Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-28 Thread Eric Wald
On Tue, Apr 26, Aaron Toponce wrote:
 On Tue, Apr 26, 2011 at 10:49:36AM -0600, Eric Wald wrote:
 Over 25,000 reasonable straight-line passwords; double that to include
 spirals.  Certainly within range for a dictionary attack, but it would
 take long enough that I could re-print the card, print a new card, and
 change all of my most important passwords before you're likely to have
 cracked even one account.

 No, not by a long shot. Because the length of your password could be
 infinite, this makes the number of possibilities infinite, even in one
 direction. But even using limited length, say 20, you still have billions
 upon billions of combinations based on starting location, and direction
 traveled. No dictionary attack is feasible with this card.

Perhaps my math is faulty, but I'm having a hard time finding billions
of possible passwords unless you're willing to accept 500-character
passwords with loads of repetition.  I'm counting 29 columns, 8 rows, 8
straight-line directions, and 8 spiral directions.  I could see using
the 8 hippogonal directions, too, but that's a stretch.  For length, I'm
assuming that anything below 8 characters is ridiculously short for
someone security-conscious enough to use such a card, and 30 characters
(wrapping back to the starting column) is a reasonable upper limit.

That gives me 29*8 = 232 starting positions, 8+8+8 = 24 directions, and
len [8..30] = 23 lengths, for 128,064 potential passwords.  That's just
barely larger than my /usr/share/dict/words dictionary.

My 25,000 figure above was assuming only 8 directions, and 13 or 14
reasonable password lengths, which should take care of the most likely
usage scenarios; a cracker could very easily attempt those first, before
expanding to the hundred thousand less-likely candidates, much less the
shorter, longer, or crazy-path candidates.

On the other hand, I can accept the billions upon billions figure for
the crazy-path idea.  If the direction of the path is allowed to change
for each character, then that gives you 1.5 billion 8-character
passwords even if the direction always has to be orthogonal and away
from the previous character.  14 characters gets you to a trillion
passwords; 157 quadrillion if you include diagonals.  Granted, these
figures allow overlapping paths and wrapping around the edges, which
would be less likely in a real use case; far more likely is that someone
takes a password in one direction for a while, switching once or twice
before finishing.

At the extreme case, one could claim over a decillion passwords by
allowing any character after any other, but that assumes that each of
the 232 characters are unique.

- Eric

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/

Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-28 Thread Eric Wald
On Tue, Apr 26, Nicholas Leippe wrote:
 Passwords are not infinite in length. I have never once found a system
 that allows me to choose a password of arbitrary length. Every one I
 have encountered has a hard upper limit on the length, usually 16-20,
 some (including some banks--shudder!) as short as 8.

They're starting to be more common, because the hashed form is always
the same length.  Most of my passwords these days are 39 characters
long, where allowed.  Ironically, the places it isn't allowed are
usually sites that store my financial information...

I see no reason for password length restriction to be less than 127
characters.  However, allowing a full megabyte would probably be
excessive.  Is there a best-practices limit?  1K, perhaps?

- Eric



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-28 Thread Nicholas Leippe
On Thu, Apr 28, 2011 at 11:08 AM, Eric Wald esw...@brainshell.org wrote:
 On Tue, Apr 26, Nicholas Leippe wrote:
 Passwords are not infinite in length. I have never once found a system
 that allows me to choose a password of arbitrary length. Every one I
 have encountered has a hard upper limit on the length, usually 16-20,
 some (including some banks--shudder!) as short as 8.

 They're starting to be more common, because the hashed form is always
 the same length.  Most of my passwords these days are 39 characters
 long, where allowed.  Ironically, the places it isn't allowed are
 usually sites that store my financial information...

 I see no reason for password length restriction to be less than 127
 characters.  However, allowing a full megabyte would probably be
 excessive.  Is there a best-practices limit?  1K, perhaps?


Well, sure, but for all practical purposes 99.999% of the population
are not going to type in a long paragraph for their password--they
have enough trouble typing a short password in correctly every time.
It's just too inconvenient to do so. I think a short sentence 20-40
chars would be easy to remember, convenient enough to type (if they
are decent typists), and much stronger than a hard-to-remember
sequence of 8-12 random chars, but there are so many systems that
still have short limits. There's still plenty of systems that don't
allow spaces.

One of my accounts a while back changed their password method--they
emailed me saying that to increase security they had stripped all
non-alphanumerics out of my password! That is disturbing on many
levels.



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-28 Thread Matthew Walker
On Thu, April 28, 2011 11:24 am, Nicholas Leippe wrote:
 One of my accounts a while back changed their password method--they
 emailed me saying that to increase security they had stripped all
 non-alphanumerics out of my password! That is disturbing on many
 levels.

Ouch. The most disturbing part for me is that it meant they weren't storing a
hash, but the actual password itself.

-- 
Matthew Walker  HAM Call Sign: N7TOX
Kydance Hosting  Consulting, Inc. - http://www.kydance.net/
PHP, Perl, and Web Development - Linux Server Administration



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-28 Thread Nicholas Leippe
On Thu, Apr 28, 2011 at 11:32 AM, Matthew Walker mwal...@kydance.net wrote:
 On Thu, April 28, 2011 11:24 am, Nicholas Leippe wrote:
 One of my accounts a while back changed their password method--they
 emailed me saying that to increase security they had stripped all
 non-alphanumerics out of my password! That is disturbing on many
 levels.

 Ouch. The most disturbing part for me is that it meant they weren't storing a
 hash, but the actual password itself.

Yep.



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-28 Thread Lonnie Olson
On Thu, Apr 28, 2011 at 10:58 AM, Eric Wald esw...@brainshell.org wrote:
 On Tue, Apr 26, Aaron Toponce wrote:
 On Tue, Apr 26, 2011 at 10:49:36AM -0600, Eric Wald wrote:
 Over 25,000 reasonable straight-line passwords; double that to include
 spirals.  Certainly within range for a dictionary attack, but it would
 take long enough that I could re-print the card, print a new card, and
 change all of my most important passwords before you're likely to have
 cracked even one account.

The passwordcard is just a new iteration in the evolution of one
method of password security.

Example evolution:
1. Use strong passwords to prevent dictionary/brute force attacks
2. Use different passwords for different services
3. Record your passwords so you don't have to rely on memory
4. Record them on paper in your wallet since you already have a habit
of securing your wallet
*5. Use a password card to obfuscate your password records and
encourage strong passwords

The ability to create a dictionary from a compromised passwordcard
isn't the purpose or most risky factor of the system.
It simply adds another layer of security on top of a long list of other layers.
Also, since it's physical, it's relatively easy to be alerted to its
compromise so you can change any compromised passwords.
Very akin to canceling your credit cards in case of theft.

I think the passwordcard is a great alternative to using a password
manager (lastpass, keepass, 1password).



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-28 Thread Stuart Jansen
On Thu, 2011-04-28 at 11:08 -0600, Eric Wald wrote:
 I see no reason for password length restriction to be less than 127
 characters.  However, allowing a full megabyte would probably be
 excessive.  Is there a best-practices limit?  1K, perhaps?

Best practice has generally been salted hashes, but some have started
recommending an HMAC or PBKDF (password-based key derivation function).
Whatever you choose, at its heart will be a hashing algorithm. As such,
I don't think there should be any input length limitation.

I'm not expert enough to pick a winner, but if you're researching how to
store credentials I'd recommend you start by evaluating PBKDF2, bcrypt,
and scrypt.



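Stuart's recommendation above (salted hashes, or better a PBKDF such as PBKDF2, bcrypt or scrypt) and Eric's question about a sane length limit are easy to put together in working code. The block below is an added example written for this archive; it is not code from Stuart, Eric or any other participant. It uses Python's standard `hashlib.pbkdf2_hmac` and `hmac.compare_digest`, stores a self-describing record (`algorithm$iterations$salt$digest`) so the work factor can be raised later without re-deriving anything, and enforces the 1 KB bound Eric floated as an assumed policy: an over-long password is rejected with an error rather than silently truncated, which is exactly the failure mode Eric complained about elsewhere in this thread. Because the KDF commits to the exact bytes, the "strip the non-alphanumerics" change Nicholas's provider made could only have been done by a system holding plaintext, as Matthew noted; `verify_password("thisisfun", ...)` fails against a record for "this is fun". One caveat the thread does not mention: of Stuart's three candidates, bcrypt uses only the first 72 bytes of its input, so PBKDF2 or scrypt are the better fit for the long passphrases discussed here.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000          # work factor; raise as hardware gets faster
SALT_BYTES = 16
# Assumed policy for this example: bound the bytes fed to the KDF so a client
# cannot make the server do unbounded work, but reject over-long input loudly
# rather than silently truncating it.
MAX_PASSWORD_BYTES = 1024


class PasswordTooLong(ValueError):
    """Raised when a password exceeds MAX_PASSWORD_BYTES (it is never truncated)."""


def _to_bytes(password):
    """UTF-8 encode the password and enforce the length policy."""
    encoded = password.encode("utf-8")
    if len(encoded) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password exceeds {MAX_PASSWORD_BYTES} bytes")
    return encoded


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    encoded = _to_bytes(password)
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", encoded, salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the KDF with the stored parameters and compare in constant time."""
    try:
        encoded = _to_bytes(password)
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:            # covers PasswordTooLong, bad split, bad hex, bad int
        return False
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", encoded, salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("this is fun")
    print(record)
    print(verify_password("this is fun", record))                  # True
    print(verify_password("thisisfun", record))                    # False: spaces are part of the secret
    print(verify_password("x" * 1000, hash_password("x" * 1000)))  # True: long input is fine
```

The salt is generated fresh per record, so two users with the same password get different digests, and `compare_digest` avoids leaking how many leading bytes matched through timing. Nothing in the record depends on the password's length, which is Stuart's point: there is no reason for a hash-based store to cap input at 8 or 16 characters.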

Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-28 Thread Steven Morrey
Not sure how secure it is, but the best (as in most interesting)
password system I've ever seen is not really a password at all.

Instead, a series of pictures, say 10 or 20, is shown to the user, for
instance square, circle, triangle, etc.

The user then selects as many pictures as they want to build a picture word.

This picword is then their password and username, IIRC.

Admittedly I did see this on a proprietary system that was targeted at
people with a handicap, and it was only used to allow them into some
educational software, so it wasn't being used to guard sensitive
information.



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-26 Thread Eric Wald
On Mon, Apr 25, Nicholas Leippe wrote:
 On Mon, Apr 25, 2011 at 12:53 PM, Aaron Toponce aaron.topo...@gmail.com 
 wrote:
 I'm actually surprised that no one has mentioned this, so I'll just drop
 this here:

 https://passwordcard.org

 Yes, there is nothing wrong with writing your passwords down, and
 keeping it in your wallet or purse. It's how you write them that makes
 all the difference in the world.

 Correct me if I'm wrong, but if your passwordcard is stolen it yields
 a rather small dictionary for an attack on your accounts.
 Better than plain text, but still not very secure--enough so that I'm
 not sure it's worth it.

Over 25,000 reasonable straight-line passwords; double that to include
spirals.  Certainly within range for a dictionary attack, but it would
take long enough that I could re-print the card, print a new card, and
change all of my most important passwords before you're likely to have
cracked even one account.

Granted, I haven't tried it yet, but I keep telling myself to print out
one with enough numbers for all those 4-digit PINs that are supposed to
be different from each other.  I could also see myself using it for
other cases that can't be copied and pasted, such as computer logins.

- Eric



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-26 Thread Joel Finlinson
On Tue, Apr 26, 2011 at 10:49 AM, Eric Wald esw...@brainshell.org wrote:

 On Mon, Apr 25, Nicholas Leippe wrote:
  On Mon, Apr 25, 2011 at 12:53 PM, Aaron Toponce aaron.topo...@gmail.com
 wrote:
  I'm actually surprised that no one has mentioned this, so I'll just drop
  this here:
 
  https://passwordcard.org
 
  Yes, there is nothing wrong with writing your passwords down, and
  keeping it in your wallet or purse. It's how you write them that makes
  all the difference in the world.
 
  Correct me if I'm wrong, but if your passwordcard is stolen it yields
  a rather small dictionary for an attack on your accounts.
  Better than plain text, but still not very secure--enough so that I'm
  not sure it's worth it.

 Over 25,000 reasonable straight-line passwords; double that to include
 spirals.  Certainly within range for a dictionary attack, but it would
 take long enough that I could re-print the card, print a new card, and
 change all of my most important passwords before you're likely to have
 cracked even one account.

 Granted, I haven't tried it yet, but I keep telling myself to print out
 one with enough numbers for all those 4-digit PINs that are supposed to
 be different from each other.  I could also see myself using it for
 other cases that can't be copied and pasted, such as computer logins.

 - Eric


I like the passwordcard idea, but how do you remember which password
goes to which account?  Get another card?



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-26 Thread Aaron Toponce
On Tue, Apr 26, 2011 at 10:49:36AM -0600, Eric Wald wrote:
 Over 25,000 reasonable straight-line passwords; double that to include
 spirals.  Certainly within range for a dictionary attack, but it would
 take long enough that I could re-print the card, print a new card, and
 change all of my most important passwords before you're likely to have
 cracked even one account.

 Granted, I haven't tried it yet, but I keep telling myself to print out
 one with enough numbers for all those 4-digit PINs that are supposed to
 be different from each other.  I could also see myself using it for
 other cases that can't be copied and pasted, such as computer logins.

No, not by a long shot. Because the length of your password could be
infinite, this makes the number of possibilities infinite, even in one
direction. But even using limited length, say 20, you still have billions
upon billions of combinations based on starting location, and direction
traveled. No dictionary attack is feasible with this card.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-26 Thread Aaron Toponce
On Tue, Apr 26, 2011 at 02:31:27PM -0600, Joel Finlinson wrote:
 I like the passwordcard idea..but how do you remember which password
 goes to which account?  Get another card?

Easy. You set up a mental map on where the password starts. For example.
Say you want to use this card with your Facebook account. You could use the
smiley face as the starting column, and the blue row for the starting
character. Then go from there. Your bank could be the green dollar sign,
your ldssingles.com account could be the pink heart, et cetera. Of course,
using such easy mental maps might not be a good idea, but it conveys how it
works. Further, once you've typed in the password enough, you'll likely
memorize it, so pulling out the card becomes less and less of a chore.

I would personally recommend keeping all passwords the same length, and
take the same direction, to minimize what you need to remember. But, you
could keep it simple, such as:

1. Travel in a counter-clockwise spiral, not repeating characters
2. Travel 12 characters, or the first non-alphanumeric symbol,
   whichever is first.

You get the idea. It's really quite simple to remember where each password
starts, its length and its direction. For the very rare accounts I access,
I also use KeePass, so should I forget its starting location, at least I
have a secure backup.





Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-26 Thread Nicholas Leippe
On Tue, Apr 26, 2011 at 2:36 PM, Aaron Toponce aaron.topo...@gmail.com wrote:

 No, not by a long shot. Because the length of your password could be
 infinite, this makes the number of possibilities infinite, even in one
 direction. But even using limited length, say 20, you still have billions
 upon billions of combinations based on starting location, and direction
 traveled. No dictionary attack is feasible with this card.

Passwords are not infinite in length. I have never once found a system
that allows me to choose a password of arbitrary length. Every one I
have encountered has a hard upper limit on the length, usually 16-20,
some (including some banks--shudder!) as short as 8.

If you're already needing to use a card like this as a memory aid for
your passwords, you're very likely to go in a straight line--vertical,
horizontal, or diagonal. Memorizing a convoluted path would be harder,
and why bother when you have such a great starting aid to occlusion in
the first place. Furthermore, if someone is extremely paranoid enough
to use this *plus* a convoluted path, it seems to me that if they have
the memory skills to remember the path as well they likely wouldn't
need the card in the first place.

Thus I'd wager that for most people the card yields a finite number of
say 20-character words, of which any length could be a possible
password--but if we assume a minimum of 6 characters, that means we
get 15 possible word lengths for each direction from each starting
position--thus 6x15x29x8 = a 20880 word dictionary--less than half the
size of the small dictionary that comes with crack lib--a very
feasible dictionary as a starting point.

But, as posted earlier, if you change your passwords as soon as you
discover that your card has been lost or compromised (assuming you
could know someone copied it?), you're likely to head off any
dictionary attack in progress before it succeeds.

So, all in all I now think that the passwordcard is a decent way to go.


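Eric's count of 29*8 starting cells, 24 directions and 23 lengths (128,064 candidates) and Nicholas's 20,880-word estimate above are both upper bounds on what a copied card yields; the real number is the count of distinct strings the card can produce, which is never larger and is what a defender should weigh against the card's convenience. The block below is an added example for this archive, not code from either poster or from passwordcard.org: it builds a constructed 8x29 card of random alphanumerics (not a real card), enumerates every straight-line reading with wraparound, and reports the distinct count in bits next to the entropy of a uniformly random password of the same alphabet. The eight straight-line directions and the 8..30 length range are taken from Eric's message; spirals and the "crazy path" variants are not enumerated, and `nominal_count()` simply reproduces the multiplication the thread does by hand.

```python
import math
import random
import string

ROWS, COLS = 8, 29          # card layout as counted in the thread (8 rows, 29 columns)
CARD_ALPHABET = string.ascii_letters + string.digits

# Eight straight-line directions as (row step, column step).
DIRECTIONS = [(0, 1), (0, -1), (1, 0), (-1, 0),
              (1, 1), (1, -1), (-1, 1), (-1, -1)]


def make_card(seed=1):
    """Constructed sample card (not a real passwordcard.org card): random alphanumerics."""
    rng = random.Random(seed)
    return [[rng.choice(CARD_ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]


def nominal_count(rows=ROWS, cols=COLS, directions=8, min_len=8, max_len=30):
    """Upper bound used in the thread: starting cells x directions x allowed lengths."""
    return rows * cols * directions * (max_len - min_len + 1)


def read_path(card, row, col, drow, dcol, length):
    """Read `length` characters from (row, col) along (drow, dcol), wrapping at the edges."""
    rows, cols = len(card), len(card[0])
    return "".join(card[(row + i * drow) % rows][(col + i * dcol) % cols]
                   for i in range(length))


def distinct_straight_line(card, min_len=8, max_len=30):
    """Count the distinct strings a straight-line reading of this card can yield.

    Different (start, direction, length) triples may read the same string, so
    this is the real candidate count behind a copied card; it can only be at or
    below nominal_count().
    """
    seen = set()
    rows, cols = len(card), len(card[0])
    for row in range(rows):
        for col in range(cols):
            for drow, dcol in DIRECTIONS:
                for length in range(min_len, max_len + 1):
                    seen.add(read_path(card, row, col, drow, dcol, length))
    return len(seen)


def entropy_bits(candidates):
    """Guessing entropy (bits) of a uniformly chosen candidate from a set of that size."""
    return math.log2(candidates)


def random_password_bits(length, alphabet_size=len(CARD_ALPHABET)):
    """Entropy of a uniformly random password of `length` symbols from that alphabet."""
    return length * math.log2(alphabet_size)


def summary(card, min_len=8, max_len=30):
    """Collect the figures a defender would compare: card keyspace vs. random passwords."""
    distinct = distinct_straight_line(card, min_len, max_len)
    return {
        "nominal_8_dirs": nominal_count(directions=8, min_len=min_len, max_len=max_len),
        "nominal_24_dirs": nominal_count(directions=24, min_len=min_len, max_len=max_len),
        "distinct_8_dirs": distinct,
        "card_bits": entropy_bits(distinct),
        "random_8_char_bits": random_password_bits(8),
    }


if __name__ == "__main__":
    for key, value in summary(make_card()).items():
        line = f"{key:>20}: {value:,.2f}" if isinstance(value, float) else f"{key:>20}: {value:,}"
        print(line)
```

On a random card the straight-line keyspace comes out a little under 16 bits, against roughly 47.6 bits for eight uniformly random alphanumerics, which is the gap Nicholas and Eric are arguing about: the card's value is that a stolen one is noticed and reprinted, not that its keyspace resists a dictionary run.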

Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-26 Thread Steven Morrey
My two cents on this.
The greatest danger isn't in someone brute forcing your password but simply
social engineering a password change.

Example: I personally had a PayPal account that was hacked.
The "reset your password" question was "What is your frequent flier number?";
thinking I was being unique, I put 666.  Looking back I wonder if the cracker
who got in was even slowed down by it.

Another example.  My mother is elderly, doesn't really like computers, refuses to
use a debit card, preferring to do all of her banking face to face; she sure as
heck doesn't use online banking.  One month her bank statement didn't arrive in
the mail.
She called the bank and they told her that she had called in and signed up for
internet banking, which was paperless.

She had also evidently wired several thousand dollars to various banks in
Mexico, using her bank's easy transfer feature.

She had them stop the internet banking and filed a police report.

A few days later the bank called her up to finish setting up the internet
banking.  Evidently the criminal had called the bank and said something along
the lines of "Oh, I didn't realize that this website banking was the reason for
not getting a statement. I really need it, it's such a handy thing."

The bank was fully prepared to re-enable this criminal.  It was only because the
call dropped that the bank even bothered to call her back, and that was only to
finish the setup.

For the record this perp has never been caught.

My point is that passwords, no matter how secure, are only as secure as the
person answering the phone, who is always more than willing to go the extra mile
to help!



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-26 Thread Shane Hathaway
On 04/26/2011 04:08 PM, Steven Morrey wrote:
 My point is that passwords no matter how secure are only as secure as
 the person answering the phone who is always more than willing to go
 the extra mile to help!

Amen.

Shane



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-25 Thread Aaron Toponce
On 4/16/2011 11:43 PM, Shane Hathaway wrote:
 Would you actually advise the public to write down their passwords, 
 knowing that people leave their wallets or purses unattended quite 
 frequently?  Stealing a written password requires only a glance or a 
 camera.  There could easily be no evidence whatsoever of the password 
 theft.  Written passwords are not at all equivalent to physical security 
 tokens.

I'm actually surprised that no one has mentioned this, so I'll just drop
this here:

https://passwordcard.org

Yes, there is nothing wrong with writing your passwords down, and
keeping it in your wallet or purse. It's how you write them that makes
all the difference in the world.







Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-25 Thread Nicholas Leippe
On Mon, Apr 25, 2011 at 12:53 PM, Aaron Toponce aaron.topo...@gmail.com wrote:
 On 4/16/2011 11:43 PM, Shane Hathaway wrote:
 Would you actually advise the public to write down their passwords,
 knowing that people leave their wallets or purses unattended quite
 frequently?  Stealing a written password requires only a glance or a
 camera.  There could easily be no evidence whatsoever of the password
 theft.  Written passwords are not at all equivalent to physical security
 tokens.

 I'm actually surprised that no one has mentioned this, so I'll just drop
 this here:

 https://passwordcard.org

 Yes, there is nothing wrong with writing your passwords down, and
 keeping it in your wallet or purse. It's how you write them that makes
 all the difference in the world.

Correct me if I'm wrong, but if your passwordcard is stolen it yields
a rather small dictionary for an attack on your accounts.
Better than plain text, but still not very secure--enough so that I'm
not sure it's worth it.



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-25 Thread Stuart Jansen
On Mon, 2011-04-25 at 13:15 -0600, Nicholas Leippe wrote:
 Correct me if I'm wrong, but if your passwordcard is stolen it yields
 a rather small dictionary for an attack on your accounts.
 Better than plain text, but still not very secure--enough so that I'm
 not sure it's worth it.

The card is designed to thwart shoulder surfing and naive attackers.
Obviously targeted theft is outside the threat model.

Geez, what's so hard to grasp about "perfect is the enemy of the good"?
In a perfect world we would all memorize different 20+ character
randomized passwords for each service we use. Meanwhile, back in the
real world...




Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-25 Thread Aaron Toponce
On Mon, Apr 25, 2011 at 01:15:18PM -0600, Nicholas Leippe wrote:
 Correct me if I'm wrong, but if your passwordcard is stolen it yields
 a rather small dictionary for an attack on your accounts.
 Better than plain text, but still not very secure--enough so that I'm
 not sure it's worth it.

Explain how you would perform the dictionary attack, given the following
criteria:

1. Your password can be any length.
2. Your password can start anywhere on the card.
3. Your password can take any directional path, be it diagonal,
   straight, spiral, or some other weirdness.

If my wallet is lost, or an attacker gains access to the card, I'm not
concerned about my accounts being compromised:

1. The attacker will have to successfully know the password.
2. The attacker will then have to map that password to the right
   account.

Knowing that I use a different password for every account I have (thus the
reason for the card), I'm not going to lose any sleep over it. If the card
is no longer in my possession, I'll just reprint the card, and move on with
my life.





Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-21 Thread Eric Wald
On Tue, Apr 19, Joshua Lutes wrote:
 So, the fellow in the article Stuart linked to recommended 1password as a
 password manager, but it doesn't support Linux.  LastPass looks like it
 does.  What are the other password managers folk use?  I'm most interested
 in one that works on Linux, Windows, Mac as well as the various handheld
 devices.

I tend to use LastPass for websites, and KeePassX for everything else.
I seem to recall having opened the KeePassX database on a Windows
computer at least once; however, I haven't yet tried it on Mac, and
don't yet have a handheld with a useful browser.

My biggest gripe with them is the ease with which they highlight
security problems with websites.  In particular, certain websites,
including ones with extremely sensitive data, silently truncate new
passwords.  I don't even find out until the next time I try to log in,
and have to chop characters off the end until it works.

- Eric


Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-19 Thread Stuart Jansen
On Sat, 2011-04-16 at 08:40 -0600, AJ ONeal wrote:
 This is near and dear to my heart so I had to evangelize:
 http://www.baekdal.com/tips/password-security-usability

http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.html






Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-19 Thread Corey Edwards
On 04/17/2011 04:47 PM, Stuart Jansen wrote:
 On Sat, 2011-04-16 at 23:43 -0600, Shane Hathaway wrote:
 Would you actually advise the public to write down their passwords, 
 knowing that people leave their wallets or purses unattended quite 
 frequently?  Stealing a written password requires only a glance or a 
 camera.  There could easily be no evidence whatsoever of the password 
 theft.  Written passwords are not at all equivalent to physical security 
 tokens.
 
 Yes I would. Too many people base their notions of proper security on
 received lore instead of considering threat models and human behavior.
 First of all, we're not talking about nuclear launch codes, we're
 talking about email and bank logins.
 
 The primary threat model is brute force, drive-by attacks. Most people
 don't want to memorize complex passwords, and don't value their account
 enough to spend the effort required to pick good passwords and change
 them regularly. If you give them permission to write the password down,
 they'll be more willing to pick a higher quality password.

I work for an ISP and something we see a lot is people who use the same
password on every site getting their email and password stolen from one
site and used on another. Sites where your login name is your email
address are especially vulnerable to this. Typically we only see this
when somebody's webmail gets used to send spam, but that's just
selection bias. The possibilities are limitless.

For that reason I've long recommended people use different passwords for
every site and write them down. I use pwsafe[1], but a note in the
wallet would be fine too.

Corey

1. http://passwordsafe.sourceforge.net/





Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-19 Thread Matthew Walker
On Tue, April 19, 2011 10:15 am, Corey Edwards wrote:
 For that reason I've long recommended people use different passwords for
 every site and write them down. I use pwsafe[1], but a note in the
 wallet would be fine too.

For the same reason, I recently started using LastPass to store all my
passwords, with a new unique password created explicitly for my master
password, in addition to using their 2-Factor Authentication Grid (random
coordinate sheet that I have to use to log in on new computers).

They let me easily generate new highly complex passwords, and store them
in an easy to use way.




Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-19 Thread Joshua Lutes
So, the fellow in the article Stuart linked to recommended 1password as a
password manager, but it doesn't support Linux.  LastPass looks like it
does.  What are the other password managers folk use?  I'm most interested
in one that works on Linux, Windows, Mac as well as the various handheld
devices.

Joshua.



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-19 Thread John D Jones III
On 04/19/2011 01:04 PM, Joshua Lutes wrote:
 So, the fellow in the article Stuart linked to recommended 1password as a
 password manager, but it doesn't support Linux.  LastPass looks like it
 does.  What are the other password managers folk use?  I'm most interested
 in one that works on Linux, Windows, Mac as well as the various handheld
 devices.

 Joshua.

I use KeepassX and am very happy with it.



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-18 Thread Nicholas Leippe
Two other factors to consider are:
- you cannot solve a policy issue with technology
- you cannot be other people's password/security nannies

The best that we can do with technology is to implement the mechanisms
that will allow people to be as secure as they desire--let them choose
what risk they are willing to take.

If a person decides that their banking password is safe on a sticky
note in their home office, then so be it.
If a person decides that their email password can be their birthday,
*even after it being explained to them* that their email account can
be used to gain access to other accounts (such as banking, etc), then
*so be it*--they've made their choice.

Attempting to force higher security on someone that doesn't want it
only results in those individuals finding other ways to make it less
secure, simply because security and convenience are by definition at
odds.

The hard part is educating people of the risks--it's not a fun topic
and people don't really have an attention span for it. You *want* to
help people be more secure with their data, but at the end of the day,
you have to sometimes just point people at the answers and let them
discover it for themselves when they're ready.



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-17 Thread Charles Curley
On Sat, 16 Apr 2011 23:43:41 -0600
Shane Hathaway sh...@hathawaymix.org wrote:

 Would you actually advise the public to write down their passwords, 
 knowing that people leave their wallets or purses unattended quite 
 frequently?  Stealing a written password requires only a glance or a 
 camera.

One way to deal with this problem is to scramble the password when
writing it down. Unscrambling it will be invisible to an observer
because the password entry widget will only show asterisks.

As for people leaving their wallets or purses about, that is a bad
habit. Many years ago I took a course in self defense from John Farnam
(http://defense-training.com/). He pointed out that in an emergency,
you will do what your habits tell you to do. So, e.g., I *always* lock
the car, even at a small town in Wyoming. So when I do travel to the
big city, I have the right habits.

One should be in the habit of carrying keys, wallet, mobile phone and
other highly critical items on one's person so that one is not in the
habit of setting them down. Purses, man bags, etc. are insecure.
Fashion be damned. I'd rather be unfashionable than have those critical
items stolen.

-- 

Charles Curley  /\ASCII Ribbon Campaign
Looking for fine software   \ /Respect for open standards
and/or writing?  X No HTML/RTF in email
http://www.charlescurley.com/ \No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-17 Thread Shane Hathaway
On 04/17/2011 07:22 AM, Charles Curley wrote:
 One way to deal with this problem is to scramble the password when
 writing it down. Unscrambling it will be invisible to an observer
 because the password entry widget will only show asterisks.

Most people would not be very creative in the way they scramble their 
password.

 As for people leaving their wallets or purses about, that is a bad
 habit.

That bad habit often has a compelling cause.  Have you ever noticed that 
women's pants typically have much smaller pockets than men's?  Their 
pockets are generally too small to fit a wallet.  The women I know find 
that quite annoying, but there is little they can do about it other than 
working very hard to find clothes.

The audience I am addressing is the general public.  In this tl;dr 
world, I can not give password advice to everyone.  I can give them a 
password complexity meter and a password tips link that a few people 
might click.

Shane



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-17 Thread Jessie Morris
 On 04/16/2011 05:53 PM, Stuart Jansen wrote:
 They're all physical objects that are easy to steal, yet you (hopefully)
 realize immediately that because we keep them physically close they're
 sufficiently secure. Write down a password and it becomes the equivalent
 of a physical security token, just keep it safe.

 Would you actually advise the public to write down their passwords,
 knowing that people leave their wallets or purses unattended quite
 frequently?  Stealing a written password requires only a glance or a
 camera.  There could easily be no evidence whatsoever of the password
 theft.  Written passwords are not at all equivalent to physical security
 tokens.

 Shane



So, you see a post it note in my wallet. You take a picture. Now what?
What is my name, email, etc? What website is this password to? Many people
do use the same password for multiple sites, but I have about 10 that I
rotate between.

So, even knowing my password, good luck getting anywhere with it.

-- 

Jessie Morris
(801) 380-6820
jes...@jessieamorris.com




Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-17 Thread Stuart Jansen
On Sat, 2011-04-16 at 23:43 -0600, Shane Hathaway wrote:
 Would you actually advise the public to write down their passwords, 
 knowing that people leave their wallets or purses unattended quite 
 frequently?  Stealing a written password requires only a glance or a 
 camera.  There could easily be no evidence whatsoever of the password 
 theft.  Written passwords are not at all equivalent to physical security 
 tokens.

Yes I would. Too many people base their notions of proper security on
received lore instead of considering threat models and human behavior.
First of all, we're not talking about nuclear launch codes, we're
talking about email and bank logins.

The primary threat model is brute force, drive-by attacks. Most people
don't want to memorize complex passwords, and don't value their account
enough to spend the effort required to pick good passwords and change
them regularly. If you give them permission to write the password down,
they'll be more willing to pick a higher quality password.

Sure a pick pocket could steal their wallet, but that's already a threat
they're used to. Personally, I'm much more worried about identity theft
than I am about someone reading my email. Sure, someone at Starbucks
could snap a picture of the post-it note in their wallet while they pay
for a hot chocolate, but is that really a threat model that's worth
worrying about? For Joe Public? Or even J. Random Employee?

Very few people are or ever will be subject to an attack directed
against them specifically. If an employee has significant access to
sensitive health or financial data, there's a higher standard. Implement
multi-factor authentication, robust auditing, etc. But don't expect a
lecture about password safety to accomplish much.

Experience has shown that the majority of people do not want to think
much about security. Instead of pursuing a theoretic, mathematic ideal,
it's time to acknowledge human psychology.




Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-17 Thread Stuart Jansen
On Sat, 2011-04-16 at 20:48 -0600, Andrew McNabb wrote:
 I agree with you, but some (or most?) people who write down passwords
 end up leaving them stuck to their monitor.  As you mentioned, it
 becomes like a physical security token, so it's important to be careful
 with it.  Too many people aren't.

And some people leave their back door unlocked. That's not a reason to
replace keys with subdermal microchips or voice recognition.

Most people are lazy, not stupid. Explain to them that if they write
down their password, they should treat it like their credit card. Most
will realize that they should keep it in their wallet, not under their
keyboard. Heck, you could even tell them not to put it on the monitor or
under the keyboard.

Many people hide a house key in a fake rock, or in a crack in the porch.
You don't see a rash of burglaries as a result, do you? So why should I
be any more worried if my mother writes down her bank password and keeps
it in her sock drawer? If someone wants to target her specifically,
they're more likely to use a keylogger or a phishing attack than spend
time searching for a post-it note.




Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-17 Thread Henry Paul
On 04/16/2011 04:31 PM, Shane Hathaway wrote:
 On 04/16/2011 03:49 PM, Andy Bradford wrote:
 Thus said Shane Hathaway on Sat, 16 Apr 2011 12:41:31 MDT:

 I want to  include this idea in  the password meters I  create for web
 applications. I need a better password scoring algorithm. I don't want
 to *require*  any minimum  password complexity  (other than  a minimum
 password  length), but  I  do want  to  help the  user  choose a  good
 password.
 Inform them  of the  risks of  using a  bad password  and what  kinds of
 information will  be compromised due  to a  bad password, let  them make
 their own risk assessment. Offer a  button that says ``Generate a secure
 password for me,'' and  then call apg -a 1 -M  SLNC (or whatever options
 you think are good for your applications),  serve it up to them over SSL,
 and see if they take it. If this  isn't enough to convince them to use a
 stronger password, then they have been warned.
 Hmm, apg -a 1 -M SLNC produces:

 K`4i-]r
 *Xeo]4
 ,ru7V;RO}x
 CFp7xY[?
 K,$q42lCY
 C3@-*TD\k

 These are all insecure passwords because nearly everyone will write them
 down.  Maybe you're saying we should scare people into using better
 passwords, but I suggest people don't react well to being frightened.

 I want to achieve better security by leveraging more human strengths.
 In particular, I think we humans are very good at handling words, while
 we are not as good at handling individual characters.  We can't easily
 treat our linguistic memory as digital.

 Shane

We had a big discussion on password security and SSO back when I was in 
college. We came to the same conclusion that the best passwords were 
also the riskiest to use for the greater risk of physically compromising 
the password.

One of my classmates favored an easy to remember keyboard combination 
like 5tgbBGT%. Not the best as far as randomness or patterns, but easy 
to remember.

I came up with using the make or model of a familiar device, car, plane, 
chainsaw, whatever, and substituting a couple of the letters for symbols 
to increase the strength. 20GBIntelSSD - 20GB!nt3l$$D
Still fairly easy to remember and quite secure.

--Henry



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-17 Thread Henry Paul
On 04/17/2011 04:26 PM, Jessie Morris wrote:

snip
 So, you see a post it note in my wallet. You take a picture. Now what?
 What is my name, email, etc? What website is this password to? Many people
 do use the same password for multiple sites, but I have about 10 that I
 rotate between.

 So, even knowing my password, good luck getting anywhere with it.



I think as John Q. Thugg, I am more interested in the newly-acquired 
identity set than in the cryptic piece of paper. haha




Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-17 Thread Shane Hathaway
On 04/17/2011 04:47 PM, Stuart Jansen wrote:
 Experience has shown that the majority of people do not want to think
 much about security. Instead of pursuing a theoretic, mathematic ideal,
 it's time to acknowledge human psychology.

Yes, to acknowledge human psychology, passwords should be usable. 
Everyone agrees on that.  The disagreement is about the right way to 
make passwords usable.

The article [1] that started this thread advocated using word 
combinations instead of cryptic characters so that it's not necessary to 
write down passwords.  Bruce Schneier, OTOH, said in 2005 that people 
should write down passwords. [2]  A Microsoft representative said that 
even two-factor authentication is not secure because people tape their 
PIN to their token device anyway. [3]

Bruce's opinion carries a lot of weight in my mind, but I don't think he 
backed it up with any evidence, so now I'm left hanging.  I would like 
to find studies that try to objectively resolve this simple question: 
should people write down their password?

In any case, my research on this question did lead me to some other 
interesting ideas, such as the suggestion that every password entry box 
should include a show me my password checkbox.  I think that is correct.

Shane

[1] http://www.baekdal.com/tips/password-security-usability

[2] http://www.schneier.com/blog/archives/2005/06/write_down_your.html

[3] http://news.cnet.com/Microsoft-security-guru-Jot-down-your-passwords/2100-7355_3-5716590.html



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-16 Thread Joshua Lutes
My strategy for passwords has been to write a couplet and then use the first
letter of each word along with the syllable timing as a password.  Maybe I
should just skip the encoding and use the actual words.  I have been told
that my ten to fifteen character abbreviations are too long by some sites,
though, so that might throw a kink into using passphrases.

Joshua.



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-16 Thread Shane Hathaway
On 04/16/2011 08:40 AM, AJ ONeal wrote:
 This is near and dear to my heart so I had to evangelize:
 http://www.baekdal.com/tips/password-security-usability

I want to include this idea in the password meters I create for web 
applications.  I need a better password scoring algorithm.  I don't want 
to *require* any minimum password complexity (other than a minimum 
password length), but I do want to help the user choose a good password.

Would it be reasonable to score based on the number of unique characters 
in the password?

   - abc gets 3
   - aaa gets 1
   - this is fun gets 8
   - J4fS2 gets 6
   - abcdefgh gets 8

This was OK until I got to abcdefgh, which should have a very low 
score.  Maybe I could fix that by not increasing the score for obvious 
character sequences (either alphabetical or QWERTY-style).  Then 
a1b2c3d4 would still get too high a score, which I might fix by 
detecting interleaved sequences as well.

What about long words?  The word mathematically has 14 characters and 
would score 9 using the unique character count algorithm, but any 
dictionary word is quite insecure.  I can't just look for words in a 
dictionary, since names and foreign words are equally insecure, so it 
would be unreasonable to compile a list of all common words worldwide.

Maybe the algorithm should look for word separators like spaces and 
dashes, then score each word separately and multiply the scores of all 
the words.  Combining that with sequence detection:

   - abc gets 1
   - aaa gets 1
   - this is fun gets 4 * 2 * 3 = 24
   - J4fS2 gets 6
   - abcdefgh gets 1
   - a1b2c3d4 gets 2
   - mathematically gets 9
   - i loved what i had for breakfast gets 1*5*4*1*3*3*8 = 1440

This is looking better, but I still want J4fS2 to get a higher score 
than mathematically.  Maybe the algorithm should multiply the word 
score by the number of character classes it contains.  J4fS2 contains 
4 character classes (upper case, lower case, digit, and symbol), so it 
gets a score of 6 * 4 = 24.  OTOH, Mathematically would then get 18, 
so if a word contains only letters, I don't want to boost that word's score.

Does anyone have better suggestions?  Or better... a complete password 
scoring algorithm? :-)

Shane



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-16 Thread AJ ONeal
More importantly, why isn't SSO being used instead?

And in the rare case that authorization depends on discrete authentication,
what is the password being used for?



If it's a *bank password*, then J4fS2 is terribly insecure.

He has it written in his wallet.
(My bank requires a short (6 min, 8 max) password with randomness.
My muscle memory knows how to type it on a 100% full-sized qwerty keyboard
but I don't actually remember what it is, just how my fingers move.
For the times when I'm mobile or using an 80% size keyboard
I have to reach in to find it)

Actually, all bank passwords are meaningless because every bank I've ever
used asks the same 4 questions.
A quick google search reveals that on facebook he's listed his mother's
maiden name.
His google profile shows that he's from Newport.
He just tweeted a pic of spot, his dog.



If it's a *corporate password*, J4fS2 is terribly insecure.

She has it written on a sticky on her monitor.
It's also in the meeting room whiteboard.
(Just go to a user-group meeting hosted at a medium-sized business some
time)

Generally speaking, you can just call the secretary, say that you lost your
sticky with the IT guy's number.
Wait until the end of the month and then call the IT guy and tell him that
you got locked out trying to put in Thursday's password after you were
forced to reset it Friday and forgot it over the weekend.



If it's *e-mail*, the strength of the password is incredibly important, but
J4fS2 might work because it is typed every few days... just difficult to
type on a mobile device.

With the e-mail password you can get the plain-text password sent to you
from any blog or like account.
Then you can log into the bank account as well - even if you are too lazy
for a quick google search.
Furthermore, you can lock the user out so that she can't reset her bank
password.


The strongest password is one that you don't write down or give out.
Mathematically fits the bill in my book.

AJ ONeal


On Sat, Apr 16, 2011 at 12:41 PM, Shane Hathaway sh...@hathawaymix.org wrote:

 On 04/16/2011 08:40 AM, AJ ONeal wrote:

 This is near and dear to my heart so I had to evangelize:
 http://www.baekdal.com/tips/password-security-usability


 I want to include this idea in the password meters I create for web
 applications.  I need a better password scoring algorithm.  I don't want to
 *require* any minimum password complexity (other than a minimum password
 length), but I do want to help the user choose a good password.

 Would it be reasonable to score based on the number of unique characters in
 the password?

  - abc gets 3
  - aaa gets 1
  - this is fun gets 8
  - J4fS2 gets 6
  - abcdefgh gets 8

 This was OK until I got to abcdefgh, which should have a very low score.
  Maybe I could fix that by not increasing the score for obvious character
 sequences (either alphabetical or QWERTY-style).  Then a1b2c3d4 would
 still get too high a score, which I might fix by detecting interleaved
 sequences as well.

 What about long words?  The word mathematically has 14 characters and
 would score 9 using the unique character count algorithm, but any dictionary
 word is quite insecure.  I can't just look for words in a dictionary, since
 names and foreign words are equally insecure, so it would be unreasonable to
 compile a list of all common words worldwide.

 Maybe the algorithm should look for word separators like spaces and dashes,
 then score each word separately and multiply the scores of all the words.
  Combining that with sequence detection:

  - abc gets 1
  - aaa gets 1
  - this is fun gets 4 * 2 * 3 = 24
  - J4fS2 gets 6
  - abcdefgh gets 1
  - a1b2c3d4 gets 2
  - mathematically gets 9
  - i loved what i had for breakfast gets 1*5*4*1*3*3*8 = 1440

 This is looking better, but I still want J4fS2 to get a higher score
 than mathematically.  Maybe the algorithm should multiply the word score
 by the number of character classes it contains.  J4fS2 contains 4
 character classes (upper case, lower case, digit, and symbol), so it gets a
 score of 6 * 4 = 24.  OTOH, Mathematically would then get 18, so if a word
 contains only letters, I don't want to boost that word's score.

 Does anyone have better suggestions?  Or better... a complete password
 scoring algorithm? :-)

 Shane




Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-16 Thread Shane Hathaway
On 04/16/2011 02:21 PM, AJ ONeal wrote:
 More importantly, why isn't SSO being used instead?

Let's say you're developing a public web site and you want people to 
access it more securely than they would access a blog.  What kind of 
authentication would you use?  I doubt it would make sense to use 
Facebook, Twitter, Google, and so on as a SSO service since people 
frequently use poor passwords with those services.  OpenID has major 
usability problems.  Are there any other SSO options that public web 
sites can use?  (Shibboleth, Kerberos, client SSL certs, and others 
require client-side configuration, making them useless for public web 
sites.)

 And in the rare case that authorization depends on discrete
 authentication, what is the password being used for?

 If it's a *bank password*, then J4fS2 is terribly insecure.

 He has it written in his wallet.

Agreed, that's why all password fields should allow passphrases and 
password meters should rank this is fun at least as high as J4fS2.

 (My bank requires a short (6 min, 8 max) password with randomness.

Your bank is foolish to disallow more than 8 characters.

 If it's *e-mail*, the strength of the password is incredibly important,

Correct.  In today's environment, e-mail passwords are effectively SSO 
passwords.

 With the e-mail password you can get the plain-text password sent to you
 from any blog or like account.

I assume you're also talking about clueful web site operators who store 
only a salted password hash, never the plaintext password; clueful web 
sites still allow you to reset your password by sending a secret URL to 
your email address.

 The strongest password is one that you don't write down or give out.
 Mathematically fits the bill in my book.

I think mathematically should be allowed as a password, but not scored 
very high, since I believe it is much more guessable than a phrase even 
as simple as this is fun.

Shane



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-16 Thread Andy Bradford
Thus said Shane Hathaway on Sat, 16 Apr 2011 12:41:31 MDT:

 I want to  include this idea in  the password meters I  create for web
 applications. I need a better password scoring algorithm. I don't want
 to *require*  any minimum  password complexity  (other than  a minimum
 password  length), but  I  do want  to  help the  user  choose a  good
 password.

Inform them  of the  risks of  using a  bad password  and what  kinds of
information will  be compromised due  to a  bad password, let  them make
their own risk assessment. Offer a  button that says ``Generate a secure
password for me,'' and  then call apg -a 1 -M  SLNC (or whatever options
you think are good for your applications),  serve it up to them over SSL,
and see if they take it. If this  isn't enough to convince them to use a
stronger password, then they have been warned.

Andy




Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-16 Thread Shane Hathaway
On 04/16/2011 03:49 PM, Andy Bradford wrote:
 Thus said Shane Hathaway on Sat, 16 Apr 2011 12:41:31 MDT:

 I want to  include this idea in  the password meters I  create for web
 applications. I need a better password scoring algorithm. I don't want
 to *require*  any minimum  password complexity  (other than  a minimum
 password  length), but  I  do want  to  help the  user  choose a  good
 password.

 Inform them  of the  risks of  using a  bad password  and what  kinds of
 information will  be compromised due  to a  bad password, let  them make
 their own risk assessment. Offer a  button that says ``Generate a secure
 password for me,'' and  then call apg -a 1 -M  SLNC (or whatever options
 you think are good for your applications),  serve it up to them over SSL,
 and see if they take it. If this  isn't enough to convince them to use a
 stronger password, then they have been warned.

Hmm, apg -a 1 -M SLNC produces:

K`4i-]r
*Xeo]4
,ru7V;RO}x
CFp7xY[?
K,$q42lCY
C3@-*TD\k

These are all insecure passwords because nearly everyone will write them 
down.  Maybe you're saying we should scare people into using better 
passwords, but I suggest people don't react well to being frightened.

I want to achieve better security by leveraging more human strengths. 
In particular, I think we humans are very good at handling words, while 
we are not as good at handling individual characters.  We can't easily 
treat our linguistic memory as digital.

Shane



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-16 Thread Stuart Jansen
On Sat, 2011-04-16 at 16:31 -0600, Shane Hathaway wrote:
 K`4i-]r
 *Xeo]4
 ,ru7V;RO}x
 CFp7xY[?
 K,$q42lCY
 C3@-*TD\k
 
 These are all insecure passwords because nearly everyone will write them 
 down.  Maybe you're saying we should scare people into using better 
 passwords, but I suggest people don't react well to being frightened.

I'm tired of hearing that writing down passwords is insecure. Do you
consider your car key insecure? Your house key? Your credit card?
They're all physical objects that are easy to steal, yet you (hopefully)
realize immediately that because we keep them physically close they're
sufficiently secure. Write down a password and it becomes the equivalent
of a physical security token, just keep it safe.




Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-16 Thread Andy Bradford
Thus said Shane Hathaway on Sat, 16 Apr 2011 16:31:16 MDT:

 Maybe  you're saying  we  should   scare  people  into  using  better
 passwords, but I suggest people don't react well to being frightened.

Being informed of risks is not the same thing as frightening someone. I
was  suggesting that  you expose  them to the  *true* risk  of having 
their account compromised  due to insecure passwords. If  the risk they 
incur is merely that someone might obtain access to their private stash 
of  family  photos, then  they  will  know  how  secure to  keep  their 
password.   

And yes, if  the system contains high risk material,  then I would argue
that an  extremely difficult password written  down on a piece  of paper
and  stored in  a wallet  is very  secure, compared  to a  weak password
policy which  allows people  to use dictionary  based passwords.  It all
depends on  where the  system is  located, how it  is accessed.  I don't
think there is a universal password policy that applies everywhere.

 In particular,  I think  we humans  are very  good at  handling words,
 while we are  not as good at handling individual  characters. We can't
 easily treat our linguistic memory as digital.

You might  be right on  this point. In this  case, you should  require a
minimum of  32 characters,  that way people  will naturally  start using
passphrases instead of passwords (you  can help by saying ``pick a sentence
for your passphrase.'').

Andy


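A "Generate a secure password for me" button in the shape Andy describes in his first post, plus the 32-character passphrase minimum from this one, as an added example that is neither code from the thread nor from apg. generate_random_string draws characters with at least one symbol, lowercase letter, digit and capital, the classes apg -M SLNC asks for; generate_passphrase draws whole words instead. The 24-word list is constructed for the example (a real deployment would use a published list; Diceware-style lists have 7776 words), and entropy_bits shows why a four-word phrase from such a list (about 51.7 bits) is in the same league as an 8-character random string from the 94 printable ASCII characters (about 52.4 bits) while being far easier to remember. generate_passphrase_min_length is my reading of the 32-character suggestion: keep adding words until the phrase is long enough. All function names are mine.

```python
import math
import secrets
import string

# Constructed sample list. Strength comes from list size and random choice,
# not from the words themselves; a real deployment uses a large published list.
SAMPLE_WORDS = [
    "apple", "basket", "candle", "dragon", "engine", "forest", "guitar", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "timber", "umpire", "velvet", "walnut", "yellow",
]
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = (SYMBOLS, string.ascii_lowercase, string.digits, string.ascii_uppercase)
DICEWARE_LIST_SIZE = 7776      # 6**5: five dice rolls per word
PRINTABLE_ASCII = 94           # characters an apg-style generator can draw from


def generate_passphrase(words, count=4, separator=" "):
    """Pick `count` words uniformly at random with the CSPRNG behind `secrets`.
    Repeats are allowed on purpose: rejecting them would shrink the space."""
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_passphrase_min_length(words, min_length=32, separator=" "):
    """Add random words until the phrase is at least `min_length` characters,
    the shape of a 32-character minimum that nudges people toward phrases."""
    chosen = []
    while len(separator.join(chosen)) < min_length:
        chosen.append(secrets.choice(words))
    return separator.join(chosen)


def generate_random_string(length=8):
    """Random characters containing at least one of each class in CLASSES.
    Rejection sampling keeps every accepted string equally likely, unlike
    forcing one character per class into fixed positions."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(alphabet_size, picks):
    """Entropy of `picks` independent uniform choices from `alphabet_size`
    possibilities; for the rejection sampler above this is an upper bound."""
    return picks * math.log2(alphabet_size)


if __name__ == "__main__":
    print("Passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("32+ chars: ", generate_passphrase_min_length(SAMPLE_WORDS))
    print("apg-style: ", generate_random_string())
    print(f"4 words from {DICEWARE_LIST_SIZE}: {entropy_bits(DICEWARE_LIST_SIZE, 4):.1f} bits")
    print(f"8 chars from {PRINTABLE_ASCII}:   {entropy_bits(PRINTABLE_ASCII, 8):.1f} bits")
```

The offered password has to be generated server-side or with a CSPRNG in the browser and sent only over TLS, as Andy says; the point of the entropy comparison is that the phrase the user is more likely to keep in their head carries about the same number of bits as the string they are likely to write down.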


Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-16 Thread Andrew McNabb
On Sat, Apr 16, 2011 at 05:53:50PM -0600, Stuart Jansen wrote:
 
 I'm tired of hearing that writing down passwords is insecure. Do you
 consider your car key insecure? Your house key? Your credit card?
 They're all physical objects that are easy to steal, yet you (hopefully)
 realize immediately that because we keep them physically close they're
 sufficiently secure. Write down a password and it becomes the equivalent
 of a physical security token, just keep it safe.

I agree with you, but some (or most?) people who write down passwords
end up leaving them stuck to their monitor.  As you mentioned, it
becomes like a physical security token, so it's important to be careful
with it.  Too many people aren't.

--
Andrew McNabb
http://www.mcnabbs.org/andrew/
PGP Fingerprint: 8A17 B57C 6879 1863 DE55  8012 AB4D 6098 8826 6868



Re: [OT] Why the password this is fun is 10x more secure than J4fS2

2011-04-16 Thread John McCabe-Dansted
On Sun, Apr 17, 2011 at 10:48 AM, Andrew McNabb amcn...@mcnabbs.org wrote:
 I agree with you, but some (or most?) people who write down passwords
 end up leaving them stuck to their monitor.  As you mentioned, it
 becomes like a physical security token, so it's important to be careful
 with it.  Too many people aren't.

Arguably, if people can get to your monitor, they could probably also
do something like install a keylogger on your keyboard.

Of course, that would increase the complexity of the attack, but even
so there is a limit to how much one can trust a computer that isn't
physically secure.

-- 
John C. McCabe-Dansted
