That all works well and good until you run into, oh, just for example, an
Active Directory policy which requires 3 out of 5 from lowercase,
uppercase, numbers, symbols, and unicode, and expires every 42 days so you
have to make up a new one (that you haven't used in the last year).

Still it's good advice and I recommend users try to find ways to add in
uppercase (proper nouns) and numbers ("4" = for, "2" = to, too) or even
punctuation like ? or ! which helps a lot.

Still doesn't get around users who just re-use passwords because it's too
hard to remember > 5 of them (or at that point they write them down in an
insecure location like a sticky note under the keyboard).


Carl Bussema III
Information Technologist
Michigan State University Outreach & Engagement
Phone: (517) 353-8977 • Fax: (517) 432-9541
[log in to unmask]



On Thu, Jun 14, 2012 at 3:58 PM, STeve Andre' <[log in to unmask]> wrote:

>  Teach people to pick phrases from their favorite songs or poems, and
> you get great passwords:
>
>     now is the time for all good men to come to the aid of their country
>
> makes
>
>      nittfagmtcttaotc
>
> take an i make a 1, etc, and you've further obfuscated things.  Longer
> is better and I've seen lots of people take stanzas from things and
> create truly monstrous pw's.
>
> I teach people to make their own passwords that way.  Judging from
> the clackclackclack... noises when logging into things, it's been working.
>
> Use a system that generates passwords for you, and they wind up on
> postit notes.  Last week I saw just that for an account which controls
> a lot of money.  A LOT.  I've seen this so many times when "good" pw's
> are enforced on people.
>
> Passwords certainly are a pain, but they can be managed.
>
> --STeve Andre'
>
>
> On 06/14/12 09:11, Hoort, Brian wrote:
>
>  Compared to using the same password for all their websites, which is
> what our users do that aren’t using a LastPass like service, using LastPass
> to generate random, long strings for passwords and storing them in an
> encrypted blob (LastPass does not have the key) is far more secure.  This
> very event with LinkedIn demonstrates this. LinkedIn lost their password
> hashes.  This is most dangerous to a typical user (97%?) who has reused
> passwords across web sites.  Had they been using LastPass (or a similar
> service) to generate random, different passwords across sites, they would
> be in a far more secure position. While there is the theoretical problem of
> the encrypted blob being compromised, LastPass would have had to also fail
> in their implementation of encryption for that loss to be dangerous.
> LastPass, used properly to generate passwords, is a big net-win in security
> for the vast majority of people.
>
> Brian Hoort     |     517-355-3776
>
> ANR Technology Services, MSU
>
> *From:* Kramer, Jack [mailto:[log in to unmask]<[log in to unmask]>]
> *Sent:* Wednesday, June 13, 2012 5:26 PM
> *To:* [log in to unmask]
> *Subject:* Re: [MSUNAG] LinkedIn Password hacked.
>
> Right, I get that. If you use them as a password manager you've definitely
> increased your attack surface. I would consider something like 1Password
> less attackable since the password database is kept local. However, this
> LinkedIn check utility isn't giving them your password—it's just doing the
> SHA-1 compute on it and then comparing that hash to a list of hashes that
> are already out there. I mean, I guess someone could theoretically
> compromise the server hosting that utility and replace the code with
> something that captures your password in plaintext and sends it off to some
> nefarious third party, but with no account name (or way to capture such)
> I'm having trouble seeing how that's useful information.
>
> ----
> Jack Kramer
> Manager of Information Technology
> Communications and Brand Strategy
> Michigan State University
> w: 517-884-1231 / c: 248-635-4955
>
> *From: *STeve Andre' <[log in to unmask]>
> *Reply-To: *STeve Andre' <[log in to unmask]>
> *Date: *Wednesday, June 13, 2012 5:11 PM
> *To: *"[log in to unmask]" <[log in to unmask]>
> *Subject: *Re: [MSUNAG] LinkedIn Password hacked.
>
>  My distrust stems from having some other entity get your password.
>
> A single point of failure, and you are trusting them to do it right, and
> not be compromised.  So yes, there *is* an increased attack surface
> here: you are adding to the complexity of things and trusting that
> they are secure.  To me, that's increasing the attack surface.  I
> don't know what else to call it.
>
> --STeve Andre'
>
> On 06/13/12 17:05, Kramer, Jack wrote:
>
> Are you objecting to the concept of a password manager utility or the
> check site that Matt posted? I agree that password managers represent a
> single point of failure, though that single point is at least easier to
> protect than the many points of weak password we seem to end up without any
> sort of manager; however, the LinkedIn check page they have just compares
> the SHA-1 hash of any text you enter with the known leak of SHA-1 hashes
> and tells you if there's a match. There really isn't an attack surface
> there considering you're perfectly welcome to download that hash leak
> yourself and run all the comparisons your heart desires on it.
>
> ----
> Jack Kramer
> Manager of Information Technology
> Communications and Brand Strategy
> Michigan State University
> w: 517-884-1231 / c: 248-635-4955
>
> *From: *STeve Andre' <[log in to unmask]>
> *Reply-To: *STeve Andre' <[log in to unmask]>
> *Date: *Wednesday, June 13, 2012 4:51 PM
> *To: *"[log in to unmask]" <[log in to unmask]>
> *Subject: *Re: [MSUNAG] LinkedIn Password hacked.
>
>   On 06/13/12 16:30, Carl Bussema III wrote:
>
>  Actually LastPass is a well-known and respected security tool, so I
> would actually trust them not to compromise the password. I actually
> tried to decipher the HTTPS session with Fiddler, but Chrome +
> LastPass detected a man-in-the-middle and wouldn't proceed.
>
> And because apparently some people need to be put out of their
> paranoia, I went ahead and just used my regular developer tools and
> found exactly what I suspected:
>
> I posted the password "asdf" to their form. I then watched the AJAX
> request (which because it happens client side is unencrypted before
> transmission) ... and you know what they are sending to their servers?
>
> THE HASHED PASSWORD. It's not like it's hard to SHA1 a string
> in JavaScript.
>
> So they send the hash to the server, check the list of "known bad
> hashes" (which is what the hackers have published) and tell you if
> your password hash matches a known compromised hash.
>
> It's really about as safe as you can possibly imagine and a great
> tool. Yes, we should be careful about inputting passwords onto strange
> sites, but you should also do your due diligence and check if the site
> might actually be legit.
>
> /rant
>
> Passwords are about as fragile a thing as there is today: users
> pick and display idiot pw's, and systems (often) have bad security
> measures in place which don't really work.
>
> LastPass is likely an up-front honest entity, but that isn't the reason
> why they shouldn't be used.  Trusting another entity with your pw
> increases the attack surface of the product you are testing.  As
> good as LastPass is, you are now trusting them to be really secure.
> That they throw away the string you enter is good, but that means
> that vandals know just where to look if they were trying to break
> that system.
>
> This is a philosophical thing.  Minimizing the places on the net that
> have pw's is a good thing.
>
> --STeve Andre'