Teach people to pick phrases from their favorite songs or poems, and you get great passwords: "now is the time for all good men to come to the aid of their country" makes nittfagmtcttaotc; take an i, make a 1, etc., and you've further obfuscated things. Longer is better, and I've seen lots of people take stanzas from things and create truly monstrous pw's. I teach people to make their own passwords that way. Judging from the clackclackclack... noises when logging into things, it's been working.

Use a system that generates passwords for you, and they wind up on post-it notes. Last week I saw just that for an account which controls a lot of money. A LOT. I've seen this so many times when "good" pw's are enforced on people.

Passwords certainly are a pain, but they can be managed.

--STeve Andre'

On 06/14/12 09:11, Hoort, Brian wrote:
> Compared to using the same password for all their websites, which is
> what our users do that aren't using a LastPass-like service, using
> LastPass to generate random, long strings for passwords and storing
> them in an encrypted blob (LastPass does not have the key) is far more
> secure. This very event with LinkedIn demonstrates this. LinkedIn
> lost their password hashes. This is most dangerous to a typical user
> (97%?) who has reused passwords across web sites. Had they been using
> LastPass (or a similar service) to generate random, different
> passwords across sites, they would be in a far more secure position.
> While there is the theoretical problem of the encrypted blob being
> compromised, LastPass would have had to also fail in their
> implementation of encryption for that loss to be dangerous. LastPass,
> used properly to generate passwords, is a big net-win in security for
> the vast majority of people.
>
> Brian Hoort | 517-355-3776
> ANR Technology Services, MSU
>
> From: Kramer, Jack [mailto:[log in to unmask]]
> Sent: Wednesday, June 13, 2012 5:26 PM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>
> Right, I get that. If you use them as a password manager you've
> definitely increased your attack surface. I would consider something
> like 1Password less attackable since the password database is kept
> local. However, this LinkedIn check utility isn't giving them your
> password---it's just doing the SHA-1 compute on it and then comparing
> that hash to a list of hashes that are already out there. I mean, I
> guess someone could theoretically compromise the server hosting that
> utility and replace the code with something that captures your
> password in plaintext and sends it off to some nefarious third party,
> but with no account name (or way to capture such) I'm having trouble
> seeing how that's useful information.
>
> ----
> Jack Kramer
> Manager of Information Technology
> Communications and Brand Strategy
>
> Michigan State University
>
> w: 517-884-1231 / c: 248-635-4955
>
> From: STeve Andre' <[log in to unmask]>
> Reply-To: STeve Andre' <[log in to unmask]>
> Date: Wednesday, June 13, 2012 5:11 PM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>
> My distrust stems from having some other entity get your password.
>
> A single point of failure, and you are trusting them to do it right,
> and not be compromised. So yes, there *is* an increased attack surface
> here: you are adding to the complexity of things and trusting that
> they are secure. To me, that's increasing the attack surface. I
> don't know what else to call it.
>
> --STeve Andre'
>
> On 06/13/12 17:05, Kramer, Jack wrote:
> Are you objecting to the concept of a password manager utility or
> the check site that Matt posted? I agree that password managers
> represent a single point of failure, though that single point is
> at least easier to protect than the many points of weak passwords
> we seem to end up with without any sort of manager; however, the
> LinkedIn check page they have just compares the SHA-1 hash of any
> text you enter with the known leak of SHA-1 hashes and tells you
> if there's a match. There really isn't an attack surface there
> considering you're perfectly welcome to download that hash leak
> yourself and run all the comparisons your heart desires on it.
>
> ----
> Jack Kramer
> Manager of Information Technology
> Communications and Brand Strategy
>
> Michigan State University
>
> w: 517-884-1231 / c: 248-635-4955
>
> From: STeve Andre' <[log in to unmask]>
> Reply-To: STeve Andre' <[log in to unmask]>
> Date: Wednesday, June 13, 2012 4:51 PM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>
> On 06/13/12 16:30, Carl Bussema III wrote:
>> Actually LastPass is a well-known and respected security tool, so I
>> would actually trust them not to compromise the password. I actually
>> tried to decipher the HTTPS session with Fiddler, but Chrome +
>> LastPass detected a man-in-the-middle and wouldn't proceed.
>>
>> And because apparently some people need to be put out of their
>> paranoia, I went ahead and just used my regular developer tools and
>> found exactly what I suspected:
>>
>> I posted the password "asdf" to their form. I then watched the AJAX
>> request (which because it happens client side is unencrypted before
>> transmission) ... and you know what they are sending to their servers?
>> THE HASHED PASSWORD. It's not like it's hard to SHA1 a string
>> in JavaScript.
>>
>> So they send the hash to the server, check the list of "known bad
>> hashes" (which is what the hackers have published) and tell you if
>> your password hash matches a known compromised hash.
>>
>> It's really about as safe as you can possibly imagine and a great
>> tool. Yes, we should be careful about inputting passwords onto strange
>> sites, but you should also do your due diligence and check if the site
>> might actually be legit.
>>
>> /rant
>
> Passwords are about as fragile a thing as there is today: users
> pick and display idiot pw's, and systems (often) have bad security
> measures in place which don't really work.
>
> LastPass is likely an up-front honest entity, but that isn't the reason
> why they shouldn't be used. Trusting another entity with your pw
> increases the attack surface of the product you are testing. As
> good as LastPass is, you are now trusting them to be really secure.
> That they throw away the string you enter is good, but that means
> that vandals know just where to look if they were trying to break
> that system.
>
> This is a philosophical thing. Minimizing the places on the net that
> have pw's is a good thing.
>
> --STeve Andre'
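The client-side check the thread argues about (hash the entered text with SHA-1 locally, send only the digest, compare it against the published list, or do the comparison yourself against a downloaded copy), as an added Python example; this is not the LinkedIn check utility's or LastPass's own code, and the hash list it loads is constructed inline rather than the real leak.

```python
import hashlib

# Constructed stand-in for the published dump of unsalted SHA-1 hashes:
# one hex digest per line, with a junk line to show the parser skipping it.
CONSTRUCTED_LEAK = "\n".join([
    hashlib.sha1(b"asdf").hexdigest(),
    hashlib.sha1(b"password1").hexdigest(),
    "not-a-hash-line",
    hashlib.sha1(b"linkedin").hexdigest().upper(),  # mixed case in dumps
])

HEX = set("0123456789abcdef")


def load_leaked_hashes(text):
    """Parse a hash dump into a set of lowercase SHA-1 hex digests.

    Lines that are not exactly 40 hex characters are ignored, so a
    downloaded dump with headers or blank lines can be fed in directly.
    """
    hashes = set()
    for line in text.splitlines():
        h = line.strip().lower()
        if len(h) == 40 and set(h) <= HEX:
            hashes.add(h)
    return hashes


def client_payload(password):
    """What the page's JavaScript would send: only the SHA-1 hex digest.

    The plaintext never appears in the request body.
    """
    return {"hash": hashlib.sha1(password.encode("utf-8")).hexdigest()}


def is_compromised(password, leaked_hashes):
    """Server-side (or offline, local) comparison against the known-bad set."""
    return client_payload(password)["hash"] in leaked_hashes


if __name__ == "__main__":
    leak = load_leaked_hashes(CONSTRUCTED_LEAK)
    for candidate in ("asdf", "correct horse battery staple"):
        print(candidate, "->", client_payload(candidate), is_compromised(candidate, leak))
```

Running it against a real copy of the dump is the same call with `open(path).read()` in place of `CONSTRUCTED_LEAK`, which is the "download the leak and compare yourself" option Jack mentions.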