[cryptography] What do y'all think about this ?

2016-01-05 Thread Brian Hankey


http://nimbusid.com
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Hi all, would like your feedback on something

2015-12-30 Thread Brian Hankey
Hi Jeffrey,

I will try to make this one much shorter.  I just have a couple more questions 
and comments.

I guess what I still don’t get is why my passwords if exposed in plain text 
would jump out as having been generated by any one particular system or 
another, particularly if someone could only examine just one of them.

I understand that if one of these passwords were exposed in plain text it could 
be used on whatever site it was leaked from, the point would be that you could 
not copy it and use it for other sites (using the same password everywhere) or 
quickly and easily just take a glance at it and determine how it was created 
like you could by looking at “l1nked1n123!” or similar.

I am curious what ideas you or anyone else have for improvement? Assuming a 
person isn’t the rain man, how can we remember secure passwords without having 
to trust third parties?

I still feel as though I am personally more likely to become victim of a mass 
attack than a targeted attack and I think many others are probably in the same 
boat.

“I like to take a Kantian approach to password generation schemes: They should 
remain good even if lots of people use it. Offering advice that becomes bad if 
people actually follow the advice isn’t really good advice, is it?”

As for this, perhaps but I’m trying to figure out how to improve it. I still 
don’t think it’s as bad as what most people use, and if you can’t or won’t use 
one of the typical managers - what other options are there?  That is what I’m 
trying to find out by talking to those that know more than me.

“A password that is hashed twice instead of once just isn’t a noticeable 
barrier.”

Does hashing it several times help?

I am going to read your link now.

Thanks for all your input and insights.






Re: [cryptography] Hi all, would like your feedback on something

2015-12-30 Thread Brian Hankey
One more thing- can you send me some links for any of these you can think of 
off the top of your head?

Thanks.


> On Dec 30, 2015, at 9:24 AM, Jeffrey Goldberg  wrote:
> 
> And that includes versions of your scheme that are far superior to what you 
> have actually worked out.





[cryptography] Fwd: Hi all, would like your feedback on something

2015-12-29 Thread Brian Hankey
Hi Jeffrey,

I sent a long winded reply that has been stuck in moderation for a couple
of days so I'm going to break it into two parts.  Also found an interesting
new link to add to the discussion today.

Let me make sure that I have been clear about what I propose,


Thank you. I may very well have entirely misunderstood what your system
did, as reading a bunch of PHP and JavaScript embedded within some HTML
really communicates things clearly.


Yeah, this is not a very clear demo.  I will probably take it down.


because this is as much about how to easily remember the unique passwords
as it is about the amateurish demo we made…  You have four inputs to this
algorithm:

1) String 1: This can be anything but I propose an easy way to remember
something that is unique.


Ah, so you want the user to remember something specific for each site.



No… remember a rule that can be used to transform the name of the site in
some way.


Not a master password and not simply “site name” could be as follows:
 Perform a transform on the site name, one that is easy to remember but
hard to guess.  It seems to me there could really be a lot of variations
here still.


Char for letter substitutions, exclude vowels, double vowels, exclude
consonants, double consonants, cases, do you include or not include the
subdomain, do you include or not include the top level domain, do you
include the (.), do you append anything to it and so on.


Each one of those decisions is roughly one bit (except for “what you
append”). So you’ve got 8 bits in there, if you are equally likely to
choose each alternative (say, flip a coin for each decision).

I am going to guess that if people are expected to remember scores of
these, they will make the same decisions for each. So the individual
remembered passwords unique for each site will not be independent of each
other. (And are highly guessable).

Every single one of your transformations is part of the standard rule sets
that come with password cracking tools such as John the Ripper or Hashcat.


Yeah, that’s true. I am vaguely familiar with Ripper. But there are a lot of
rules you can combine.  If you are doing the same for every site you can
combine many “rules” and have it not be that hard to remember. Are you sure
the possible combinations do not provide more than 8 bits?




You could even add more and still be easy to remember… add D0G to the end
if the service starts with a vowel and C@T if it begins with a consonant,
nothing if it’s a number.  If we talk about www.gmail.com we could get
something like:
MoClIaMgWwW  or gmAIl or LiaMG or WWW.gMaIl.COM  and
so on and so forth. Perhaps even running *just* this through a hash and
then ensuring an upper a lower and a special char would be sufficient alone
to be much more secure than any average password?


Except that if one of those constructed hashes is captured (as plaintext),
then someone running a cracker against it can figure out what your
remembered secret is. From that, they can make very very good guesses about
your system for constructing those.


I am not sure I understand how they could do that unless they know what
system I used to create the hashed passwords in the first place, which
seems like a pretty big assumption to me.  Since we’ve already decided that
a password system like this is too cumbersome and inconvenient to become
mass market, why would a random person assume that I used such a system in
the first place?  Because remember - my password if stored in plain text is
a hash of four other hashes that were stuck together and hashed.

Unless I’m missing something to do the kind of attack you’re talking about
the attacker would need to know that the password is a piece of a hash that
is a hash of four things, he would have to have a lot of assumptions in
there.

Am I missing something?



Even if a breached site hashes their passwords, a cracker who suspects that
you are using your system will just tune their hash cracker to first run
through your hashing and then the sites.

That is, if you have

user knows P, a low entropy password for site i

User: prehash := Hc(P)   // Hc is client’s hashing scheme
User: Send prehash to server as password
Server: h := Hs(prehash)   // Hs is server’s hashing scheme

then a password cracker just needs to run their guesses, P’, through
Hs(Hc(P’)) == h

It really isn’t any more trouble than what they already do in password
hashing. Your remembered constant PIN and your very low entropy remembered
site specific password remain easily crackable. And once one is cracked,
the PIN is revealed and large parts of the user’s “memorable scheme” are
revealed.

The only advantage of the prehash is if a site stores passwords unhashed
(which happens). In the paper that I pointed to, they do use PBKDF2 in the
client hashing, which helps some in that case.



Yes I realize this… but why would anyone go to that trouble when there is
so much other low hanging fruit?  Plain text 

[cryptography] Fwd: Hi all, would like your feedback on something

2015-12-29 Thread Brian Hankey
Here is another interesting link about alternative kinds of passwords:
http://phys.org/news/2015-12-images-codes-alternative-multiple-device.html


[cryptography] Fwd: Hi all, would like your feedback on something

2015-12-29 Thread Brian Hankey
(part 2 continued...)

This is the question I’m getting at.  I’m sure that the current
implementation is awful as you’ve already pointed out, I only wanted this
as a demo of the concept.

If anyone is game I would love to have a practical challenge.  Let’s say we
are using SHA2.  Let’s say I will tell you the following about my inputs:

1) It is a transform on the domain www.facebook.com and I will even say it
does not include the www. or the .com

2) My number is a date of some kind.

3) My special char obviously you will know, &

4) I will not tell you my version.

How quickly do you think this could really be cracked? If the answer
involves any of the following: “it would take quite a bit of time,” “it
would require some pretty decent CPU power,” or “it would need someone that
really knows their mathematics and cryptography well”


It would require someone who knows how to use something like John the
Ripper or Hashcat. There are thousands of such people. Using SHA-256, GPU
acceleration would allow them to probably run millions of guesses per
second on a computer that costs less than $5000. I’m not going to
take the challenge, but my off the cuff guess is that they’d have a 75%
chance of guessing within 4 hours after initial set up and configuration.

(I should note that I don’t do a lot of password cracking myself, but I
very much follow what others are doing).

You can make it harder for them by increasing the burden on the user. But
every time you do that, you make it more likely that the user will use the
same system for each site, thus increasing the risk that cracking one will
lead to a crack of all.



If I hear you correctly you are saying that the hacker knows I use this
particular password “system”.  He knows that I use some form of transform
on domain name without www. or .com, that my number is a date of some kind,
that my special char is &, he doesn’t know the version.  You are saying
given all of that you would still need someone who understands password
cracking technologies, has specialized hardware (even if not crazy
expensive), would need to spend some unknown time X on setup and
configuration and then some number of hours on this dedicated machine just
to crack my password?

I would consider that a huge win.  The last time I played with John the
Ripper (at least I’m pretty sure it was that, could have been something
similar) was in the late 90’s using a 486dx 66 MHz with 8MB of ram and some
version of Linux. I realize that the algorithms used today are much better,
but then again so is the hardware.  What I remember was cracking several of
the weakest of the weak passwords within minutes, within hours or perhaps a
couple of days you could easily crack 10-20% of the passwords.  Maybe those
users were particularly stupid but somehow I don’t think so. And this was
just working mostly with the out of the box configuration.

If we are fully understanding each other here, then what I am proposing
does as much, or perhaps even more than I had ever hoped. I thought it
would take a lot more work and development for me to even get to this
point.

Another question that interests me in this case, again assuming I understood
you correctly in the first place, is how easy would it be to search for the
people using this weak system, and would that somehow be any easier or more
fruitful than just going after the average passwords?



The most exciting thing I have ever read along these lines is this:
http://www.extremetech.com/extreme/133067-unbreakable-crypto-store-a-30-character-password-in-your-brains-subconscious-memory


This, and things like


@inproceedings{BonneauSchechter2014:USENIX,
Address = {San Diego, CA},
Author = {Bonneau, Joseph and Schechter, Stuart},
Booktitle = {23rd USENIX Security Symposium (USENIX Security 14)},
Month = Aug,
Pages = {607--623},
Publisher = {USENIX Association},
Title = {Towards Reliable Storage of 56-bit Secrets in Human Memory},
Year = {2014}}

https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/bonneau

are great. But the problem is that there is so far no testing (or reason to
believe) that people will be able to do that for dozens of independent
passwords. So those training schemes are good for something like a Master
Password for some password management system, but they are not useful for
the scores of passwords that people need to use.


Wow, fantastically interesting link.  I will watch the presentation and
perhaps comment more later.

What do you think about this one? http://www.nimbusid.com/  While the setup
and login is a bit lengthy, I find it to be extremely user friendly. The
demo requires 3 objects with 7 attributes… I don’t know if whatever math
they are still using would still work out but personally I could see it
being easier to deal with by having more objects but less attributes. I
very much like this system but I can imagine that there must be a reason
why it hasn’t taken off like wild fire yet. Even if 
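
The composed-hash argument earlier in this thread (a cracker runs guesses through Hs(Hc(P’)) == h) and the “facebook / a date / & / unknown version, SHA-2” challenge can be run end to end. The following Python is an added example, not code from the secretpass project or from either poster. The five transform rules, the “hash of four hashes” layout of the client password, the salted SHA-256 on the server, the DDMMYYYY date format and the sample user inputs are all assumptions made for this demonstration; the point it shows is that the cracker only has to reproduce the client construction once and then iterate over a space of a few hundred thousand guesses.

```python
"""Added example: not code from the secretpass project or from either poster.

Executable model of the exchange above.  The client derives a site password
from low-entropy, memorable inputs (prehash := Hc(P)); the site hashes what it
receives (h := Hs(prehash)); a cracker who suspects the scheme runs each guess
P' through Hs(Hc(P')) and compares it with h.  The transform rules, the
"hash of four hashes" construction, the server hash, the date format and the
sample inputs are assumptions made for this demonstration.
"""
import hashlib
import hmac
import itertools
import os

# ---------------------------------------------------------------------------
# Client side (Hc): an assumed "memorable rule" scheme.  Five yes/no decisions
# give at most 2**5 = 32 variants of a site name, and each decision is worth
# about one bit only if it was chosen by coin flip.
# ---------------------------------------------------------------------------
LEET = str.maketrans("aeios", "@3!0$")
VOWELS = set("aeiou")

def transform(label: str, rules: tuple) -> str:
    """Apply a rule set (drop_vowels, double_vowels, leet, reverse, alt_caps)."""
    drop_vowels, double_vowels, leet, reverse, alt_caps = rules
    s = label.lower()
    if drop_vowels:
        s = "".join(c for c in s if c not in VOWELS)
    if double_vowels:
        s = "".join(c * 2 if c in VOWELS else c for c in s)
    if leet:
        s = s.translate(LEET)
    if reverse:
        s = s[::-1]
    if alt_caps:
        s = "".join(c.upper() if i % 2 else c for i, c in enumerate(s))
    return s

ALL_RULES = list(itertools.product((False, True), repeat=5))   # 32 rule sets

def client_password(site_string: str, number, special: str, version) -> str:
    """Hc: a hash of four hashes, stuck together and hashed (assumed layout),
    cut to 16 hex characters and given an upper-case run plus the special
    character so it passes typical complexity checks."""
    parts = [site_string, str(number), special, str(version)]
    inner = "".join(hashlib.sha256(p.encode()).hexdigest() for p in parts)
    digest = hashlib.sha256(inner.encode()).hexdigest()
    return digest[:8].upper() + digest[8:16] + special

# ---------------------------------------------------------------------------
# Server side (Hs): salted SHA-256 stands in for whatever the site uses.  A
# slow hash (bcrypt, PBKDF2) multiplies the cracker's cost by a constant that
# applies equally to every other user's password; it does not enlarge the
# space of guesses below.
# ---------------------------------------------------------------------------
def server_hash(salt: bytes, prehash: str) -> bytes:
    return hashlib.sha256(salt + prehash.encode()).digest()

def register(site_string, number, special, version):
    """What the site ends up storing: (salt, Hs(Hc(P)))."""
    salt = os.urandom(16)
    return salt, server_hash(salt, client_password(site_string, number, special, version))

# ---------------------------------------------------------------------------
# Cracker: knows the rule family, that the number is a date (DDMMYYYY assumed)
# and the special character; does not know which rules, which date or the
# version.  It runs Hs(Hc(P')) == h over the whole space.
# ---------------------------------------------------------------------------
def crack(salt, target, label, special, years=range(1985, 1996), versions=range(1, 4)):
    """Return the recovered inputs and the number of guesses made, or None."""
    # Tune the cracker to the client scheme: everything that does not depend
    # on the date is hashed once, outside the inner loop.
    site_hashes = [(rules, hashlib.sha256(transform(label, rules).encode()).hexdigest())
                   for rules in ALL_RULES]
    special_hash = hashlib.sha256(special.encode()).hexdigest()
    guesses = 0
    for version in versions:
        version_hash = hashlib.sha256(str(version).encode()).hexdigest()
        # Days 29-31 are tried for every month; over-enumerating is harmless.
        for year, month, day in itertools.product(years, range(1, 13), range(1, 32)):
            date = f"{day:02d}{month:02d}{year}"
            date_hash = hashlib.sha256(date.encode()).hexdigest()
            for rules, site_hash in site_hashes:
                guesses += 1
                inner = site_hash + date_hash + special_hash + version_hash
                digest = hashlib.sha256(inner.encode()).hexdigest()
                prehash = digest[:8].upper() + digest[8:16] + special   # same as Hc
                if hmac.compare_digest(server_hash(salt, prehash), target):
                    return {"rules": rules, "site_string": transform(label, rules),
                            "date": date, "version": version, "guesses": guesses}
    return None

if __name__ == "__main__":
    # Constructed sample user: leet + alternating caps on "facebook", a
    # birthday-looking date, "&" as the special character, version 2.
    rules = (False, False, True, False, True)
    site_string = transform("facebook", rules)
    salt, stored = register(site_string, "14071989", "&", 2)
    print("site string:", site_string, "-> password:",
          client_password(site_string, "14071989", "&", 2))
    print("cracked:", crack(salt, stored, "facebook", "&"))
```

With the default ranges the search space is 32 rule sets × 11 years of dates × 3 versions, under 400,000 guesses, which plain Python gets through in a second or two; nothing about it needs specialised hardware or cryptographic insight beyond reading the client code once. Adding more decisions to the rule set adds about one bit each, and a wider date or version range adds a few more; neither changes the shape of the attack.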

Re: [cryptography] Hi all, would like your feedback on something

2015-12-21 Thread Brian Hankey

>> 
>> This, and things like 
>> 
>> 
>> @inproceedings{BonneauSchechter2014:USENIX,
>>  Address = {San Diego, CA},
>>  Author = {Bonneau, Joseph and Schechter, Stuart},
>>  Booktitle = {23rd USENIX Security Symposium (USENIX Security 14)},
>>  Month = Aug,
>>  Pages = {607--623},
>>  Publisher = {USENIX Association},
>>  Title = {Towards Reliable Storage of 56-bit Secrets in Human Memory},
>>  Year = {2014}}
>> 
>> https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/bonneau
>>  
>> 
>> 
>> are great. But the problem is that there is so far no testing (or reason to 
>> believe) that people will be able to do that for dozens of independent 
>> passwords. So those training schemes are good for something like a Master 
>> Password for some password management system, but they are not useful for 
>> the scores of passwords that people need to use.
> 

There is an in depth reply to the rest stuck in the moderation queue for being 
too long but now that I watched this I will respond.  Very cool.  Interesting 
research.

I also thought this was great:

https://telepathwords.research.microsoft.com 


The funny thing is, it doesn’t seem to like hashes very much. If I really thought 
hard about how to “beat the system” I was able to get to perhaps character 20 
or something before I got a red X for typing a “u”.

Thanks for this.


Re: [cryptography] Hi all, would like your feedback on something

2015-12-20 Thread Brian Hankey
> 
> Peter Gutmann's Security Engineering
> (https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) has a good
> treatment of Passwords in general. See Chapter 7 on page 563.
> 

Thank you will read.

> John Stevens of OWASP performed threat modelling of passwords in
> storage on the server. See Secure Password Storage
> (https://docs.google.com/document/d/1R6c9NW6wtoEoT3CS4UVmthw1a6Ex6TGSBaEqDay5U7g).


Will check this but we are specifically trying to avoid storing passwords


[cryptography] Hi all, would like your feedback on something

2015-12-18 Thread Brian Hankey
Hi,

I am curious to get some feedback from you about a little thought 
experiment/hobby project I’ve been working on with some of my coworkers and 
have a very early prototype of the concept.

The question we are trying to answer here is how could we all have ultra strong 
passwords i.e. “!3AbDEE9eE45DCea” that are unique for each and every 
website, email, social media, etc. service that we use but without having to 
trust any third parties to store them for us protected by a single password 
(perhaps with 2 factor authentication, hardware key, etc., admittedly), or to 
use some kind of local password manager that needs to be installed on every 
device you want to use it on with a local encrypted password file.  Lastly, it 
should be extremely resistant to rainbow tables if and when one of your 
passwords is leaked.

The idea is to have a very compact piece of open source code that can run in 
your browser that would help you to generate nearly unbreakable passwords on 
the fly every time you need them instead of storing them somehow, or writing 
them down where other parties may be able to access them.  

Also, clearly, nothing is unbeatable. Garbage in garbage out. If someone knows 
you and your habits they could possibly still break your password- especially 
if they know you use this tool and you put very weak things into it (i.e. 
google 1234 ! 1 - this will make sense when you look at the demo and the FAQ).  
However, the concept is more about: 

1) Not being the “low hanging fruit” when some major site gets hacked and 
usernames and passwords get leaked on the net (i.e. don’t be the guy that is 
“u:billsmith32 p:Password123!” on every site he uses).

2) Not having to trust third parties (i.e. what if I don’t want Apple to store all 
my passwords in their cloud?). 

3) Not requiring cumbersome software that requires installation on your 
computer and an encrypted local password file to function (i.e. what if I am at a 
friend’s house and I need to login somewhere?).

Known vulnerabilities: Keyloggers, compromised hardware, anyone that can 
observe you.  (We were thinking of adding a virtual keyboard that bounces 
around the screen randomly to help foil key loggers).

Disclaimer: I am not a programmer, I’m sure the code is buggy (and the bugs 
were probably introduced by me and not my coworkers). I am not a mathematician, 
and I’m sure there are far better hash functions to use. I’m also sure that 
there are better ways to handle the forcing of 1 special char, 1 upper, 1 lower 
and 1 number minimum in each password to satisfy the peskiest “your password is 
too weak” systems.  

The most important feedback I’m looking for is, do you think the concept is 
sound and if so why or why not? If you do think it’s sound then I would like to 
know how to improve it? If you think there is potential do you think it is 
worth developing further? Assuming it is sound how can we increase user 
friendliness and/or security?

Did somebody else already think of this and do something similar (high 
probability I guess) - please tell me so I can give credit where credit is due. 
 I thought up this idea on a long car trip a year ago and finally got the 
courage to con my coworkers into helping me build it to the bare minimum stage 
that I could ask some real experts for an opinion. I asked a few friends 
already who are pretty well advanced in computer sciences and nobody called me 
a stark raving idiot so I thought it would be OK to ask a crypto mailing list, 
hope you don’t mind.

If you find any egregious idiocy in the code it is probably my fault because 
I’ve been fooling with it a little bit while being too impatient to get the 
experts to fix it.  I think it still works as a demo though. I am the only 
non-coder of the three that have worked on this so far. The .php version is 
only to have a cool looking animation to go with the demo, this is intended to 
be run locally. If you want to see the very original version it’s there too as 
secretpassv1.html 

Thanks for your time, I look forward to hearing your feedback, good, bad, awful 
or otherwise.

Links - 

live demo http://secretpass.org 
git: https://github.com/brianci/secretpass 



Thanks. Happy Holidays! 



Re: [cryptography] Hi all, would like your feedback on something

2015-12-18 Thread Brian Hankey
so consider 
> offering the same functionality as an Add-On/Program/App instead.

Absolutely right, it’s just meant as a demo though.  I already bought a 
certificate for HTTPS but have yet to install it.  You are supposed to run it 
locally if actually using it.

> - You are using PHP solely to add a cute animation. It's okay to use server 
> side scripting in general, but there's always some attack surface in any kind 
> of scripting. Consider moving the animation to JavaScript and serving the 
> page through a static server instead. That should work just as well (better, 
> actually).

Yes, will remove the PHP version soon. Miscommunication, this wasn’t supposed 
to be used at all. There is no intention of having PHP in any version that is 
intended to actually be used to create passwords.

> 
> As a final remark: you did mention that SecretPass is in an early stage of 
> development in your message. At this point, this is not reflected on the page 
> itself. Please consider adding a warning to people who stumble upon the page, 
> just to make sure its passwords aren't used at this early stage. This should 
> improve security (weak passwords aren't used) as well as usability (if you 
> continue development, your algorithm will likely change. This would break any 
> previously generated passwords).

Yea I’m going to do that right now.  Thanks.

> 
> That being said: keep up the good work, consider looking at 
> passwordmaker/master password for implementation examples with some 
> experience in a similar scenario and happy holidays :)

Will have a look. Thank you.

> 
> Regards,
> Florian
> 
> 
> 
> On 18 December 2015 at 15:27, Brian Hankey <bhan...@gmail.com 
> <mailto:bhan...@gmail.com>> wrote:
> Hi,
> 
> I am curious to get some feedback from you about a little thought 
> experiment/hobby project I’ve been working on with some of my coworkers and 
> have a very early prototype of the concept.
> 
> The question we are trying to answer here is how could we all have ultra 
> strong passwords i.e. “!3AbDEE9eE45DCea” that are unique for each and 
> every website, email, social media, etc. service that we use but without 
> having to trust any third parties to store them for us protected by a single 
> password (perhaps with 2 factor authentication, hardware key, etc., 
> admittedly), or to use some kind of local password manager that needs to be 
> installed on every device you want to use it on with a local encrypted 
> password file.  Lastly, it should be extremely resistant to rainbow tables if 
> and when one of your passwords is leaked.
> 
> The idea is to have a very compact piece of open source code that can run in 
> your browser that would help you to generate nearly unbreakable passwords on 
> the fly every time you need them instead of storing them somehow, or writing 
> them down where other parties may be able to access them.  
> 
> Also, clearly, nothing is unbeatable. Garbage in garbage out. If someone 
> knows you and your habits they could possibly still break your password- 
> especially if they know you use this tool and you put very weak things into 
> it (i.e. google 1234 ! 1 - this will make sense when you look at the demo and 
> the FAQ).  However, the concept is more about: 
> 
> 1) Not being the “low hanging fruit” when some major site gets hacked and 
> usernames and passwords get leaked on the net (i.e. don’t be the guy that is 
> “u:billsmith32 p:Password123!” on every site he uses).
> 
> 2) Not having to trust third parties (i.e. what if I don’t want Apple to store 
> all my passwords in their cloud?). 
> 
> 3) Not requiring cumbersome software that requires installation on your 
> computer and an encrypted local password file to function (i.e. what if I am 
> at a friend’s house and I need to login somewhere?).
> 
> Known vulnerabilities: Keyloggers, compromised hardware, anyone that can 
> observe you.  (We were thinking of adding a virtual keyboard that bounces 
> around the screen randomly to help foil key loggers).
> 
> Disclaimer: I am not a programmer, I’m sure the code is buggy (and the bugs 
> were probably introduced by me and not my coworkers). I am not a 
> mathematician, and I’m sure there are far better hash functions to use. I’m 
> also sure that there are better ways to handle the forcing of 1 special char, 
> 1 upper, 1 lower and 1 number minimum in each password to satisfy the 
> peskiest “your password is too weak” systems.  
> 
> The most important feedback I’m looking for is, do you think the concept is 
> sound and if so why or why not? If you do think it’s sound then I would like 
> to know how to improve it? If you think there is potential do you think it is 
> worth developing further? Assuming it is sound h