* [gentoo-user] Coming up with a password that is very strong.
From: Dale @ 2019-02-04 5:47 UTC
To: gentoo-user
Howdy,
Some may recall me mentioning using LastPass to manage my passwords.
Obviously, it can generate very strong passwords that are different for
each site. It can also remember them as well which makes things more
secure than using just a few passwords for all sites. One for things
like financial sites, maybe a less secure one for some site you still
want reasonably secure and an even weaker one for sites you don't care
about hacking, and hackers likely won't either. I know some people who
do this even today. Heck, ages ago, I was one of them. Things change
tho. Some passwords can be hacked in seconds by a desktop computer,
including my own if I had the software and knowledge to do it.
The one thing about most all password managers, they have a master
password. That one password unlocks the rest. Trick is, having that
one be a good one that is easy to remember, type on a keyboard and be
secure, virtually unhackable but also unforgettable. I've had what used
to be a strong password for a while. Thing is, with today's computing
power, it really isn't anymore. While no one could just guess it, it
could be cracked/hacked I'm sure. I need to come up with a new one that
meets the requirements I just mentioned. Strong, easy to remember, easy
to type but won't forget. I've read that using maiden names, years of
birth or whole dates of birth, actual names, pet's name, words in a
dictionary and a whole list of other things makes it easier, especially
if you post a lot on social media, for hackers to use against you. I'm
trying to avoid that sort of thing obviously and have a couple ideas but
am curious as to what method others use, without exposing too much detail
since this is public.
How do you, especially those who admin systems that are always being
hacked at, generate strong passwords that meet the above? I've googled
and found some ideas but if I use the same method, well, how many others
are using that same method, if you know what I mean. ;-) Just looking
for ideas.
Thanks much.
Dale
:-) :-)
P. S. I haven't had time to deal with the video thing in previous
thread. It's on my todo list still. :-(
* Re: [gentoo-user] Coming up with a password that is very strong.
From: Peter Humphrey @ 2019-02-04 10:24 UTC
To: gentoo-user
On Monday, 4 February 2019 05:47:35 GMT Dale wrote:
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above? I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean. ;-) Just looking
> for ideas.
You could use a password generator to keep creating random passwords until it
comes up with something you like the look of, then learn it by rote. I did
that some time ago - it must be about time I did it again to make another one.
--
Regards,
Peter.
* Re: [gentoo-user] Coming up with a password that is very strong.
From: Neil Bothwick @ 2019-02-04 10:37 UTC
To: gentoo-user
On Mon, 04 Feb 2019 10:24:27 +0000, Peter Humphrey wrote:
> > How do you, especially those who admin systems that are always being
> > hacked at, generate strong passwords that meet the above? I've
> > googled and found some ideas but if I use the same method, well, how
> > many others are using that same method, if you know what I
> > mean. ;-) Just looking for ideas.
>
> You could use a password generator to keep creating random passwords
> until it comes up with something you like the look of, then learn it by
> rote. I did that some time ago - it must be about time I did it again
> to make another one.
https://xkcd.com/936/
--
Neil Bothwick
There's too much blood in my caffeine system.
* [gentoo-user] Re: Coming up with a password that is very strong.
From: Nikos Chantziaras @ 2019-02-04 11:10 UTC
To: gentoo-user
On 04/02/2019 07:47, Dale wrote:
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above? I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean. ;-) Just looking
> for ideas.
I don't use a password manager. For website logins, I just use the
password manager in the browser (Firefox), which does not use a master
password :-P I just assume my own system is not going to be compromised.
For the websites I use, I generate a unique password per site using this
command:
$ pwmake 128
This generates a password using 128 bits of entropy from /dev/urandom.
You need dev-libs/libpwquality installed (it's a dep of something
important, I think, so it should be installed on most systems already.)
For remote systems I administer through SSH, I don't use passwords. I
use a public/private key pair to log in (4096 bits.) My private key is
protected with a strong password though, but it's easy to remember since
it doesn't need to change. Something like:
ilp&mac4d@4*r
Which is short for:
I like pizza and macaroni for dinner at four star restaurants.
* Re: [gentoo-user] Coming up with a password that is very strong.
From: Mick @ 2019-02-04 11:17 UTC
To: gentoo-user
On Monday, 4 February 2019 10:37:03 GMT Neil Bothwick wrote:
> On Mon, 04 Feb 2019 10:24:27 +0000, Peter Humphrey wrote:
> > > How do you, especially those who admin systems that are always being
> > > hacked at, generate strong passwords that meet the above? I've
> > > googled and found some ideas but if I use the same method, well, how
> > > many others are using that same method, if you know what I
> > > mean. ;-) Just looking for ideas.
> >
> > You could use a password generator to keep creating random passwords
> > until it comes up with something you like the look of, then learn it by
> > rote. I did that some time ago - it must be about time I did it again
> > to make another one.
>
> https://xkcd.com/936/
Not strictly true ... the crackers would probably use rainbow table attacks
first. Also, it isn't fair to compare an 11 character passwd against a 25
character passwd. For the *same* number of characters used in any given
passwd, a random lower/upper/numerical/symbol passwd will provide an
exponentially higher degree of difficulty in cracking it with brute force,
than one which uses only lower case dictionary words. Anyway, these days many
attacks are focused on OS or hardware vulnerabilities which have been baked in
by design, rather than brute force attacks.
Any financial company worth their salt is employing 2-factor authentication
and account lockouts to stop brute forcing of users' credentials. So, guarding
against your own OS compromise is more important than individual website
credentials.
You will be surprised how many people are still using passwds like:
password
password1
arsenal
manchesterunited2018
fido
on websites which store their credit card details. O_O
You may want to take a look at app-admin/apg and to mitigate against your
CPU's lack of randomness use sys-apps/haveged. Combining multiple outputs of
apg should arrive at a passwd which is more secure than not.
--
Regards,
Mick
* [gentoo-user] Re: Coming up with a password that is very strong.
From: Nikos Chantziaras @ 2019-02-04 11:48 UTC
To: gentoo-user
On 04/02/2019 13:17, Mick wrote:
> You will be surprised how many people are still using passwds like:
>
> password
> password1
> arsenal
> manchesterunited2018
> fido
>
> on websites which store their credit card details. O_O
A friend of mine used "********" as a password because it matched what
was being shown on the screen while typing it, and thus no one would
ever be able to figure that one out. He thought he was being very smart.
* Re: [gentoo-user] Coming up with a password that is very strong.
From: Neil Bothwick @ 2019-02-04 13:21 UTC
To: gentoo-user
On Mon, 04 Feb 2019 11:17:13 +0000, Mick wrote:
> > https://xkcd.com/936/
>
> Not strictly true ... the crackers would probably use rainbow tables
> attacks first. Also, it isn't fair to compare an 11 character passwd
> against a 25 character passwd. For the *same* number of characters
> used in any given passwd, a random lower/upper/numerical/symbol passwd
> will provide an exponentially higher degree of difficulty in cracking
> it with brute force, than one which uses only lower case dictionary
> words. Anyway, these days many attacks are focused on OS or hardware
> vulnerabilities which have been baked in by design, rather than brute
> force attacks.
I'm not sure xkcd is meant to be taken that seriously...
--
Neil Bothwick
Help a man when he is in trouble and he will remember you when he is in
trouble again
* Re: [gentoo-user] Coming up with a password that is very strong.
From: Rich Freeman @ 2019-02-04 13:43 UTC
To: gentoo-user
On Mon, Feb 4, 2019 at 8:21 AM Neil Bothwick <neil@digimed.co.uk> wrote:
>
> On Mon, 04 Feb 2019 11:17:13 +0000, Mick wrote:
>
> > > https://xkcd.com/936/
> >
> > Not strictly true ... the crackers would probably use rainbow tables
> > attacks first. Also, it isn't fair to compare an 11 character passwd
> > against a 25 character passwd. For the *same* number of characters
> > used in any given passwd, a random lower/upper/numerical/symbol passwd
> > will provide an exponentially higher degree of difficulty in cracking
> > it with brute force, than one which uses only lower case dictionary
> > words. Anyway, these days many attacks are focused on OS or hardware
> > vulnerabilities which have been baked in by design, rather than brute
> > force attacks.
>
> I'm not sure xkcd is meant to be taken that seriously...
>
IMO xkcd has treated the situation more seriously than some of the
replies here...
Obviously words from a dictionary have less entropy per character than
random characters do, but the xkcd cartoon already takes this into
account.
For the same number of bits of ENTROPY a random password provides the
exact same level of security as one based on words.
To obtain that entropy through words requires more characters of
course. However, the whole point of the cartoon is that our brains
are much better at remembering words than random characters, since we
have a big chunk of grey matter evolved to do exactly that which is
more sophisticated than any computer on the planet so far.
Now, if you have some brain-dead software which only accepts 8
character passwords then you would obviously do better to use random
characters (truly random - not picking the most pleasing-looking
random password out of a list) than to try to cram one or two words in
there. Likewise, if you're using a password manager and want to
maximize entropy per bit of storage/transmission then random passwords
are better since words provide no utility.
However, if you want to obtain the highest number of bits of entropy
for a password that is memorized, xkcd makes a compelling argument
that you're better off with a longer password composed of words,
because they let you cram more entropy into your brain. Two bits from
a dictionary might be the same as two bits from 1/3rd of a random
character to a brute force cracking engine, but they aren't the same
to your brain. Xkcd isn't doing a like-for-like comparison, because
the two categories aren't alike.
--
Rich
* Re: [gentoo-user] Coming up with a password that is very strong.
From: Laurence Perkins @ 2019-02-04 16:42 UTC
To: gentoo-user@lists.gentoo.org
On Sun, 2019-02-03 at 23:47 -0600, Dale wrote:
>
>
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above? I've
> googled
> and found some ideas but if I use the same method, well, how many
> others
> are using that same method, if you know what I mean. ;-) Just
> looking
> for ideas.
>
> Thanks much.
>
> Dale
>
> :-) :-)
>
> P. S. I haven't had time to deal with the video thing in previous
> thread. It's on my todo list still. :-(
>
Take 80 to 100 characters of something you already have memorized.
Poetry, bible verses, RFCs, pages of the phone book, digits of pi out
of the middle, whatever. Run it through a transposition, substitution,
or combination cipher that you can calculate in your head on-the-fly.
(Do avoid the substitutions that everyone uses since those will be
tried first.)
Now you only need to remember a pointer to the memorized section, the
length, and the cipher specification. There are enough possible
combinations that an attacker won't be able to make a meaningful
reduction in entropy by examining your social media.
As an example: The second paragraph of Hamlet's soliloquy and invert
the case based on whether the corresponding digit of e is odd or even.
LMP
* Re: [gentoo-user] Coming up with a password that is very strong.
From: Lee Clagett @ 2019-02-04 18:39 UTC
To: gentoo-user
On Sun, 3 Feb 2019 23:47:35 -0600
Dale <rdalek1967@gmail.com> wrote:
> Howdy,
>
[...snip...]
>
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above? I've
> googled and found some ideas but if I use the same method, well, how
> many others are using that same method, if you know what I
> mean. ;-) Just looking for ideas.
Search for diceware. Memorizing 7-10 word passwords is possible and
fairly strong.
Lee
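To put numbers to Rich Freeman's point above that bits of entropy, not character count, decide strength, and to Lee's diceware suggestion, here is an added Python example that is not from the thread or any of its posters. The word list is a small constructed stand-in (a real Diceware list has 7776 words), the alphabet sizes and the 128-bit target are assumptions taken from the posts (pwmake 128, the 2048-word list behind xkcd 936), and the functions take any alphabet size, so they cover more cases than the two the thread compares.

```python
# Added example, not from the gentoo-user thread: compares the entropy of
# random-character passwords with word-based (Diceware / xkcd 936) passphrases.
import math
import secrets
import string

# Alphabet sizes for the comparison. 7776 = 6**5 is the size of a Diceware
# list (one word per roll of five dice); 2048 = 2**11 is the list size the
# xkcd 936 cartoon assumes (11 bits per word). Assumed values, not measured.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LOWERCASE = string.ascii_lowercase                                      # 26 symbols
DICEWARE_LIST_SIZE = 6 ** 5
XKCD_LIST_SIZE = 2 ** 11

# Constructed stand-in word list so the script runs offline. It is NOT a
# Diceware list; entropy is always computed from the list actually used.
SAMPLE_WORDS = (
    "correct horse battery staple pizza macaroni dinner restaurant "
    "gentoo kernel portage ebuild emerge overlay profile keyword"
).split()


def entropy_bits(alphabet_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from `alphabet_size` symbols."""
    return picks * math.log2(alphabet_size)


def picks_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of uniform picks (chars or words) reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def bits_lost_by_cherry_picking(candidates_shown: int) -> float:
    """Worst-case entropy lost when a human looks at N generated candidates and
    keeps the one they like: the chosen value is at most N times as likely as a
    single uniform draw, so min-entropy drops by at most log2(N) bits."""
    return math.log2(candidates_shown)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random-character password (what pwmake or a manager produces), from the CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(word_count: int, words=SAMPLE_WORDS) -> str:
    """Diceware-style passphrase: every word is an independent uniform pick."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def strength_report(target_bits: float = 128) -> dict:
    """Characters or words each scheme needs to reach target_bits of entropy."""
    return {
        "random_printable_chars": picks_needed(len(PRINTABLE), target_bits),
        "random_lowercase_chars": picks_needed(len(LOWERCASE), target_bits),
        "diceware_words": picks_needed(DICEWARE_LIST_SIZE, target_bits),
        "xkcd_words": picks_needed(XKCD_LIST_SIZE, target_bits),
    }


if __name__ == "__main__":
    for scheme, n in strength_report().items():
        print(f"{scheme:>24}: {n}")
    print("bits per printable char :", round(math.log2(len(PRINTABLE)), 2))
    print("bits per Diceware word  :", round(math.log2(DICEWARE_LIST_SIZE), 2))
    pw, pp = random_password(20), passphrase(4)
    print(f"{pw!r}: {entropy_bits(len(PRINTABLE), 20):.1f} bits")
    print(f"{pp!r}: {entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits (tiny sample list)")
    print("bits lost picking the nicest of 8:", bits_lost_by_cherry_picking(8))
```

The report shows why a 20-character pwmake-style password and a 10-word Diceware phrase land at the same 128-bit mark, and the last line quantifies the cost of Peter's "keep generating until you like one" habit.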
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
From: Jack @ 2019-02-04 19:38 UTC
To: gentoo-user
On 2019.02.04 06:10, Nikos Chantziaras wrote:
> On 04/02/2019 07:47, Dale wrote:
>> How do you, especially those who admin systems that are always being
>> hacked at, generate strong passwords that meet the above? I've
>> googled
>> and found some ideas but if I use the same method, well, how many
>> others
>> are using that same method, if you know what I mean. ;-) Just
>> looking
>> for ideas.
>
> I don't use a password manager. For website logins, I just use the
> password manager in the browser (Firefox), which does not use a
> master password :-P I just assume my own system is not going to be
> compromised.
>
> For the websites I use, I generate a unique password per site using
> this command:
>
> $ pwmake 128
>
> This generates a password using 128 bits of entropy from
> /dev/urandom. You need dev-libs/libpwquality being installed (it's a
> dep of something important, I think, so should be installed on most
> systems already.)
>
> For remote systems I administer through SSH, I don't use passwords. I
> use a public/private key pair to log in (4096 bits.) My private key
> is protected with a strong password though, but it's easy to remember
> since it doesn't need to change. Something like:
>
> ilp&mac4d@4*r
>
> Which is short for:
>
> I like pizza and macaroni for dinner at four star restaurants.
The problem I have with many of these suggestions is that I have
multiple devices (two desktops, two laptops, tablet, android phone) I
use sufficiently often that I either need to be able to remember the
passwords or have some way of easily accessing them when I'm not
sitting at my main desktop. Other than using a password manager (which
I do not currently have) how do others deal with this?
Jack
* [gentoo-user] Re: Coming up with a password that is very strong.
From: Dale @ 2019-02-04 20:09 UTC
To: gentoo-user
Dale wrote:
> Howdy,
>
> <<< SNIP >>>
>
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above? I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean. ;-) Just looking
> for ideas.
>
> Thanks much.
>
> Dale
>
> :-) :-)
>
> P. S. I haven't had time to deal with the video thing in previous
> thread. It's on my todo list still. :-(
>
I read the replies and got some ideas. I don't have any favorite songs
or sayings so that wouldn't work with me. I'm weird, as some know but
might not say it. ROFL I did come up with some things tho based on
replies. I then googled for some password checker sites, found three or
so, and checked to see what they think about my password. Here are some
results:
It would take a computer about 34 thousand years to crack your password
Medium size botnet About 143 billion years or Standard Desktop PC About
143 quadrillion years
Time to crack your password: 17 centuries or Review: Fantastic, using
that password makes you as secure as Fort Knox.
I'm not sure if one can convert that to NSA time or not. o_O The
password contains upper/lower case letters, couple symbols from up top
of the number keys and several numbers. None of which anyone would be
able to guess in any way. They have nothing to do with that list of
things not to use, birthdays etc. If a person was trying to just guess
it, even a best friend who knows me extremely well, they would not be
able to guess it much less the order of it. The only bad thing, it
isn't too easy to type. Of course, a really good password usually isn't
so . . .
I'm going to practice typing that thing in a bit to see if I get the
hang of it. Maybe it will grow on me or I can come up with a change
that makes it easier to type.
Thanks to all for the suggestions. It did help. Some were sort of
funny but they would make a good password easy to remember.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
From: Rich Freeman @ 2019-02-04 20:19 UTC
To: gentoo-user
On Mon, Feb 4, 2019 at 3:09 PM Dale <rdalek1967@gmail.com> wrote:
>
> I'm not sure if one can convert that to NSA time or not. o_O The
> password contains upper/lower case letters, couple symbols from up top
> of the number keys and several numbers. None of which anyone would be
> able to guess in any way. They have nothing to do with that list of
> things not to use, birthdays etc. If a person was trying to just guess
> it, even a best friend who knows me extremely well, they would not be
> able to guess it much less the order of it. The only bad thing, it
> isn't to easy to type. Of course, a really good password usually isn't
> so . . .
And do you use that password on only a single site?
If you use it on more than one, then as soon as one of those sites is
compromised it will sniff your password and then your password can be
used on all the others without any cpu cycles wasted on brute-forcing
it at all.
That is the weakness of random passwords. Unless you use some kind of
password manager you won't actually use a unique password on each site
due to difficulty with memorization...
--
Rich
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
From: Dale @ 2019-02-04 20:49 UTC
To: gentoo-user
Nikos Chantziaras wrote:
> On 04/02/2019 07:47, Dale wrote:
>> How do you, especially those who admin systems that are always being
>> hacked at, generate strong passwords that meet the above? I've googled
>> and found some ideas but if I use the same method, well, how many others
>> are using that same method, if you know what I mean. ;-) Just looking
>> for ideas.
>
> I don't use a password manager. For website logins, I just use the
> password manager in the browser (Firefox), which does not use a master
> password :-P I just assume my own system is not going to be compromised.
>
> For the websites I use, I generate a unique password per site using
> this command:
>
> $ pwmake 128
>
> This generates a password using 128 bits of entropy from /dev/urandom.
> You need dev-libs/libpwquality being installed (it's a dep of
> something important, I think, so should be installed on most systems
> already.)
>
> For remote systems I administer through SSH, I don't use passwords. I
> use a public/private key pair to log in (4096 bits.) My private key is
> protected with a strong password though, but it's easy to remember
> since it doesn't need to change. Something like:
>
> ilp&mac4d@4*r
>
> Which is short for:
>
> I like pizza and macaroni for dinner at four star restaurants.
>
>
>
One reason I use LastPass, it is mobile. I can go to someone else's
computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
logoff and it is like I was never there. Also, if my computer were to
die a sudden death, power supply goes bonkers and burns everything in it
up including hard drives, my passwords are still safe but available.
When I get a new rig built, I can install LastPass, put in my email and
password then go on like nothing ever happened. I can also use a
neighbor's computer to order the parts for a new rig as well. I just use
LastPass on their computer. I could do that even if my backups were out
of date as well.
I also like that it generates passwords that are dang near impossible to
crack. It also doesn't have to be anything I can remember either. This
is a few examples of what it generates.
*k0Dx^RiNPHOocIg
5wfy&YQA&vNa4^HHgwZ3
NnWM9DwCrVYyVryS3Aa9
Now I admit, I sometimes see one that pops up that I don't like the
looks of and I click for a new one. Just like the last one in the
list. It has two of the same letter at the beginning. One upper and
one lower but still the same. I'd skip that one. Still, good luck
guessing it easily. Cracking it is always possible but it makes it
difficult. Also, I sometimes have to leave off the other characters
since some websites don't allow those. My bank for example doesn't
allow a couple of them. I think "*" and "$" are a no go. It does reject
it when you try to enter it tho.
If I were to ever get me a smart phone, LastPass works on those too. I
still like my Razr tho. It makes phone calls and allows me to text. It
does what I need. It also takes the place of a watch as well. ;-)
I get why some may just use Firefox or other browsers' password tool but
thing is, if you don't have a backup of it and something happens, you
could be working a while to get those passwords going again. If I
recall correctly, I have to go to the bank, present ID and such to do a
complete reset of my bank password. I know it was that way several
years ago because I had to do it once.
Those keys do work for things that support it. I don't think any site I
use has that ability tho. If it does, I don't know about it. Maybe one
day tho.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
From: Neil Bothwick @ 2019-02-04 20:51 UTC
To: gentoo-user
On Mon, 04 Feb 2019 14:38:38 -0500, Jack wrote:
> The problem I have with many of these suggestions is that I have
> multiple devices (two desktops, two laptops, tablet, android phone) I
> use sufficiently often that I either need to be able to remember the
> passwords or have some way of easily accessing them when I'm not
> sitting at my main desktop. Other than using a password manager
> (which I do not currently have) how to others deal with this?
If you don't want to use an online password manager like LastPass, you
could use a local solution. I use KeePassX, which is available for Linux
and Android (and some minority OSes). It stores the passwords in an
encrypted database file, protected by a master password. As it's a single
file it is easy enough to keep this synchronised between devices. I
initially did this with DropBox but soon switched to Syncthing.
It's just another file to keep synchronised between devices, so use
whatever method you already use for that purpose.
--
Neil Bothwick
You are about to give someone a piece of your mind,
something you can ill afford...
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
From: Rich Freeman @ 2019-02-04 20:59 UTC
To: gentoo-user
On Mon, Feb 4, 2019 at 3:49 PM Dale <rdalek1967@gmail.com> wrote:
>
> One reason I use LastPass, it is mobile. I can go to someone else's
> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> logoff and it is like I was never there.
As much as I like Lastpass I would never do that. It isn't magic - it
is javascript. If there is a compromise on your computer, then your
password database will be compromised. This is true of other
solutions like KeePassX and so on - if something roots your box then
it will be compromised.
If you were talking about something like a Chromebook that is still
locked down and you're using guest mode or logging in under a separate
user account from anybody else, then you're probably fairly safe
against that. However, if you're just looking into a generic windows
box or a shared linux account then there isn't going to be much
protection if something has compromised the system.
At that point you're vulnerable to all kinds of attacks, from theft of
the password manager database, to just skimming the accounts you're
using.
This won't stop sniffing of individual passwords, but you could at
least protect your overall database by looking up the password on a
secure device (your phone or whatever) and rekeying it on the
untrusted device. Then while that password is still vulnerable your
password database never touches that box.
--
Rich
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
From: Neil Bothwick @ 2019-02-04 21:06 UTC
To: gentoo-user
On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> > One reason I use LastPass, it is mobile. I can go to someone else's
> > computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> > logoff and it is like I was never there.
>
> As much as I like Lastpass I would never do that. It isn't magic - it
> is javascript. If there is a compromise on your computer, then your
> password database will be compromised. This is true of other
> solutions like KeePassX and so on - if something roots your box then
> it will be compromised.
I don't see what root has to do with it. If someone gains access to your
box, they can copy the database file and then take their time trying to
crack the password, but you don't need to be root to do that.
--
Neil Bothwick
... "I'm simply not a nice girl", she whispered tartly.
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
From: Dale @ 2019-02-04 21:39 UTC
To: gentoo-user
Rich Freeman wrote:
> On Mon, Feb 4, 2019 at 3:09 PM Dale <rdalek1967@gmail.com> wrote:
>> I'm not sure if one can convert that to NSA time or not. o_O The
>> password contains upper/lower case letters, couple symbols from up top
>> of the number keys and several numbers. None of which anyone would be
>> able to guess in any way. They have nothing to do with that list of
>> things not to use, birthdays etc. If a person was trying to just guess
>> it, even a best friend who knows me extremely well, they would not be
>> able to guess it much less the order of it. The only bad thing, it
>> isn't too easy to type. Of course, a really good password usually isn't
>> so . . .
> And do you use that password on only a single site?
>
> If you use it on more than one, then as soon as one of those sites is
> compromised it will sniff your password and then your password can be
> used on all the others without any cpu cycles wasted on brute-forcing
> it at all.
>
> That is the weakness of random passwords. Unless you use some kind of
> password manager you won't actually use a unique password on each site
> due to difficulty with memorization...
>
Right now, I'm coming up with a master password for LastPass and maybe a
new set of keys. I may use something different for my keys to your
point. My encryption thingy broke on Seamonkey, the keys are broken
somehow. I googled, tried some stuff but can't figure out how to fix
them so I revoked the things and am going to start fresh. Heck, only
one person ever uses them anyway. lol
Once I get logged into LastPass, I generate unique passwords with it for
each site. Depending on the site, I try to generate as long and use as
many characters as the site will allow. If it allows the symbols on top
of the number keys, I enable them. If it doesn't, I cut that off. If
it allows 20 characters, I set it to generate 20. It's not like I have
to remember it or even type it in either. I may as well be as secure
and random as possible. The master password is the current project tho.
Way back, I used to have three passwords. One fairly secure one for
financial type sites, one somewhat decent one for stuff like social
sites and one I could care less about. None of them would be easy to
guess but the complexity changed. Nowadays, I wouldn't even dream of
doing like that. Far too many script kiddies out there trying to steal
stuff. That doesn't even mention the pros and what they do.
You are right tho, reusing passwords is a really bad idea. It makes it
dead simple to hack everything else.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-04 21:06 ` Neil Bothwick
@ 2019-02-04 22:12 ` Dale
2019-02-04 23:18 ` Rich Freeman
2019-02-04 23:26 ` Mick
0 siblings, 2 replies; 62+ messages in thread
From: Dale @ 2019-02-04 22:12 UTC (permalink / raw
To: gentoo-user
Neil Bothwick wrote:
> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>
>>> One reason I use LastPass, it is mobile. I can go to someone else's
>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>> logoff and it is like I was never there.
>> As much as I like Lastpass I would never do that. It isn't magic - it
>> is javascript. If there is a compromise on your computer, then your
>> password database will be compromised. This is true of other
>> solutions like KeePassX and so on - if something roots your box then
>> it will be compromised.
> I don't see what root has to do with it. If someone gains access to your
> box, they can copy the database file and then take their time trying to
> crack the password, but you don't need to be root to do that.
>
>
I might point out, LastPass encrypts the password before sticking it in
a file. It isn't visible or plain text. Even getting the file would
still require some tools and cracking to get the password itself.
Cracking the master password would likely be much easier and doesn't
even require access to the box itself, Linux or windoze. Also, LastPass
only stores the encrypted password on its servers. Even if LastPass is
hacked, the passwords are still encrypted. It's one reason LastPass
shouldn't have to worry about getting court orders to turn over
passwords. It doesn't really have them. I would suspect that cracking
an encrypted password is as difficult as just poking at a password
until it is guessed.
Even if a person is using a perfect tool, cracking a password is always
going to be possible. The tougher the password, the harder it will be
and the longer it will take. Still, it can be done. Using these tools
just makes it harder. I'm not aware of a perfect password tool. I
doubt one exists or ever will either. ;-) It's still good to pick one,
use it and try to be as secure as one can.
Dale
:-) :-)
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-04 5:47 [gentoo-user] Coming up with a password that is very strong Dale
` (4 preceding siblings ...)
2019-02-04 20:09 ` [gentoo-user] " Dale
@ 2019-02-04 22:34 ` Tanstaafl
2019-02-05 1:10 ` Dale
2019-02-05 4:42 ` Roger J. H. Welsh
2019-02-10 16:12 ` Andrew Savchenko
7 siblings, 1 reply; 62+ messages in thread
From: Tanstaafl @ 2019-02-04 22:34 UTC (permalink / raw
To: gentoo-user
On 2/4/2019, 12:47:35 AM, Dale <rdalek1967@gmail.com> wrote:
> Thing is, with today's computing power, it really isn't anymore.
> While no one could just guess it, it could be cracked/hacked I'm
> sure. I need to come up with a new one that meets the requirements I
> just mentioned. Strong, easy to remember, easy to type but won't
> forget. I've read that using maiden names, years of birth or whole
> dates of birth, actual names, pet's name, words in a dictionary and a
> whole list of other things makes it easier, especially if you post a
> lot on social media, for hackers to use against you. I'm trying to
> avoid that sort of thing obviously and have a couple ideas but am
> curious as to what method others use, without exposing too much
> detail since this is public.
I've been using a little Firefox Addon called Passwordmaker for many,
many years, and despite all of its warts, I've been loath to give it
up, even though it will never be upgraded to work as a WebExtension.
2 things I loved about it -
a) it doesn't save the password locally, only info about the
site/account, and
b) you can use an unlimited number of Master Passwords
I'm looking at migrating to KeePassXC, and even though I really hate the
idea of saving the actual password - Passwordmaker simply generates the
password on the fly each time based on certain specified criteria (i.e.,
the site URL, username, password length, etc. for each account) - one
technique I adopted shortly after assisting in updating the
Passwordmaker website eases my mind about it...
This is a simple technique I strongly recommend that everyone employ,
especially if you use a Password manager (like LastPass or KeePass)...
It is uncrackable (well, as long as it isn't the CIA or NSA that wants
to crack it and they are willing to kidnap/torture you to do so).
You sit down and come up with a ... call it a 'password modification
protocol' ... whereby, you always modify your generated/stored password
in a specific way before pressing enter.
For example, you delete characters 3, 5 and 7, then add 2 characters to
the beginning and 2 to the end.
It is very simple, and negates worrying about someone stealing your
password vault.
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-04 22:12 ` Dale
@ 2019-02-04 23:18 ` Rich Freeman
2019-02-05 7:34 ` Dale
2019-02-04 23:26 ` Mick
1 sibling, 1 reply; 62+ messages in thread
From: Rich Freeman @ 2019-02-04 23:18 UTC (permalink / raw
To: gentoo-user
On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@gmail.com> wrote:
>
> Neil Bothwick wrote:
> > On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >
> >>> One reason I use LastPass, it is mobile. I can go to someone else's
> >>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>> logoff and it is like I was never there.
> >> As much as I like Lastpass I would never do that. It isn't magic - it
> >> is javascript. If there is a compromise on your computer, then your
> >> password database will be compromised. This is true of other
> >> solutions like KeePassX and so on - if something roots your box then
> >> it will be compromised.
> > I don't see what root has to do with it. If someone gains access to your
> > box, they can copy the database file and then take their time trying to
> > crack the password, but you don't need to be root to do that.
Correct, it just needs access to the user's data or browser process,
which could mean running as root, or that user.
>
> I might point out, LastPass encrypts the password before sticking it in
> a file. It isn't visible or plain text. Even getting the file would
> still require some tools and cracking to get the password itself.
That assumes you're attacking the password file directly.
If you're using lastpass on a compromised system then there are many
ways that can be used to bypass the encryption. They could sniff
your master password when you key it in, or read it directly from the
browser's memory. These things are protected from sandboxed code in
your browser, but not from processes running outside the browser
(unless again you're using a non-conventional privilege system like
selinux/android/etc).
--
Rich
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-04 22:12 ` Dale
2019-02-04 23:18 ` Rich Freeman
@ 2019-02-04 23:26 ` Mick
2019-02-05 7:55 ` Dale
2019-02-05 8:41 ` Neil Bothwick
1 sibling, 2 replies; 62+ messages in thread
From: Mick @ 2019-02-04 23:26 UTC (permalink / raw
To: gentoo-user
On Monday, 4 February 2019 22:12:16 GMT Dale wrote:
> Neil Bothwick wrote:
> > On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >>> One reason I use LastPass, it is mobile. I can go to someone else's
> >>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>> logoff and it is like I was never there.
> >>
> >> As much as I like Lastpass I would never do that. It isn't magic - it
> >> is javascript. If there is a compromise on your computer, then your
> >> password database will be compromised. This is true of other
> >> solutions like KeePassX and so on - if something roots your box then
> >> it will be compromised.
> >
> > I don't see what root has to do with it. If someone gains access to your
> > box, they can copy the database file and then take their time trying to
> > crack the password, but you don't need to be root to do that.
>
> I might point out, LastPass encrypts the password before sticking it in
> a file. It isn't visible or plain text. Even getting the file would
> still require some tools and cracking to get the password itself.
> Cracking the master password would likely be much easier and doesn't
> even require access to the box itself, Linux or windoze. Also, LastPass
> only stores the encrypted password on its servers. Even if LastPass is
> hacked, the passwords are still encrypted. It's one reason LastPass
> shouldn't have to worry about getting court orders to turn over
> passwords. It doesn't really have them. I would suspect that cracking
>> an encrypted password is as difficult as just poking at a password
> until it is guessed.
>
> Even if a person is using a perfect tool, cracking a password is always
> going to be possible. The tougher the password, the harder it will be
> and the longer it will take. Still, it can be done. Using these tools
> just makes it harder. I'm not aware of a perfect password tool. I
> doubt one exists or ever will either. ;-) It's still good to pick one,
> use it and try to be as secure as one can.
>
> Dale
>
> :-) :-)
A solution like LastPass et al., using a browser's javascript to access it,
under a single master passwd, theoretically would have so many side-channel
attacks no one would be wasting time to brute force anything.
https://en.wikipedia.org/wiki/LastPass#Security_issues
You could use gpg/openssl to encrypt a number of files, which would contain
your different website/application passwds. For paranoid use cases you can
use asymmetric keys and store your private key out-of-band. Sure, it won't be
as convenient as LastPass, but I expect it would be more secure and unlikely
to be compromised by XSS vulnerabilities.
--
Regards,
Mick
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-04 22:34 ` [gentoo-user] " Tanstaafl
@ 2019-02-05 1:10 ` Dale
2019-02-05 19:49 ` Tanstaafl
0 siblings, 1 reply; 62+ messages in thread
From: Dale @ 2019-02-05 1:10 UTC (permalink / raw
To: gentoo-user
Tanstaafl wrote:
> On 2/4/2019, 12:47:35 AM, Dale <rdalek1967@gmail.com> wrote:
>> Thing is, with today's computing power, it really isn't anymore.
>> While no one could just guess it, it could be cracked/hacked I'm
>> sure. I need to come up with a new one that meets the requirements I
>> just mentioned. Strong, easy to remember, easy to type but won't
>> forget. I've read that using maiden names, years of birth or whole
>> dates of birth, actual names, pet's name, words in a dictionary and a
>> whole list of other things makes it easier, especially if you post a
>> lot on social media, for hackers to use against you. I'm trying to
>> avoid that sort of thing obviously and have a couple ideas but am
>> curious as to what method others use, without exposing too much
>> detail since this is public.
> I've been using a little Firefox Addon called Passwordmaker for many,
> many years, and despite all of its warts, I've been loath to give it
> up, even though it will never be upgraded to work as a WebExtension.
>
> 2 things I loved about it -
>
> a) it doesn't save the password locally, only info about the
> site/account, and
> b) you can use an unlimited number of Master Passwords
>
> I'm looking at migrating to KeePassXC, and even though I really hate the
> idea of saving the actual password - Passwordmaker simply generates the
> password on the fly each time based on certain specified criteria (i.e.,
> the site URL, username, password length, etc. for each account) - one
> technique I adopted shortly after assisting in updating the
> Passwordmaker website eases my mind about it...
>
> This is a simple technique I strongly recommend that everyone employ,
> especially if you use a Password manager (like LastPass or KeePass)...
>
> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
> to crack it and they are willing to kidnap/torture you to do so).
>
> You sit down and come up with a ... call it a 'password modification
> protocol' ... whereby, you always modify your generated/stored password
> in a specific way before pressing enter.
>
> For example, you delete characters 3, 5 and 7, then add 2 characters to
> the beginning and 2 to the end.
>
> It is very simple, and negates worrying about someone stealing your
> password vault.
>
>
I tried to find it just to see how it works but it isn't listed. From
what you wrote, you may want to at least check into LastPass. Link
below. It may do what you currently use and some. I only use the free
version and it does more than I need already. I think if I get a smart
phone, I'd have to pay a small monthly fee. Still, I'm sure there is a
tool that will suit your needs. There are a lot of them out there.
Typing password in the add-on search box produces a LOT of results.
Just find a good one and let it work for you.
https://www.lastpass.com/
I'm not sure I understand what you mean password modification protocol.
It sounds like you change your master password each time you use it. If
I did that, I'd never know which one to use because that would confuse
me. I don't write passwords down, period. I went to the local nursing
home the other day, to drop off some puzzle books and a bunch of
bananas, and they have a coded entry thing on the door. I entered the
code a couple times and it didn't work. One of the nurses that was
coming on shift came up and entered the code. When she told me the
code, I realized I was using the code they had before the current one.
I shifted back in time a bit I guess. I may not have a flux capacitor
but I did it anyway. lol I admit, some of the new things they use, I
have no idea how they work since I've never used most of them. I've
read about a few of them but don't really get how they work. If I used
them, I'd get it.
What I hate most, when my bank changes something about their login
process and a little research shows it accomplishes nothing. My credit
card site has this picture and phrase thing. I found where it was
researched and it does little to actually help because most people don't
pay it any attention. My biggest cheat, I adblock stuff on the bank
website, like their great big logo thing. If I do go to a website and
that logo shows up, it didn't match my adblock setting. At that point,
that gets a little extra attention until I know for sure and for certain
I'm on the correct site. Also, LastPass will pick up it's on the wrong
site too. It won't fill in the password info if it doesn't match up.
They've had the same logo on the site for years.
It's amazing what we have to do with our computers to keep ourselves
safe because of . . . computers. :/ I guess this is one reason I like
Linux. It at least tries to be secure.
Dale
:-) :-)
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-04 5:47 [gentoo-user] Coming up with a password that is very strong Dale
` (5 preceding siblings ...)
2019-02-04 22:34 ` [gentoo-user] " Tanstaafl
@ 2019-02-05 4:42 ` Roger J. H. Welsh
2019-02-10 16:12 ` Andrew Savchenko
7 siblings, 0 replies; 62+ messages in thread
From: Roger J. H. Welsh @ 2019-02-05 4:42 UTC (permalink / raw
To: gentoo-user
Hi Dale,
On Sun, Feb 03, 2019 at 11:47:35PM -0600, Dale wrote:
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?
I have a script for generating passwords the way I like (basically diceware on bash).
Something like:
FACTOR=$(( 2**(4*8) / $(wc -l < "$WORDLIST") ))   # 2^32 divided by the number of words
# 32 random bits scaled to a line number; the +1 keeps word 1 reachable (head -n 0 prints nothing)
head -n "$(( $(od -vAn -N4 -tu4 < /dev/random) / FACTOR + 1 ))" "$WORDLIST" | tail -n 1
I use this in conjunction with
https://github.com/dwyl/english-words/blob/master/words.txt
As far as I understand, if you have about 96 bits of entropy you are
golden. 256 bits is unbruteforceable (at least within the realms of
physics apparently).
5 words = 94 bits (which is good enough for me)
14 words = 256 bits (which seems like a lot of typing)
I also have a messy spreadsheet for checking passwords.
https://github.com/rjhwelsh/gpg-tutorial/blob/master/password_checker.ods
I provide no warranty for my working. ;)
--
Roger Welsh
fpr: 2FCB 9E31 EA77 CDEC A3AE 5DD7 D54C C777 553A 180D
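Roger's diceware one-liner, worked into a small POSIX shell script together with the entropy arithmetic he quotes (k words drawn from an N-word list give k * log2(N) bits). This is an added example, not Roger's script: it assumes a newline-separated word list, reads /dev/urandom where his one-liner reads /dev/random, and embeds a constructed eight-word list so it runs offline; point WORDLIST at a real list such as the dwyl words.txt for actual use.

```shell
#!/bin/sh
# Added example (not Roger's script): diceware-style passphrase picker with
# the entropy arithmetic from his post. Assumes a newline-separated word list
# and uses /dev/urandom (his one-liner reads /dev/random); awk supplies log2.
set -eu

# Constructed eight-word demo list so the example runs offline. Point
# WORDLIST at a real list (e.g. the dwyl english-words words.txt) for real use.
DEMO_LIST="${TMPDIR:-/tmp}/diceware-demo-$$.txt"
printf '%s\n' correct horse battery staple gentoo emerge portage kernel > "$DEMO_LIST"
WORDLIST="${WORDLIST:-$DEMO_LIST}"

# Number of candidate words (lines) in a list.
wordlist_size() { wc -l < "$1" | tr -d ' '; }

# One uniform 32-bit unsigned integer from the kernel CSPRNG.
rand32() { od -vAn -N4 -tu4 < /dev/urandom | tr -d ' \n'; }

# Pick one word: scale the 32-bit value into a 1-based line number, as in
# Roger's "FACTOR = 2^32 / N" one-liner. The "+ 1" avoids "head -n 0"
# (empty output) and the clamp covers the rare value that rounds past N.
pick_word() {
    list="$1"
    n=$(wordlist_size "$list")
    [ "$n" -gt 0 ] || { echo "pick_word: empty word list" >&2; return 1; }
    line=$(( $(rand32) / (4294967296 / n) + 1 ))
    [ "$line" -le "$n" ] || line=$n
    sed -n "${line}p" "$list"
}

# Passphrase of K words separated by single spaces.
passphrase() {
    list="$1"; k="$2"; out=""; i=0
    while [ "$i" -lt "$k" ]; do
        out="${out:+$out }$(pick_word "$list")"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Entropy in bits of K words drawn uniformly from an N-word list: K * log2(N).
# This is the arithmetic behind "5 words = 94 bits" for a ~460k-word list.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f\n", k * log(n) / log(2) }'
}

# Smallest K that reaches a target bit count (e.g. 96 or 256) for an N-word list.
words_needed() {
    awk -v n="$1" -v t="$2" 'BEGIN {
        b = log(n) / log(2); k = int(t / b); if (k * b < t) k++; print k }'
}

main() {
    n=$(wordlist_size "$WORDLIST")
    echo "word list: $WORDLIST ($n words, $(entropy_bits "$n" 1) bits per word)"
    echo "5 words give $(entropy_bits "$n" 5) bits; 96 bits need $(words_needed "$n" 96) words"
    echo "passphrase: $(passphrase "$WORDLIST" 5)"
}
main
```

With the eight-word demo list each word is only 3 bits, which is why the script reports that 96 bits would take dozens of words; a list the size of words.txt brings that down to the five words Roger settles on.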
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-04 13:21 ` [gentoo-user] " Neil Bothwick
2019-02-04 13:43 ` Rich Freeman
@ 2019-02-05 6:48 ` Dale
2019-02-05 9:55 ` Mick
1 sibling, 1 reply; 62+ messages in thread
From: Dale @ 2019-02-05 6:48 UTC (permalink / raw
To: gentoo-user
Neil Bothwick wrote:
> On Mon, 04 Feb 2019 11:17:13 +0000, Mick wrote:
>
>>> https://xkcd.com/936/
>> Not strictly true ... the crackers would probably use rainbow tables
>> attacks first. Also, it isn't fair to compare an 11 character passwd
>> against a 25 character passwd. For the *same* number of characters
>> used in any given passwd, a random lower/upper/numerical/symbol passwd
>> will provide an exponentially higher degree of difficulty in cracking
>> it with brute force, than one which uses only lower case dictionary
>> words. Anyway, these days many attacks are focused on OS or hardware
>> vulnerabilities which have been baked in by design, rather than brute
>> force attacks.
> I'm not sure xkcd is meant to be taken that seriously...
>
>
Sort of picking a random message to reply to here. Someone sent a reply
off list about checking passwords on my system with tools available.
They also mentioned not trusting strength meters which I can get since
they pass some obvious passwords. I used three meters and some sort of
common sense as well. I found cracklib-check after some digging. I
used that to try to check my password and get this weird response.
-su: me-supper-secret-password-here;): event not found
I'm going to try to emulate my password without actually posting it, for
obvious reasons. You all are smart enough to understand why. ROFL It
has some of the following 'stuff' in it. !sdER*ark4567# As you can
tell, I use some of those things on the tops of the number keys. It
seems that confuses cracklib just a bit. BTW, I was running that as
root just to be sure it wasn't a permissions issue. I tried a few
different things but it seems the "!" is triggering that at least, maybe
others too. The command works fine with just normal stuff. That leads
me to this question. Is there a tool I can use/install that will test a
password, try to crack it if you will, that will work regardless of the
characters used? In other words, it doesn't mind the things on top of
the number keys.
BTW, I've also whittled it down to something a little easier to type
too. Feel sorry for any poor fool trying to just guess it. lol May
have better luck with P vs NP. ;-)
Thanks.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-04 23:18 ` Rich Freeman
@ 2019-02-05 7:34 ` Dale
2019-02-05 14:13 ` Rich Freeman
0 siblings, 1 reply; 62+ messages in thread
From: Dale @ 2019-02-05 7:34 UTC (permalink / raw
To: gentoo-user
Rich Freeman wrote:
> On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@gmail.com> wrote:
>> Neil Bothwick wrote:
>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>
>>>>> One reason I use LastPass, it is mobile. I can go to someone else's
>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>> logoff and it is like I was never there.
>>>> As much as I like Lastpass I would never do that. It isn't magic - it
>>>> is javascript. If there is a compromise on your computer, then your
>>>> password database will be compromised. This is true of other
>>>> solutions like KeePassX and so on - if something roots your box then
>>>> it will be compromised.
>>> I don't see what root has to do with it. If someone gains access to your
>>> box, they can copy the database file and then take their time trying to
>>> crack the password, but you don't need to be root to do that.
> Correct, it just needs access to the user's data or browser process,
> which could mean running as root, or that user.
>
>> I might point out, LastPass encrypts the password before sticking it in
>> a file. It isn't visible or plain text. Even getting the file would
>> still require some tools and cracking to get the password itself.
> That assumes you're attacking the password file directly.
>
> If you're using lastpass on a compromised system then there are many
> ways that can be used to bypass the encryption. They could sniff
> your master password when you key it in, or read it directly from the
> browser's memory. These things are protected from sandboxed code in
> your browser, but not from processes running outside the browser
> (unless again you're using a non-conventional privilege system like
> selinux/android/etc).
>
One could argue the same thing with any password tool out there tho,
right? After all, at some point, all password tools have to decrypt the
password even if it is only in memory. At that point, it can be
'sniffed' out. Thing is, if my system or any system I use is
compromised, I'll have the same issue no matter what I do or what tool I
use. Even if I use the password tool included in Firefox or any other
browser, wouldn't I run into the same problem? Wouldn't I run into some
other security problem if I used no password tool at all and just typed
in the same password for say 20 or 30 different sites? The solution is,
be reasonably secure. Nothing is 100% secure unless it is turned off
completely, maybe not even then. I'm sure even selinux has its security
issues as well. It is after all an OS that runs a lot of code and only
needs one flaw in it.
As I've pointed out before on different topics, if a person gets
physical access or control of a machine and is able to install things on
it, it doesn't really matter what one does unless they can detect it
somehow before ever using anything. Given I only install things from
trusted sources, the odds of that happening are likely very small. Even
my neighbors don't install much of anything because they mostly use it
to access financial sites and to check their email. They are an older
pair so they don't use it like even someone my age does. Still, if I
did have to use it in a situation, such as ordering computer parts to
rebuild, I'd likely change my more important passwords just to be sure
ASAP. I already do that regularly anyway especially for my financial
sites. That's another thing LastPass tracks, how long a password has
been in use for a site. It reminds me of that sort of thing.
While I'm trying to come up with a good password, I don't expect it to
cover every possible case. While I use LastPass, I don't expect it to
be a perfect solution. I wouldn't expect it of any other tool either.
Thing is, LastPass does what I need and is likely as secure as other
tools that can do the same things. I get that one can be hacked as you
describe but once a person is able to do what you describe, it really
doesn't matter what tool I use. Even a simple keylogger can do the job
if I use no password tool at all. I'm just trying to be reasonably
secure. If everyone or even most everyone would do the same, those
little script kiddies would have to work much harder. That's one thing I
read about while googling for ways to come up with passwords. Over half
the people using passwords use some really awful ones. Some use the
same one for a lot of sites as well. Something we both know is bad. If
everyone would put in even a tenth of the effort I am, the internet
would be a much safer place.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-04 23:26 ` Mick
@ 2019-02-05 7:55 ` Dale
2019-02-05 11:34 ` Mick
2019-02-05 8:41 ` Neil Bothwick
1 sibling, 1 reply; 62+ messages in thread
From: Dale @ 2019-02-05 7:55 UTC (permalink / raw
To: gentoo-user
Mick wrote:
> On Monday, 4 February 2019 22:12:16 GMT Dale wrote:
>> Neil Bothwick wrote:
>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>>> One reason I use LastPass, it is mobile. I can go to someone else's
>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>> logoff and it is like I was never there.
>>>> As much as I like Lastpass I would never do that. It isn't magic - it
>>>> is javascript. If there is a compromise on your computer, then your
>>>> password database will be compromised. This is true of other
>>>> solutions like KeePassX and so on - if something roots your box then
>>>> it will be compromised.
>>> I don't see what root has to do with it. If someone gains access to your
>>> box, they can copy the database file and then take their time trying to
>>> crack the password, but you don't need to be root to do that.
>> I might point out, LastPass encrypts the password before sticking it in
>> a file. It isn't visible or plain text. Even getting the file would
>> still require some tools and cracking to get the password itself.
>> Cracking the master password would likely be much easier and doesn't
>> even require access to the box itself, Linux or windoze. Also, LastPass
>> only stores the encrypted password on its servers. Even if LastPass is
>> hacked, the passwords are still encrypted. It's one reason LastPass
>> shouldn't have to worry about getting court orders to turn over
>> passwords. It doesn't really have them. I would suspect that cracking
>> an encrypted password is as difficult as just poking at a password
>> until it is guessed.
>>
>> Even if a person is using a perfect tool, cracking a password is always
>> going to be possible. The tougher the password, the harder it will be
>> and the longer it will take. Still, it can be done. Using these tools
>> just makes it harder. I'm not aware of a perfect password tool. I
>> doubt one exists or ever will either. ;-) It's still good to pick one,
>> use it and try to be as secure as one can.
>>
>> Dale
>>
>> :-) :-)
> A solution like LastPass et al., using a browser's javascript to access it,
> under a single master passwd, theoretically would have so many side-channel
> attacks no one would be wasting time to brute force anything.
>
> https://en.wikipedia.org/wiki/LastPass#Security_issues
>
> You could use gpg/openssl to encrypt a number of files, which would contain
> your different website/application passwds. For paranoid use cases you can
> use asymmetric keys and store your private key out-of-band. Sure, it won't be
> as convenient as LastPass, but I expect it would be more secure and unlikely
> to be compromised by XSS vulnerabilities.
>
From what I read, no users had their passwords compromised in those. As
I pointed out earlier, the passwords are already encrypted when they are
sent to LastPass. If I called LastPass, could prove I am who I claim to
be and asked them for a password to a site, they couldn't give it to me
because it is encrypted when it leaves my machine.
The only breach I recall is when they said that users' email addresses
were taken. There was once where they asked everyone to change their
master password as a precaution several years ago. They had no info
that showed anything was hacked but they wanted users to change them
anyway. Since I get emails as a user, I've never received an email that
said their service was hacked and that passwords were known to be taken
and decrypted. I do get emails when something needs to be changed or I
changed something.
As I pointed out to Rich, I don't expect these tools to be 100%. There
is no perfect password tool or a perfect way to manage them either. No
matter what you do, someone can come along and poke a hole in it. If
you use a tool, the tool is hackable. If you use the same password that
is 40 characters long for several dozen sites, then the site can be
hacked and they have the password for those other sites as well. The
list could go on for ages but it doesn't really change anything. We do
the best we can and then hope it is enough. Using tools is in my
opinion better than not using a tool at all. At the least, they will
have a hard time breaking into a site directly without my password. It
beats the alternative which is cutting off the computer and unplugging
it. :-(
Still can't get cracklib to work right. < scratches head >
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-04 23:26 ` Mick
2019-02-05 7:55 ` Dale
@ 2019-02-05 8:41 ` Neil Bothwick
2019-02-05 9:28 ` Mick
1 sibling, 1 reply; 62+ messages in thread
From: Neil Bothwick @ 2019-02-05 8:41 UTC (permalink / raw
To: gentoo-user
On Mon, 04 Feb 2019 23:26:52 +0000, Mick wrote:
> You could use gpg/openssl to encrypt a number of files, which would
> contain your different website/application passwds.
pass does exactly that
* app-admin/pass
Available versions: 1.7.3 **9999 {X dmenu emacs fish-completion +git importers zsh-completion ELIBC="Darwin"}
Homepage: https://www.passwordstore.org/
Description: Stores, retrieves, generates, and synchronizes passwords securely
--
Neil Bothwick
"There are some ideas so idiotic that only an intellectual could believe
them" George Orwell
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-05 8:41 ` Neil Bothwick
@ 2019-02-05 9:28 ` Mick
0 siblings, 0 replies; 62+ messages in thread
From: Mick @ 2019-02-05 9:28 UTC (permalink / raw
To: gentoo-user
On Tuesday, 5 February 2019 08:41:28 GMT Neil Bothwick wrote:
> On Mon, 04 Feb 2019 23:26:52 +0000, Mick wrote:
> > You could use gpg/openssl to encrypt a number of files, which would
> > contain your different website/application passwds.
>
> pass does exactly that
>
> * app-admin/pass
> Available versions: 1.7.3 **9999 {X dmenu emacs fish-completion +git
> importers zsh-completion ELIBC="Darwin"} Homepage:
> https://www.passwordstore.org/
> Description: Stores, retrieves, generates, and synchronizes passwords
> securely
What do you know?! Someone else thought of it too. :-)
Thanks Neil, this looks interesting and seems way more advanced than my simple
one-liner.
--
Regards,
Mick
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-05 6:48 ` Dale
@ 2019-02-05 9:55 ` Mick
2019-02-05 10:04 ` Michael Schwartzkopff
2019-02-05 10:13 ` Dale
0 siblings, 2 replies; 62+ messages in thread
From: Mick @ 2019-02-05 9:55 UTC (permalink / raw
To: gentoo-user
On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
> Sort of picking a random message to reply to here. Someone sent a reply
> off list about checking passwords on my system with tools available.
> They also mentioned not trusting strength meters which I can get since
> they pass some obvious passwords. I used three meters and some sort of
> common sense as well. I found cracklib-check after some digging. I
> used that to try to check my password and get this weird response.
>
> -su: me-supper-secret-password-here;): event not found
>
> I'm going to try to emulate my password without actually posting it, for
> obvious reasons. You all are smart enough to understand why. ROFL It
> has some of the following 'stuff' in it. !sdER*ark4567# As you can
> tell, I use some of those things on the tops of the number keys. It
> seems that confuses cracklib just a bit. BTW, I was running that as
> root just to be sure it wasn't a permissions issue. I tried a few
> different things but it seems the "!" is triggering that at least, maybe
> others too. The command works fine with just normal stuff.
Hmm ... I don't get such a problem here, when I run cracklib as a plain user:
$ cracklib-check
password
password: it is based on a dictionary word
p4ssw0rd
p4ssw0rd: it is based on a dictionary word
p477w0rd
p477w0rd: OK
!sdER*ark4567#
!sdER*ark4567#: OK
helloworld
helloworld: OK
reallysecurepassword
reallysecurepassword: OK
LOL!
Could it be something to do with your terminal/shell? I've run the above with
bash in a urxvt terminal.
> That leads
> me to this question. Is there a tool I can use/install that will test a
> password, try to crack it if you will, that will work regardless of the
> characters used? In other words, it doesn't mind the things on top of
> the number keys.
>
> BTW, I've also whittled it down to something a little easier to type
> too. Feel sorry for any poor fool trying to just guess it. lol May
> have better luck with P vs NP. ;-)
>
> Thanks.
>
> Dale
>
> :-) :-)
I've used app-crypt/johntheripper in the distant past, but you'll need a good
word list for it to be useful. Some of the wordlists I had found at the time
were too big to download over dial-up! :p
--
Regards,
Mick
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-05 9:55 ` Mick
@ 2019-02-05 10:04 ` Michael Schwartzkopff
2019-02-05 10:18 ` Dale
2019-02-05 10:13 ` Dale
1 sibling, 1 reply; 62+ messages in thread
From: Michael Schwartzkopff @ 2019-02-05 10:04 UTC (permalink / raw
To: gentoo-user
Am 05.02.19 um 10:55 schrieb Mick:
> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>
>> Sort of picking a random message to reply to here. Someone sent a reply
>> off list about checking passwords on my system with tools available.
>> They also mentioned not trusting strength meters which I can get since
>> they pass some obvious passwords. I used three meters and some sort of
>> common sense as well. I found cracklib-check after some digging. I
>> used that to try to check my password and get this weird response.
>>
>> -su: me-supper-secret-password-here;): event not found
>>
>> I'm going to try to emulate my password without actually posting it, for
>> obvious reasons. You all are smart enough to understand why. ROFL It
>> has some of the following 'stuff' in it. !sdER*ark4567# As you can
>> tell, I use some of those things on the tops of the number keys. It
>> seems that confuses cracklib just a bit. BTW, I was running that as
>> root just to be sure it wasn't a permissions issue. I tried a few
>> different things but it seems the "!" is triggering that at least, maybe
>> others too. The command works fine with just normal stuff.
> Hmm ... I don't get such a problem here, when I run cracklib as a plain user:
>
> $ cracklib-check
> password
> password: it is based on a dictionary word
> p4ssw0rd
> p4ssw0rd: it is based on a dictionary word
> p477w0rd
> p477w0rd: OK
> !sdER*ark4567#
> !sdER*ark4567#: OK
> helloworld
> helloworld: OK
> reallysecurepassword
> reallysecurepassword: OK
>
> LOL!
>
> Could it be something to do with your terminal/shell? I've run the above with
> bash in a urxvt terminal.
>
>
>> That leads
>> me to this question. Is there a tool I can use/install that will test a
>> password, try to crack it if you will, that will work regardless of the
>> characters used? In other words, it doesn't mind the things on top of
>> the number keys.
>>
>> BTW, I've also whittled it down to something a little easier to type
>> too. Feel sorry for any poor fool trying to just guess it. lol May
>> have better luck with P vs NP. ;-)
>>
>> Thanks.
>>
>> Dale
>>
>> :-) :-)
> I've used app-crypt/johntheripper in the distant past, but you'll need a good
> word list for it to be useful. Some of the wordlists I had found at the time
> were too big to download over dial-up! :p
>
A good password also has to be memorizable. See:
https://xkcd.com/936/
Kind regards,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
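Worked example added by the editor (it is not code from the thread or from the xkcd strip): the comic's arithmetic in runnable form. Words are picked with the `secrets` CSPRNG from a constructed 16-word stand-in list; the bit estimate assumes a 7776-word diceware list (an assumption: that is the size of the EFF long list), and the result is converted into the length of a uniformly random printable-ASCII password with the same entropy. The numbers only hold when the generator picks the words; words a person "thinks of" come from a much smaller, guessable distribution.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware list (assumption: a real one such as
# the EFF long list has DICEWARE_SIZE entries, which the estimate below uses).
WORDS = [
    "correct", "horse", "battery", "staple", "gentoo", "portage", "emerge",
    "kernel", "shell", "urxvt", "cracklib", "ripper", "lastpass", "vault",
    "salt", "cipher",
]
DICEWARE_SIZE = 7776
PRINTABLE_ASCII = 95          # size of the printable ASCII alphabet


def passphrase_bits(n_words, dict_size):
    """Entropy of n_words chosen uniformly and independently from dict_size
    words.  Valid only when a CSPRNG makes the choice; a human-chosen phrase
    is drawn from a far smaller distribution and gets no such guarantee."""
    return n_words * math.log2(dict_size)


def chars_for_equivalent_bits(bits, alphabet_size=PRINTABLE_ASCII):
    """Length of a uniformly random password over alphabet_size that has at
    least `bits` of entropy; shows what the passphrase is trading against."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_passphrase(n_words=4, words=WORDS, separator="-"):
    """Pick n_words with secrets.choice and join them with a separator so the
    word boundaries are unambiguous.  Returns (passphrase, entropy_bits)."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return separator.join(chosen), passphrase_bits(n_words, len(words))


def generate_password(length=8):
    """Uniformly random character password over letters, digits and
    punctuation, for comparison.  Returns (password, entropy_bits)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, length * math.log2(len(alphabet))


if __name__ == "__main__":
    for n in (4, 5, 6, 7):
        bits = passphrase_bits(n, DICEWARE_SIZE)
        print(f"{n} diceware words: {bits:.1f} bits, same as a random "
              f"{chars_for_equivalent_bits(bits)}-char printable-ASCII password")
    phrase, bits = generate_passphrase(6)
    print(f"sample from the constructed list: {phrase} ({bits:.1f} bits)")
    pw, bits = generate_password(12)
    print(f"sample random password: {pw} ({bits:.1f} bits)")
```

Four diceware words come to about 52 bits, roughly an 8-character fully random password; for a master password that protects an offline vault, where the attacker is not rate-limited, six or more words is the usual recommendation, and the phrase should still be typed into nothing but the vault.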
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-05 9:55 ` Mick
2019-02-05 10:04 ` Michael Schwartzkopff
@ 2019-02-05 10:13 ` Dale
2019-02-05 11:21 ` Mick
1 sibling, 1 reply; 62+ messages in thread
From: Dale @ 2019-02-05 10:13 UTC (permalink / raw
To: gentoo-user
Mick wrote:
> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>
>> Sort of picking a random message to reply to here. Someone sent a reply
>> off list about checking passwords on my system with tools available.
>> They also mentioned not trusting strength meters which I can get since
>> they pass some obvious passwords. I used three meters and some sort of
>> common sense as well. I found cracklib-check after some digging. I
>> used that to try to check my password and get this weird response.
>>
>> -su: me-supper-secret-password-here;): event not found
>>
>> I'm going to try to emulate my password without actually posting it, for
>> obvious reasons. You all are smart enough to understand why. ROFL It
>> has some of the following 'stuff' in it. !sdER*ark4567# As you can
>> tell, I use some of those things on the tops of the number keys. It
>> seems that confuses cracklib just a bit. BTW, I was running that as
>> root just to be sure it wasn't a permissions issue. I tried a few
>> different things but it seems the "!" is triggering that at least, maybe
>> others too. The command works fine with just normal stuff.
> Hmm ... I don't get such a problem here, when I run cracklib as a plain user:
>
> $ cracklib-check
> password
> password: it is based on a dictionary word
> p4ssw0rd
> p4ssw0rd: it is based on a dictionary word
> p477w0rd
> p477w0rd: OK
> !sdER*ark4567#
> !sdER*ark4567#: OK
> helloworld
> helloworld: OK
> reallysecurepassword
> reallysecurepassword: OK
>
> LOL!
>
> Could it be something to do with your terminal/shell? I've run the above with
> bash in a urxvt terminal.
>
>
He he he he. It was the idiot in the chair. The idiot in the chair
thought it was done this way, like I saw on a website that must be
outdated.
root@fireball / # cracklib-check !sdER*ark4567#
-su: !sdER: event not found
root@fireball / #
After seeing your reply, I realize I just type the command and it
prompts me for a password. I Ctrl-C to exit. Well, ain't that
something? You can stop laughing now. ;-)
It seems to think helloworld and reallysecurepassword are OK. I have to
question just how good this tool is at this point. Maybe I need to
install some more stuff here. Pardon me while I go find some more of
this. Something has to be missing. :/
Dale
:-) :-)
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-05 10:04 ` Michael Schwartzkopff
@ 2019-02-05 10:18 ` Dale
0 siblings, 0 replies; 62+ messages in thread
From: Dale @ 2019-02-05 10:18 UTC (permalink / raw
To: gentoo-user
Michael Schwartzkopff wrote:
> Am 05.02.19 um 10:55 schrieb Mick:
>> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>>
>>> Sort of picking a random message to reply to here. Someone sent a reply
>>> off list about checking passwords on my system with tools available.
>>> They also mentioned not trusting strength meters which I can get since
>>> they pass some obvious passwords. I used three meters and some sort of
>>> common sense as well. I found cracklib-check after some digging. I
>>> used that to try to check my password and get this weird response.
>>>
>>> -su: me-supper-secret-password-here;): event not found
>>>
>>> I'm going to try to emulate my password without actually posting it, for
>>> obvious reasons. You all are smart enough to understand why. ROFL It
>>> has some of the following 'stuff' in it. !sdER*ark4567# As you can
>>> tell, I use some of those things on the tops of the number keys. It
>>> seems that confuses cracklib just a bit. BTW, I was running that as
>>> root just to be sure it wasn't a permissions issue. I tried a few
>>> different things but it seems the "!" is triggering that at least, maybe
>>> others too. The command works fine with just normal stuff.
>> Hmm ... I don't get such a problem here, when I run cracklib as a plain user:
>>
>> $ cracklib-check
>> password
>> password: it is based on a dictionary word
>> p4ssw0rd
>> p4ssw0rd: it is based on a dictionary word
>> p477w0rd
>> p477w0rd: OK
>> !sdER*ark4567#
>> !sdER*ark4567#: OK
>> helloworld
>> helloworld: OK
>> reallysecurepassword
>> reallysecurepassword: OK
>>
>> LOL!
>>
>> Could it be something to do with your terminal/shell? I've run the above with
>> bash in a urxvt terminal.
>>
>>
>>> That leads
>>> me to this question. Is there a tool I can use/install that will test a
>>> password, try to crack it if you will, that will work regardless of the
>>> characters used? In other words, it doesn't mind the things on top of
>>> the number keys.
>>>
>>> BTW, I've also whittled it down to something a little easier to type
>>> too. Feel sorry for any poor fool trying to just guess it. lol May
>>> have better luck with P vs NP. ;-)
>>>
>>> Thanks.
>>>
>>> Dale
>>>
>>> :-) :-)
>> I've used app-crypt/johntheripper in the distant past, but you'll need a good
>> word list for it to be useful. Some of the wordlists I had found at the time
>> were too big to download over dial-up! :p
>>
> A good password also has to be memorizable. See:
>
> https://xkcd.com/936/
>
>
> Kind regards,
>
That's the problem. I want one really good password that would be
virtually impossible even for someone who knows me to guess. Doing that
and being able to remember it plus be relatively easy to remember
complicates things a lot. While at it, I'd like it to be hard to crack
as well. Even with these password test tools, that is proving to be
hard to know for sure. I have one that I know would be hard to guess
and I think it would be hard to crack as well but I don't know that last
part for sure, yet anyway.
Thanks. It's a work in progress still.
Dale
:-) :-)
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-05 10:13 ` Dale
@ 2019-02-05 11:21 ` Mick
2019-02-05 12:46 ` Dale
0 siblings, 1 reply; 62+ messages in thread
From: Mick @ 2019-02-05 11:21 UTC (permalink / raw
To: gentoo-user
On Tuesday, 5 February 2019 10:13:44 GMT Dale wrote:
> After seeing your reply, I realize I just type the command and it
> prompts me for a password. I ctrl c to exit. Well, ain't that
> something? You can stop laughing now. ;-)
>
> It seems to think helloworld and reallysecurepassword are OK. I have to
> question just how good this tool is at this point.
Quite!
I think the cracklib acceptance parameters are not as strict as they could
have been for modern computing, but I don't know how to tweak them. With
johntheripper you have many options to tweak the characters tested, length,
etc. when checking a password.
PS. I wasn't laughing at you, I was laughing at the passwords cracklib
thought were OK.
--
Regards,
Mick
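Added example from the editor, not code from the thread or from cracklib: the check Dale was looking for when cracklib-check passed helloworld and reallysecurepassword, and that Mick says cracklib's parameters do not do. (The "event not found" error earlier in the thread is bash's interactive history expansion reading `!sdER` as a history reference; feeding the candidate on stdin, as Mick did, or `set +H`, avoids it.) cracklib's dictionary test looks for one mangled word; an attacker also tries concatenations of words, so this splits the candidate into dictionary words after undoing common leet substitutions, and then takes whichever is cheaper for the attacker, the word-by-word search or brute force over the character classes used. The 14-word wordlist, the 100,000-word size assumed for a real dictionary, and the 1e10 guesses/s rate are all constructed assumptions; the estimate is a lower bound on strength, not a proof, and the real test of a hash is still john or hashcat.

```python
import math

# Constructed mini wordlist standing in for /usr/share/dict/words (assumption:
# a real check would load the system dictionary or a cracking wordlist).
WORDLIST = frozenset({
    "password", "hello", "world", "really", "secure", "secret", "admin",
    "letmein", "welcome", "dragon", "monkey", "qwerty", "dark", "ark",
})

# Assumed size of a real words file, used for the bit estimate because the
# constructed list above is only a stand-in for membership tests.
REAL_DICT_SIZE = 100_000

# Leet substitutions undone before lookup: the same class of mangling that
# lets cracklib flag p4ssw0rd as dictionary-based.
LEET = str.maketrans("4301$@5!7", "aeolsasit")

# Character-class sizes for the brute-force estimate (all four: 95 printable ASCII).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33


def segment_words(candidate, wordlist=WORDLIST, min_len=3):
    """Split the candidate (lowercased, un-leeted) into dictionary words, or
    return None if no such split exists.  Dynamic programming over prefixes:
    best[i] is a word list covering s[:i], so helloworld -> [hello, world]."""
    s = candidate.lower().translate(LEET)
    best = [None] * (len(s) + 1)
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end - min_len, -1, -1):
            if best[start] is not None and s[start:end] in wordlist:
                best[end] = best[start] + [s[start:end]]
                break
    return best[len(s)]


def brute_force_bits(candidate):
    """log2 of the keyspace if the password were uniformly random over the
    character classes it actually uses (what strength meters assume)."""
    classes = 0
    if any(c.islower() for c in candidate):
        classes += LOWER
    if any(c.isupper() for c in candidate):
        classes += UPPER
    if any(c.isdigit() for c in candidate):
        classes += DIGIT
    if any(not c.isalnum() for c in candidate):
        classes += SYMBOL
    return len(candidate) * math.log2(classes) if classes else 0.0


def dictionary_bits(words, dict_size):
    """Cost of guessing the words in order from a dictionary of dict_size."""
    return len(words) * math.log2(dict_size)


def estimate_bits(candidate, wordlist=WORDLIST, dict_size=REAL_DICT_SIZE):
    """The attacker takes the cheaper route: word concatenation when the
    candidate splits into dictionary words, otherwise brute force."""
    brute = brute_force_bits(candidate)
    words = segment_words(candidate, wordlist)
    if words is None:
        return brute
    return min(brute, dictionary_bits(words, dict_size))


def crack_seconds(bits, guesses_per_second=1e10):
    """Expected time to hit the password (half the space) at the given rate.
    1e10/s is an assumed order of magnitude for a GPU against a fast hash;
    a slow KDF such as the one a vault should use cuts this by many orders."""
    return 2.0 ** bits / 2 / guesses_per_second


def report(candidate):
    words = segment_words(candidate)
    bits = estimate_bits(candidate)
    split = " + ".join(words) if words else "no dictionary split"
    return (f"{candidate!r}: {split}; ~{bits:.1f} bits; "
            f"~{crack_seconds(bits):.3g} s at 1e10 guesses/s")


if __name__ == "__main__":
    for pw in ("password", "p4ssw0rd", "helloworld",
               "reallysecurepassword", "!sdER*ark4567#"):
        print(report(pw))
```

helloworld comes out near 33 bits (two words from a 100,000-word list) although brute force over ten lowercase letters would say 47, and reallysecurepassword near 50 rather than 94; the sample password with all four character classes gets the full brute-force figure because it does not decompose into words. Dropping the wordlist in from a real dictionary file is the only change needed to use this against candidates of your own.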
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-05 7:55 ` Dale
@ 2019-02-05 11:34 ` Mick
2019-02-05 13:05 ` Dale
0 siblings, 1 reply; 62+ messages in thread
From: Mick @ 2019-02-05 11:34 UTC (permalink / raw
To: gentoo-user
On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
> Mick wrote:
> > https://en.wikipedia.org/wiki/LastPass#Security_issues
> >
> From what I read, no users had their passwords compromised in those.
I read it differently. LastPass didn't know if any passwds were compromised
(or wouldn't tell you). As a precaution they asked users to change their
master passwd, while they changed their server's salt. In addition, there
were XSS vulnerabilities later on, which is probably to be expected with
JavaScript and similar technologies.
> As
> I pointed out earlier, the passwords are already encrypted when they are
> sent to LastPass. If I called LastPass, could prove I am who I claim to
> be and asked them for a password to a site, they couldn't give it to me
> because it is encrypted when it leaves my machine.
I don't know exactly how the LastPass architecture is configured, other than
it relies on device based encryption activated with JavaScript, but anomalies
they observed in incoming and outgoing traffic on the 2011 incident indicate
someone was interfering with their data streams. Given Diffie-Hellman could
be compromised (e.g. as per Logjam) by precomputing some of the most commonly
used primes in factoring large integers, it may be someone was undertaking
comparative analysis to deduce ciphers and what not. If the server salt was
obtained, then one layer of encryption was compromised.
All this is juxtaposition and my hypothesizing does not mean LastPass is not
useful, or not secure. It just means its design is not as secure as locally
run simpler encryption mechanisms, which do not leave your PC and are not
stored somewhere else.
The greater surface area a security system exposes, the higher likelihood
someone will take a punt at cracking it. A browser, sandboxed or not, has far
too many moving parts and exposed flanks to keep crackers and state actors
busy. I expect with advances in AI this effort will accelerate
logarithmically.
> As I pointed out to Rich, I don't expect these tools to be 100%. There
> is no perfect password tool or a perfect way to manage them either. No
> matter what you do, someone can come along and poke a hole in it. If
> you use a tool, the tool is hackable. If you use the same password that
> is 40 characters long for several dozen sites, then the site can be
> hacked and they have the password for those other sites as well. The
> list could go on for ages but it doesn't really change anything. We do
> the best we can and then hope it is enough. Using tools is in my
> opinion better than not using a tool at all. At the least, they will
> have a hard time breaking into a site directly without my password. It
> beats the alternative which is cutting off the computer and unplugging
> it. :-(
Yes, well said. A disconnected and switched off PC is probably quite secure,
but what use is this to anybody. LOL! The effectiveness of PC security is
challenged on a daily basis and you eventually have to arrive at a personal
trade-off between security and usability.
--
Regards,
Mick
* [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-04 20:49 ` Dale
2019-02-04 20:59 ` Rich Freeman
@ 2019-02-05 12:27 ` Nikos Chantziaras
1 sibling, 0 replies; 62+ messages in thread
From: Nikos Chantziaras @ 2019-02-05 12:27 UTC (permalink / raw
To: gentoo-user
On 04/02/2019 22:49, Dale wrote:
> Also, if my computer were to
> die a sudden death, power supply goes bonkers and burns everything in it
> up including hard drives, my passwords are still safe but available.
Firefox stores my login passwords encrypted on a server provided by
Mozilla. It syncs them between my machines.
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-05 11:21 ` Mick
@ 2019-02-05 12:46 ` Dale
0 siblings, 0 replies; 62+ messages in thread
From: Dale @ 2019-02-05 12:46 UTC (permalink / raw
To: gentoo-user
Mick wrote:
> On Tuesday, 5 February 2019 10:13:44 GMT Dale wrote:
>
>> After seeing your reply, I realize I just type the command and it
>> prompts me for a password. I ctrl c to exit. Well, ain't that
>> something? You can stop laughing now. ;-)
>>
>> It seems to think helloworld and reallysecurepassword are OK. I have to
>> question just how good this tool is at this point.
> Quite!
>
> I think the cracklib acceptance parameters are not as strict as they could
> have been for modern computing, but I don't know how to tweak them. With
> johntheripper you have many options to tweak the characters tested, length,
> etc. when checking a password.
>
> PS. I wasn't laughing at you, I was laughing at the passwords cracklib
> thought were OK.
I'm emerging john* or at least it's thinking on it.
I was talking about you laughing at my comment about the idiot in the
chair who was using the command wrong. I have to admit, I was laughing
at myself over here. lol I might add, I did try to get a man page or
-h to help but it didn't.
I've got my password down to something I can remember and isn't too bad
to type. The password strength meter thingys, while not perfect either,
do say it is a strong one. My looking at it says it is strong too. I
just can't imagine anyone guessing it. It's so random and such that I
think it would be very difficult to crack. Even if one could, it would
take a fairly long time even with some pretty fast puters. It may not
be NSA proof either but I suspect it would take even them a while.
Still, I'd like to test this thing really well if I can find a tool that
can really do it properly. We already know the meter sites aren't
trustworthy. It seems cracklib isn't quite there either. Moving on.
Thanks for the help. By the time I get around to using this thing, it
may be easy to crack with some laser type puter or something.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-05 11:34 ` Mick
@ 2019-02-05 13:05 ` Dale
0 siblings, 0 replies; 62+ messages in thread
From: Dale @ 2019-02-05 13:05 UTC (permalink / raw
To: gentoo-user
Mick wrote:
> On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
>> Mick wrote:
>>> https://en.wikipedia.org/wiki/LastPass#Security_issues
>>>
>> From what I read, no users had their passwords compromised in those.
> I read it differently. LastPass didn't know if any passwds were compromised
> (or wouldn't tell you). As a precaution they asked users to change their
> master passwd, while they changed their server's salt. In addition, there
> were XSS vulnerabilities later on, which is probably to be expected with
> JavaScript and similar technologies.
>
I recall the email vaguely. It said there was nothing that showed the
passwords were compromised. I did change passwords for things like my
bank etc but left the others alone. Of course, I change those passwords
on a fairly regular basis anyway. Thing is, when it comes to financial
stuff, I don't leave as much to chance. I found the email notice. Here
is a bit of it:
"No encrypted user vault data was taken, however other data, including
email addresses and password reminders, was compromised."
So, the encrypted stuff such as passwords was not compromised. They
only got email addys and such which isn't a big deal.
>> As
>> I pointed out earlier, the passwords are already encrypted when they are
>> sent to LastPass. If I called LastPass, could prove I am who I claim to
>> be and asked them for a password to a site, they couldn't give it to me
>> because it is encrypted when it leaves my machine.
> I don't know exactly how the LastPass architecture is configured, other than
> it relies on device based encryption activated with JavaScript, but anomalies
> they observed in incoming and outgoing traffic on the 2011 incident indicate
> someone was interfering with their data streams. Given Diffie-Hellman could
> be compromised (e.g. as per Logjam) by precomputing some of the most commonly
> used primes in factoring large integers, it may be someone was undertaking
> comparative analysis to deduce ciphers and what not. If the server salt was
> obtained, then one layer of encryption was compromised.
>
> All this is juxtaposition and my hypothesizing does not mean LastPass is not
> useful, or not secure. It just means its design is not as secure as locally
> run simpler encryption mechanisms, which do not leave your PC and are not
> stored somewhere else.
>
> The greater surface area a security system exposes, the higher likelihood
> someone will take a punt at cracking it. A browser, sandboxed or not, has far
> too many moving parts and exposed flanks to keep crackers and state actors
> busy. I expect with advances in AI this effort will accelerate
> logarithmically.
This is why I don't use the built in password manager in Firefox.
Firefox most likely concentrates on the browser since its main job is
being a browser. A password tool is a little lower on the list I would
think. However, LastPass and other password tools, it is their main
function to be password tools that are secure but can still work with
the browser as well.
>
>> As I pointed out to Rich, I don't expect these tools to be 100%. There
>> is no perfect password tool or a perfect way to manage them either. No
>> matter what you do, someone can come along and poke a hole in it. If
>> you use a tool, the tool is hackable. If you use the same password that
>> is 40 characters long for several dozen sites, then the site can be
>> hacked and they have the password for those other sites as well. The
>> list could go on for ages but it doesn't really change anything. We do
>> the best we can and then hope it is enough. Using tools is in my
>> opinion better than not using a tool at all. At the least, they will
>> have a hard time breaking into a site directly without my password. It
>> beats the alternative which is cutting off the computer and unplugging
>> it. :-(
> Yes, well said. A disconnected and switched off PC is probably quite secure,
> but what use is this to anybody. LOL! The effectiveness of PC security is
> challenged on a daily basis and you eventually have to arrive at a personal
> trade-off between security and usability.
>
This is what I run into with this new password project. I want one that
is easy for me to remember, easy to type and such but I also want it to
where some script kiddy can't crack it in like 10 seconds while laughing
his/her fool head off at me. The decision to use a tool like LastPass,
or any other tool for that matter, also means a trade off. Anything we
use will expose us to something. That said, not using one exposes us to
something else, even if it is just bad ways to deal with passwords.
Using one password on several sites is one thing that jumps to my mind.
We just have to try to be reasonable about it. One thing about this,
I'm putting more effort into one password than most do for every
password they have.
Now to play with the strength meters some more.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-05 7:34 ` Dale
@ 2019-02-05 14:13 ` Rich Freeman
2019-02-05 16:00 ` Dale
0 siblings, 1 reply; 62+ messages in thread
From: Rich Freeman @ 2019-02-05 14:13 UTC (permalink / raw
To: gentoo-user
On Tue, Feb 5, 2019 at 2:34 AM Dale <rdalek1967@gmail.com> wrote:
>
> Rich Freeman wrote:
> > On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@gmail.com> wrote:
> >> Neil Bothwick wrote:
> >>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >>>
> >>>>> One reason I use LastPass, it is mobile. I can go to someone else's
> >>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>>>> logoff and it is like I was never there.
> >>>> As much as I like Lastpass I would never do that. It isn't magic - it
> >>>> is javascript. If there is a compromise on your computer, then your
> >>>> password database will be compromised. This is true of other
> >>>> solutions like KeePassX and so on - if something roots your box then
> >>>> it will be compromised.
> >
> >> I might point out, LastPass encrypts the password before sticking it in
> >> a file. It isn't visible or plain text. Even getting the file would
> >> still require some tools and cracking to get the password itself.
> > That assumes you're attacking the password file directly.
> >
> > If you're using lastpass on a compromised system then there are many
> > ways that can be used to bypass the encryptions. They could sniff
> > your master password when you key it in, or read it directly from the
> > browser's memory. These things are protected from sandboxed code in
> > your browser, but not from processes running outside the browser
> > (unless again you're using a non-conventional privilege system like
> > selinux/android/etc).
>
> One could argue the same thing with any password tool out there tho,
> right?
Of course. This is by no means specific to Lastpass. I wasn't
reacting to your use of Lastpass (I use it myself). I was reacting to
your statement that you can go to someone else's computer and use
lastpass on that computer and then log off and it is as if you were
never there.
> Given I only install things from
> trusted sources, the odds of that happening are likely very small.
Not if you go typing your Lastpass master password into computers
owned by people who aren't as careful as you are...
If you do want the benefits of a password manager on an untrusted
computer then you might want to look into the hardware/USB-based
solutions, or alternatives like U2F and so on.
Now, you're still vulnerable to MITM attacks and so on against the
sites you're actually logging into, but your credentials for other
sites would not be at risk since they stay on the hardware device,
which is going to be hardened against USB attacks (well, at least you
hope it would be). If you're using conventional passwords then of
course something could still sniff that password since it has to pass
through the untrusted computer. If you're using OTPs or U2F/etc then
you may still be vulnerable to some cookie-based attacks and MITM and
so on, but if you log off at the end of your session that at least
limits their duration.
Personally I would like to switch to a hardware-based solution, but
they have their own set of downsides:
1. Less convenience - you have to physically have the device on you
(I don't carry my keys around in the house/etc), and plug it in when
you want to use it.
2. Recovery options aren't always great. Often these devices don't
really have their own recovery solution, and you're stuck following
the recovery options on each individual site. Many of these are
pretty lousy.
3. Often no support for multiple hardware devices (and keeping them
in sync). Again you're stuck with what individual sites allow, and
many sites don't let you have multiple hardware tokens registered.
4. Lack of convenience features like auto-changing passwords. Some
software-based solutions have this. Though, to be honest, I rarely
trust these because if something goes wrong I could lose account
access and this can be difficult or impossible to recover from in many
situations.
A big advantage (and disadvantage) of the software-based solutions is
that they're just data files and you can back them up trivially.
Really though a lot of this boils down to the fact that PKI is a hard
problem without a trusted and convenient mediator, and this largely
doesn't exist in the world of free online services.
--
Rich
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-05 14:13 ` Rich Freeman
@ 2019-02-05 16:00 ` Dale
0 siblings, 0 replies; 62+ messages in thread
From: Dale @ 2019-02-05 16:00 UTC (permalink / raw
To: gentoo-user
Rich Freeman wrote:
> On Tue, Feb 5, 2019 at 2:34 AM Dale <rdalek1967@gmail.com> wrote:
>> Rich Freeman wrote:
>>> On Mon, Feb 4, 2019 at 5:12 PM Dale <rdalek1967@gmail.com> wrote:
>>>> Neil Bothwick wrote:
>>>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>>>
>>>>>>> One reason I use LastPass, it is mobile. I can go to someone else's
>>>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>>>> logoff and it is like I was never there.
>>>>>> As much as I like Lastpass I would never do that. It isn't magic - it
>>>>>> is javascript. If there is a compromise on your computer, then your
>>>>>> password database will be compromised. This is true of other
>>>>>> solutions like KeePassX and so on - if something roots your box then
>>>>>> it will be compromised.
>>>> I might point out, LastPass encrypts the password before sticking it in
>>>> a file. It isn't visible or plain text. Even getting the file would
>>>> still require some tools and cracking to get the password itself.
>>> That assumes you're attacking the password file directly.
>>>
>>> If you're using lastpass on a compromised system then there are many
>>> ways that can be used to bypass the encryptions. They could sniff
>>> your master password when you key it in, or read it directly from the
>>> browser's memory. These things are protected from sandboxed code in
>>> your browser, but not from processes running outside the browser
>>> (unless again you're using a non-conventional privilege system like
>>> selinux/android/etc).
>> One could argue the same thing with any password tool out there tho,
>> right?
> Of course. This is by no means specific to Lastpass. I wasn't
> reacting to your use of Lastpass (I use it myself). I was reacting to
> your statement that you can go to someone else's computer and use
> lastpass on that computer and then log off and it is as if you were
> never there.
What I meant was, they couldn't use it without knowing my password.
Sure, I may leave something, like LastPass installed but disabled, on
their computer but no one can use it without it being logged in. Once I
logout and close the browser, that pretty much ends the session. Most
sites I visit are not set to remember me anyway and some don't allow
it. I also logout before leaving a site especially when I'm on a
computer other than mine. So, once I logout, they can't login as me
without my password. We sort of went in different directions.
If I really wanted to, I could use some bootable media like Knoppix. I
think it comes with Firefox already installed. I could boot that,
install LastPass, do my thing, reboot into the OS and not have to worry
about anything they have installed at all. I do keep copies of those
around and try to update every once in a while. I certainly keep
sysrescue up to date. I don't think it has a browser tho. It may but
I'm not sure.
>> Given I only install things from
>> trusted sources, the odds of that happening are likely very small.
> Not if you go typing your Lastpass master password into computers
> owned by people who aren't as careful as you are...
>
> If you do want the benefits of a password manager on an untrusted
> computer then you might want to look into the hardware/USB-based
> solutions, or alternatives like U2F and so on.
>
> Now, you're still vulnerable to MITM attacks and so on against the
> sites you're actually logging into, but your credentials for other
> sites would not be at risk since they stay on the hardware device,
> which is going to be hardened against USB attacks (well, at least you
> hope it would be). If you're using conventional passwords then of
> course something could still sniff that password since it has to pass
> through the untrusted computer. If you're using OTPs or U2F/etc then
> you may still be vulnerable to some cookie-based attacks and MITM and
> so on, but if you log off at the end of your session that at least
> limits their duration.
>
> Personally I would like to switch to a hardware-based solution, but
> they have their own set of downsides:
>
> 1. Less convenience - you have to physically have the device on you
> (I don't carry my keys around in the house/etc), and plug it in when
> you want to use it.
> 2. Recovery options aren't always great. Often these devices don't
> really have their own recovery solution, and you're stuck following
> the recovery options on each individual site. Many of these are
> pretty lousy.
> 3. Often no support for multiple hardware devices (and keeping them
> in sync). Again you're stuck with what individual sites allow, and
> many sites don't let you have multiple hardware tokens registered.
> 4. Lack of convenience features like auto-changing passwords. Some
> software-based solutions have this. Though, to be honest, I rarely
> trust these because if something goes wrong I could lose account
> access and this can be difficult or impossible to recover from in many
> situations.
>
> A big advantage (and disadvantage) of the software-based solutions is
> that they're just data files and you can back them up trivially.
>
> Really though a lot of this boils down to the fact that PKI is a hard
> problem without a trusted and convenient mediator, and this largely
> doesn't exist in the world of free online services.
>
This is what was mentioned in another post. No matter what we use, it
is a trade off. While it may be rare that I need it, I like the idea of
my passwords being stored somewhere that can be available if I'm
somewhere else or my computer blows a gasket. No matter what is used,
there is some risk involved unless we don't use a computer at all.
Heck, even having a computer that is unplugged from the internet can
still have security issues. At one point, that used to be an option but
then you have to bring media in for updates or other data to be added.
If it is compromised, well, there you go.
I saw a link on a link posted here that lists password tools on the wiki
thing. LastPass and one other that is dead now were the only two that
seemed to fit what I like having. Given that the other is no longer an
option, LastPass is the only one that works like I want it to. Now
later on something better may come along but for the moment, LastPass is
the set of trade-offs that has to be dealt with. Some of that is
because I just don't have time to try to figure out how to store things
encrypted on USB sticks and such as well. I still haven't had time to
play with the kodi thing for my videos either.
Of course, right now, I'm just trying to generate a good master
password. I'd like to test the thing a bit but most tools just aren't
up to the task. Since the NSA saves all our emails, maybe they will
offer some help. Howdy you nosy things. lol You enjoying our password
talks?
Dale
:-) :-)
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-05 1:10 ` Dale
@ 2019-02-05 19:49 ` Tanstaafl
2019-02-05 23:50 ` Dale
From: Tanstaafl @ 2019-02-05 19:49 UTC (permalink / raw
To: gentoo-user
On 2/4/2019, 8:10:57 PM, Dale <rdalek1967@gmail.com> wrote:
> Tanstaafl wrote:
>> I've been using a little Firefox Addon called Passwordmaker for many,
>> many years, and despite all of its warts, I've been loathe to give it
>> up, even though it will never be upgraded to work as a WebExtension.
>>
>> 2 things I loved about it -
>>
>> a) it doesn't save the password locally, only info about the
>> site/account, and
>> b) you can use an unlimited number of Master Passwords
>>
>> I'm looking at migrating to KeePassXC, and even though I really hate the
>> idea of saving the actual password - Passwordmaker simply generates the
>> password on the fly each time based on certain specified criteria (ie,
>> the site URL, username, password length, etc for each account - one
>> technique I adopted shortly after assisting in updating the
>> Passwordmaker website eases my mind about it...
>>
>> This is a simple technique I strongly recommend that everyone employ,
>> especially if you use a Password manager (like LastPass or KeePass)...
>>
>> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
>> to crack it and they are willing to kidnap/torture you to do so).
>>
>> You sit down and come up with a ... call it a 'password modification
>> protocol' ... whereby, you always modify your generated/stored password
>> in a specific way before pressing enter.
>>
>> For example, you delete characters 3, 5 and 7, then add 2 characters to
>> the beginning and 2 to the end.
>>
>> It is very simple, and negates worrying about someone stealing your
>> password vault.
> I tried to find it just to see how it works but it isn't listed.
What... Passwordmaker (the old one I still use and why I keep an old
Firefox 56 portable version around)?
> From what you wrote, you may want to at least check into LastPass.
I did a massive amount of research (including LastPass), and settled on
KeePassXC for a good reason.
> Still, I'm sure there is a tool that will suit your needs.
? It's like you didn't really read my email. I already said, I'm
migrating to KeePassXC. But my complaint is, nothing works like
Passwordmaker (again, it doesn't store passwords, can only use one
Master Password).
> I'm not sure I understand what you mean password modification protocol.
> It sounds like you change your master password each time you use it.
No, I'm talking about the saved (or in Passwordmakers case, generated)
password, not the Master Password.
Doing this with the Master Password wouldn't make any sense.
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-04 19:38 ` Jack
2019-02-04 20:51 ` Neil Bothwick
@ 2019-02-05 20:28 ` Mark David Dumlao
2019-02-05 21:17 ` Neil Bothwick
From: Mark David Dumlao @ 2019-02-05 20:28 UTC (permalink / raw
To: gentoo-user
On Tue, Feb 5, 2019 at 3:39 AM Jack <ostroffjh@users.sourceforge.net> wrote:
> The problem I have with many of these suggestions is that I have
> multiple devices (two desktops, two laptops, tablet, android phone) I
> use sufficiently often that I either need to be able to remember the
> passwords or have some way of easily accessing them when I'm not
> sitting at my main desktop. Other than using a password manager (which
> I do not currently have) how to others deal with this?
>
> Jack
Haven't posted here in a long while. I personally do not trust password
managers for (1) the same reason you gave above and (2) typically the way
around it is they store your passwords in the cloud, which is all sorts of
facepalm from a security perspective.
My own solution is actually very simple. I have a "secret algorithm" that
incorporates several secrets with a predictable way to generate a
site-specific secret. The end result is a 100% predictable way to generate
unique passwords for every site that are cryptographically secure from each
other (you cannot derive one from the other) which can be generated by any
device using the appropriate tools. There is also a protocol for password
shifting in case any single password is revealed.
The long and short of it is that you can combine secure passwords with
hashing techniques, site-specific data, and truncation / peppering in a
predetermined way that is easy for you to remember but guarantees that the
original secret data is irrecoverable. Then all you need is the hashing
program on, say, your phone, and you will always be able to generate the
site-specific password when needed. In effect the algorithm is your secret,
the site-specific password is just a side effect of that secret.
--
This email is: [ ] actionable [x] fyi [x] social
Response needed: [ ] yes [x] up to you [ ] no
Time-sensitive: [ ] immediate [ ] soon [x] none
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-05 20:28 ` Mark David Dumlao
@ 2019-02-05 21:17 ` Neil Bothwick
2019-02-06 2:41 ` Mark David Dumlao
2019-02-08 14:26 ` Kai Peter
From: Neil Bothwick @ 2019-02-05 21:17 UTC (permalink / raw
To: gentoo-user
On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
> My own solution is actually very simple. I have a "secret algorithm"
> that incorporates several secrets with a predictable way to generate a
> site-specific secret. The end result is a 100% predictable way to
> generate unique passwords for every site that are cryptographically
> secure from each other (you cannot derive
> one from the other) which can be generated by any device using the
> appropriate tools.
There was a tool in portage that did this. I tried it but it did not work
in the real world because you couldn't set a rule for generated passwords
that matched the requirements of all sites, for example some require a
non-alphanumeric character while other sites only allow alphanumerics.
I can remember what the tool was called, although I'm pretty sure it
was written in Python. I'd be interested to know how you get around the
conflicting restrictions as this seems a good way to do things.
--
Neil Bothwick
MIPS: Meaningless Indication of Processor Speed
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-05 19:49 ` Tanstaafl
@ 2019-02-05 23:50 ` Dale
2019-02-06 18:13 ` Tanstaafl
From: Dale @ 2019-02-05 23:50 UTC (permalink / raw
To: gentoo-user
Tanstaafl wrote:
> On 2/4/2019, 8:10:57 PM, Dale <rdalek1967@gmail.com> wrote:
>> Tanstaafl wrote:
>>> I've been using a little Firefox Addon called Passwordmaker for many,
>>> many years, and despite all of its warts, I've been loathe to give it
>>> up, even though it will never be upgraded to work as a WebExtension.
>>>
>>> 2 things I loved about it -
>>>
>>> a) it doesn't save the password locally, only info about the
>>> site/account, and
>>> b) you can use an unlimited number of Master Passwords
>>>
>>> I'm looking at migrating to KeePassXC, and even though I really hate the
>>> idea of saving the actual password - Passwordmaker simply generates the
>>> password on the fly each time based on certain specified criteria (ie,
>>> the site URL, username, password length, etc for each account - one
>>> technique I adopted shortly after assisting in updating the
>>> Passwordmaker website eases my mind about it...
>>>
>>> This is a simple technique I strongly recommend that everyone employ,
>>> especially if you use a Password manager (like LastPass or KeePass)...
>>>
>>> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
>>> to crack it and they are willing to kidnap/torture you to do so).
>>>
>>> You sit down and come up with a ... call it a 'password modification
>>> protocol' ... whereby, you always modify your generated/stored password
>>> in a specific way before pressing enter.
>>>
>>> For example, you delete characters 3, 5 and 7, then add 2 characters to
>>> the beginning and 2 to the end.
>>>
>>> It is very simple, and negates worrying about someone stealing your
>>> password vault.
>> I tried to find it just to see how it works but it isn't listed.
> What... Passwordmaker (the old one I still use and why I keep an old
> Firefox 56 portable version around)?
I'm on the newer version of Firefox so it doesn't show up in my search
since it isn't compatible. I'm pretty sure that is why it doesn't show
up for me. If I were on the older version of Firefox, then it would
show up. I was wanting to look at it tho. I did find a Pro version
which is likely the same thing but for the newer versions of Firefox.
Did you see it? It is here:
https://addons.mozilla.org/en-US/firefox/addon/firefox-passwordmaker-pro/?src=search
I see another version as well but with very few users. Still, if the
above is just a version for the newer Firefox, you may not have to
switch or can use both somehow. Some other add-ons I use did similar
things. Since some required a complete rewrite, they also changed the
name a bit too. Thing is, some of the new versions of add-ons don't
show up in older versions of Firefox. If you didn't see this, I hope it
helps.
>> From what you wrote, you may want to at least check into LastPass.
> I did a massive amount of research (including LastPass), and settled on
> KeePassXC for a good reason.
I've read where people use that and like it. It just depends on what
you are looking for and expect from the tool. If it meets your needs,
then it is a good fit for you. I picked LastPass since it did what I
need and then some plus is free. I also had the privilege of emailing
back and forth with one of the original owners or creators way back
then. His name is Joe Siegrist. My bank and credit card sites wouldn't
work at first. I gave him a link and he made some changes so that the
next version would fill those sites. I may switch one day, may even
switch to what you are using, but at the moment, LastPass seems to be
doing well.
>> Still, I'm sure there is a tool that will suit your needs.
> ? It's like you didn't really read my email. I already said, I'm
> migrating to KeePassXC. But my complaint is, nothing works like
> Passwordmaker (again, it doesn't store passwords, can only use one
> Master Password).
>
>> I'm not sure I understand what you mean password modification protocol.
>> It sounds like you change your master password each time you use it.
> No, I'm talking about the saved (or in Passwordmakers case, generated)
> password, not the Master Password.
>
> Doing this with the Master Password wouldn't make any sense.
>
If I understand you correctly, I think I have seen a site that allows
that sort of thing. I think. To be honest, this is why I like tools.
I tend to let tools do the heavy lifting. My biggest responsibility is
having a good master password. That's what started this. I want a good
one. ;-) Most of the sites I use are email or ID plus password. A
couple have this picture and phrase thing between login and password
tho. There are also a couple that use that secret question thing. Some
of those are plain annoying tho. lol
Given how things are nowadays, I suspect we will always be in a constant
race to try and stay ahead of hackers and such. Every time we change to
try and beat them, they will find new tools, faster hardware etc to beat
us. The biggest thing, our tools or us have to keep up. I really need
to keep up with the newer stuff better but to be honest, time just isn't
that available to me right now.
I wonder what hackers will come up with next.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-05 21:17 ` Neil Bothwick
@ 2019-02-06 2:41 ` Mark David Dumlao
2019-02-08 14:26 ` Kai Peter
From: Mark David Dumlao @ 2019-02-06 2:41 UTC (permalink / raw
To: gentoo-user
On Wed, Feb 6, 2019 at 5:18 AM Neil Bothwick <neil@digimed.co.uk> wrote:
>
> On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
>
> > My own solution is actually very simple. I have a "secret algorithm"
> > that incorporates several secrets with a predictable way to generate a
> > site-specific secret. The end result is a 100% predictable way to
> > generate unique passwords for every site that are cryptographically
> > secure from each other (you cannot derive
> > one from the other) which can be generated by any device using the
> > appropriate tools.
>
> There was a tool in portage that did this. I tried it but it did not work
> in the real world because you couldn't set a rule for generated passwords
> that matched the requirements of all sites, for example some require a
> non-alphanumeric character while other sites only allow alphanumerics.
>
> I can remember what the tool was called, although I'm pretty sure it
> was written in Python. I'd be interested to know how you get around the
> conflicting restrictions as this seems a good way to do things.
>
Well the original idea is to reduce dependency on specific tools, such
that the algorithm is the secret, and the passwords are just
byproducts of the secret. You will still need tools to do any hashing,
but those are generic tools you can acquire anywhere.
So for example, the "password123" equivalent secret algorithm might be:
1) global pepper: "password"
2) site-specific pepper: pepper plus number = vowels in domain name
3) site-specific ID: pepper dot domain name dot username
4) hashing algorithm: md5sum + base64, take first 8
Example application: madumlao@gmail.com
1) site-specific pepper: pepper3 (3 vowels in domain name: google)
2) site-specific ID: pepper3.google.madumlao
3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> NGI3MTQz
4) combined with global pepper: password.NGI3MTQz
5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> MWJjZjg2
password: MWJjZjg2
Example application: madumlao@yahoo.com
1) site-specific pepper: pepper3 (3 vowels in domain name: yahoo)
2) site-specific ID: pepper3.yahoo.madumlao
3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> ZDQzZGM5
4) combined with global pepper: password.ZDQzZGM5
5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> ZjUwMTI2
password: ZjUwMTI2
The procedure takes up a little more headspace than 1 password, but
definitely less headspace than a dozen cryptographically secure
passwords. You can change the hashing algorithm, peppering rule, ID
rule, number of characters, etc to your tastes. You can add iteration
rules for the nth password change anywhere in the procedure, and add
constraint rules for sites that have certain password limitations (the
caveat is that you have to remember which sites have password changes
and constraints). For me really all that matters is that the building
blocks are widely available and the end result incorporates data loss
that makes it impossible to recover the original secrets.
"Obviously" do not use this algorithm as-is. The algorithm, not the
password, is the secret, so using this algorithm as-is is the
equivalent of using any example of a crypto secure password (correct
horse battery stapler) as a password.
--
This email is: [ ] actionable [x] fyi [ ] social
Response needed: [ ] yes [x] up to you [ ] no
Time-sensitive: [ ] immediate [ ] soon [x] none
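Mark's procedure above, written out as an added shell script (not code from the post) that uses only md5sum, base64 and coreutils, and that also folds in the two extensions he mentions: a counter for the nth password change and a constraint rule for sites that demand a symbol. It assumes the input is fed to md5sum with a trailing newline, as `echo` would do (the post does not say), so the 8-character outputs need not match his NGI3MTQz/MWJjZjg2 exactly; the pepper, domains and username are the post's own throwaway values.

```shell
#!/bin/sh
# Added example, not from the post: Mark's "password123"-equivalent
# secret algorithm as a POSIX shell script. The global pepper, domains
# and username are the post's illustration values; the scheme's point is
# that you choose your own rules, so this exact procedure is not for use.

GLOBAL_PEPPER="password"

# Hashing rule from the post: md5sum -> base64 -> first 8 characters.
# md5sum prints "<32 hex digits>  -", so the first 8 base64 characters
# encode the first 6 hex digits of the digest. Assumption: the input
# carries a trailing newline, as `echo` would give it.
h8() {
    printf '%s\n' "$1" | md5sum | base64 | cut -c1-8
}

# Site-specific pepper: "pepper" + number of vowels in the domain name.
site_pepper() {
    n=$(printf '%s' "$1" | tr -cd 'aeiou' | wc -c | tr -d ' ')
    printf 'pepper%s\n' "$n"
}

# Steps 2-5 of the post: site ID -> site hash -> combine with the global
# pepper -> hash again. The optional change counter ($3, default 0) is the
# "iteration rule for the nth password change", folded into the site ID.
site_password() {
    domain=$1
    user=$2
    gen=${3:-0}
    id="$(site_pepper "$domain").$domain.$user"
    if [ "$gen" -gt 0 ]; then
        id="$id.$gen"
    fi
    site_hash=$(h8 "$id")
    h8 "$GLOBAL_PEPPER.$site_hash"
}

# Constraint rule for sites that insist on a non-alphanumeric character.
# The base64 encoding of hex digits never contains '+' or '/', so the
# plain output is always alphanumeric; append a fixed symbol for such
# sites and use site_password unchanged for sites that forbid symbols.
site_password_symbol() {
    printf '%s!\n' "$(site_password "$@")"
}

# Reproduce the two worked examples from the post.
for d in google yahoo; do
    printf 'madumlao@%s.com -> %s\n' "$d" "$(site_password "$d" madumlao)"
done
```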
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-05 23:50 ` Dale
@ 2019-02-06 18:13 ` Tanstaafl
From: Tanstaafl @ 2019-02-06 18:13 UTC (permalink / raw
To: gentoo-user
On 2/5/2019, 6:50:29 PM, Dale <rdalek1967@gmail.com> wrote:
> Tanstaafl wrote:
>> On 2/4/2019, 8:10:57 PM, Dale <rdalek1967@gmail.com> wrote:
> I'm on the newer version of Firefox so it doesn't show up in my search
> since it isn't compatible.
Correct - maybe you missed my comment that I'm having to keep an old
Portable version of 56 in order to continue being able to use it.
I have a copy I downloaded long ago from AMO, see attached. But it won't
install in newer versions. I'm using a Portable version of 56.
> I did find a Pro version which is likely the same thing but for the
> newer versions of Firefox.
> Did you see it? It is here:
>
> https://addons.mozilla.org/en-US/firefox/addon/firefox-passwordmaker-pro/?src=search
I'm aware of it, but no, it isn't even close to the same thing. It
simply was created to be able to read Passwordmaker's data file (RDF file).
> I picked LastPass since it did what I need and then some plus is
> free.
Yes, but one of my main criteria was it has to be open source. LastPass
isn't open source.
>>> I'm not sure I understand what you mean password modification protocol.
>>> It sounds like you change your master password each time you use it.
>> No, I'm talking about the saved (or in Passwordmakers case, generated)
>> password, not the Master Password.
>>
>> Doing this with the Master Password wouldn't make any sense.
> If I understand you correctly, I think I have seen a site that allows
> that sort of thing. I think.
?? It doesn't have anything to do with a site. This works anywhere.
You simply let your Password Manager fill in the fields, then click
inside the password field and make your modifications before pressing Enter.
> My biggest responsibility is having a good master password.
Mine is good, but that is another benefit of my method - it doesn't have
to be super duper strong, because even if someone gets ahold of your
Password Manager and breaks into it and can see all of your passwords,
it won't do them any good, because they don't have the contents of your
brain to know what modifications to do to the password.
[-- Attachment #2: passwordmaker-1.7.8.xpi --]
[-- Type: application/x-xpinstall, Size: 275494 bytes --]
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-05 21:17 ` Neil Bothwick
2019-02-06 2:41 ` Mark David Dumlao
@ 2019-02-08 14:26 ` Kai Peter
2019-02-08 20:59 ` Neil Bothwick
2019-02-13 16:31 ` Rich Freeman
From: Kai Peter @ 2019-02-08 14:26 UTC (permalink / raw
To: gentoo-user
On 2019-02-05 22:17, Neil Bothwick wrote:
> On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
>
>> My own solution is actually very simple. I have a "secret algorithm"
>> that incorporates several secrets with a predictable way to generate a
>> site-specific secret. The end result is a 100% predictable way to
>> generate unique passwords for every site that are cryptographically
>> secure from each other (you cannot derive
>> one from the other) which can be generated by any device using the
>> appropriate tools.
>
> There was a tool in portage that did this. I tried it but it did not work
> in the real world because you couldn't set a rule for generated
> passwords
> that matched the requirements of all sites, for example some require a
> non-alphanumeric character while other sites only allow alphanumerics.
>
> I can remember what the tool was called, although I'm pretty sure it
> was written in Python. I'd be interested to know how you get around the
> conflicting restrictions as this seems a good way to do things.
By using an existing tool you have to live with its restrictions always.
But who says that it could not be done? At least Mark's solution will
(maybe) not work for everybody (yet), but he did think about an issue
and found a way/solution which sounds really reasonable.
--
Sent with eQmail-1.11 beta - a fork of djb's famous qmail
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-08 14:26 ` Kai Peter
@ 2019-02-08 20:59 ` Neil Bothwick
2019-02-09 0:19 ` Dale
2019-02-13 16:31 ` Rich Freeman
From: Neil Bothwick @ 2019-02-08 20:59 UTC (permalink / raw
To: gentoo-user
On Fri, 08 Feb 2019 15:26:22 +0100, Kai Peter wrote:
> > There was a tool in portage that did this. I tried it but it did not
> > work in the real world because you couldn't set a rule for generated
> > passwords
> > that matched the requirements of all sites, for example some require a
> > non-alphanumeric character while other sites only allow alphanumerics.
> >
> > I can remember what the tool was called, although I'm pretty sure it
> > was written in Python. I'd be interested to know how you get around
> > the conflicting restrictions as this seems a good way to do things.
>
> By using an existing tool you have to live with its restrictions
> always. But who says that it could not be done?
It wasn't so much a restriction in the tool as the sites, which have
conflicting requirements for passwords - especially the ones that have a
MAXIMUM password length.
--
Neil Bothwick
Despite the cost of living, have you noticed how it remains so popular?
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-08 20:59 ` Neil Bothwick
@ 2019-02-09 0:19 ` Dale
2019-02-09 10:06 ` Neil Bothwick
From: Dale @ 2019-02-09 0:19 UTC (permalink / raw
To: gentoo-user
Neil Bothwick wrote:
> On Fri, 08 Feb 2019 15:26:22 +0100, Kai Peter wrote:
>
>>> There was a tool in portage that did this. I tried it but it did not
>>> work in the real world because you couldn't set a rule for generated
>>> passwords
>>> that matched the requirements of all sites, for example some require a
>>> non-alphanumeric character while other sites only allow alphanumerics.
>>>
>>> I can remember what the tool was called, although I'm pretty sure it
>>> was written in Python. I'd be interested to know how you get around
>>> the conflicting restrictions as this seems a good way to do things.
>> By using an existing tool you have to live with its restrictions
>> always. But who says that it could not be done?
> It wasn't so much a restriction in the tool as the sites, which have
> conflicting requirements for passwords - especially the ones that have a
> MAXIMUM password length.
>
>
This is something I've run into on several occasions using LastPass'
generation tool. Some sites allow the symbols, letters above the number
keys, but don't allow one or more specific ones. A couple examples, the
"!" key is a common one not allowed. Others that are sometimes excluded
are the "$" and "*" symbols. So I end up telling LastPass to generate
passwords until it gets one without any of those characters or I turn
off the symbols all together. Of course, turning those off makes a
password easier to crack/hack.
I did run up on one site recently that allowed any character, all
symbols included, and could be as long as 60 characters. I think spaces
were the only thing on the keyboard not allowed. Thing is, it wouldn't
accept anything longer than 28 or so for me. I started out at 40 and
kept dropping down a few digits until I hit the one it would accept. If
it had accepted a random password that long with symbols included, I
would think hackers would have to attack something besides the
password. That is one long password. I've seen paragraphs shorter than
that. According to a couple of the test sites, it would take trillions
of years to crack a 40 digit password much less 60. Pretty hard thing
to get past. What surprises me, a couple sites that I would like to
have longer passwords on, won't accept anything longer than a couple
dozen characters. I wish all financial sites would take 60 or so like
the other one I use. I'm not sure why they limit it to that number.
Common software limit maybe?
This is one thing about having so many different password tools and each
person picking what they like. It makes it harder to figure out how
passwords are generated and tracked. Each tool has its own methods.
It's sort of like the password strength sites. I didn't rely on one
site. I used several plus some common sense as well. If all sites
think a password will take thousands of years or more to crack, it is
likely a good password. Then apply some common sense to confirm it of
course. I ended up with a password that was easier to type and very
strong, even stronger than what I started with. The odds of someone
just guessing it is virtually zero. The things it is based on are not
something anyone other than me would likely consider for creating a
password. It's not pets, family names, date of births or anything like
that. Heck, even if someone was sitting in my chair, they would be
clueless. Even people who know me best would never be able to figure
out what it is based on much less how I put it in the password or which
ones. Thing is, I think I'll be able to remember it easy enough.
I suspect that anyone trying to hack us Linux users, users of this list
especially, would have a rough road ahead of them. Based on replies
here, some have some pretty good methods of coming up with a password.
Let us hope none of us dies instantly and takes the passwords with us.
o_O I put mine in a fire safe. Just in case.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-09 0:19 ` Dale
@ 2019-02-09 10:06 ` Neil Bothwick
2019-02-09 10:42 ` Dale
From: Neil Bothwick @ 2019-02-09 10:06 UTC (permalink / raw
To: gentoo-user
On Fri, 8 Feb 2019 18:19:26 -0600, Dale wrote:
> I suspect that anyone trying to hack us Linux users, users of this list
> especially, would have a rough road ahead of them. Based on replies
> here, some have some pretty good methods of coming up with a password.
> Let us hope none of us dies instantly and takes the passwords with us.
> o_O I put mine in a fire safe. Just in case.
Does LastPass have an export option? With KeePassXC, I can export all my
passwords to a CSV file that I save to a USB stick I keep in my safe.
--
Neil Bothwick
Downloading - A quick way of catching a virus from anywhere in the world.
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-09 10:06 ` Neil Bothwick
@ 2019-02-09 10:42 ` Dale
2019-02-09 16:02 ` Alec Ten Harmsel
0 siblings, 1 reply; 62+ messages in thread
From: Dale @ 2019-02-09 10:42 UTC (permalink / raw
To: gentoo-user
Neil Bothwick wrote:
> On Fri, 8 Feb 2019 18:19:26 -0600, Dale wrote:
>
>> I suspect that anyone trying to hack us Linux users, users of this list
>> especially, would have a rough road ahead of them. Based on replies
>> here, some have some pretty good methods of coming up with a password.
>> Let us hope none of us dies instantly and takes the passwords with us.
>> o_O I put mine in a fire safe. Just in case.
> Does LastPass have an export option? With KeePassXC, I can export all my
> passwords to a CSV file that I save to a USB stick I keep in my safe.
>
>
Yes it does. I export mine when I do major changes, usually when I do
financial sites. It exports it as plain text. I then copy and paste it
into a text file and encrypt it with KGpg. At that point, you still
need the password to decrypt it, and I guess this computer tho it may be
doable on another system with the keys. As I mentioned before, there's
a lot I don't know about this encryption stuff still.
I may get me a tiny USB stick and put the master password, keys and such
on it. I'm sure you know more about this than I do, what all do I need
in case it has to be done on another system? In other words, what all
would I need to copy over to the USB stick?
It seems you just put yours on a stick as plain text. If you trust your
safe, that should be fine. Since I have mine on my system, I encrypt
it. It may be easier to do it your way tho. At least easier for
whoever comes after me.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-09 10:42 ` Dale
@ 2019-02-09 16:02 ` Alec Ten Harmsel
0 siblings, 0 replies; 62+ messages in thread
From: Alec Ten Harmsel @ 2019-02-09 16:02 UTC (permalink / raw
To: gentoo-user
On Sat, Feb 09, 2019 at 04:42:42AM -0600, Dale wrote:
>
> It seems you just put yours on a stick as plain text. If you trust your
> safe, that should be fine. Since I have mine on my system, I encrypt
> it. It may be easier to do it your way tho. At least easier for
> whoever comes after me.
I do the same thing, except mine are printed off and in the safe. IMO it
boils down to what you're trying to defend against; if someone cracks
your safe passwords are probably the last thing to worry about. I'd
imagine by getting into someone's safe you could get enough documents
(birth certificates, passports, etc.) to be able to get through to
customer service and change passwords anyways.
Of course all my passwords that are stored on my computer are encrypted
since only I need to use those :D
Alec
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-04 5:47 [gentoo-user] Coming up with a password that is very strong Dale
` (6 preceding siblings ...)
2019-02-05 4:42 ` Roger J. H. Welsh
@ 2019-02-10 16:12 ` Andrew Savchenko
2019-02-10 16:27 ` Dale
7 siblings, 1 reply; 62+ messages in thread
From: Andrew Savchenko @ 2019-02-10 16:12 UTC (permalink / raw
To: gentoo-user
On Sun, 3 Feb 2019 23:47:35 -0600 Dale wrote:
> Howdy,
>
> Some may recall me mentioning using LastPass to manage my passwords.
> Obviously, it can generate very strong passwords that are different for
> each site. It can also remember them as well which makes things more
> secure than using just a few passwords for all sites. One for things
> like financial sites, maybe a less secure one for some site you still
> want reasonably secure and an even weaker one for sites you don't care
> about hacking, and hackers likely won't either. I know some people who
> do this even today. Heck, ages ago, I was one of them. Things change
> tho. Some passwords can be hacked in seconds by a desktop computer,
> including my own if I had the software and knowledge to do it.
>
> The one thing about most all password managers, they have a master
> password. That one password unlocks the rest. Trick is, having that
> one be a good one that is easy to remember, type on a keyboard and be
> secure, virtually unhackable but also unforgettable. I've had what used
> to be a strong password for a while. Thing is, with today's computing
> power, it really isn't anymore. While no one could just guess it, it
> could be cracked/hacked I'm sure. I need to come up with a new one that
> meets the requirements I just mentioned. Strong, easy to remember, easy
> to type but won't forget. I've read that using maiden names, years of
> birth or whole dates of birth, actual names, pet's name, words in a
> dictionary and a whole list of other things makes it easier, especially
> if you post a lot on social media, for hackers to use against you. I'm
> trying to avoid that sort of thing obviously and have a couple ideas but
> am curious as to what method others use, without exposing too much detail
> since this is public.
>
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above? I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean. ;-) Just looking
> for ideas.
1) Install app-admin/apg.
2) apg -a1 -m40
Best regards,
Andrew Savchenko
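Andrew's two-line recipe (apg -a1 -m40) is a random-character generator, and Dale's earlier posts touch on the two things people then ask about such output: how strong it is (what the strength-meter sites approximate) and whether a site's length cap or composition rule will accept it. The following is an added example, not code from the thread or from apg: it draws from the OS CSPRNG with Python's secrets module, computes the entropy of a uniform draw, and turns that into a brute-force time at an assumed guess rate. The character set, the required-class rule and the 1e12 guesses/s figure are constructed for illustration.

```python
import math
import secrets
import string

# Constructed character set for illustration: apg -a1 draws random (not
# pronounceable) characters from a similar mix of letters, digits and symbols.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
DEFAULT_CHARSET = LOWER + UPPER + DIGITS + SYMBOLS
DEFAULT_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def entropy_bits(length, charset_size):
    """Entropy of a uniformly random password: length * log2(charset size).
    This is what strength meters estimate for generated (non-dictionary)
    passwords; 40 characters from the 94 printable ASCII symbols is ~262 bits."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate at an assumed offline guess rate.
    The rate is a constructed assumption; real rates depend on the hash used."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate(length=40, charset=DEFAULT_CHARSET, required_classes=DEFAULT_CLASSES,
             max_length=None):
    """Draw a password from the OS CSPRNG via the secrets module.

    Candidates missing a required class (a site's "must contain a symbol"
    rule) are rejected and redrawn; rejection keeps the result uniform over
    the accepted set, unlike patching a symbol in afterwards.
    max_length models the cap some sites impose on password length.
    """
    if max_length is not None and length > max_length:
        raise ValueError("site caps passwords at %d characters" % max_length)
    if length < len(required_classes):
        raise ValueError("length too short to contain every required class")
    while True:
        candidate = "".join(secrets.choice(charset) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required_classes):
            return candidate


if __name__ == "__main__":
    pw = generate(40)
    print(pw)
    bits = entropy_bits(40, len(DEFAULT_CHARSET))
    print("%.1f bits; %.3g years at 1e12 guesses/s" % (bits, years_to_exhaust(bits, 1e12)))
```

The rejection loop is what makes a "must contain a symbol" rule cheap to honour for a generated password; for a 40-character draw the rejection rate is negligible, and even for an 8-character one it stays small. The brute-force figure is only meaningful for a uniformly random password; a strength meter's estimate for a human-chosen one is a heuristic, which is why Dale's cross-checking several meters plus common sense is reasonable.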
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-10 16:12 ` Andrew Savchenko
@ 2019-02-10 16:27 ` Dale
2019-02-10 16:59 ` Andrew Savchenko
0 siblings, 1 reply; 62+ messages in thread
From: Dale @ 2019-02-10 16:27 UTC (permalink / raw
To: gentoo-user
Andrew Savchenko wrote:
> On Sun, 3 Feb 2019 23:47:35 -0600 Dale wrote:
>> Howdy,
>>
>> Some may recall me mentioning using LastPass to manage my passwords.
>> Obviously, it can generate very strong passwords that are different for
>> each site. It can also remember them as well which makes things more
>> secure than using just a few passwords for all sites. One for things
>> like financial sites, maybe a less secure one for some site you still
>> want reasonably secure and an even weaker one for sites you don't care
>> about hacking, and hackers likely won't either. I know some people who
>> do this even today. Heck, ages ago, I was one of them. Things change
>> tho. Some passwords can be hacked in seconds by a desktop computer,
>> including my own if I had the software and knowledge to do it.
>>
>> The one thing about most all password managers, they have a master
>> password. That one password unlocks the rest. Trick is, having that
>> one be a good one that is easy to remember, type on a keyboard and be
>> secure, virtually unhackable but also unforgettable. I've had what used
>> to be a strong password for a while. Thing is, with today's computing
>> power, it really isn't anymore. While no one could just guess it, it
>> could be cracked/hacked I'm sure. I need to come up with a new one that
>> meets the requirements I just mentioned. Strong, easy to remember, easy
>> to type but won't forget. I've read that using maiden names, years of
>> birth or whole dates of birth, actual names, pet's name, words in a
>> dictionary and a whole list of other things makes it easier, especially
>> if you post a lot on social media, for hackers to use against you. I'm
>> trying to avoid that sort of thing obviously and have a couple ideas but
>> am curious as to what method others use, without exposing too much detail
>> since this is public.
>>
>> How do you, especially those who admin systems that are always being
>> hacked at, generate strong passwords that meet the above? I've googled
>> and found some ideas but if I use the same method, well, how many others
>> are using that same method, if you know what I mean. ;-) Just looking
>> for ideas.
> 1) Install app-admin/apg.
> 2) apg -a1 -m40
>
> Best regards,
> Andrew Savchenko
My password manager does that already. The password I was trying to
come up with was the master password which I must easily remember, be
secure and be easy to type. The other passwords I let the password
manager generate and remember as well. I don't type those so they can
be anything.
Goes to show tho, there is yet another tool to come up with passwords.
lol
Dale
:-) :-)
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-10 16:27 ` Dale
@ 2019-02-10 16:59 ` Andrew Savchenko
2019-02-10 18:13 ` Mark David Dumlao
0 siblings, 1 reply; 62+ messages in thread
From: Andrew Savchenko @ 2019-02-10 16:59 UTC (permalink / raw
To: gentoo-user
On Sun, 10 Feb 2019 10:27:32 -0600 Dale wrote:
> Andrew Savchenko wrote:
> > On Sun, 3 Feb 2019 23:47:35 -0600 Dale wrote:
> >> Howdy,
> >>
> >> Some may recall me mentioning using LastPass to manage my passwords.
> >> Obviously, it can generate very strong passwords that are different for
> >> each site. It can also remember them as well which makes things more
> >> secure than using just a few passwords for all sites. One for things
> >> like financial sites, maybe a less secure one for some site you still
> >> want reasonably secure and an even weaker one for sites you don't care
> >> about hacking, and hackers likely won't either. I know some people who
> >> do this even today. Heck, ages ago, I was one of them. Things change
> >> tho. Some passwords can be hacked in seconds by a desktop computer,
> >> including my own if I had the software and knowledge to do it.
> >>
> >> The one thing about most all password managers, they have a master
> >> password. That one password unlocks the rest. Trick is, having that
> >> one be a good one that is easy to remember, type on a keyboard and be
> >> secure, virtually unhackable but also unforgettable. I've had what used
> >> to be a strong password for a while. Thing is, with today's computing
> >> power, it really isn't anymore. While no one could just guess it, it
> >> could be cracked/hacked I'm sure. I need to come up with a new one that
> >> meets the requirements I just mentioned. Strong, easy to remember, easy
> >> to type but won't forget. I've read that using maiden names, years of
> >> birth or whole dates of birth, actual names, pet's name, words in a
> >> dictionary and a whole list of other things makes it easier, especially
> >> if you post a lot on social media, for hackers to use against you. I'm
> >> trying to avoid that sort of thing obviously and have a couple ideas but
> >> am curious as to what method others use, without exposing too much detail
> >> since this is public.
> >>
> >> How do you, especially those who admin systems that are always being
> >> hacked at, generate strong passwords that meet the above? I've googled
> >> and found some ideas but if I use the same method, well, how many others
> >> are using that same method, if you know what I mean. ;-) Just looking
> >> for ideas.
> > 1) Install app-admin/apg.
> > 2) apg -a1 -m40
> >
> > Best regards,
> > Andrew Savchenko
>
>
> My password manager does that already. The password I was trying to
> come up with was the master password which I must easily remember, be
> secure and be easy to type. The other passwords I let the password
> manager generate and remember as well. I don't type those so they can
> be anything.
The line above is approximately the same how I got one of my master
passwords. It is not that hard to remember 30-40 random chars.
Just try typing them several hundred times. I'm serious.
> Goes to show tho, there is yet another tool to come up with passwords.
> lol
>
> Dale
>
> :-) :-)
>
>
Best regards,
Andrew Savchenko
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-10 16:59 ` Andrew Savchenko
@ 2019-02-10 18:13 ` Mark David Dumlao
2019-02-10 22:44 ` Dale
0 siblings, 1 reply; 62+ messages in thread
From: Mark David Dumlao @ 2019-02-10 18:13 UTC (permalink / raw
To: gentoo-user
On Mon, Feb 11, 2019 at 1:00 AM Andrew Savchenko <bircoph@gentoo.org> wrote:
>
> On Sun, 10 Feb 2019 10:27:32 -0600 Dale wrote:
> > My password manager does that already. The password I was trying to
> > come up with was the master password which I must easily remember, be
> > secure and be easy to type. The other passwords I let the password
> > manager generate and remember as well. I don't type those so they can
> > be anything.
>
> The line above is approximately the same how I got one of my master
> passwords. It is not that hard to remember 30-40 random chars.
> Just try typing them several hundred times. I'm serious.
That's one of the problems of secure password generation is that human
memory is used backwards. Things become encoded permanently in our
memory after the fact that we've repeated them several times, but most
password generation utilities require you to have perfect memory
first, THEN use repetition to enforce it.
Both a managed password / algorithmic approach gets this more
humanely. You need to first have a reliable way to generate the
password, and if you type it enough times, your brain will commit it
to memory.
* Re: [gentoo-user] Coming up with a password that is very strong.
2019-02-10 18:13 ` Mark David Dumlao
@ 2019-02-10 22:44 ` Dale
0 siblings, 0 replies; 62+ messages in thread
From: Dale @ 2019-02-10 22:44 UTC (permalink / raw
To: gentoo-user
Mark David Dumlao wrote:
> On Mon, Feb 11, 2019 at 1:00 AM Andrew Savchenko <bircoph@gentoo.org> wrote:
>> On Sun, 10 Feb 2019 10:27:32 -0600 Dale wrote:
>>> My password manager does that already. The password I was trying to
>>> come up with was the master password which I must easily remember, be
>>> secure and be easy to type. The other passwords I let the password
>>> manager generate and remember as well. I don't type those so they can
>>> be anything.
>> The line above is approximately the same how I got one of my master
>> passwords. It is not that hard to remember 30-40 random chars.
>> Just try typing them several hundred times. I'm serious.
> That's one of the problems of secure password generation is that human
> memory is used backwards. Things become encoded permanently in our
> memory after the fact that we've repeated them several times, but most
> password generation utilities require you to have perfect memory
> first, THEN use repetition to enforce it.
>
> Both a managed password / algorithmic approach gets this more
> humanely. You need to first have a reliable way to generate the
> password, and if you type it enough times, your brain will commit it
> to memory.
>
>
My biggest thing was to find a way to come up with it. Most use some
famous quote or song and then each first letter or something with a few
numbers and symbols thrown in. Thing is, I don't really have any of
those. So, what I did, I based it on model numbers of some things I
like. I threw in a few symbols as well just to make it harder.
I might add, I used three password strength sites to sort of give me an
idea on strength. I tried different methods to shorten the thing and
make it easier to type as well. I actually ended up with a slightly
shorter password but one that the meters said would be harder to crack.
I might add, the difference was large. The original was something along
the lines of thousands of years. The end result that was easier to type
and slightly shorter was millions of years. I was able to put in more
symbols. Those things help toughen up a password pretty quick.
What I find so interesting about this, everyone seems to have a slightly
or even very different way of doing this. Even if a person is reading
this list and taking notes, I wish them luck trying to guess our
passwords. Given the variety of methods used, I don't see how any tool
could be built that would guess any of our passwords in a short time
frame either. Now if everyone else would put some effort into this
instead of using "passw0rd" or something as silly as that, the internet
would be a much safer place.
I also ran up on some sites that discussed passwords that people
commonly used and some are just laughable but so bad one should cry.
Some people are just plain idiots. I might add, some sites restrict
passwords in ways that keeps a person from generating a really good
password too. Some need to get with the current threat models instead
of living in the past when security wasn't such an issue.
Interesting thread.
Dale
:-) :-)
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-08 14:26 ` Kai Peter
2019-02-08 20:59 ` Neil Bothwick
@ 2019-02-13 16:31 ` Rich Freeman
2019-02-13 17:12 ` Mark David Dumlao
1 sibling, 1 reply; 62+ messages in thread
From: Rich Freeman @ 2019-02-13 16:31 UTC (permalink / raw
To: gentoo-user
On Fri, Feb 8, 2019 at 9:26 AM Kai Peter <kp@lists.openqmail.org> wrote:
>
> On 2019-02-05 22:17, Neil Bothwick wrote:
> > On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
> >
> >> My own solution is actually very simple. I have a "secret algorithm"
> >> that incorporates several secrets with a predictable way to generate a
> >> site-specific secret. The end result is a 100% predictable way to
> >> generate unique passwords for every site that are cryptographically
> >> secure from each other (you cannot derive
> >> one from the other) which can be generated by any device using the
> >> appropriate tools.
> >
> > There was a tool in portage that did this. I tried it but it did not work
> > in the real world because you couldn't set a rule for generated
> > passwords
> > that matched the requirements of all sites, for example some require a
> > non-alphanumeric character while other sites only allow alphanumerics.
> >
> > I can remember what the tool was called, although I'm pretty sure it
> > was written in Python. I'd be interested to know how you get around the
> > conflicting restrictions as this seems a good way to do things.
>
> By using an existing tool you have to live with its restrictions always.
> But who says that it could not be done? At least Mark's solution will
> (maybe) not work for everybody (yet), but he did think about an issue
> and found a way/solution which sounds really reasonable.
>
I just stumbled on lesspass which seems to be such a tool for
algorithmic password generation (lesspass.com).
Some thoughts regarding this approach:
1. Remembering the right "site name" for every site might be tricky -
sites change names/URLs and you won't have any database to search.
2. The solution does allow incremental counters for sites, but of
course that is basically state and it looks like they have a way to
sync this somewhere, but of course that means having a cloud sync
infrastructure and that info could get compromised (doesn't include
the passwords themselves).
3. Master password complexity probably matters more than for
something like Lastpass/KeepassX. With traditional password managers
you need the database plus you need to crack the master password (or
get it some other way). With a purely algorithmic approach you can
probably guess at all the parameters other than the master password,
so anybody can try to crack you without stealing any data at all,
assuming they think you're using the algorithm. It sounds like the
hashing system they're using is considered secure, but it is obviously
only as good as the master password.
4. I'm not sure how straightforward it would be to change
passwords/etc. If you have 100 sites, you'd have to remember what
password you used for what site, or change them all at once. Again,
the stateless approach has its downsides as passwords are not
stateless from the standpoint of the remote sites.
The big upside to stateless is that if you never increment passwords
then as long as you remember your master password you always have
access to your password everywhere, with nothing to back up.
If you do increment passwords, well, now you just introduced state
back in, and the "stateless" solution isn't really so.
Password incrementing is an issue for any algorithmic solution - you
need to be able to remember which password version is in use on what
site.
--
Rich
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-13 16:31 ` Rich Freeman
@ 2019-02-13 17:12 ` Mark David Dumlao
2019-02-13 19:17 ` Rich Freeman
0 siblings, 1 reply; 62+ messages in thread
From: Mark David Dumlao @ 2019-02-13 17:12 UTC (permalink / raw
To: gentoo-user
On Thu, Feb 14, 2019 at 12:32 AM Rich Freeman <rich0@gentoo.org> wrote:
> > > On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
> > >
> > >> My own solution is actually very simple. I have a "secret algorithm"
> > >> that incorporates several secrets with a predictable way to generate a
> > >> site-specific secret. The end result is a 100% predictable way to
> > >> generate unique passwords for every site that are cryptographically
> > >> secure from each other (you cannot derive
> > >> one from the other) which can be generated by any device using the
> > >> appropriate tools.
> I just stumbled on lesspass which seems to be such a tool for
> algorithmic password generation (lesspass.com).
Great tool. Good to know there are those that think alike. One
important point though is that in my "version", the user has to
completely know a secure algorithm (which is where all the security
comes from), with a managed tool this is only feasible for technical
users (or at least technical past a certain level). A version of
lesspass that allows users to view and customize the secret-generation
algorithm would be much more secure.
Or another way to put it might be: if an attacker knows that you're
using lesspass, then the only encryption they have to break is that on
your master password, so your security is only as strong as your
master password. On the other hand, if an attacker knows that I am
using an algorithm-generating technique, they need to break both the
master secret AND the algorithm, which could have vastly more entropy
than the master secret itself.
>
> Some thoughts regarding this approach:
>
> 1. Remembering the right "site name" for every site might be tricky -
> sites change names/URLs and you won't have any database to search.
In my personal practice, not a problem. In practice you always
remember the old site name for any common enough site. If you don't,
you reset the password to the new site name.
> 2. The solution does allow incremental counters for sites, but of
> course that is basically state and it looks like they have a way to
> sync this somewhere, but of course that means having a cloud sync
> infrastructure and that info could get compromised (doesn't include
> the passwords themselves).
Also not an issue for me in practice. In practice you also remember
which sites forced you to change passwords, since they're pretty much
the only ones in that class.
> 3. Master password complexity probably matters more than for
> something like Lastpass/KeepassX. With traditional password managers
> you need the database plus you need to crack the master password (or
> get it some other way). With a purely algorithmic approach you can
> probably guess at all the parameters other than the master password,
> so anybody can try to crack you without stealing any data at all,
This is an issue for lesspass, because the only secret is the master
password. This is not an issue for algorithmic approaches in general,
because the algorithm is part of the secret. Every which way that you
choose to encode the intermediary steps in my example above is also
part of the secret, because none of those can be guessed from the
resulting password.
As an example, encoding "madumlao@gmail.com" as the site-specific
identifier would give a completely different password than
"gmail:madumlao" or "madumlao@gmail" or "madumlao+gmail", etc. And
that hasn't yet counted any peppering which influences intermediary
hashes.
That being said, any system that depends on a master password had
better be goddamned secure. In fact, my email account - which is a
resetting point for basically all services - is exempt from my
password algorithm and uses some ridiculously long secret. Likewise,
your keepass / lesspass secrets should probably be some insane
paranoid level secret that themselves don't come from keepass /
lesspass and their alternatives.
> 4. I'm not sure how straightforward it would be to change
> passwords/etc. If you have 100 sites, you'd have to remember what
> password you used for what site, or change them all at once. Again,
> the stateless approach has its downsides as passwords are not
> stateless from the standpoint of the remote sites.
Actually the generation approach is massively simpler since the
passwords themselves don't matter. If you don't like your secret, are
not sure which iteration a site is, are not sure if a site used an old
or new secret, etc, you can trigger a password reset on most services
and force it to use the current generated password. You can update any
passwords on an as-needed basis to always use the current generated
iteration.
> If you do increment passwords, well, now you just introduced state
> back in, and the "stateless" solution isn't really so.
>
> Password incrementing is an issue for any algorithmic solution - you
> need to be able to remember which password version is in use on what
> site.
If you're talking about remembering the iteration counter for a
particular site, well, yes you have to store state somewhere. But
consider:
1 very strong secret + remember that these 3 or 4 sites are on iteration X
is a LOT less headspace than
4+ independent strong secrets
and I'm pretty sure most people have logins on more than 4 sites.
If literally the only state you need to know about a site is the Nth
iteration, I wouldn't mind cloud providers knowing that because they
can't do anything about that number.
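Rich's post above describes the stateless-derivation model (master password plus public site name and counter, nothing stored) and its consequence that an attacker needs no stolen database to check master-password guesses, and Mark's reply illustrates that the exact encoding of the site identifier ("madumlao@gmail.com" versus "gmail:madumlao") and any pepper change the result completely. The block below is an added example that is not lesspass's code nor Mark's algorithm: a simplified derivation of my own using PBKDF2-HMAC-SHA256 from the standard library, with the counter as the only per-site state and a class-guarantee step so the output meets "must contain a symbol" rules without extra state. The rendering alphabet, the 100,000-iteration count and the sample identifiers are constructed for illustration.

```python
import hashlib
import string

# Constructed rendering alphabet split into classes so every derived password
# contains at least one of each (satisfies common site composition rules).
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
                "!@#$%^&*()-_=+")
CHARSET = "".join(CHAR_CLASSES)


def derive_password(master, site_id, counter=1, pepper="", length=20,
                    iterations=100_000):
    """Deterministically derive a site password from a master secret.

    Only `master` (and the optional `pepper`) is secret. `site_id`, `counter`
    and this code are assumed known to an attacker, which is Rich's point:
    one leaked site password lets a master-password guess be checked offline
    with no stolen database. The salt ties the output to the exact identifier
    string, so "madumlao@gmail.com" and "gmail:madumlao" are unrelated inputs
    (Mark's point), and the counter carries the per-site state needed after a
    forced password change.
    """
    salt = "\x00".join((site_id, str(counter), pepper)).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    entropy = int.from_bytes(key, "big")  # 512 bits to spend on rendering

    # Spend the KDF output as a big integer: each divmod picks one character.
    chars = []
    for _ in range(length - len(CHAR_CLASSES)):
        entropy, idx = divmod(entropy, len(CHARSET))
        chars.append(CHARSET[idx])
    # Then insert one character of every class at a KDF-chosen position.
    for cls in CHAR_CLASSES:
        entropy, idx = divmod(entropy, len(cls))
        entropy, pos = divmod(entropy, len(chars) + 1)
        chars.insert(pos, cls[idx])
    return "".join(chars)


def matches_leaked(master_guess, site_id, counter, leaked_password):
    """The check available to anyone holding one leaked site password: does a
    master-password guess reproduce it? No database is needed, which is why
    the master secret carries all of the scheme's strength."""
    return derive_password(master_guess, site_id, counter) == leaked_password


if __name__ == "__main__":
    for sid in ("madumlao@gmail.com", "gmail:madumlao", "madumlao+gmail"):
        print(sid, "->", derive_password("constructed master phrase", sid))
    print("counter 2 ->", derive_password("constructed master phrase",
                                          "madumlao@gmail.com", counter=2))
```

Two design points are worth noting. The derivation is fully determined by (master, site_id, counter, pepper), so changing any one of them gives an unrelated password, which is exactly what makes Mark's "encoding is part of the secret" argument work and also what makes a forgotten encoding or counter unrecoverable: there is no database to search, as Rich observed. And because matches_leaked needs nothing but a candidate master and public parameters, the iteration count of the KDF is the only thing slowing an offline guess, so the master password has to be strong on its own.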
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
2019-02-13 17:12 ` Mark David Dumlao
@ 2019-02-13 19:17 ` Rich Freeman
2019-02-13 21:34 ` Mark David Dumlao
0 siblings, 1 reply; 62+ messages in thread
From: Rich Freeman @ 2019-02-13 19:17 UTC (permalink / raw
To: gentoo-user
On Wed, Feb 13, 2019 at 12:12 PM Mark David Dumlao <madumlao@gmail.com> wrote:
>
> On Thu, Feb 14, 2019 at 12:32 AM Rich Freeman <rich0@gentoo.org> wrote:
> > I just stumbled on lesspass which seems to be such a tool for
> > algorithmic password generation (lesspass.com).
>
> Great tool. Good to know there are those that think alike. One
> important point though is that in my "version", the user has to
> completely know a secure algorithm (which is where all the security
> comes from), with a managed tool this is only feasible for technical
> users (or at least technical past a certain level). A version of
> lesspass that allows users to view and customize the secret-generation
> algorithm would be much more secure.
Maybe. Here is the problem with this:
If you just give the user a choice of one of several secure algorithms
to use, then basically all you're doing is adding a few more bits of
entropy to the mix. You also have to deal with vulnerabilities in any
algorithm your software uses, and not just the one you picked.
If you instead let the user code their own algorithm, then while this
increases complexity, it also makes it easy for users to shoot
themselves in the feet with an insecure algorithm.
I think it would make more sense for users to focus on more robust
master keys than to rely on security by obscurity with an algorithm
that doesn't benefit from peer review.
> > 2. The solution does allow incremental counters for sites, but of
> > course that is basically state and it looks like they have a way to
> > sync this somewhere, but of course that means having a cloud sync
> > infrastructure and that info could get compromised (doesn't include
> > the passwords themselves).
>
> Also not an issue for me in practice. In practice you also remember
> which sites forced you to change passwords, since they're pretty much
> the only ones in that class.
Sure, assuming you don't regularly change your passwords everywhere.
I'm not sure that this is as important with manager-generated
passwords, but it is a consideration.
> Likewise,
> your keepass / lesspass secrets should probably be some insane
> paranoid level secret that themselves don't come from keepass /
> lesspass and their alternatives.
While any master password should be secure, the algorithmic approaches
suffer more, IMO. With something like Keepass or Lastpass you need
both the database and the master password to do an attack. Now, with
lastpass anybody with the master password can obtain the database from
the cloud, but they're going to throttle attacks or lock the account
after so many failures, and you have nothing to crack offline.
Lastpass would be vulnerable to intruders stealing the database of
course, which then reduces the difficulty of an attack to the same as
something like Lesspass.
>
> > 4. I'm not sure how straightforward it would be to change
> > passwords/etc. If you have 100 sites, you'd have to remember what
> > password you used for what site, or change them all at once. Again,
> > the stateless approach has its downsides as passwords are not
> > stateless from the standpoint of the remote sites.
>
> Actually the generation approach is massively simpler since the
> passwords themselves don't matter. If you don't like your secret, are
> not sure which iteration a site is, are not sure if a site used an old
> or new secret, etc, you can trigger a password reset on most services
> and force it to use the current generated password. You can update any
> passwords on an as-needed basis to always use the current generated
> iteration.
The problem with "as-needed" is that you have to remember which
accounts use which master password. That sounds simple until you have
100 different accounts. My password manager has a huge number of
accounts in it. Granted, some of those are more disposable than
others, but keep in mind that everything from the local burger chain
to your bank has a password these days. Either that, or it supports
something even worse like Facebook authentication. I'm all for SSO,
but not ones locked into a single provider, and especially not
Facebook.
> > Password incrementing is an issue for any algorithmic solution - you
> > need to be able to remember which password version is in use on what
> > site.
>
> If you're talking about remembering the iteration counter for a
> particular site, well, yes you have to store state somewhere. But
> consider:
> 1 very strong secret + remember that these 3 or 4 sites are on iteration X
>
> is a LOT less headspace than
> 4+ independent strong secrets
Sure, but I'm mostly comparing algorithmic password managers to
database-based ones. In neither case are you remembering hundreds of
passwords.
>
> and I'm pretty sure most people have logins on more than 4 sites.
>
> If literally the only state you need to know about a site is the Nth
> iteration, I wouldn't mind cloud providers knowing that because they
> can't do anything about that number.
>
It still means having a need to sync state, that was my main point.
If it were truly stateless you wouldn't need any kind of cloud sync at
all, and I think most would agree that would be an objective benefit.
However, here we still have the need to maintain a cloud account, have
devices that sync to it, and a need to keep that data backed up lest
that cloud provider shut down without warning.
I think we're mostly on the same page though.
--
Rich
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
From: Mark David Dumlao @ 2019-02-13 21:34 UTC (permalink / raw
To: gentoo-user
On Thu, Feb 14, 2019 at 3:18 AM Rich Freeman <rich0@gentoo.org> wrote:
>
> On Wed, Feb 13, 2019 at 12:12 PM Mark David Dumlao <madumlao@gmail.com> wrote:
> >
> > On Thu, Feb 14, 2019 at 12:32 AM Rich Freeman <rich0@gentoo.org> wrote:
> > > I just stumbled on lesspass which seems to be such a tool for
> > > algorithmic password generation (lesspass.com).
> >
> > Great tool. Good to know there are those that think alike. One
> > important point though is that in my "version", the user has to
> > completely know a secure algorithm (which is where all the security
> > comes from), with a managed tool this is only feasible for technical
> > users (or at least technical past a certain level). A version of
> > lesspass that allows users to view and customize the secret-generation
> > algorithm would be much more secure.
>
> Maybe. Here is the problem with this:
>
> If you just give the user a choice of one of several secure algorithms
> to use, then basically all you're doing is adding a few more bits of
> entropy to the mix. You also have to deal with vulnerabilities in any
> algorithm your software uses, and not just the one you picked.
>
> If you instead let the user code their own algorithm, then while this
> increases complexity, it also makes it easy for users to shoot
> themselves in the feet with an insecure algorithm.
>
> I think it would make more sense for users to focus on more robust
> master keys than to rely on security by obscurity with an algorithm
> that doesn't benefit from peer review.
Changing (or rather customizing) algorithms is not security by
obscurity. While it may be true that at the end of the day you're
adding bits of entropy, the fact is the freeform nature of design
implies the number of bits of entropy you are adding could very easily
exceed any humane password.
And on the second point, you can completely automate simply running
lesspass, whereas to automate cracking an unknown algorithm you would
have to automate writing arbitrary programs, which is in theory
reducible to the halting problem. TLDR: you probably can't.
> While any master password should be secure, the algorithmic approaches
> suffer more, IMO. With something like Keepass or Lastpass you need
> both the database and the master password to do an attack. Now, with
> lastpass anybody with the master password can obtain the database from
> the cloud, but they're going to throttle attacks or lock the account
> after so many failures, and you have nothing to crack offline.
> Lastpass would be vulnerable to intruders stealing the database of
> course, which then reduces the difficulty of an attack to the same as
> something like Lesspass.
That's technically correct, which is why I would suggest a
custom-designed algorithm as opposed to something like lesspass. With
lesspass all the security directly goes to your secret, so the
pressure to make the secret ridiculous is huge. With your own
algorithm, the algorithm itself adds entropy between your secret and
the generated password.
Consider:
- to crack a lesspass secret, you can bruteforce the lesspass secret
and check if they produce a valid output. On any success, you're
99.99x% certain to have cracked the original lesspass secret, which
will instantly work on other sites.
- to crack an arbitrary algorithm, it is insufficient to bruteforce an
input secret because by itself it does not produce an output secret.
You would also have to bruteforce different transformation algorithms
that map from the input secret to the output secret. Even if you end
up producing a valid password, you cannot guarantee that the guessed
algorithm works on other accounts, because it might simply be a
collision, which is indistinguishable from the algorithm being wrong
due to missing some site-specific rules.
>
> >
> > > 4. I'm not sure how straightforward it would be to change
> > > passwords/etc. If you have 100 sites, you'd have to remember what
> > > password you used for what site, or change them all at once. Again,
> > > the stateless approach has its downsides as passwords are not
> > > stateless from the standpoint of the remote sites.
> >
> > Actually the generation approach is massively simpler since the
> > passwords themselves don't matter. If you don't like your secret, are
> > not sure which iteration a site is, are not sure if a site used an old
> > or new secret, etc, you can trigger a password reset on most services
> > and force it to use the current generated password. You can update any
> > passwords on an as-needed basis to always use the current generated
> > iteration.
>
> The problem with "as-needed" is that you have to remember which
> accounts use which master password. That sounds simple until you have
> 100 different accounts.
The point of an approach like this is to reduce the number of secrets,
ideally, to only a handful, in practice only to one. Thus you don't
need to remember which account uses which master password because just
like keepass there is just one. I have over 100 different accounts
(software testing) and I can say it's very simple, at least no
different than using something like keepass.
In the algorithmic approach, you don't have to change your master
password per iteration. Your algorithm can take iterations into
account to use the same secret to generate an Nth iteration. For
instance, using iteration numbers as part of a site-specific ID.
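As an added illustration (not code from the thread, and not lesspass's actual algorithm), here is the shape of the stateless generator the two of them are arguing about: the master secret goes through a slow KDF whose salt is a site-specific ID that already carries the iteration counter, so a site can be rotated without touching the master. The same block also shows the offline check Rich's threat model implies: anyone holding one leaked site password can test a candidate master at the cost of a single KDF run, which is why all of the security ends up resting on the master secret's entropy. The KDF choice, iteration count, alphabet and sample values are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed parameters for this illustration. They are assumptions,
# not lesspass's real profile: lesspass's actual KDF settings and
# character-class rules are not reproduced here.
KDF_ITERATIONS = 100_000
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789"
            "!#$%&*+-=?@^_")          # 75 symbols


def site_id(site: str, login: str, counter: int) -> bytes:
    """Site-specific ID used as the KDF salt.

    The iteration counter is folded in here, so a site can be rotated to
    password N+1 while the master secret stays the same (the point above
    about using iteration numbers as part of the site-specific ID).
    """
    # NUL separators keep ("ab", "c") and ("a", "bc") from colliding.
    return f"{site}\x00{login}\x00{counter}".encode("utf-8")


def derive_password(master: str, site: str, login: str,
                    counter: int = 1, length: int = 16) -> str:
    """Deterministically derive one site password from the master secret."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site_id(site, login, counter),
                              KDF_ITERATIONS, dklen=32)
    # Map the 256-bit key onto the alphabet by repeated divmod; since
    # 75**16 is below 2**100, far under 2**256, the modulo bias is negligible.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def master_guess_matches(candidate_master: str, site: str, login: str,
                         counter: int, leaked_password: str) -> bool:
    """The offline check implied by the thread's threat model.

    Someone holding ONE site password from a breach can test a candidate
    master at the cost of one KDF run, and a hit confirms the master for
    every other site. That is why a stateless generator puts all of its
    security on the master's entropy plus the KDF's per-guess cost.
    """
    derived = derive_password(candidate_master, site, login, counter)
    return hmac.compare_digest(derived, leaked_password)


if __name__ == "__main__":
    master = "correct horse battery staple"      # constructed sample secret
    p1 = derive_password(master, "example.com", "alice", counter=1)
    p2 = derive_password(master, "example.com", "alice", counter=2)
    print("iteration 1:", p1)
    print("iteration 2:", p2)       # unrelated to p1, master unchanged
    print("guess check:",
          master_guess_matches(master, "example.com", "alice", 1, p1))
```

The only state this scheme needs outside your head is which counter each site is on, which is exactly the sync problem Rich raises; the per-guess cost you can control is the KDF's work factor, so a stronger master and a slower KDF are the two knobs that matter.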
* Re: [gentoo-user] Re: Coming up with a password that is very strong.
From: Rich Freeman @ 2019-02-13 21:50 UTC (permalink / raw
To: gentoo-user
On Wed, Feb 13, 2019 at 4:34 PM Mark David Dumlao <madumlao@gmail.com> wrote:
>
> On Thu, Feb 14, 2019 at 3:18 AM Rich Freeman <rich0@gentoo.org> wrote:
> >
> > If you instead let the user code their own algorithm, then while this
> > increases complexity, it also makes it easy for users to shoot
> > themselves in the feet with an insecure algorithm.
> >
>
> And on second point, you can completely automate simply running
> lesspass, whereas to automate cracking an unknown algorithm you would
> have to automate writing arbitrary programs, which is in theory
> reducible to the halting problem. TLDR: you probably can't.
Only if the algorithm the user chooses is secure. If they pick
something equivalent to ROT13 then the attacker's problem becomes
easier.
That was my point, and users aren't necessarily good at picking secure
algorithms.
Now, if they just copy/paste one off the website, then they become
open to attacks that check the commonly used algorithms.
> > The problem with "as-needed" is that you have to remember which
> > accounts use which master password. That sounds simple until you have
> > 100 different accounts.
>
> In the algorithmic approach, you don't have to change your master
> password per iteration. Your algorithm can take iterations into
> account to use the same secret to generate an Nth iteration. For
> instance, using iteration numbers as part of a site-specific ID.
Of course, but my point is that if you ever DO have to change the
master password it is a mess. Maybe you have to change it because
somebody beat it out of you with a hose. Or maybe you accidentally
typed it into the wrong window. Or maybe somebody stole it with a
sniffer. Or whatever.
My point is that if it fails then it is more painful to recover. If
you lose your master password on a database-backed solution and the
database isn't compromised, then you just change your password. If
the database is compromised then you also have to change all your site
passwords, but as you change them the database maintains state and you
can forget the old master password the moment it is changed.
It is just a pro/con of the approach - individuals can judge the overall merits.
--
Rich