passwords, again
Locked
 
Administrator
|
Well, yet another scare today ... an email to me from the name of
someone I know but from a bogus email address. You know: "best friend" <[hidden email]>. So I've looked into cranking up the password security a bit. It seems that the two most important ideas are: 1 - Long passwords 2 - Unique passwords, different for each site I realize password managers (keepass, 1password, ..) can generate gibberish passwords, any length you'd like. But it'd be nice to be able to remember them yourself. Besides, password managers don't work everywhere in these days of the "app" because they are browser centric. So looking into common pw formulas, like http://healthypasswords.com/ & lifehacker http://goo.gl/hZ5rB propose, the site specific stunt is something like: az@xxxxx!yyy "sandwich" where I have a core xxxx or set of them, with prefix/postfix identifiers. In this case, az for amazon, and yyy for something else like b00ks. And yes you can scramble where az goes etc, but once a formula is seen, it's not going to be that hard to figure it out for google etc. Thus, even tho long and unique, it still could be fragile. So the choice does appear to be either a password manager and gibberish, or a nifty, human rememberable system that may be fragile. Has anyone tried the two-factor stunt? Google uses sms & your phone. I don't know what it would be like to use, but many sites lately allow you to login via google, facebook and others, so if the google login is 2-factor secure, maybe that's a good solution? Seems like it might be a pain and fail if your phone isn't working. -- Owen ============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
|
|
Owen,
Here's a gimmick I came up with last year. Seems to work - but who knows... I use a combination of two patterns - one for consistency (the "static"), the other for change (the "dynamic"). The key is that both are physical, geometric concepts relative to the keys on qwerty keyboard - rather than semantically-oriented patterns that everyone uses. Using physical, geometric keyboard shapes - like squares, triangles, etc. - makes the system easy to remember and use, but hard to explain in text. But here goes: I base the "static" pattern on some simple geometric shape - such as triangle or parallelogram. for example the keys AZCD form a parallelogram. I use this pattern as the "root" of my password. The remainder of my password, the "base", is something that I can remember easily, but with a capital and a special symbol - such as "fr!am3.14159". To generate my initial password I simply join the root and the base in some consistent way, such as AZCDfr!am3.14159. Of course, I can scramble this, but I would only do the scramble initially. Then, every month, or other period, I change this password in a consistent way. This is where the "dynamic" pattern comes in. The dynamic pattern is a rule for how I transform the "root" each month in a geometric way. For example, I may use the transform rule "move the 'root' up and to the right." This means that the "A" of the root becomes a "W", and all of the other root keys change accordingly. So, the second mont, the root becomes "WSFR". So, the second month's pword is "WSFRfr!am3.14159". Month 3's password would be "3ET5fr!am3.14159". For the fourth month, I "bounce" off of the top of the keyboard and head back down. After 16 months, I get to the right end of the keyboard. I usually develop a new root then and start all over again. Anyway, using these example patterns and base, the first five months of this set of passwords would be: AZCDfr!am3.14159 WSFRfr!am3.14159 3ET5fr!am3.14159 EDGTfr!am3.14159 DCBGfr!am3.14159 Of course, the permutations of this scheme are very large. And, you can change the base, the root and the dynamics at any time. And of course, you can site-specific symbols like "AN" for Amazon. Also, you can get creative with how you "slide" the dynamic pattern to make it harder to guess. The basic idea, though, is to use "keyboard geometry" for your root, rather than semantics. Anybody see any holes in this? Grant On 1/29/13 9:26 AM, Owen Densmore
wrote:
Well, yet another scare today ... an email to me from the name of someone I know but from a bogus email address. You know: "best friend" [hidden email]. So I've looked into cranking up the password security a bit. It seems that the two most important ideas are: 1 - Long passwords 2 - Unique passwords, different for each site I realize password managers (keepass, 1password, ..) can generate gibberish passwords, any length you'd like. But it'd be nice to be able to remember them yourself. Besides, password managers don't work everywhere in these days of the "app" because they are browser centric. So looking into common pw formulas, like http://healthypasswords.com/ & lifehacker http://goo.gl/hZ5rB propose, the site specific stunt is something like: az@xxxxx!yyy "sandwich" where I have a core xxxx or set of them, with prefix/postfix identifiers. In this case, az for amazon, and yyy for something else like b00ks. And yes you can scramble where az goes etc, but once a formula is seen, it's not going to be that hard to figure it out for google etc. Thus, even tho long and unique, it still could be fragile. So the choice does appear to be either a password manager and gibberish, or a nifty, human rememberable system that may be fragile. Has anyone tried the two-factor stunt? Google uses sms & your phone. I don't know what it would be like to use, but many sites lately allow you to login via google, facebook and others, so if the google login is 2-factor secure, maybe that's a good solution? Seems like it might be a pain and fail if your phone isn't working. -- Owen ============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com ============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
|
|
In reply to this post by Owen Densmore
For my home server I use a yubikey to connect via ssh. For everything else, I use lastpass. You can also use a yubikey for two-factor with lastpass.
I'd also like to point out that the entropy of a password isn't exactly the best metric. For example, it would take about 8.52 hundred-million centuries to guess the password "0wen............", but only 18.62 centuries to guess "B&ITu6rv^BF" (at about one-hundred billion guesses per second). You might want to consider picking a longer password, but one that's much easier to remember. -Jon On Jan 29, 2013, at 9:26 AM, Owen Densmore wrote: > Well, yet another scare today ... an email to me from the name of > someone I know but from a bogus email address. You know: "best > friend" <[hidden email]>. > > So I've looked into cranking up the password security a bit. > > It seems that the two most important ideas are: > 1 - Long passwords > 2 - Unique passwords, different for each site > > I realize password managers (keepass, 1password, ..) can generate > gibberish passwords, any length you'd like. But it'd be nice to be > able to remember them yourself. Besides, password managers don't work > everywhere in these days of the "app" because they are browser > centric. > > So looking into common pw formulas, like http://healthypasswords.com/ > & lifehacker http://goo.gl/hZ5rB propose, the site specific stunt is > something like: az@xxxxx!yyy "sandwich" where I have a core xxxx or > set of them, with prefix/postfix identifiers. In this case, az for > amazon, and yyy for something else like b00ks. And yes you can > scramble where az goes etc, but once a formula is seen, it's not going > to be that hard to figure it out for google etc. > > Thus, even tho long and unique, it still could be fragile. > > So the choice does appear to be either a password manager and > gibberish, or a nifty, human rememberable system that may be fragile. > > Has anyone tried the two-factor stunt? Google uses sms & your phone. > I don't know what it would be like to use, but many sites lately allow > you to login via google, facebook and others, so if the google login > is 2-factor secure, maybe that's a good solution? Seems like it might > be a pain and fail if your phone isn't working. > > -- Owen > > ============================================================ > FRIAM Applied Complexity Group listserv > Meets Fridays 9a-11:30 at cafe at St. John's College > to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com ============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
|
Administrator
|
In reply to this post by Owen Densmore
On Wed, Jan 30, 2013 at 6:37 AM, Edward Angel <[hidden email]> wrote:
> Owen, > > How does a better password system prevent someone from using someone else's > name with a different email address? it seems you are mixing two problems. [BTW: this is long so a quick question to the list: does anyone use googles 2 factor authentication? If so, could you give us your experiences?] It doesn't, directly. The scam is to crack into someone's email account, grab their contacts, then send emails that look trustworthy but aren't. A popular example washed over Italy, and I think most of Europe last year. Email from a friend to you (in contacts list) asking for some money because the friend is stuck traveling with a problem and needs cash fast. We actually saw it working. The one I received a few days ago was really novice: didn't forge the "from" address which can be done trivially. The europe attack actually used the hacked account with the pw changed. > The first one, using someone else's name, is a constant problem. I get a > couple a day that have done things like copy my bank's homepage. I don't how > that one can be stopped easily other than by some legal method that > introduces other problems. The main thing is to consider your mail account as important as your bank! The trove of info available is surprising. And like everyone else, I've been lax. So I thought there might be the possibility that my gmail had been compromised. This is why I ask about 2-factor authentication (TFA) .. gmail allows it and it got a lot of press from the Mat Honan (wired magazine) complete hack destroying a huge part of his digital ecology. Here's some info: http://the-gadgeteer.com/2012/01/02/google-2-step-authentication-review/ http://www.mattcutts.com/blog/google-two-step-authentication/ Apparently my gmail was OK, and the favorite way people get this info is via facebook scraping. I do have a link with the "sender" on fb so likely the source. But I do plan to try TFA even though the couple of sites that use have no common protocol. Even google's "war on the password" http://www.wired.com/wiredenterprise/2013/01/google-password/all/ indicates that their current mode will be migrated to a physical device. We hope to avoid a pocket full of them! Should be interesting to see if any of us use gmail's TFA. Please: anyone of us using it give us a summary. It does seem to be annoying if you have lots of devices. ============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
|
Administrator
|
In reply to this post by Grant Holland
PWs are a near religious conversation on the web now, due to the
famous cracks being made. In terms of PWs, there are really two issues in terms of ease of cracking them algorithmically: - Their length - Unique per site. Believe it or not, the pw cracker software is way smart. Yes it does have combinatorics. But it also include a huge number of heuristics like dictionary names, paired with numeric/character substitution. Well I knew that but the big surprise yesterday for me while searching was keyboard geometry has been added. I doubt yours would be caught but many simple shapes are. The fact is that passwords are approaching being obsolete. And all the crazy stunts are useless. Only length and unique matter, and adding in separaters (spaces, dashes and so on). This got a lot of press: http://www.baekdal.com/insights/the-usability-of-passwords-faq and naturally the daddy of them all, xkcd's http://xkcd.com/936/ (which did not include unique, just length) To be fair, the brute force methods require having the hash/salted pw file to begin with, which is no simple feat. And social hacks are pretty successful .. Apple and Amazon gave up account information in the Mat Honan case: http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/ http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/ On the other hand, the linkedin hack was successful because linkedin apparently did not salt the password files! Unbelievable. But really, we should at least move on from our current logins. Two factor is good but annoying, but some interesting social solutions are sprouting. Toopher uses you phone and GPS: http://venturebeat.com/2012/04/18/toopher-demo/ -- Owen On Wed, Jan 30, 2013 at 8:57 AM, Grant Holland <[hidden email]> wrote: > Owen, > > Here's a gimmick I came up with last year. Seems to work - but who knows... > > I use a combination of two patterns - one for consistency (the "static"), > the other for change (the "dynamic"). > > The key is that both are physical, geometric concepts relative to the keys > on qwerty keyboard - rather than semantically-oriented patterns that > everyone uses. > > Using physical, geometric keyboard shapes - like squares, triangles, etc. - > makes the system easy to remember and use, but hard to explain in text. But > here goes: > > I base the "static" pattern on some simple geometric shape - such as > triangle or parallelogram. for example the keys AZCD form a parallelogram. I > use this pattern as the "root" of my password. The remainder of my password, > the "base", is something that I can remember easily, but with a capital and > a special symbol - such as "fr!am3.14159". To generate my initial password I > simply join the root and the base in some consistent way, such as > AZCDfr!am3.14159. Of course, I can scramble this, but I would only do the > scramble initially. > > Then, every month, or other period, I change this password in a consistent > way. This is where the "dynamic" pattern comes in. The dynamic pattern is a > rule for how I transform the "root" each month in a geometric way. For > example, I may use the transform rule "move the 'root' up and to the right." > This means that the "A" of the root becomes a "W", and all of the other root > keys change accordingly. So, the second mont, the root becomes "WSFR". So, > the second month's pword is "WSFRfr!am3.14159". Month 3's password would be > "3ET5fr!am3.14159". For the fourth month, I "bounce" off of the top of the > keyboard and head back down. After 16 months, I get to the right end of the > keyboard. I usually develop a new root then and start all over again. > > Anyway, using these example patterns and base, the first five months of this > set of passwords would be: > AZCDfr!am3.14159 > WSFRfr!am3.14159 > 3ET5fr!am3.14159 > EDGTfr!am3.14159 > DCBGfr!am3.14159 > > Of course, the permutations of this scheme are very large. And, you can > change the base, the root and the dynamics at any time. And of course, you > can site-specific symbols like "AN" for Amazon. Also, you can get creative > with how you "slide" the dynamic pattern to make it harder to guess. > > The basic idea, though, is to use "keyboard geometry" for your root, rather > than semantics. > > Anybody see any holes in this? > > Grant > > > On 1/29/13 9:26 AM, Owen Densmore wrote: > > Well, yet another scare today ... an email to me from the name of > someone I know but from a bogus email address. You know: "best > friend" <[hidden email]>. > > So I've looked into cranking up the password security a bit. > > It seems that the two most important ideas are: > 1 - Long passwords > 2 - Unique passwords, different for each site > > I realize password managers (keepass, 1password, ..) can generate > gibberish passwords, any length you'd like. But it'd be nice to be > able to remember them yourself. Besides, password managers don't work > everywhere in these days of the "app" because they are browser > centric. > > So looking into common pw formulas, like http://healthypasswords.com/ > & lifehacker http://goo.gl/hZ5rB propose, the site specific stunt is > something like: az@xxxxx > !yyy "sandwich" where I have a core xxxx or > set of them, with prefix/postfix identifiers. In this case, az for > amazon, and yyy for something else like b00ks. And yes you can > scramble where az goes etc, but once a formula is seen, it's not going > to be that hard to figure it out for google etc. > > Thus, even tho long and unique, it still could be fragile. > > So the choice does appear to be either a password manager and > gibberish, or a nifty, human rememberable system that may be fragile. > > Has anyone tried the two-factor stunt? Google uses sms & your phone. > I don't know what it would be like to use, but many sites lately allow > you to login via google, facebook and others, so if the google login > is 2-factor secure, maybe that's a good solution? Seems like it might > be a pain and fail if your phone isn't working. > > -- Owen > > ============================================================ > FRIAM Applied Complexity Group listserv > Meets Fridays 9a-11:30 at cafe at St. John's College > to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com > > ============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
|
|
In reply to this post by Owen Densmore
I'll provide a data point, FWIW.
We are moving our companies' servers to Amazon, and generally we have only the ssh port open in addition to any public-facing ports necessary for that particular machine, such as http and https. All ssh authentication is done by public keys. I have passphrases on any private keys that are on machines that I take out of the office -- my iPhone and iPad and laptop. I love 1Password. I have about 208 passwords stored in it. There's no way I could remember a fraction of them, so this is what makes having a separate password for every site possible. The 1Password database is encrypted and on Dropbox, so all my devices and PCs share the same database. I also have a handful of "rememberable" passwords for my laptop login, my Apple ID, and my DropBox password. There was a famous hack last summer where a hacker got control of a person's iCloud mail account. Once he had that, he was able to change passwords on a number of other accounts by using the "Forgot password?" links. Then he remotely wiped the user's laptop, phone, and iPad. The moral there was that the Dropbox account, holding the remaining copy of the 1Password database, needs to be accessible without 1Password. One of my employees has a program that will generate memorizable 11 character passwords; it knows enough about word structure that it makes nonsense words that can be pronounced. Very useful. My one password to open 1Password is memorized, 27 characters long, and generated by the "roll 6 dice, map the result to a word from this dictionary, and repeat 5 times" algorithm. --B On Jan 29, 2013, at 9:26 AM, Owen Densmore wrote: I realize password managers (keepass, 1password, ..) can generate ============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
Re: [EXTERNAL] passwords, again
|
|
In reply to this post by Owen Densmore
I use the one and a half factor authentication mechanism for gmail. I say 1 and 1/2 because it really isn't two-factor. A cell phone is not sufficiently unique and protected to actually be "something you have" in the sense of two-factor authentication. Since
gmail and other sites are aware of my cell-phone I would have to presume an adversary would be aware of it and, if they didn't target it first, they would target it along with my on-line identities.
I use a formulaic mechanism that involves the site name (always the same) and leet-speak filler. The filler varies - sometimes I derive it from an on-line identity, sometimes I derive it from a vehicle that I used to own, and frequently it involves non-English
words. The primary goal is to have a password that uses the full ASCII character set and exceeds 15 characters in length. The biggest problem is that many sites have stupid rules that prevent me from doing exactly that. Sometimes they have length limits,
sometimes they have character set limits, and sometimes they have limits they don't tell me (I have to derive what is acceptable through a repeated process of trial and error - I still don't know what is acceptable on my mortgage company's web-site). I'm
not terribly worried that someone will derive my formula from a hacked site that stores passwords in poorly encrypted form - if the site uses poor encryption it's probably one of the ones that won't let me use my full formula. Thus, an adversary who gets
my password on one of those sites will not be able to derive the full formula. My eleven character password on LinkedIn was compromised but probably not cracked - but I changed it to a 16 character password with a differently derived filler.
Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024 M: 505-238-9359 P: 505-951-6084
NIPR: [hidden email]
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)
On Jan 29, 2013, at 9:26 AM, Owen Densmore wrote:
============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
|
Administrator
|
In reply to this post by Jon Bringhurst
On Wed, Jan 30, 2013 at 8:59 AM, Jon Bringhurst <[hidden email]> wrote:
For my home server I use a yubikey to connect via ssh. Way cool, I had heard of yubikey and possible acquisition/partnering with google. It was in the "google declares war on passwords" article:
I'll give it a try. For everything else, I use lastpass. You can also use a yubikey for two-factor with lastpass. Lastpass, 1password, keepass et al make sense. I've used one of them for a little over a year simply to remember *where* I have accounts. I don't yet trust the idea of a unique random string for all my logins. I really want a human rememberable password, again unique but with a formula. The problem is making sure if one pw is seen in the clear, all can't be generated by discovering the formula.
Do you use long random strings, non-human memorable? I'd also like to point out that the entropy of a password isn't exactly the best metric. For example, it would take about 8.52 hundred-million centuries to guess the password "0wen............", but only 18.62 centuries to guess "B&ITu6rv^BF" (at about one-hundred billion guesses per second). Agreed, certainly the idea of obscurity with letters etc is becoming less effective. But alas, the heuristics now being used would certainly discover 0wen............ in less than combinatoric time.
You might want to consider picking a longer password, but one that's much easier to remember. Yup, I'm doing that. Thanks for the details, nice to know.
-- Owen ============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
|
Administrator
|
In reply to this post by Barry MacKichan
On Wed, Jan 30, 2013 at 10:27 AM, Barry MacKichan <[hidden email]> wrote:
This is great, thanks.
I'm using pub key crypto for my hosting service and my home "server" .. mac mini. My pass phrase is in italian but not very long.
1P is the manager I chose too, and also with DB. DB is offering 2-factor so I may try it but 1P warns of some difficulties.
OK, so you mix 1P generated pws along with your own? Interesting idea .. that may be good for banks, cards etc.
Mat Honan's amazing story, yeah. I included two links in earlier mail and was amazed at his after-story: meeting Paranoid and becoming expert enough that for $4 he could steal any ones ID and wreak their digital world. Interesting that he placed a LOT of emphasis on backup strategies.
That sounds interesting. Do you remember its name? Possibly the black hats have incorporated a heuristic for that too.
That's a lot of typing! Even on a phone?
============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
|
|
In reply to this post by Owen Densmore
If you can't remember where all your accounts are, why bother to have memorable passwords for them? There was a consolidated stolen password file going around at some point in the last year -- that or a clever password harvester -- you type your password into a web page and it tells you if the password appears in the consolidated file. I believe I believed that the web page was computing the hash and sending that to a server. The point being that it doesn't matter much if the villains know your password or not, if anything close to your memorable password appears in the consolidated file then they will find your password by a simple random walk away from the examples in the file. Ditto if you're going to use a pattern involving the target host and user name, you're just making life easy for the villains for reasons which don't hold up.
The other problem here is that you end up using the same user identifier everywhere. You should be generating 64 character random user names for every web site account, too, along with the 64 character random passwords. You're trading off your personal convenience against your security, and you're only winning so far because the villains have been too stupid and too slow to take advantage of you, yet.
Then, again, maybe that web site is using this security auditor: http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants in which case you're totally screwed.
-- rec -- On Thu, Jan 31, 2013 at 9:48 AM, Owen Densmore <[hidden email]> wrote:
============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
Re: [EXTERNAL] passwords, again
|
Administrator
|
In reply to this post by Parks, Raymond
On Wed, Jan 30, 2013 at 11:45 AM, Parks, Raymond <[hidden email]> wrote:
Agreed. I believe its already happened in europe. And also google has "trusted" computers and "Application Specific Codes" all of which weaken its security.
Two opinions: - What about typing ease? .. especially on phones? Would you consider LastPass or similar? - What about yubikeys? It seems to be where Google is going next.
Thanks .. very useful info, -- Owen ============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
|
Administrator
|
In reply to this post by Roger Critchlow-2
On Thu, Jan 31, 2013 at 10:08 AM, Roger Critchlow <[hidden email]> wrote:
So you might as well as use a password manager or hash generator with random, long strings, right?
But in terms of the accounts .. I haven't a list kept from The Beginning. I often beam into forums that I try a login and if it works, add it to my growing 1P list. I'm over 125 now .. after also including google's "remember this password" keychain.
I liked that they made the hashes available so that you could get them, compute your hash, and find it in the file (251.9MB). Spooky. But the site itself seemed secure .. using a local hash generator. That there was no salt was a surprise.
Can you reset your "username" on sites once you create it? I think not, in general.
Err.. but it *was* impossible. I'm glad the author persevered.
============================================================ FRIAM Applied Complexity Group listserv Meets Fridays 9a-11:30 at cafe at St. John's College to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com |
«
Return to Friam
|
1 view|%1 views
| Free forum by Nabble | Edit this page |