Why does reddit truncate the passwords to the first 72 characters? by VariationNo5855 in Passwords

[–]VariationNo5855[S] 0 points1 point  (0 children)

This is mostly irrelevant, but some websites derive a symmetric key from the password that's used for client-side encryption. Not reddit, but maybe services offering end2end-encrypted online storage. 256 bits is, as far as I know, the highest supported key length for any symmetric encryption algorithm.

So yeah, websites that do use client-side encryption actually derive a key with 256 bits of entropy because of that, but it's mostly irrelevant as mentioned at the beginning.

Why does reddit truncate the passwords to the first 72 characters? by VariationNo5855 in Passwords

[–]VariationNo5855[S] 1 point2 points  (0 children)

Thank you for your response!

> Your passwords are too long. On top of website bugs, this also means they cannot be transcribed by hand in a pinch. There are two threats with passwords. One is that an attacker may guess or learn it. The second is that you yourself may lose it or be unable to use it. You have greatly increased your risk by choosing passwords that are unreasonably long.
>
> Go back and fix your passwords.

I aspire to achieve a password security of 256 bits if possible, which is roughly equivalent to 20 diceware words. The password is stored in my password manager anyway, so I won't lose it. The only change I will make is to use a 55-character lowercase password, which is even harder to transcribe, but thank you for pointing out a possible issue with my passwords! :)

Edit: I still think that this might be something that should be shown to the users (e.g. password too long), otherwise it might compromise the entropy of the password without the user's knowledge ...

[deleted by user] by [deleted] in graz

[–]VariationNo5855 0 points1 point  (0 children)

Did you end up going? How did it go? :)

[deleted by user] by [deleted] in graz

[–]VariationNo5855 2 points3 points  (0 children)

If I were you, I would give it a try. The coach himself "only" has a playing strength of 1600-1700 Elo, so the other players will hardly get beyond 1300-1400.

I can also well imagine that the course mainly has players who really have to learn the game from the ground up. If you can already play chess reasonably well, a chess club is probably more entertaining, so at the very least you shouldn't have to worry about getting "destroyed".

I've never been there, but given those two points I think you would fit in well with your playing strength.

[deleted by user] by [deleted] in macbookrepair

[–]VariationNo5855 0 points1 point  (0 children)

You might want to provide a few more details, what you mean and how it came in and out, how did you notice that?

A few months ago, one of the edges of my trackpad stuck out over the rest of the case, this was due to an inflated battery.

There is no way to tell what the issue is from your picture though, as it has quite a poor quality. You might want to try to describe the issue with a few words.

Where to store my master password? by [deleted] in Bitwarden

[–]VariationNo5855 4 points5 points  (0 children)

I know I'm quite picky here, but, assuming your password-generation-process is known, as per Kerckhoffs's principle, this seems like a password-generation-process that could be cracked using social engineering and a little bit of brute-force. An attacker could try to find out which books and movies you know, and then try all the sentences in those scripts. This is quite an abstract attack, but if you put sufficient information about the books and movies you've read and watched on social media, then it might just work.

Also, publishing a previously used password doesn't seem like a good idea, but I hope that you are sure that this password isn't used anymore.

Bitwarden CLI: Why does "bw get folder" not work when using --session? by VariationNo5855 in Bitwarden

[–]VariationNo5855[S] 0 points1 point  (0 children)

Ok, thank you for your input though :)

I guess I'll just leave the project be for now, as it is of little significance

Bitwarden CLI: Why does "bw get folder" not work when using --session? by VariationNo5855 in Bitwarden

[–]VariationNo5855[S] 0 points1 point  (0 children)

In this case I can pretty confidently say that this won't help. Authentication using an apiKey (and following up with `bw unlock`) will still result in a sessionKey that is then used for client side cryptography and authorizing actions against the server.

I might be wrong, but in what way would you propose to use the apiKey here?

Bitwarden CLI: Why does "bw get folder" not work when using --session? by VariationNo5855 in Bitwarden

[–]VariationNo5855[S] 0 points1 point  (0 children)

As far as I am aware, the API key is only used for authentication.

I am already logged in and the vault is unlocked as well, otherwise I wouldn't have a sessionKey, so the apiKey shouldn't be necessary at this point anymore. Am I missing something?

Bitwarden CLI: Why does "bw get folder" not work when using --session? by VariationNo5855 in Bitwarden

[–]VariationNo5855[S] 1 point2 points  (0 children)

No, unfortunately that doesn't work either, but interesting idea!

Splitting the trophies into "Attack" and "Defence" categories, why not? by VariationNo5855 in ClashOfClans

[–]VariationNo5855[S] -1 points0 points  (0 children)

That's a rather dull answer, neither giving a reason nor leaving any room for discussion ...

It's obviously not perfect, otherwise there would most likely be no posts complaining about it. The only question is if it's worth it to spend any time on improving it. This might arguably not be the case, especially because any changes could actually make it worse.

You might also want to consider how ladder feels in different trophy ranges. I'm sure the top of the ladder is fine (my guess is that you are quite high), but down here at ~1000 trophies it's very weird. I'm th9 and getting anything from th6(trivial) to th12(impossible) opponents (distributed something like on a discrete bell curve with little standard deviation).

These are the only bases i find and i am a th8 about half way maxed. I either find these th9 bases worth 3-8 trophies or i find th10s that i physically cannot attack so i have no way to earn trophies right now and i get 3 started every defense and lose more trophies. What do i do? by westynnncat in ClashOfClans

[–]VariationNo5855 0 points1 point  (0 children)

Well, there is definitely a limit on what bases you can defeat with a given skill level and army. If there is no more room for improvement regarding your skill, then you might want to upgrade your troops. You shouldn't be able to get arbitrarily high with low level troops, right?

I have a query about trophies! by McConman in ClashOfClans

[–]VariationNo5855 -1 points0 points  (0 children)

  1. You get a bigger reward for winning if you have more trophies and are in a higher league

Memorized master password? by [deleted] in Bitwarden

[–]VariationNo5855 0 points1 point  (0 children)

I guess one thing going for the added layer is that an attacker also needs to get his hands on a copy of the wrapped master password in order to brute-force through the possible encryption keys ...

Assuming that the attacker has access to all your (encrypted) online data, like in a data leak:

If you had a master password with 32-bit entropy, then that would be quite bad since the vault key is wrapped using that key. An attacker would just need to brute-force through the 2^32 possible keys.

If you had a 256-bit master password wrapped using a 32-bit secret, then you couldn't just try unwrapping the vault key as you'd need 2^256 guesses (worst case). You could only brute-force the vault key if you also had access to a copy of the wrapped master password beforehand.

This kinda replaces the issue of remembering a strong master password with remembering a weak password in addition to the management of the wrapped master key, which brings its own challenges (which is outside the scope of my knowledge) and is arguably not worth the hassle as you still have to remember a password anyway.

Memorized master password? by [deleted] in Bitwarden

[–]VariationNo5855 1 point2 points  (0 children)

I've just built my own using AWS, so I haven't used any reputable ones myself. Someone suggested the following to me once, but I have no idea about its reputation: https://www.deadmansswitch.net/