DrPhill
Cyber Heretic
- Joined
- 15 Feb 2012
- Messages
- 1,154
- Reaction score
- 314
Passwords
- Thread starter Kittyhawk
- Start date
Help Support UKworkshop.co.uk:
DrPhill
Cyber Heretic
- Joined
- 15 Feb 2012
- Messages
- 1,154
- Reaction score
- 314
If you use a smaller set of characters (upper and lower case plus numbers) you can achieve the same entropy with a longer pass-phrase. The pass phrase may be easier to remember.
I use fingerprint recognition where possible - very quick, secure and simple (except after I have been doing a lot of sanding when my fingerprints are unrecognisable!)
I am now 82 and I have been involved in IT stuff for 30+ years, (not my main employment I was an electrical engineer), but about 3 years ago I bought Roboform a very good password manager costs me about £30 a year. I had tried free ones but did not trust or get on with them very well. Roboform was recommended by the Malwarebytes newsletter. Sometimes free is good but thinking about your security £30 a year is not too much in my view.
AES
Established Member
Oh, Dr. Phil, YES YES YES! Brilliant (AND, unfortunately not far off the world these IT "people" live in)!
Thanks - best laugh I've had in a long while
Yojevol
Clocking on
niemeyjt
Established Member
Put together by a mathematician, not a security expert with a copy of hashcat or similar.
Let's say you use one of the larger wordlists with 2 million words - the above will generate 1.6 x 10^25 permutations to stick into hashcat or a similar tool.
My 16 character recommendation, just using the characters on a keyboard (no specials) will generate 1.2 x 10^31 permutations - roughly a million times as many.
As for 1000 guesses per second - what are they using - a Commodore 64?
Using Hashcat, on a 8 way 4090 GPU cracking rig - well withing the price reach of serious attackers - you are looking at millions, sometimes billions, per second - depending on the hash type (Obviously, this is on a previously obtained hash - not an interactive login which will lockout after a few failures).
DrPhill
Cyber Heretic
- Joined
- 15 Feb 2012
- Messages
- 1,154
- Reaction score
- 314
Yeah, proton password generator appends a number to the end of each word and recommends four words separated by your choice of spacer ( space, hyphen dot etc). Gives at least 1000 times the entropy. The ease of use (typing into phone keypad) beats the widened character set in my world. I get to use a different safer password on each platform visited.
Since I am not likely to be the target of a five-eyes attack I feel reasonably secure.....
I remember a professional discussion with a security expert.
Me: So you won't be happy until the hard drive with the data is encased in concrete and dropped to the bottom of the Mariana trench
Security Expert: Technically speaking the data is still there and accessible......
Unless you are worth the effort, the bigger the rewards then the more effort that someone will put in to get access. I have heard that gangs have even spent time putting shreded info back together to get what they want.
niemeyjt
Established Member
And electron microscopy to read the data off a hard disk that has been encased in concrete and dropped to the bottom of the Mariana trench !
I have all our ex-use SSDs/hard drives/USB sticks etc. shredded in front of us, I.e. the shredder comes to the office and we physically carry the equipment to the shredder and witness the process - we never let the stuff leave our sight. The result is like metallic kitty litter.
I'm responsible for organisations that have extremely sensitive information on disk that under various bits of UK & foreign legislation we are obliged to protect extensively. Being the legally responsible person for the data focusses your mind... I have worked for government agencies in the past.
As a CTO of hedge funds, I've used forensic data recovery services to get data from mobile phones that have been run over by many cars (dropped in a main road etc.) and dropped in deep lakes. Its not cheap, but they'll sweat the BGA memory chips off the boards and extract the silicon from inside them, then probe the physical chip itself & decode it. And that's the cheap stuff. Using magnetic force microscopy to read segments of data off shattered (or supposedly erased) disks and then reassemble the pieces is also possible. SSDs and Flash memory have their own attack vectors.
Everything depends on the value of the data, the time available and the resources that the attacker has. The data I was dealing with was potentially a) extremely valuable, and b) I could have ended up in court if it escaped from my care. So, we always shred disks - its cheap, the disks never leave your premises, and you get a certificate of destruction for each one. You also get a bag of very sharp kitty litter.
Don't believe for a minute that encrypted disks or so-called deniable encryption will get you out of trouble with the larger security agencies (UK, US, Israel, China, Russia etc.). As a basis, you enforce end-point security (no CD/W, USB keys/drives etc.), then use daemons to monitor every bit of h/w looking for changes (someone removing a drive etc.), RFID/GPS tracking, and then a whole bunch of other stuff. Then there's the pen testing (look it up) and a bazillion other things to do...
A big SAN may have 500 or 1000 drives in it - you will get continual failures here or there. Just because the SAN or a PC can't access the data (even after a head crash or fire), doesn't mean a suitably equipped agency couldn't.
You can even extract data from the DRAM in a PC that has been turned off, even if it wasn't in sleep mode...
Data security is a fun challenge...
I'm responsible for organisations that have extremely sensitive information on disk that under various bits of UK & foreign legislation we are obliged to protect extensively. Being the legally responsible person for the data focusses your mind... I have worked for government agencies in the past.
As a CTO of hedge funds, I've used forensic data recovery services to get data from mobile phones that have been run over by many cars (dropped in a main road etc.) and dropped in deep lakes. Its not cheap, but they'll sweat the BGA memory chips off the boards and extract the silicon from inside them, then probe the physical chip itself & decode it. And that's the cheap stuff. Using magnetic force microscopy to read segments of data off shattered (or supposedly erased) disks and then reassemble the pieces is also possible. SSDs and Flash memory have their own attack vectors.
Everything depends on the value of the data, the time available and the resources that the attacker has. The data I was dealing with was potentially a) extremely valuable, and b) I could have ended up in court if it escaped from my care. So, we always shred disks - its cheap, the disks never leave your premises, and you get a certificate of destruction for each one. You also get a bag of very sharp kitty litter.
Don't believe for a minute that encrypted disks or so-called deniable encryption will get you out of trouble with the larger security agencies (UK, US, Israel, China, Russia etc.). As a basis, you enforce end-point security (no CD/W, USB keys/drives etc.), then use daemons to monitor every bit of h/w looking for changes (someone removing a drive etc.), RFID/GPS tracking, and then a whole bunch of other stuff. Then there's the pen testing (look it up) and a bazillion other things to do...
A big SAN may have 500 or 1000 drives in it - you will get continual failures here or there. Just because the SAN or a PC can't access the data (even after a head crash or fire), doesn't mean a suitably equipped agency couldn't.
You can even extract data from the DRAM in a PC that has been turned off, even if it wasn't in sleep mode...
Data security is a fun challenge...
Last edited:
Interesting how all the examples assume unlimited attempts and knowing the set of valid characters. For example the iPhone will permanently lock if you get the passcode wrong 10 times.
For sure there are sophisticated ways to break in but you need to balance the risk of someone doing that with cost/benefit they would receive for doing it.
Even a relatively weak password is more secure that the experts would have you believe, barring of course the non-passwords like password and 1234. The bigger problem with passwords is phishing and lax security at service providers.
For sure there are sophisticated ways to break in but you need to balance the risk of someone doing that with cost/benefit they would receive for doing it.
Even a relatively weak password is more secure that the experts would have you believe, barring of course the non-passwords like password and 1234. The bigger problem with passwords is phishing and lax security at service providers.
HappyHacker
Established Member
Many years ago UNIX had and probably still has a process that increases the time you have to wait after each failed password login attempt up to the limit of password attempts allowed. It did not need many failed attempts to be over 30 minutes wait.
As Paul has pointed out it is much easier to get a password by asking, nicely, or getting a keylogger downloaded by a bit of trickery or a trusted person getting access to your system.
At a security conference the organisers ran a survey with a prize if people gave them their logon password so "they could analysis typical passwords" a large number of people actually gave their passwords and were rather embarrased when told what they had done.
Another issue is what happens if you die or are incapacitated, does anyone need access to your systems, bank accounts etc?
As Paul has pointed out it is much easier to get a password by asking, nicely, or getting a keylogger downloaded by a bit of trickery or a trusted person getting access to your system.
At a security conference the organisers ran a survey with a prize if people gave them their logon password so "they could analysis typical passwords" a large number of people actually gave their passwords and were rather embarrased when told what they had done.
Another issue is what happens if you die or are incapacitated, does anyone need access to your systems, bank accounts etc?
Robbo3
Established Member
One solution.
We Expire - https://weexpire.org/
Leave your critical details for loved ones after you die.
Interesting idea but has some subtle weaknesses. AES is a symmetric block cypher, so to decrypt the message, the original encryption key is required and therefore must be stored. The QR code contains a unique identification code - actually the initialisation vector (IV) used for the AES encryption - that the system uses to identify the correct stored key. A SHA256 hash of the message is also stored which is used to verify that a decrypted message is the same as the original.
They say that even if they're hacked, your message is safe, however if you have the QR code and gain access to the database or a database backup, you can decrypt the message. The site is not especially secure - it's PHP, relies on session data kept in local cookies and uses the notoriously vulnerable OpenSSL library, so the site and the virtual hosting environment are possibly vulnerable to a number of attack vectors.
I would still go for a safety deposit box or an established legal firm.
The newspaper I read had an article in summer 2022 about password managers and the crackability of most people's online life. It shook me out of my complacency and I signed up for a password manager (Lastpass) that I could use across Mac and Windows platforms. It took me three solid days to change every.single.password but I now have only three passwords I can remember all characterised by being a meaningful sentence that is long. I am glad I did it but cannot persuade wife to do the same so she is now our weakest link.
Widening the topic (hope that's OK), we're trying to work out how to provide emergency access to one another's bank accounts in the case of an unfortunate event. We both maintain our own finances and joint responsibility accounts. I'm thinking of getting a fingerprint usb drive that is registered to her fingerprints and storing the three passwords and key financial details on that so that in the event of my death she access resources as required. This seems the most burglar-proof solution. Any thoughts?
Widening the topic (hope that's OK), we're trying to work out how to provide emergency access to one another's bank accounts in the case of an unfortunate event. We both maintain our own finances and joint responsibility accounts. I'm thinking of getting a fingerprint usb drive that is registered to her fingerprints and storing the three passwords and key financial details on that so that in the event of my death she access resources as required. This seems the most burglar-proof solution. Any thoughts?
These days with the advances in medical science whilst death is still a risk, one also has to consider incapacity whether mental or physical as a potential outcome so I'd advise registering for Lasting Power of Attorney for both property and financial matters - two separate but similar documents -
https://www.gov.uk/power-of-attorney
It's a bit of a blunderbuss to execute if the event comes to pass but simple to put in place and ensures your chosen person can carry out legal and financial transactions on your behalf and hopefully in accordance with your wishes too.
Having those documents in place means that institutions are legally obliged to take instructions whether financial or property related by your chosen attorney who is acting on your behalf, and thus obviating the need for duplicate access/sharing of account details with a partner etc.
Whilst you might think otherwise it is the correct and legal way under UK Law to allow financial transactions upon a deceased or incapacitated persons accounts.
niemeyjt
Established Member
I clearly said "Obviously, this is on a previously obtained hash - not an interactive login which will lockout after a few failures".
I used LastPass but it's not "on" by default (see screenshot below). The browser plugin works by injecting several 100 KB of JavaScript (federated-login-content-script.js, inject-credentials.js,onloadwff.js,web-client-content-script.js) into every page you load, searching for username and password fields, then looking up the current URL to see if it has a candidate to auto fill.
The injected JavaScript can (and does) cause issues, e.g. with Chrome/Edge's developer tools (F12). I'm also unhappy with a browser plugin silently doing stuff with every page I load, so only run it when I specifically ask it. Plus, it uses a number of deprecated JavaScript features, e.g. unload event listeners.
One good thing about LastPass (apart from it being cross platform) is that it's a zero-knowledge system, i.e. the company (says it) has no access to your data - it's en/decrypted on your PC/tablet/phone. However that again opens up an attack vector, e.g. compromising another brower plugin so it can access LastPass' data in clear text. Another concern is that it's not open source, so is not subject to the scrutiny of the cryptographic community. Anyway, cryptography is as much about process, how the technology is implemented and used end to end, as it is about the encryption algorithm itself.
Two passwords that should never be in the password manager: the password manager password and your email password (they should only be in your head). Three un-obviously-related words with a punctuation mark or two and some digits and mixed case, e.g G0bl1n!Rab3itfish? - that has an entropy of 118 bits which qualifies as "Excellent" or "Very Strong"...
Note that blindly changing o => 0, i => 1 etc. is a well established mechanism and as such adds little to the real-world strength/entropy of a password.
Oh, and use multi-factor authentication (MFA) for ALL key sites that access financial or personal data, e.g. HMRC, banks, PayPal, eBay, email (webmail) etc. MFA requires two or more from these areas: something you know (e.g. password), something you have (e.g. a time-based code from an authenticator app) and/or something you are (fingerprint, facial recognition, retina scan...).
The injected JavaScript can (and does) cause issues, e.g. with Chrome/Edge's developer tools (F12). I'm also unhappy with a browser plugin silently doing stuff with every page I load, so only run it when I specifically ask it. Plus, it uses a number of deprecated JavaScript features, e.g. unload event listeners.
One good thing about LastPass (apart from it being cross platform) is that it's a zero-knowledge system, i.e. the company (says it) has no access to your data - it's en/decrypted on your PC/tablet/phone. However that again opens up an attack vector, e.g. compromising another brower plugin so it can access LastPass' data in clear text. Another concern is that it's not open source, so is not subject to the scrutiny of the cryptographic community. Anyway, cryptography is as much about process, how the technology is implemented and used end to end, as it is about the encryption algorithm itself.
Two passwords that should never be in the password manager: the password manager password and your email password (they should only be in your head). Three un-obviously-related words with a punctuation mark or two and some digits and mixed case, e.g G0bl1n!Rab3itfish? - that has an entropy of 118 bits which qualifies as "Excellent" or "Very Strong"...
Note that blindly changing o => 0, i => 1 etc. is a well established mechanism and as such adds little to the real-world strength/entropy of a password.
Oh, and use multi-factor authentication (MFA) for ALL key sites that access financial or personal data, e.g. HMRC, banks, PayPal, eBay, email (webmail) etc. MFA requires two or more from these areas: something you know (e.g. password), something you have (e.g. a time-based code from an authenticator app) and/or something you are (fingerprint, facial recognition, retina scan...).
Last edited:
stuart little
Established Member
--or using CA glue!
