creator   pmario
modified  20141103103734401
modifier  pmario
tags      plugins
title     test tile

So if someone gets this info, there are still some questions that can be answered very easily.
e.g.: Who did the last edit, and when. ... So if you need "plausibly deniable encryption" [2], some more changes may be needed.

-------------

There is a talk from Tim Taubert about the upcoming native browser "WebCrypto API" [1]. This mechanism is less vulnerable to code injection into the library, since JavaScript doesn't have access to the crypto functions. ... The mechanisms used in the video are the same as those used by the TW crypto library. ... The problem at the moment is browser support.

But imo it is still an area to have a closer look.

have fun!
mario

[1] https://timtaubert.de/blog/2014/10/keeping-secrets-with-javascript/
[2] http://en.wikipedia.org/wiki/Deniable_encryption