
816 points tosh | 1 comment

HoyaSaxa No.41279958
> The codes are short and human-pronounceable, using a phonetically-distinct wordlist. The receiving side offers tab-completion on the codewords, so usually only a few characters must be typed.

How does this work from a security perspective? Given the lack of apparent entropy can’t a malicious actor conceivably enter the correct phrase before the good actor?

replies(2): >>41280042 >>41280321
1. bentley No.41280042
https://en.wikipedia.org/wiki/Password-authenticated_key_agr...

“An important property is that an eavesdropper or man-in-the-middle cannot obtain enough information to be able to brute-force guess a password without further interactions with the parties for each (few) guesses. This means that strong security can be obtained using weak passwords.”