[olug] (no subject)

Jeff Hinrichs - DM&T jeffh at dundeemt.com
Wed Nov 7 16:27:28 UTC 2012


I would argue that there is a balance between pass-phrases and password
managers.  I prefer my password manager; however, the password for the
manager has to be "stored" outside the manager itself, which is where I
use pass-phrases.  I also use pass-phrases for often-used, pre-access-to-
manager log-ins, such as my desktops and laptops and tablets.  A password
manager allows you greater recall capabilities and minimizes the chance
that a poorly implemented pass-phrase system will cause one to use too few
passwords.

Use of pass-phrases only creates problems for users because they can only
recall so many of them, so they end up reusing their pass-phrases in multiple
places.  Which we all know takes us back to the "I use the same password
everywhere, or I've got two passwords, one for secure things and a
different one."  A gigantic security hole is the use of a password in multiple
places.  This creates a "weakest link" exposure.  Bad guys break a site,
then start using those user/pass combos as attempts in lots of other
places.  Your shared password is only as safe as the weakest link/site in
the chain.

Password managers make it simple to have a different password on every
site/place that you need one, no overlap.


best,

Jeff


On Wed, Nov 7, 2012 at 1:49 AM, Christopher Cashell <topher-olug at zyp.org> wrote:

> On Tue, Nov 6, 2012 at 9:07 AM, Hurley, Rod <RHurley at tenaska.com> wrote:
> > Honestly folks, I am so used to using complex passwords (numbers,
> special chars, caps, 8+ chars) over the years that it doesn't even faze me
> anymore.  When a user complains that they can't use Autumn12, I educate
> them on how to remember complex passwords.  (IF you don't use a pw vault
> like a lot of us.)
>
> It's good that you can remember your complex passwords, but I'd argue
> strongly that complex passwords are the wrong solution.  We need to
> move away from passwords and towards passphrases.  They provide a more
> secure and more "user friendly" solution.
>
> See: http://xkcd.com/936/
>
> Best bit: "Through 20 years of effort, we've successfully trained
> everyone to use passwords that are hard for humans to remember, but
> easy for computers to guess."  Bruce Schneier (famed cryptographer,
> security guru, and author of Applied Cryptography) also endorsed the
> XKCD scheme:
> http://www.schneier.com/blog/archives/2012/09/recent_developm_1.html
>
> When it comes to password security, there are two aspects that you are
> trying to protect against: someone guessing or "deriving" your
> password, and someone "brute force" cracking your password with a
> tool.  There's a quasi-third aspect, regarding the security of your
> (presumably hashed) password in the event that a password database is
> stolen, but that one generally isn't worth considering because the
> security of it is almost entirely dependent on the specifics of the
> implemented security (not your password itself).
>
> For the first aspect, you protect yourself by using a password that is
> non-obvious (don't use "password" or "12345"), and not directly tied
> to you (don't use your birthday, your child's birthday, your
> anniversary, your name, your children's names, your pet's names, etc).
>  Selecting something of sufficient length will also protect you
> against this.  Making it a traditional complex password often reduces
> the security, as you are more likely to write it down, especially if
> you don't use it daily.
>
> For the second aspect, password length will trump special characters
> very quickly.  An attacker doesn't know anything about what special
> characters you might, or might not, use.  Therefore, they have to try
> everything (unless you use something short and/or they have a matching
> entry in rainbow tables).  At that point, longer is better.  Much
> better.  Stop thinking about a biglongsinglewordwithrandomcharacters,
> and make your password a passphrase.  Use multiple words.  They can
> even be "real" words (without funny characters), and still be very
> secure.  Just making it a complete sentence gives you mixed case and
> punctuation, significantly enhancing the entropy of your password.
>
> For comparison, Dan posted the excellent reference to the grc.com
> password strength calculator (https://www.grc.com/haystack.htm),  and
> noted his "20-character passwords like this "AvZo$I1mjmZ#c@e6vDxw"
> that would take "11.52 thousand trillion centuries" to crack."
>
> That's definitely good security, but it'd take me forever to remember
> such a horrifying password, which means I have to look it up
> constantly.  As an alternate approach, I could use a passphrase
> sentence like, "My password sucks less!".  According to the same brute
> force resistance analysis that Dan used, this password would take
> "7.66 hundred million trillion centuries" to crack.
>
> I could type a password like Dan's 20 times, and still have to look it
> up.  I've only typed mine twice, and I bet I could remember it a month
> from now without entering it again.  Not only that, but while my
> password has 3 more characters than Dan's, I'd be willing to bet cash
> that I can type it faster and with fewer mistakes than Dan can type
> his. ;-)
>
> Both passwords are extremely secure from being cracked (or guessed),
> but one is much more memorable and typeable.
>
> Note: Someone brought up sites/tools that truncate passwords.  If the
> password is truncated to 8 characters or less, then the only security
> aspect mentioned above you need to worry about is protecting your
> password from someone guessing it.  If someone is able to run any sort
> of effective brute-force attack against it (something that isn't
> artificially rate-limited), an 8 (effective) character password, no
> matter what the 8 characters are, should be considered compromised.
> Luckily, sites and applications that do silly (stupid) things like
> this are steadily becoming rarer.
>
> --
> Christopher
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>



-- 
Best,

Jeff Hinrichs
402.218.1473
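The two "centuries to crack" figures quoted in the thread, and the note about sites that truncate passwords to 8 characters, can be reproduced with a small search-space calculator. The script below is an added example written for this archive page; it is not code from either poster or from grc.com. It assumes the haystack page's model (an attacker who tries every string, shortest first, over the alphabet implied by the character classes present: 26 lower, 26 upper, 10 digits, 33 symbols including space) and its three guess rates; those constants, and the 2048-word list used for the dictionary estimate, are assumptions. It also adds the caveat a practitioner wants with the passphrase figure: if the attacker guesses that the password is a sentence of common words, the realistic search space is far smaller than the character-level estimate suggests.

```python
"""Search-space estimates for the passwords discussed in the thread.

Haystack-style model (assumed, modelled on grc.com/haystack.htm): the
attacker exhausts every string of length 1..L over the alphabet implied
by the character classes the password actually uses.  Rates and class
sizes below are assumptions, not measurements.
"""
import math
import string

# Constructed sample inputs: the two passwords quoted in the thread.
DAN_PASSWORD = "AvZo$I1mjmZ#c@e6vDxw"      # 20 chars, all four classes
PHRASE = "My password sucks less!"          # 23 chars, no digits

# string.punctuation is 32 characters; space brings the symbol class to 33.
SYMBOLS = string.punctuation + " "
CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (SYMBOLS, 33),
)

# Guesses per second for three attacker models (assumed values).
ONLINE_RATE = 1_000                    # throttled web login form
OFFLINE_RATE = 100_000_000_000         # one fast rig against a leaked hash
MASSIVE_RATE = 100_000_000_000_000     # "massive cracking array"
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Sum of the sizes of every character class the password touches."""
    return sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates an exhaustive, shortest-first search must try."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, rate: float) -> float:
    return search_space(password) / rate


def centuries_to_exhaust(password: str, rate: float) -> float:
    return seconds_to_exhaust(password, rate) / SECONDS_PER_CENTURY


def haystack_bits(password: str) -> float:
    """Character-level search space expressed in bits."""
    return math.log2(search_space(password))


def dictionary_bits(word_count: int, wordlist_size: int = 2048) -> float:
    """Entropy if the attacker knows the phrase is word_count words drawn
    from a wordlist_size-word list (the xkcd 936 model); 4 words -> 44 bits."""
    return word_count * math.log2(wordlist_size)


def effective_password(password: str, truncate_at=None) -> str:
    """What a site that silently truncates actually stores and checks."""
    return password if truncate_at is None else password[:truncate_at]


if __name__ == "__main__":
    for label, pw in (("complex 20-char", DAN_PASSWORD), ("passphrase", PHRASE)):
        print(f"{label}: alphabet={alphabet_size(pw)} bits={haystack_bits(pw):.1f}")
        for name, rate in (("online", ONLINE_RATE), ("offline", OFFLINE_RATE),
                           ("massive", MASSIVE_RATE)):
            print(f"  {name:8s} {centuries_to_exhaust(pw, rate):.3g} centuries")
    # Caveat: the same phrase seen as 4 dictionary words is ~44 bits, not ~147.
    print(f"passphrase as 4 common words: {dictionary_bits(4):.0f} bits")
    # Truncation: the first 8 characters of the complex password at offline rate.
    short = effective_password(DAN_PASSWORD, 8)
    print(f"truncated to {short!r}: {seconds_to_exhaust(short, OFFLINE_RATE) / 3600:.1f} hours offline")
```

Running it reproduces the thread's figures at the "massive" rate (about 1.15e16 centuries for the 20-character password, about 7.6e20 for the sentence), shows the 8-character truncated form falling to under a day against an offline attacker, and shows why the passphrase number should be read with care: the haystack model rewards length, but an attacker who tries word combinations instead of characters faces closer to 44 bits than 147.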


