I recently added a mac mini to my digital ecology, and it got me bustling about tidying up a bit.

One area is logins. I fixed the mini so that I can ssh to it, but only via crypto (ssh-keygen) keys. I had a port-scan within 2 hours of forwarding port 22 from my airport, so feel that passwords simply are a Bad Idea in this day and age.

My ISP also lets me use key pairs so that got me thinking about alternatives to name/password logins.

Now, I *do* believe passwords can be made reasonably secure: http://goo.gl/jqV7w .. maybe even more secure than key pairs, which can be compromised by stealing my laptop.

So a few questions about your experiences:
- Can I use public keys for heavily used sites (gmail, amazon, ...)?
- Is openID a reasonable alternative? http://openid.net http://goo.gl/BOpg
- Do you have a name/password strategy that you like?
- Any other alternatives?

-- Owen

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
lectures, archives, unsubscribe, maps at http://www.friam.org
I use lastpass.com, but I can't swear to how secure it is.

-tom

On Wed, Dec 22, 2010 at 9:57 AM, Owen Densmore <[hidden email]> wrote:
> I recently added a mac mini to my digital ecology, and it got me bustling about tidying up a bit.

--
==========================================
J. T. Johnson
Institute for Analytic Journalism -- Santa Fe, NM USA
www.analyticjournalism.com
505.577.6482(c) 505.473.9646(h)
http://www.jtjohnson.com
[hidden email]
==========================================
I just moved my keepassx password vault onto my dropbox folder, and installed the android keepassx client on my phone.

Seems that every few days I get an email from some online account that noticed my email address in the compromised gawker data and wonders if I should change my password. But the bulk of the accounts, which all used the same email address, haven't been heard from.

-- rec --

On Wed, Dec 22, 2010 at 9:57 AM, Owen Densmore <[hidden email]> wrote:
> I recently added a mac mini to my digital ecology, and it got me bustling about tidying up a bit.
The whole Gawker thing was quite ridiculous. I'd never heard of Gawker until this breach occurred, and now sites like LinkedIn (which I am a member of) require me to change my password, just because my email was amongst those stolen from Gawker. One would have to assume that my "Gawker" password was invalid since I'd never signed up to it.

Do social websites really need to "pad" their membership lists with email addresses harvested off the web? I'm continuously spammed by Plaxo even though as far as I can tell you need to have a Windows computer to use it, so never bothered with that either.

Cheers

On Wed, Dec 22, 2010 at 12:44:02PM -0700, Douglas Roberts wrote:
> I use dropbox to keep an encrypted document of all my passwords too. Good old gpg. Now, if I could just remember my pass phrase...
>
> --Doug
>
> On Wed, Dec 22, 2010 at 12:25 PM, Roger Critchlow <[hidden email]> wrote:
> > I just moved my keepassx password vault onto my dropbox folder, and installed the android keepassx client on my phone.
>
> --
> Doug Roberts
> [hidden email]
> [hidden email]
> 505-455-7333 - Office
> 505-670-8195 - Cell

--
----------------------------------------------------------------------------
Prof Russell Standish
Phone 0425 253119 (mobile)
Mathematics
UNSW SYDNEY 2052
Australia
[hidden email]
http://www.hpcoders.com.au
----------------------------------------------------------------------------
Folks,

I decided to put my advice about securing home networks in this message, along with password advice.

To secure your home network -

1. Use a firewall - either build one or buy one. Most broadband routers include a firewall.

2. Configure the firewall to deny all incoming traffic and only allow minimal outgoing traffic (http and pop3/imap is a good starting set). Note that I did not include DNS or ICMP - these have long been used for exfiltration.

3. If you have wireless -
   A. Use the best authentication/encryption you can - WPA2 not WEP. We can break the latter in minutes if you are generating traffic.
   B. Find a way to treat that traffic as untrusted - route it into your home network as if it's from the Internet. This will require setting up a VPN (IPSEC comes with all modern OSes) and sending traffic directly out to the Internet. The VPN would be used to access the internal wired network, if you insist.

4. If you really want to expose a service to the Internet - don't. Use a port-knocking solution (google it) that only opens the relevant port for a brief time after you have hit the right sequence of ports. Consider using a non-standard port when it opens - many hotels and Internet cafes only allow http (port 80) so you might run your ssh on that port to bypass filtering.

Passwords are only marginally secure. The problem with the idea that Owen cited is that many web-sites don't allow certain characters (usually a subset or the full set of special characters) and/or restrict password length. One site I have to regularly fight with cuts off the password I set without any indication. Password length is important.

Most winders boxen store and forward NTLM password hashes. I just bought, off Newegg, three systems with Nvidia GPUs that can each brute force 4-6 billion 8 character NTLM passwords per minute. You can rent GPUs off the cloud and folks have demonstrated using that for MD5 hash cracking. If you have the patience, you can double performance with ATI GPUs. Most websites use MD5 password hashes - which are usually weaker than NTLM.

I use a password formula which I mix up and customize to fit each web-site's peculiarities. This method can be frustrating - but I get by.

Ray Parks

----- Original Message -----
From: Owen Densmore [mailto:[hidden email]]
Sent: Wednesday, December 22, 2010 09:57 AM
To: The Friday Morning Applied Complexity Coffee Group <[hidden email]>
Subject: [FRIAM] Passwords
Oh, Gosh!

This reminds me of those printed instructions on aluminum ladders: "Under no circumstances use this ladder for CLIMBING." We ordinary mortals are screwed.

Nick

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Parks, Raymond
Sent: Thursday, December 23, 2010 8:52 PM
To: '[hidden email]'
Subject: Re: [FRIAM] Passwords
I think I'm saying that home computers aren't yet appliances. I just found and rewatched two Tony Curtis films - "Those Daring Young Men in their Jaunty Jalopies" and "The Great Race". They portray autos in their early days, when anyone could get one but only a few could make the cars work over great distances. I think we're still at that level of development - you never quite know what you get when you "Push the button, Max".

Ray Parks

P.S. Once you do this stuff you realize it's not as mysterious as it sounds - much of the mystery is in the jargon.

----- Original Message -----
From: Nicholas Thompson [mailto:[hidden email]]
Sent: Thursday, December 23, 2010 10:27 PM
To: 'The Friday Morning Applied Complexity Coffee Group' <[hidden email]>
Subject: Re: [FRIAM] Passwords
> From: "Parks, Raymond" <[hidden email]>
> Subject: Re: [FRIAM] Passwords
>
> Folks,
>
> I decided to put my advice about securing home networks in this message, along with password advice.
....

Ray: Would you not trust a PKI system (openssh) with passwords disabled? What sort of vulnerability would it face .. other than someone stealing the private key? I had naively assumed it would be secure, and planned a set of tunnels for screen sharing, file sharing, and ssh. That's basically my goal: having lots of devices share resources like screen (VNC) and data (ftp/ssh).

The port-knocking scheme seems very interesting and there is a command-line client/daemon for several OSs: http://www.zeroflux.org/projects/knock

I completely agree the limited password symbols/length of many sites make things a lot harder. Given some reasonable pass-phrase with unique modification for each site makes a lot of sense, but unfortunately the differing passwords allowed makes this impossible.

-- Owen
Owen,

Openssh with PKI will frustrate all but a high-level attacker targeting you, specifically (try not to annoy Hu Jin Tao or Vladimir Putin :-). Leaving the ssh well-known port open to the Internet means your system will constantly receive attempts to connect. It's annoying and uses up cycles and bandwidth. Port-knocking and using an alternate port reduce that annoyance considerably.

If you've got ssh working then scp is a better alternative than ftp.

If you're feeling mean, you can set up a scheme that answers all ports but, with the exception of the ones you're using, returns a TCP window length of 0. This is a perfectly valid response when a server can't handle further requests. It basically puts scanning and portmapping programs into an infinite loop, however.

What's scary is that most web-sites hash your password without salt using md5. The dual-GPU systems I purchased earlier can brute force 2.4 billion md5 hashes per minute per GPU. More specialized systems with more GPUs or using the cloud GPUs can do proportionately better. Using rainbow tables makes mass password guessing (as in the leaked Gawker info) possible.

I use a formula that includes an element of the web-site with one of several standard salts. I can usually find the right password within the try count.

Ray Parks

----- Original Message -----
From: Owen Densmore [mailto:[hidden email]]
Sent: Friday, December 24, 2010 09:05 AM
To: The Friday Morning Applied Complexity Coffee Group <[hidden email]>
Subject: Re: [FRIAM] Passwords
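Ray's two messages above make the same point twice: sites that store bare md5 hashes leave a leaked dump open to precomputed (rainbow) tables, and a salt is what breaks that. As an added illustration, not code from anyone in the thread, here is a small Python program (standard library only) that shows both halves on a constructed user table. The account names, passwords and guess list are made up; PBKDF2 stands in for whichever slow, salted password hash a site actually uses, and the iteration count is an arbitrary assumption.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (made-up names and passwords); bob and carol reuse one.
USERS = {"alice": "correct horse battery", "bob": "letmein", "carol": "letmein"}

# Constructed guess list standing in for a precomputed md5 table (rainbow table).
COMMON_GUESSES = ["password", "letmein", "123456"]

PBKDF2_ITERATIONS = 100_000  # assumed value; slow on purpose, raise as hardware gets faster


def unsalted_md5(password: str) -> str:
    """The weak scheme under discussion: md5(password) with no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What a site using bare md5 keeps in its user table."""
    return {name: unsalted_md5(pw) for name, pw in users.items()}


def reused_password_groups(stored: dict) -> list:
    """Rows whose stored digests are identical. With no salt, password reuse is
    visible in the dump before a single guess is tried."""
    by_digest = {}
    for name, digest in stored.items():
        by_digest.setdefault(digest, []).append(name)
    return sorted(names for names in by_digest.values() if len(names) > 1)


def table_hits(stored: dict, guesses: list) -> dict:
    """Why an unsalted dump is cheap to attack: hash the guess list once, then
    every matching row in the dump is resolved by a dictionary lookup."""
    table = {unsalted_md5(g): g for g in guesses}
    return {name: table[digest] for name, digest in stored.items() if digest in table}


def store_salted(users: dict) -> dict:
    """The mitigation: a fresh random salt per user and a deliberately slow KDF.
    Equal passwords now give unrelated digests, and a table built for one salt
    says nothing about any other row."""
    stored = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        stored[name] = (salt, digest)
    return stored


def verify_salted(stored: dict, name: str, attempt: str) -> bool:
    """Login check for the salted scheme, using a constant-time comparison."""
    salt, digest = stored[name]
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def digests_only(stored_salted: dict) -> dict:
    """Drop the salts so the same reuse check can be run on the salted table."""
    return {name: digest for name, (_, digest) in stored_salted.items()}


if __name__ == "__main__":
    weak = store_unsalted(USERS)
    print("reuse visible in unsalted dump:", reused_password_groups(weak))
    print("rows resolved by one table:   ", table_hits(weak, COMMON_GUESSES))
    strong = store_salted(USERS)
    print("reuse visible in salted dump:  ", reused_password_groups(digests_only(strong)))
    print("bob logs in with the salted scheme:", verify_salted(strong, "bob", "letmein"))
```

The unsalted table gives away that bob and carol share a password and lets one three-entry table resolve both rows; the salted table shows neither property, and a correct login still verifies. Salting does not make a weak password strong, which is why the slow KDF is paired with it.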
Whew, thanks!

I think I can eliminate passwords on my webhost (joyent, pretty sophisticated) using just PKI/ssh. And all my macs allow turning off passwords, using keys only. And my iPad has an ssh/vnc app that should let me use keys too. My phone may have problems, but it is jailbroken and has ssh built in so probably can work fine too.

That sounds like I'm getting there .. and I'll definitely not annoy The Big Guys.

One question I've puzzled over is use of keys. Some folks claim you should have one private key for yourself and use it everywhere. If you think it gets stolen, then you remove the corresponding public key on the servers. The other approach is to have a key-pair per device as well as one for yourself. So if your phone is stolen, you remove its public key from the services you use, but everything else works fine.

I'm not quite sure which way to go, but am tending to key-pair per device, as well as one "global" pair for "me" used for signing and similar things. Any advice?

-- Owen

On Dec 24, 2010, at 1:46 PM, Parks, Raymond wrote:
> Owen,
>
> Openssh with PKI will frustrate all but a high-level attacker targeting you, specifically (try not to annoy Hu Jin Tao or Vladimir Putin :-).
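Owen's closing question, one key everywhere versus a key pair per device, comes down to what revocation costs when a device is lost. As an added example, not code from the thread or from OpenSSH, here is a small Python script (standard library only) that reads an authorized_keys file in which each device's key carries its own comment, lists which devices currently have access, and revokes one device by removing only its line. The file contents and key material are constructed placeholders, not real keys; the key-type list is a subset of what OpenSSH accepts, and any tokens before the key type are treated as sshd options on the assumption that they contain no quoted whitespace.

```python
# Constructed authorized_keys contents: one entry per device plus a separate
# "global" identity, each tagged with its own comment. The key material is
# placeholder text, not real public keys.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3PLACEHOLDER_LAPTOP owen@laptop
ssh-ed25519 AAAAC3PLACEHOLDER_PHONE owen@phone
ssh-rsa AAAAB3PLACEHOLDER_IPAD owen@ipad
# identity used for signing and the like, kept separate from any device
ssh-ed25519 AAAAC3PLACEHOLDER_GLOBAL owen@global
"""

# Subset of the key types OpenSSH accepts in authorized_keys (assumed sufficient here).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def parse_entry(line: str):
    """Split one authorized_keys line into its parts, or return None for blank
    and comment lines. Tokens before the key type are sshd options (assumed
    here not to contain quoted whitespace)."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, token in enumerate(tokens):
        if token in KEY_TYPES and i + 1 < len(tokens):
            return {
                "options": " ".join(tokens[:i]),
                "type": token,
                "key": tokens[i + 1],
                "comment": " ".join(tokens[i + 2:]),
            }
    raise ValueError(f"unrecognised authorized_keys line: {line!r}")


def parse_authorized_keys(text: str) -> list:
    """All key entries in file order, skipping comments and blank lines."""
    entries = (parse_entry(line) for line in text.splitlines())
    return [entry for entry in entries if entry is not None]


def device_inventory(text: str) -> dict:
    """comment -> key type: which devices (and identities) currently have access."""
    return {entry["comment"]: entry["type"] for entry in parse_authorized_keys(text)}


def revoke_device(text: str, device: str) -> str:
    """Return the file with every key whose comment names `device` removed and
    every other line (comments included) left untouched. With one key per
    device, a lost phone costs one line here; the laptop and iPad keep working."""
    kept = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and entry["comment"] == device:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("before:", sorted(device_inventory(AUTHORIZED_KEYS)))
    after = revoke_device(AUTHORIZED_KEYS, "owen@phone")
    print("after: ", sorted(device_inventory(after)))
```

The script only edits the text; on a real server you would write the result back to ~/.ssh/authorized_keys on every host the phone could reach. That per-host step is the same under either model, but with a single shared key the lost phone forces a new key pair to be generated and installed everywhere, whereas with per-device keys the other devices' lines are never touched.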