|Yes and no, since I'm the only person that would know the initial state of the machine, they are still left guessing what that state is. The rotors will be seeded at random each time I open the program, and it would be up to me to re-seed to get to the original state. I really like the idea of a master string that would seed the machine for me, that would be a huge time-saver.|
Is the initial state hard-coded in the program, or do you have to manually enter it every time?
Only in the latter case can you argue that the initial state is not part of the algorithm, but is considered a "secret" key. But even then, the resulting password will always be exactly the same, for the same key (initial state).
It means that, instead of remembering the password itself, you now have to remember the initial state. What did you gain by this ???
IMHO, it only makes sense if the resulting password depends on two things: the initial state (secret key) plus an additional per-site "id", so that the same initial state (secret key) can be used to generate many different passwords for different sites...
Also, as mentioned before, I think it's better to derive the initial state from a "master" password, as that's far easier to remember.
However, if we have a "master" password, I think it would be far better to simply use PBKDF2 to derive a binary key (e.g. 256 bits) from the given "master" password, then use that key to seed a CSRNG (cryptographically secure pseudorandom number generator), and finally use the CSRNG output to generate the password(s) of arbitrary length - instead of using "Enigma" with all of its well-known flaws.
|My main weakness is going to be the security of my machine: who's to say that someone isn't taking snapshots of my screen every second and watching 8 hours of my day as a 8 minute video, or that a key-logger isn't logging my keyboard, or that someone isn't snooping on my network connection? How much do I trust the BIOS/hardware designer? ...And there's my paranoia setting in.|
It's a matter of the attack model that you assume. If you assume that an attacker has already compromised your machine, so that the attacker can read your computer's memory or record all key strokes, then you are pretty much "doomed" anyways 😏
...except, maybe, by managing your passwords/key on a separate hardware security module (e.g. YubiKey). Note that a YubiKey, or similar devices, also contain a unique "master" key, which is burnt into the device and which never leaves the device. This "master" key plus a site-specific "credential id" (a random number that is generated the first time you visit a specific site) is used to derive the site-specific keys.
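The PBKDF2 -> key -> deterministic generator -> per-site password pipeline suggested in the reply above, written out as an added Python example (not code from the thread or its author). An HMAC-SHA256 counter stream stands in for the "seeded CSRNG"; the salt, alphabet and site ids are constructed for the example, and the rendering step uses rejection sampling so the byte-to-character mapping has no modulo bias.

```python
import hashlib
import hmac

# Constructed for this example: in a real tool the salt would be generated once
# and stored with the user's settings (it is not secret, but must be stable).
SALT = b"constructed-example-salt"
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"


def derive_master_key(master_password: str, salt: bytes = SALT,
                      iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256: stretch the memorable master password into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def keystream(master_key: bytes, site_id: str):
    """Deterministic byte stream keyed by the master key and the per-site id
    (HMAC-SHA256 in counter mode). Same key + same id always yields the same
    stream; a different site id yields an unrelated stream."""
    counter = 0
    while True:
        msg = site_id.encode("utf-8") + counter.to_bytes(4, "big")
        yield from hmac.new(master_key, msg, "sha256").digest()
        counter += 1


def site_password(master_key: bytes, site_id: str, length: int = 20) -> str:
    """Render `length` characters from the stream. Bytes >= limit are rejected
    because 256 is not a multiple of len(ALPHABET); taking b % len(ALPHABET)
    for every byte would favour the first few characters of the alphabet."""
    limit = 256 - (256 % len(ALPHABET))
    out = []
    for b in keystream(master_key, site_id):
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)


if __name__ == "__main__":
    key = derive_master_key("correct horse battery staple")
    for site in ("example.com", "mail.example.org"):
        print(site, site_password(key, site))
```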