Well, if we are going to discuss password generation and strength, then someone has to trot out the two canonical references, which I do now:

http://xkcd.com/936
https://www.grc.com/haystack.htm

-- dkm

At 6/14/2012 03:58 PM Thursday, STeve Andre' wrote:
>Teach people to pick phrases from their favorite songs or poems, and
>you get great passwords:
>
>    now is the time for all good men to come to the aid of their country
>
>makes
>
>    nittfagmtcttaotc
>
>take an i, make it a 1, etc., and you've further obfuscated things. Longer
>is better and I've seen lots of people take stanzas from things and
>create truly monstrous pw's.
>
>I teach people to make their own passwords that way. Judging from
>the clackclackclack... noises when logging into things, it's been working.
>
>Use a system that generates passwords for you, and they wind up on
>post-it notes. Last week I saw just that for an account which controls
>a lot of money. A LOT. I've seen this so many times when "good" pw's
>are enforced on people.
>
>Passwords certainly are a pain, but they can be managed.
>
>--STeve Andre'
>
>On 06/14/12 09:11, Hoort, Brian wrote:
>>Compared to using the same password for all their websites, which is
>>what our users do that aren't using a LastPass-like service, using
>>LastPass to generate random, long strings for passwords and storing
>>them in an encrypted blob (LastPass does not have the key) is far more
>>secure. This very event with LinkedIn demonstrates this. LinkedIn lost
>>their password hashes. This is most dangerous to a typical user (97%?)
>>who has reused passwords across web sites. Had they been using
>>LastPass (or a similar service) to generate random, different
>>passwords across sites, they would be in a far more secure position.
>>While there is the theoretical problem of the encrypted blob being
>>compromised, LastPass would have had to also fail in their
>>implementation of encryption for that loss to be dangerous.
>>
>>LastPass, used properly to generate passwords, is a big net win in
>>security for the vast majority of people.
>>
>>Brian Hoort | 517-355-3776
>>ANR Technology Services, MSU
>>
>>From: Kramer, Jack [log in to unmask]
>>Sent: Wednesday, June 13, 2012 5:26 PM
>>To: [log in to unmask]
>>Subject: Re: [MSUNAG] LinkedIn Password hacked.
>>
>>>Right, I get that. If you use them as a password manager you've
>>>definitely increased your attack surface. I would consider something
>>>like 1Password less attackable since the password database is kept
>>>local. However, this LinkedIn check utility isn't giving them your
>>>password; it's just doing the SHA-1 compute on it and then comparing
>>>that hash to a list of hashes that are already out there. I mean, I
>>>guess someone could theoretically compromise the server hosting that
>>>utility and replace the code with something that captures your
>>>password in plaintext and sends it off to some nefarious third party,
>>>but with no account name (or way to capture such) I'm having trouble
>>>seeing how that's useful information.
>>>
>>>----
>>>Jack Kramer
>>>Manager of Information Technology
>>>Communications and Brand Strategy
>>>Michigan State University
>>>w: 517-884-1231 / c: 248-635-4955
>>>
>>>From: STeve Andre' [log in to unmask]
>>>Date: Wednesday, June 13, 2012 5:11 PM
>>>To: [log in to unmask]
>>>Subject: Re: [MSUNAG] LinkedIn Password hacked.
>>>
>>>>My distrust stems from having some other entity get your password.
>>>>
>>>>A single point of failure, and you are trusting them to do it right, and
>>>>not be compromised. So yes, there *is* an increased attack surface
>>>>here: you are adding to the complexity of things and trusting that
>>>>they are secure. To me, that's increasing the attack surface. I
>>>>don't know what else to call it.
>>>>
>>>>--STeve Andre'
>>>>
>>>>On 06/13/12 17:05, Kramer, Jack wrote:
>>>>>Are you objecting to the concept of a password manager utility or the
>>>>>check site that Matt posted? I agree that password managers represent
>>>>>a single point of failure, though that single point is at least easier
>>>>>to protect than the many points of weak password we seem to end up
>>>>>with without any sort of manager; however, the LinkedIn check page
>>>>>they have just compares the SHA-1 hash of any text you enter with the
>>>>>known leak of SHA-1 hashes and tells you if there's a match. There
>>>>>really isn't an attack surface there considering you're perfectly
>>>>>welcome to download that hash leak yourself and run all the
>>>>>comparisons your heart desires on it.
>>>>>
>>>>>----
>>>>>Jack Kramer
>>>>>Manager of Information Technology
>>>>>Communications and Brand Strategy
>>>>>Michigan State University
>>>>>w: 517-884-1231 / c: 248-635-4955
>>>>>
>>>>>From: STeve Andre' [log in to unmask]
>>>>>Date: Wednesday, June 13, 2012 4:51 PM
>>>>>To: [log in to unmask]
>>>>>Subject: Re: [MSUNAG] LinkedIn Password hacked.
>>>>>
>>>>>>On 06/13/12 16:30, Carl Bussema III wrote:
>>>>>>>Actually LastPass is a well-known and respected security tool, so I
>>>>>>>would actually trust them not to compromise the password. I actually
>>>>>>>tried to decipher the HTTPS session with Fiddler, but Chrome +
>>>>>>>LastPass detected a man-in-the-middle and wouldn't proceed.
>>>>>>>
>>>>>>>And because apparently some people need to be put out of their
>>>>>>>paranoia, I went ahead and just used my regular developer tools and
>>>>>>>found exactly what I suspected:
>>>>>>>
>>>>>>>I posted the password "asdf" to their form. I then watched the AJAX
>>>>>>>request (which because it happens client side is unencrypted before
>>>>>>>transmission) ... and you know what they are sending to their servers?
>>>>>>>THE HASHED PASSWORD. It's not like it's hard to SHA1 a string
>>>>>>>in JavaScript.
>>>>>>>
>>>>>>>So they send the hash to the server, check the list of "known bad
>>>>>>>hashes" (which is what the hackers have published) and tell you if
>>>>>>>your password hash matches a known compromised hash.
>>>>>>>
>>>>>>>It's really about as safe as you can possibly imagine and a great
>>>>>>>tool. Yes, we should be careful about inputting passwords onto strange
>>>>>>>sites, but you should also do your due diligence and check if the site
>>>>>>>might actually be legit.
>>>>>>>
>>>>>>>/rant
>>>>>>
>>>>>>Passwords are about as fragile a thing as there is today: users
>>>>>>pick and display idiot pw's, and systems (often) have bad security
>>>>>>measures in place which don't really work.
>>>>>>
>>>>>>LastPass is likely an up-front honest entity, but that isn't the reason
>>>>>>why they shouldn't be used. Trusting another entity with your pw
>>>>>>increases the attack surface of the product you are testing. As
>>>>>>good as LastPass is, you are now trusting them to be really secure.
>>>>>>That they throw away the string you enter is good, but that means
>>>>>>that vandals know just where to look if they were trying to break
>>>>>>that system.
>>>>>>
>>>>>>This is a philosophical thing. Minimizing the places on the net that
>>>>>>have pw's is a good thing.
>>>>>>
>>>>>>--STeve Andre'