Thanks. And of course, Steve Gibson had much the same idea, see https://www.grc.com/offthegrid.htm (covered in episode #315 of his Security Now! podcast on 25 Aug 2011).

-- dkm

At 6/15/2012 07:32 AM Friday, Tim Heckaman wrote:

> I forgot to mention the card is randomly generated so you need to print it out, and you can make it include symbols, or only digits etc.
>
> From: Tim Heckaman [mailto:[log in to unmask]]
> Sent: Friday, June 15, 2012 7:30 AM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>
> Another good way to have great passwords is this site: http://www.passwordcard.org/en
>
> Essentially you choose a row and column. Then the password is whatever row/column you pick to the end of the card, or backwards, or diagonal. People can leave it at their desks, keep it in their wallet, and although your password is essentially on the card no one will know, as long as you don't highlight or circle the number and symbol you pick.
>
> Steve, I do like the idea of the favorite song; never heard of that one before but I can see how effective it will be.
>
> From: STeve Andre' [mailto:[log in to unmask]]
> Sent: Thursday, June 14, 2012 3:58 PM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>
> Teach people to pick phrases from their favorite songs or poems, and you get great passwords:
>
>     now is the time for all good men to come to the aid of their country
>
> makes
>
>     nittfagmtcttaotc
>
> Take an i, make it a 1, etc., and you've further obfuscated things. Longer is better and I've seen lots of people take stanzas from things and create truly monstrous pw's.
>
> I teach people to make their own passwords that way. Judging from the clackclackclack... noises when logging into things, it's been working.
>
> Use a system that generates passwords for you, and they wind up on post-it notes. Last week I saw just that for an account which controls a lot of money. A LOT. I've seen this so many times when "good" pw's are enforced on people.
>
> Passwords certainly are a pain, but they can be managed.
>
> --STeve Andre'
>
> On 06/14/12 09:11, Hoort, Brian wrote:
>
> Compared to using the same password for all their websites, which is what our users do that aren't using a LastPass-like service, using LastPass to generate random, long strings for passwords and storing them in an encrypted blob (LastPass does not have the key) is far more secure. This very event with LinkedIn demonstrates this. LinkedIn lost their password hashes. This is most dangerous to a typical user (97%?) who has reused passwords across web sites. Had they been using LastPass (or a similar service) to generate random, different passwords across sites, they would be in a far more secure position. While there is the theoretical problem of the encrypted blob being compromised, LastPass would have had to also fail in their implementation of encryption for that loss to be dangerous. LastPass, used properly to generate passwords, is a big net win in security for the vast majority of people.
>
> Brian Hoort | 517-355-3776
> ANR Technology Services, MSU
>
> From: Kramer, Jack [mailto:[log in to unmask]]
> Sent: Wednesday, June 13, 2012 5:26 PM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>
> Right, I get that. If you use them as a password manager you've definitely increased your attack surface. I would consider something like 1Password less attackable since the password database is kept local. However, this LinkedIn check utility isn't giving them your password; it's just doing the SHA-1 compute on it and then comparing that hash to a list of hashes that are already out there. I mean, I guess someone could theoretically compromise the server hosting that utility and replace the code with something that captures your password in plaintext and sends it off to some nefarious third party, but with no account name (or way to capture such) I'm having trouble seeing how that's useful information.
>
> ----
> Jack Kramer
> Manager of Information Technology
> Communications and Brand Strategy
> Michigan State University
> w: 517-884-1231 / c: 248-635-4955
>
> From: STeve Andre' <[log in to unmask]>
> Reply-To: STeve Andre' <[log in to unmask]>
> Date: Wednesday, June 13, 2012 5:11 PM
> To: "[log in to unmask]" <[log in to unmask]>
> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>
> My distrust stems from having some other entity get your password.
>
> A single point of failure, and you are trusting them to do it right, and not be compromised. So yes, there *is* an increased attack surface here: you are adding to the complexity of things and trusting that they are secure. To me, that's increasing the attack surface. I don't know what else to call it.
>
> --STeve Andre'
>
> On 06/13/12 17:05, Kramer, Jack wrote:
>
> Are you objecting to the concept of a password manager utility or the check site that Matt posted? I agree that password managers represent a single point of failure, though that single point is at least easier to protect than the many points of weak password we seem to end up without any sort of manager; however, the LinkedIn check page they have just compares the SHA-1 hash of any text you enter with the known leak of SHA-1 hashes and tells you if there's a match. There really isn't an attack surface there considering you're perfectly welcome to download that hash leak yourself and run all the comparisons your heart desires on it.
>
> ----
> Jack Kramer
> Manager of Information Technology
> Communications and Brand Strategy
> Michigan State University
> w: 517-884-1231 / c: 248-635-4955
>
> From: STeve Andre' <[log in to unmask]>
> Reply-To: STeve Andre' <[log in to unmask]>
> Date: Wednesday, June 13, 2012 4:51 PM
> To: "[log in to unmask]" <[log in to unmask]>
> Subject: Re: [MSUNAG] LinkedIn Password hacked.
>
> On 06/13/12 16:30, Carl Bussema III wrote:
>
> Actually LastPass is a well-known and respected security tool, so I would actually trust them not to compromise the password. I actually tried to decipher the HTTPS session with Fiddler, but Chrome + LastPass detected a man-in-the-middle and wouldn't proceed.
>
> And because apparently some people need to be put out of their paranoia, I went ahead and just used my regular developer tools and found exactly what I suspected:
>
> I posted the password "asdf" to their form. I then watched the AJAX request (which because it happens client side is unencrypted before transmission) ... and you know what they are sending to their servers? THE HASHED PASSWORD. It's not like it's hard to SHA1 a string in JavaScript.
>
> So they send the hash to the server, check the list of "known bad hashes" (which is what the hackers have published) and tell you if your password hash matches a known compromised hash.
>
> It's really about as safe as you can possibly imagine and a great tool. Yes, we should be careful about inputting passwords onto strange sites, but you should also do your due diligence and check if the site might actually be legit.
>
> /rant
>
> Passwords are about as fragile a thing as there is today: users pick and display idiot pw's, and systems (often) have bad security measures in place which don't really work.
>
> LastPass is likely an up-front honest entity, but that isn't the reason why they shouldn't be used. Trusting another entity with your pw increases the attack surface of the product you are testing. As good as LastPass is, you are now trusting them to be really secure. That they throw away the string you enter is good, but that means that vandals know just where to look if they were trying to break that system.
>
> This is a philosophical thing. Minimizing the places on the net that have pw's is a good thing.
>
> --STeve Andre'