
Teach people to pick phrases from their favorite songs or poems, and
you get great passwords:

    now is the time for all good men to come to the aid of their country

makes

    nittfagmtcttaotc

take an i make a 1, etc., and you've further obfuscated things.  Longer
is better and I've seen lots of people take stanzas from things and
create truly monstrous pw's.

I teach people to make their own passwords that way.  Judging from
the clackclackclack... noises when logging into things, it's been working.

Use a system that generates passwords for you, and they wind up on
postit notes.  Last week I saw just that for an account which controls
a lot of money.  A LOT.  I've seen this so many times when "good" pw's
are enforced on people.

Passwords certainly are a pain, but they can be managed.

--STeve Andre'

On 06/14/12 09:11, Hoort, Brian wrote:

Compared to using the same password for all their websites, which is what our users do that aren't using a LastPass-like service, using LastPass to generate random, long strings for passwords and storing them in an encrypted blob (LastPass does not have the key) is far more secure.  This very event with LinkedIn demonstrates this. LinkedIn lost their password hashes.  This is most dangerous to a typical user (97%?) who has reused passwords across web sites.  Had they been using LastPass (or a similar service) to generate random, different passwords across sites, they would be in a far more secure position. While there is the theoretical problem of the encrypted blob being compromised, LastPass would have had to also fail in their implementation of encryption for that loss to be dangerous. LastPass, used properly to generate passwords, is a big net win in security for the vast majority of people.

Brian Hoort     |     517-355-3776

ANR Technology Services, MSU

From: Kramer, Jack [mailto:[log in to unmask]]
Sent: Wednesday, June 13, 2012 5:26 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] LinkedIn Password hacked.

Right, I get that. If you use them as a password manager you've definitely increased your attack surface. I would consider something like 1Password less attackable since the password database is kept local. However, this LinkedIn check utility isn't giving them your password—it's just doing the SHA-1 compute on it and then comparing that hash to a list of hashes that are already out there. I mean, I guess someone could theoretically compromise the server hosting that utility and replace the code with something that captures your password in plaintext and sends it off to some nefarious third party, but with no account name (or way to capture such) I'm having trouble seeing how that's useful information.

----
Jack Kramer
Manager of Information Technology
Communications and Brand Strategy

Michigan State University

w: 517-884-1231 / c: 248-635-4955

From: STeve Andre' <[log in to unmask]>
Reply-To: STeve Andre' <[log in to unmask]>
Date: Wednesday, June 13, 2012 5:11 PM
To: "[log in to unmask]" <[log in to unmask]>
Subject: Re: [MSUNAG] LinkedIn Password hacked.

My distrust stems from having some other entity get your password.

A single point of failure, and you are trusting them to do it right, and
not be compromised.  So yes, there *is* an increased attack surface
here: you are adding to the complexity of things and trusting that
they are secure.  To me, that's increasing the attack surface.  I
don't know what else to call it.

--STeve Andre'

On 06/13/12 17:05, Kramer, Jack wrote:

Are you objecting to the concept of a password manager utility or the check site that Matt posted? I agree that password managers represent a single point of failure, though that single point is at least easier to protect than the many points of weak passwords we seem to end up with without any sort of manager; however, the LinkedIn check page they have just compares the SHA-1 hash of any text you enter with the known leak of SHA-1 hashes and tells you if there's a match. There really isn't an attack surface there considering you're perfectly welcome to download that hash leak yourself and run all the comparisons your heart desires on it.

----
Jack Kramer
Manager of Information Technology
Communications and Brand Strategy

Michigan State University

w: 517-884-1231 / c: 248-635-4955

From: STeve Andre' <[log in to unmask]>
Reply-To: STeve Andre' <[log in to unmask]>
Date: Wednesday, June 13, 2012 4:51 PM
To: "[log in to unmask]" <[log in to unmask]>
Subject: Re: [MSUNAG] LinkedIn Password hacked.

On 06/13/12 16:30, Carl Bussema III wrote:

Actually LastPass is a well-known and respected security tool, so I
would actually trust them not to compromise the password. I actually
tried to decipher the HTTPS session with Fiddler, but Chrome +
LastPass detected a man-in-the-middle and wouldn't proceed.

And because apparently some people need to be put out of their
paranoia, I went ahead and just used my regular developer tools and
found exactly what I suspected:

I posted the password "asdf" to their form. I then watched the AJAX
request (which because it happens client side is unencrypted before
transmission) ... and you know what they are sending to their servers?
THE HASHED PASSWORD. It's not like it's hard to SHA1 a string
in JavaScript.

So they send the hash to the server, check the list of "known bad
hashes" (which is what the hackers have published) and tell you if
your password hash matches a known compromised hash.

It's really about as safe as you can possibly imagine and a great
tool. Yes, we should be careful about inputting passwords onto strange
sites, but you should also do your due diligence and check if the site
might actually be legit.

/rant

Passwords are about as fragile a thing as there is today: users
pick and display idiot pw's, and systems (often) have bad security
measures in place which don't really work.

LastPass is likely an up-front honest entity, but that isn't the reason
why they shouldn't be used.  Trusting another entity with your pw
increases the attack surface of the product you are testing.  As
good as LastPass is, you are now trusting them to be really secure.
That they throw away the string you enter is good, but that means
that vandals know just where to look if they were trying to break
that system.

This is a philosophical thing.  Minimizing the places on the net that
have pw's is a good thing.

--STeve Andre'