That all works well and good until you run into, oh, just for example, an Active Directory policy which requires 3 out of 5 from lowercase, uppercase, numbers, symbols, and Unicode, and expires every 42 days so you have to make up a new one (that you haven't used in the last year). Still, it's good advice, and I recommend users try to find ways to add in uppercase (proper nouns) and numbers ("4" = for, "2" = to, too) or even punctuation like ? or !, which helps a lot. Still doesn't get around users who just re-use passwords because it's too hard to remember > 5 of them (or at that point they write them down in an insecure location like a sticky note under the keyboard).

Carl Bussema III
Information Technologist
Michigan State University Outreach & Engagement
Phone: (517) 353-8977 • Fax: (517) 432-9541
[log in to unmask]

On Thu, Jun 14, 2012 at 3:58 PM, STeve Andre' <[log in to unmask]> wrote:
> Teach people to pick phrases from their favorite songs or poems, and
> you get great passwords:
>
> now is the time for all good men to come to the aid of their country
>
> makes
>
> nittfagmtcttaotc
>
> take an i, make a 1, etc., and you've further obfuscated things. Longer
> is better, and I've seen lots of people take stanzas from things and
> create truly monstrous pw's.
>
> I teach people to make their own passwords that way. Judging from
> the clackclackclack... noises when logging into things, it's been working.
>
> Use a system that generates passwords for you, and they wind up on
> Post-it notes. Last week I saw just that for an account which controls
> a lot of money. A LOT. I've seen this so many times when "good" pw's
> are enforced on people.
>
> Passwords certainly are a pain, but they can be managed.
>
> --STeve Andre'
>
> On 06/14/12 09:11, Hoort, Brian wrote:
>> Compared to using the same password for all their websites, which is
>> what our users do that aren't using a LastPass-like service, using LastPass
>> to generate random, long strings for passwords and storing them in an
>> encrypted blob (LastPass does not have the key) is far more secure. This
>> very event with LinkedIn demonstrates this. LinkedIn lost their password
>> hashes. This is most dangerous to a typical user (97%?) who has reused
>> passwords across web sites. Had they been using LastPass (or a similar
>> service) to generate random, different passwords across sites, they would
>> be in a far more secure position. While there is the theoretical problem of
>> the encrypted blob being compromised, LastPass would have had to also fail
>> in their implementation of encryption for that loss to be dangerous.
>> LastPass, used properly to generate passwords, is a big net win in security
>> for the vast majority of people.
>>
>> Brian Hoort | 517-355-3776
>> ANR Technology Services, MSU
>>
>> From: Kramer, Jack [mailto:[log in to unmask]]
>> Sent: Wednesday, June 13, 2012 5:26 PM
>> To: [log in to unmask]
>> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>>
>> Right, I get that. If you use them as a password manager you've definitely
>> increased your attack surface. I would consider something like 1Password
>> less attackable since the password database is kept local. However, this
>> LinkedIn check utility isn't giving them your password; it's just doing the
>> SHA-1 compute on it and then comparing that hash to a list of hashes that
>> are already out there. I mean, I guess someone could theoretically
>> compromise the server hosting that utility and replace the code with
>> something that captures your password in plaintext and sends it off to some
>> nefarious third party, but with no account name (or way to capture such)
>> I'm having trouble seeing how that's useful information.
>>
>> ----
>> Jack Kramer
>> Manager of Information Technology
>> Communications and Brand Strategy
>> Michigan State University
>> w: 517-884-1231 / c: 248-635-4955
>>
>> From: STeve Andre' <[log in to unmask]>
>> Reply-To: STeve Andre' <[log in to unmask]>
>> Date: Wednesday, June 13, 2012 5:11 PM
>> To: "[log in to unmask]" <[log in to unmask]>
>> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>>
>> My distrust stems from having some other entity get your password.
>> A single point of failure, and you are trusting them to do it right, and
>> not be compromised. So yes, there *is* an increased attack surface
>> here: you are adding to the complexity of things and trusting that
>> they are secure. To me, that's increasing the attack surface. I
>> don't know what else to call it.
>>
>> --STeve Andre'
>>
>> On 06/13/12 17:05, Kramer, Jack wrote:
>>> Are you objecting to the concept of a password manager utility or the
>>> check site that Matt posted? I agree that password managers represent a
>>> single point of failure, though that single point is at least easier to
>>> protect than the many points of weak passwords we seem to end up with
>>> without any sort of manager; however, the LinkedIn check page they have
>>> just compares the SHA-1 hash of any text you enter with the known leak of
>>> SHA-1 hashes and tells you if there's a match. There really isn't an attack
>>> surface there considering you're perfectly welcome to download that hash
>>> leak yourself and run all the comparisons your heart desires on it.
>>>
>>> ----
>>> Jack Kramer
>>> Manager of Information Technology
>>> Communications and Brand Strategy
>>> Michigan State University
>>> w: 517-884-1231 / c: 248-635-4955
>>>
>>> From: STeve Andre' <[log in to unmask]>
>>> Reply-To: STeve Andre' <[log in to unmask]>
>>> Date: Wednesday, June 13, 2012 4:51 PM
>>> To: "[log in to unmask]" <[log in to unmask]>
>>> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>>>
>>> On 06/13/12 16:30, Carl Bussema III wrote:
>>>> Actually LastPass is a well-known and respected security tool, so I
>>>> would actually trust them not to compromise the password. I actually
>>>> tried to decipher the HTTPS session with Fiddler, but Chrome +
>>>> LastPass detected a man-in-the-middle and wouldn't proceed.
>>>>
>>>> And because apparently some people need to be put out of their
>>>> paranoia, I went ahead and just used my regular developer tools and
>>>> found exactly what I suspected:
>>>>
>>>> I posted the password "asdf" to their form. I then watched the AJAX
>>>> request (which, because it happens client-side, is unencrypted before
>>>> transmission) ... and you know what they are sending to their servers?
>>>> THE HASHED PASSWORD. It's not like it's hard to SHA1 a string
>>>> in JavaScript.
>>>>
>>>> So they send the hash to the server, check the list of "known bad
>>>> hashes" (which is what the hackers have published) and tell you if
>>>> your password hash matches a known compromised hash.
>>>>
>>>> It's really about as safe as you can possibly imagine and a great
>>>> tool. Yes, we should be careful about inputting passwords onto strange
>>>> sites, but you should also do your due diligence and check if the site
>>>> might actually be legit.
>>>>
>>>> /rant
>>>
>>> Passwords are about as fragile a thing as there is today: users
>>> pick and display idiot pw's, and systems (often) have bad security
>>> measures in place which don't really work.
>>>
>>> LastPass is likely an up-front honest entity, but that isn't the reason
>>> why they shouldn't be used. Trusting another entity with your pw
>>> increases the attack surface of the product you are testing. As
>>> good as LastPass is, you are now trusting them to be really secure.
>>> That they throw away the string you enter is good, but that means
>>> that vandals know just where to look if they were trying to break
>>> that system.
>>>
>>> This is a philosophical thing. Minimizing the places on the net that
>>> have pw's is a good thing.
>>>
>>> --STeve Andre'