Teach people to pick phrases from their favorite songs or poems, and
you get great passwords:

     now is the time for all good men to come to the aid of their country

makes

      nittfagmtcttaotc

take an i make a 1, etc, and you've further obfuscated things.  Longer
is better and I've seen lots of people take stanzas from things and
create truly monstrous pw's.

I teach people to make their own passwords that way.  Judging from
the clackclackclack... noises when logging into things, it's been working.

Use a system that generates passwords for you, and they wind up on
post-it notes.  Last week I saw just that for an account which controls
a lot of money.  A LOT.  I've seen this so many times when "good" pw's
are enforced on people.

Passwords certainly are a pain, but they can be managed.

--STeve Andre'

On 06/14/12 09:11, Hoort, Brian wrote:
>
> Compared to using the same password for all their websites, which is 
> what our users do that aren't using a LastPass like service, using 
> LastPass to generate random, long strings for passwords and storing 
> them in an encrypted blob (LastPass does not have the key) is far more 
> secure.  This very event with LinkedIn demonstrates this. LinkedIn 
> lost their password hashes.  This is most dangerous to a typical user 
> (97%?) who has reused passwords across web sites.  Had they been using 
> LastPass (or a similar service) to generate random, different 
> passwords across sites, they would be in a far more secure position. 
> While there is the theoretical problem of the encrypted blob being 
> compromised, LastPass would have had to also fail in their 
> implementation of encryption for that loss to be dangerous. LastPass, 
> used properly to generate passwords, is a big net-win in security for 
> the vast majority of people.
>
> Brian Hoort     |     517-355-3776
>
> ANR Technology Services, MSU
>
> *From:*Kramer, Jack [mailto:[log in to unmask]]
> *Sent:* Wednesday, June 13, 2012 5:26 PM
> *To:* [log in to unmask]
> *Subject:* Re: [MSUNAG] LinkedIn Password hacked.
>
> Right, I get that. If you use them as a password manager you've 
> definitely increased your attack surface. I would consider something 
> like 1Password less attackable since the password database is kept 
> local. However, this LinkedIn check utility isn't giving them your 
> password---it's just doing the SHA-1 compute on it and then comparing 
> that hash to a list of hashes that are already out there. I mean, I 
> guess someone could theoretically compromise the server hosting that 
> utility and replace the code with something that captures your 
> password in plaintext and sends it off to some nefarious third party, 
> but with no account name (or way to capture such) I'm having trouble 
> seeing how that's useful information.
>
> ----
> Jack Kramer
> Manager of Information Technology
> Communications and Brand Strategy
>
> Michigan State University
>
> w: 517-884-1231 / c: 248-635-4955
>
> *From: *STeve Andre' <[log in to unmask] <mailto:[log in to unmask]>>
> *Reply-To: *STeve Andre' <[log in to unmask] <mailto:[log in to unmask]>>
> *Date: *Wednesday, June 13, 2012 5:11 PM
> *To: *"[log in to unmask] <mailto:[log in to unmask]>" 
> <[log in to unmask] <mailto:[log in to unmask]>>
> *Subject: *Re: [MSUNAG] LinkedIn Password hacked.
>
>     My distrust stems from having some other entity get your password.
>
>     A single point of failure, and you are trusting them to do it
>     right, and
>     not be compromised.  So yes, there *is* an increased attack surface
>     here: you are adding to the complexity of things and trusting that
>     they are secure.  To me, that's increasing the attack surface.  I
>     don't know what else to call it.
>
>     --STeve Andre'
>
>     On 06/13/12 17:05, Kramer, Jack wrote:
>
>     Are you objecting to the concept of a password manager utility or
>     the check site that Matt posted? I agree that password managers
>     represent a single point of failure, though that single point is
>     at least easier to protect than the many points of weak password
>     we seem to end up without any sort of manager; however, the
>     LinkedIn check page they have just compares the SHA-1 hash of any
>     text you enter with the known leak of SHA-1 hashes and tells you
>     if there's a match. There really isn't an attack surface there
>     considering you're perfectly welcome to download that hash leak
>     yourself and run all the comparisons your heart desires on it.
>
>     ----
>     Jack Kramer
>     Manager of Information Technology
>     Communications and Brand Strategy
>
>     Michigan State University
>
>     w: 517-884-1231 / c: 248-635-4955
>
>     *From: *STeve Andre' <[log in to unmask] <mailto:[log in to unmask]>>
>     *Reply-To: *STeve Andre' <[log in to unmask] <mailto:[log in to unmask]>>
>     *Date: *Wednesday, June 13, 2012 4:51 PM
>     *To: *"[log in to unmask] <mailto:[log in to unmask]>"
>     <[log in to unmask] <mailto:[log in to unmask]>>
>     *Subject: *Re: [MSUNAG] LinkedIn Password hacked.
>
>         On 06/13/12 16:30, Carl Bussema III wrote:
>
>             Actually LastPass is a well-known and respected security
>             tool, so I would actually trust them not to compromise the
>             password. I actually tried to decipher the HTTPS session
>             with Fiddler, but Chrome + LastPass detected a
>             man-in-the-middle and wouldn't proceed.
>
>             And because apparently some people need to be put out of
>             their paranoia, I went ahead and just used my regular
>             developer tools and found exactly what I suspected:
>
>             I posted the password "asdf" to their form. I then watched
>             the AJAX request (which because it happens client side is
>             unencrypted before transmission) ... and you know what they
>             are sending to their servers?
>
>             THE HASHED PASSWORD. It's not like it's hard to SHA1 a
>             string in JavaScript.
>
>             So they send the hash to the server, check the list of
>             "known bad hashes" (which is what the hackers have
>             published) and tell you if your password hash matches a
>             known compromised hash.
>
>             It's really about as safe as you can possibly imagine and a
>             great tool. Yes, we should be careful about inputting
>             passwords onto strange sites, but you should also do your
>             due diligence and check if the site might actually be legit.
>
>             /rant
>
>         Passwords are about as fragile a thing as there is today: users
>         pick and display idiot pw's, and systems (often) have bad
>         security measures in place which don't really work.
>
>         LastPass is likely an up-front honest entity, but that isn't
>         the reason why they shouldn't be used.  Trusting another entity
>         with your pw increases the attack surface of the product you
>         are testing.  As good as LastPass is, you are now trusting them
>         to be really secure.
>
>         That they throw away the string you enter is good, but that
>         means that vandals know just where to look if they were trying
>         to break that system.
>
>         This is a philosophical thing.  Minimizing the places on the
>         net that have pw's is a good thing.
>
>         --STeve Andre'
>
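The two techniques the thread turns on, the first-letter passphrase trick from the top of the message and the check page's client-side SHA-1 compared against the leaked hash list, as an added Python example that is not part of the thread or of LastPass's code. The leaked-hash set is constructed, the substitution table is an assumed stand-in for "take an i make a 1, etc", and the masked-prefix check assumes the widely reported fact that many entries in the LinkedIn dump had their first five hex characters overwritten with zeros.

```python
import hashlib

# Assumed substitution table for the post's "take an i make a 1, etc" step.
SUBSTITUTIONS = {"i": "1", "a": "@", "o": "0", "e": "3"}


def passphrase_to_password(phrase, substitute=False):
    """First letter of each word, optionally with character substitutions.
    The post's example line yields 'nittfagmtcttaotc' without substitution."""
    initials = "".join(word[0] for word in phrase.split())
    if not substitute:
        return initials
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in initials)


def sha1_hex(password):
    """Unsalted SHA-1 hex digest: what LinkedIn stored and what the check
    page computes in the browser before anything is transmitted."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_compromised(password, leaked_hashes):
    """Return True if the password's hash appears in the leaked set.

    Only the hash is compared; the plaintext never leaves this function.
    Many entries in the LinkedIn dump had their first five hex characters
    overwritten with '00000', so that masked form is checked as well."""
    digest = sha1_hex(password)
    masked = "00000" + digest[5:]
    return digest in leaked_hashes or masked in leaked_hashes


# Constructed stand-in for the leaked list: one full hash and one masked one.
LEAKED = {
    sha1_hex("asdf"),                      # the password Carl posted to the form
    "00000" + sha1_hex("password")[5:],    # a masked entry
}

if __name__ == "__main__":
    phrase = "now is the time for all good men to come to the aid of their country"
    pw = passphrase_to_password(phrase)
    print(pw, is_compromised(pw, LEAKED))         # nittfagmtcttaotc False
    print(passphrase_to_password(phrase, True))   # n1ttf@gmtctt@0tc
    print(is_compromised("asdf", LEAKED))         # True
    print(is_compromised("password", LEAKED))     # True (matched via the masked form)
```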