Well, if we are going to discuss password
generation and strength, then someone has to trot
out the two canonical references, which I do now:
http://xkcd.com/936
https://www.grc.com/haystack.htm
-- dkm
At 6/14/2012 03:58 PM Thursday, STeve Andre' wrote:
>Teach people to pick phrases from their favorite songs or poems, and
>you get great passwords:
>
> now is the time for all good men to come to the aid of their country
>
>makes
>
> nittfagmtcttaotc
>
>take an i and make it a 1, etc., and you've further obfuscated things. Longer
>is better and I've seen lots of people take stanzas from things and
>create truly monstrous pw's.
>
>I teach people to make their own passwords that way. Judging from
>the clackclackclack... noises when logging into things, it's been working.
>
>Use a system that generates passwords for you, and they wind up on
>postit notes. Last week I saw just that for an account which controls
>a lot of money. A LOT. I've seen this so many times when "good" pw's
>are enforced on people.
>
>Passwords certainly are a pain, but they can be managed.
>
>--STeve Andre'
>
>On 06/14/12 09:11, Hoort, Brian wrote:
>>Compared to using the same password for all
>>their websites, which is what our users do that
>>aren’t using a LastPass like service, using
>>LastPass to generate random, long strings for
>>passwords and storing them in an encrypted blob
>>(LastPass does not have the key) is far more
>>secure. This very event with LinkedIn
>>demonstrates this. LinkedIn lost their password
>>hashes. This is most dangerous to a typical
>>user (97%?) who has reused passwords across web
>>sites. Had they been using LastPass (or a
>>similar service) to generate random, different
>>passwords across sites, they would be in a far
>>more secure position. While there is the
>>theoretical problem of the encrypted blob being
>>compromised, LastPass would have had to also
>>fail in their implementation of encryption for
>>that loss to be dangerous. LastPass, used
>>properly to generate passwords, is a big
>>net-win in security for the vast majority of people.
>>
>>Brian Hoort | 517-355-3776
>>ANR Technology Services, MSU
>>
>>From: Kramer, Jack
>>[mailto:[log in to unmask]]
>>Sent: Wednesday, June 13, 2012 5:26 PM
>>To: [log in to unmask]
>>Subject: Re: [MSUNAG] LinkedIn Password hacked.
>>
>>Right, I get that. If you use them as a
>>password manager you've definitely increased
>>your attack surface. I would consider something
>>like 1Password less attackable since the
>>password database is kept local. However, this
>>LinkedIn check utility isn't giving them your
>>password; it's just doing the SHA-1 compute on
>>it and then comparing that hash to a list of
>>hashes that are already out there. I mean, I
>>guess someone could theoretically compromise
>>the server hosting that utility and replace the
>>code with something that captures your password
>>in plaintext and sends it off to some nefarious
>>third party, but with no account name (or way
>>to capture such) I'm having trouble seeing how that's useful information.
>>
>>----
>>Jack Kramer
>>Manager of Information Technology
>>Communications and Brand Strategy
>>Michigan State University
>>w: 517-884-1231 / c: 248-635-4955
>>
>>From: STeve Andre' <[log in to unmask]>
>>Reply-To: STeve Andre' <[log in to unmask]>
>>Date: Wednesday, June 13, 2012 5:11 PM
>>To: "[log in to unmask]" <[log in to unmask]>
>>Subject: Re: [MSUNAG] LinkedIn Password hacked.
>>
>>My distrust stems from having some other entity get your password.
>>
>>A single point of failure, and you are trusting them to do it right, and
>>not be compromised. So yes, there *is* an increased attack surface
>>here: you are adding to the complexity of things and trusting that
>>they are secure. To me, that's increasing the attack surface. I
>>don't know what else to call it.
>>
>>--STeve Andre'
>>
>>On 06/13/12 17:05, Kramer, Jack wrote:
>>Are you objecting to the concept of a password
>>manager utility or the check site that Matt
>>posted? I agree that password managers
>>represent a single point of failure, though
>>that single point is at least easier to protect
>>than the many points of weak password we seem
>>to end up without any sort of manager; however,
>>the LinkedIn check page they have just compares
>>the SHA-1 hash of any text you enter with the
>>known leak of SHA-1 hashes and tells you if
>>there's a match. There really isn't an attack
>>surface there considering you're perfectly
>>welcome to download that hash leak yourself and
>>run all the comparisons your heart desires on it.
>>
>>----
>>Jack Kramer
>>Manager of Information Technology
>>Communications and Brand Strategy
>>Michigan State University
>>w: 517-884-1231 / c: 248-635-4955
>>
>>From: STeve Andre' <[log in to unmask]>
>>Reply-To: STeve Andre' <[log in to unmask]>
>>Date: Wednesday, June 13, 2012 4:51 PM
>>To: "[log in to unmask]" <[log in to unmask]>
>>Subject: Re: [MSUNAG] LinkedIn Password hacked.
>>
>>On 06/13/12 16:30, Carl Bussema III wrote:
>>Actually LastPass is a well-known and respected security tool, so I
>>would actually trust them not to compromise the password. I actually
>>tried to decipher the HTTPS session with Fiddler, but Chrome +
>>LastPass detected a man-in-the-middle and wouldn't proceed.
>>
>>And because apparently some people need to be put out of their
>>paranoia, I went ahead and just used my regular developer tools and
>>found exactly what I suspected:
>>
>>I posted the password "asdf" to their form. I then watched the AJAX
>>request (which because it happens client side is unencrypted before
>>transmission) ... and you know what they are sending to their servers?
>>THE HASHED PASSWORD. It's not like it's hard to SHA1 a string
>>in JavaScript.
>>
>>So they send the hash to the server, check the list of "known bad
>>hashes" (which is what the hackers have published) and tell you if
>>your password hash matches a known compromised hash.
>>
>>It's really about as safe as you can possibly imagine and a great
>>tool. Yes, we should be careful about inputting passwords onto strange
>>sites, but you should also do your due diligence and check if the site
>>might actually be legit.
>>
>>/rant
>>
>>Passwords are about as fragile a thing as there is today: users
>>pick and display idiot pw's, and systems (often) have bad security
>>measures in place which don't really work.
>>
>>LastPass is likely an up-front honest entity, but that isn't the reason
>>why they shouldn't be used. Trusting another entity with your pw
>>increases the attack surface of the product you are testing. As
>>good as LastPass is, you are now trusting them to be really secure.
>>That they throw away the string you enter is good, but that means
>>that vandals know just where to look if they were trying to break
>>that system.
>>
>>This is a philosophical thing. Minimizing the places on the net that
>>have pw's is a good thing.
>>
>>--STeve Andre'