On 06/14/12 16:38, Carl Bussema III wrote:
> That all works well and good until you run into, oh, just for example, 
> an Active Directory policy which requires 3 out of 5 from lowercase, 
> uppercase, numbers, symbols, and unicode, and expires every 42 days so 
> you have to make up a new one (that you haven't used in the last year).

That system is broken.  I speak apostasy, I know, but it is.  Enforcing things that
way leads to out-of-band methods like post-it notes.  That 42 day expiration is
alterable, isn't it?  I know on stock XP systems it is.

>
> Still it's good advice and I recommend users try to find ways to add 
> in uppercase (proper nouns) and numbers ("4" = for, "2" = to, too) or 
> even punctuation like ? or ! which helps a lot.
>
> Still doesn't get around users who just re-use passwords because it's 
> too hard to remember > 5 of them (or at that point they write them 
> down in an insecure location like a sticky note under the keyboard).

Well sure, the human is the weak spot in all this.  But I am absolutely convinced
that "normal" people are easily capable of remembering phrases from favorite
things.

My second step for this, to deal with multiple passwords is to ask them to
remember an "F" beginning phrase for Facebook, "G" for gmail, etc.  So far
it seems to be working for some fraction of folks.


>
>
> Carl Bussema III
> Information Technologist
> Michigan State University Outreach & Engagement
> Phone: (517) 353-8977 • Fax: (517) 432-9541
> [log in to unmask] <mailto:[log in to unmask]>
>
>
>
> On Thu, Jun 14, 2012 at 3:58 PM, STeve Andre' <[log in to unmask] 
> <mailto:[log in to unmask]>> wrote:
>
>     Teach people to pick phrases from their favorite songs or poems, and
>     you get great passwords:
>
>         now is the time for all good men to come to the aid of their country
>
>     makes
>
>          nittfagmtcttaotc
>
>     take an i make a 1, etc, and you've further obfuscated things.  Longer
>     is better and I've seen lots of people take stanzas from things and
>     create truly monstrous pw's.
>
>     I teach people to make their own passwords that way.  Judging from
>     the clackclackclack... noises when logging into things, it's been
>     working.
>
>     Use a system that generates passwords for you, and they wind up on
>     postit notes.  Last week I saw just that for an account which controls
>     a lot of money.  A LOT.  I've seen this so many times when "good" pw's
>     are enforced on people.
>
>     Passwords certainly are a pain, but they can be managed.
>
>     --STeve Andre'
>
>
>     On 06/14/12 09:11, Hoort, Brian wrote:
>>
>>     Compared to using the same password for all their websites, which
>>     is what our users do that aren’t using a LastPass like service,
>>     using LastPass to generate random, long strings for passwords and
>>     storing them in an encrypted blob (LastPass does not have the
>>     key) is far more secure.  This very event with LinkedIn
>>     demonstrates this. LinkedIn lost their password hashes.  This is
>>     most dangerous to a typical user (97%?) who has reused passwords
>>     across web sites.  Had they been using LastPass (or a similar
>>     service) to generate random, different passwords across sites,
>>     they would be in a far more secure position. While there is the
>>     theoretical problem of the encrypted blob being compromised,
>>     LastPass would have had to also fail in their implementation of
>>     encryption for that loss to be dangerous. LastPass, used properly
>>     to generate passwords, is a big net-win in security for the vast
>>     majority of people.
>>
>>     Brian Hoort     | 517-355-3776 <tel:517-355-3776>
>>
>>     ANR Technology Services, MSU
>>
>>     *From:*Kramer, Jack [mailto:[log in to unmask]]
>>     *Sent:* Wednesday, June 13, 2012 5:26 PM
>>     *To:* [log in to unmask] <mailto:[log in to unmask]>
>>     *Subject:* Re: [MSUNAG] LinkedIn Password hacked.
>>
>>     Right, I get that. If you use them as a password manager you've
>>     definitely increased your attack surface. I would consider
>>     something like 1Password less attackable since the password
>>     database is kept local. However, this LinkedIn check utility
>>     isn't giving them your password—it's just doing the SHA-1 compute
>>     on it and then comparing that hash to a list of hashes that are
>>     already out there. I mean, I guess someone could theoretically
>>     compromise the server hosting that utility and replace the code
>>     with something that captures your password in plaintext and sends
>>     it off to some nefarious third party, but with no account name
>>     (or way to capture such) I'm having trouble seeing how that's
>>     useful information.
>>
>>     ----
>>     Jack Kramer
>>     Manager of Information Technology
>>     Communications and Brand Strategy
>>
>>     Michigan State University
>>
>>     w: 517-884-1231 <tel:517-884-1231> / c: 248-635-4955
>>     <tel:248-635-4955>
>>
>>     *From: *STeve Andre' <[log in to unmask] <mailto:[log in to unmask]>>
>>     *Reply-To: *STeve Andre' <[log in to unmask] <mailto:[log in to unmask]>>
>>     *Date: *Wednesday, June 13, 2012 5:11 PM
>>     *To: *"[log in to unmask] <mailto:[log in to unmask]>"
>>     <[log in to unmask] <mailto:[log in to unmask]>>
>>     *Subject: *Re: [MSUNAG] LinkedIn Password hacked.
>>
>>         My distrust stems from having some other entity get your password.
>>
>>         A single point of failure, and you are trusting them to do it right,
>>         and not be compromised.  So yes, there *is* an increased attack
>>         surface here: you are adding to the complexity of things and trusting
>>         that they are secure.  To me, that's increasing the attack surface.  I
>>         don't know what else to call it.
>>
>>         --STeve Andre'
>>
>>         On 06/13/12 17:05, Kramer, Jack wrote:
>>
>>         Are you objecting to the concept of a password manager
>>         utility or the check site that Matt posted? I agree that
>>         password managers represent a single point of failure, though
>>         that single point is at least easier to protect than the many
>>         points of weak password we seem to end up without any sort of
>>         manager; however, the LinkedIn check page they have just
>>         compares the SHA-1 hash of any text you enter with the known
>>         leak of SHA-1 hashes and tells you if there's a match. There
>>         really isn't an attack surface there considering you're
>>         perfectly welcome to download that hash leak yourself and run
>>         all the comparisons your heart desires on it.
>>
>>         ----
>>         Jack Kramer
>>         Manager of Information Technology
>>         Communications and Brand Strategy
>>
>>         Michigan State University
>>
>>         w: 517-884-1231 <tel:517-884-1231> / c: 248-635-4955
>>         <tel:248-635-4955>
>>
>>         *From: *STeve Andre' <[log in to unmask] <mailto:[log in to unmask]>>
>>         *Reply-To: *STeve Andre' <[log in to unmask] <mailto:[log in to unmask]>>
>>         *Date: *Wednesday, June 13, 2012 4:51 PM
>>         *To: *"[log in to unmask] <mailto:[log in to unmask]>"
>>         <[log in to unmask] <mailto:[log in to unmask]>>
>>         *Subject: *Re: [MSUNAG] LinkedIn Password hacked.
>>
>>             On 06/13/12 16:30, Carl Bussema III wrote:
>>
>>                 Actually LastPass is a well-known and respected security tool,
>>                 so I would actually trust them not to compromise the password.
>>                 I actually tried to decipher the HTTPS session with Fiddler,
>>                 but Chrome + LastPass detected a man-in-the-middle and wouldn't
>>                 proceed.
>>
>>                 And because apparently some people need to be put out of their
>>                 paranoia, I went ahead and just used my regular developer tools
>>                 and found exactly what I suspected:
>>
>>                 I posted the password "asdf" to their form. I then watched the
>>                 AJAX request (which because it happens client side is
>>                 unencrypted before transmission) ... and you know what they are
>>                 sending to their servers?
>>
>>                 THE HASHED PASSWORD. It's not like it's hard to SHA1 a string
>>                 in JavaScript.
>>
>>                 So they send the hash to the server, check the list of "known
>>                 bad hashes" (which is what the hackers have published) and
>>                 tell you if your password hash matches a known compromised
>>                 hash.
>>
>>                 It's really about as safe as you can possibly imagine and a
>>                 great tool. Yes, we should be careful about inputting passwords
>>                 onto strange sites, but you should also do your due diligence
>>                 and check if the site might actually be legit.
>>
>>                 /rant
>>
>>             Passwords are about as fragile a thing as there is today: users
>>             pick and display idiot pw's, and systems (often) have bad security
>>             measures in place which don't really work.
>>
>>             LastPass is likely an up-front honest entity, but that isn't the
>>             reason why they shouldn't be used.  Trusting another entity with
>>             your pw increases the attack surface of the product you are
>>             testing.  As good as LastPass is, you are now trusting them to be
>>             really secure.
>>
>>             That they throw away the string you enter is good, but that means
>>             that vandals know just where to look if they were trying to break
>>             that system.
>>
>>             This is a philosophical thing.  Minimizing the places on the net
>>             that have pw's is a good thing.
>>
>>             --STeve Andre'
>>
>
>