AlternateAccount posted:Can you explain this better? Don't blindly trust entropy calculators. They will sometimes give you "bonus entropy" for things that are actually non-random, common patterns. They need specific functions to detect a keyboard-walk pattern, because keyboards are not an inherent feature of mathematics. And the reason they need to write code to detect non-random patterns is because lots of people do them. If you're using a non-random pattern that they don't yet have code for, you will get a better score than you deserve. For example, your second phrase gets a much higher score than the first one because it includes characters that aren't letters. But spaces between words aren't random, and for anyone cracking hashes trying with both spaces and no-spaces only doubles the search space. That's a no-brainer. I'd call that a flaw in the calculator, to add that much entropy for words with spaces between them. Let's look at the formula that gets used to calculate "bits of entropy". It is: code:
Looking for both spaces and no-spaces only doubles the number of possibilities: log2(1000*2000*2000*7000*2). That's 45 bits -- each bit equals twice as long to search. So now we look at the third example. Which is much better, but does it really have 103 bits of entropy? You have '+'s between the words. How many symbols are likely choices to be used between words in a passphrase? Well '_', '-', '+', and '.' are gonna be by far the most common. But you're using the same symbol each time. So that really only adds 4 new possibilities, plus the 2 of space & no-space.
log2(1000*2000*2000*7000) = 44
log2(1000*2000*2000*7000*6) = 47
Then we need to add the "87#". This is the tricky one, and it does add a lot of entropy. How many extra characters is someone going to use? What patterns are most likely? At the start or at the end? Just looking for 3 extra numbers or symbols, at either the front or back will be:
log2(1000*2000*2000*7000*6*42^3*2) = 64.4 bits, too much for any hacker (but not for the NSA).
But tacking on the "extra randomness" at the end is by far the most popular choice. And one thing that people love is their birth year, so 2-digit numbers is a common test. So let's try 2 digits, plus any numeral or symbol, at the end...
log2(1000*2000*2000*7000*6*100*42) = 59 bits, which is just verging into the possible. Someone with quad 1080s could find that if it was a bad website that used MD5 hashes and they ran it for a month.
So you see how different assumptions come up with different results for entropy. I am totally cheating because I know I'm looking for a 4 word passphrase -- but if the whole world was using passphrases those could be good assumptions to make. Klyith fucked around with this message at 21:25 on Feb 14, 2018
Feb 14, 2018 21:02

Apr 25, 2024 04:50

Trabisnikof posted:How many password attempts can an attacker achieve per hour? No, I don't think that's right. Cracking should+lonely+folks+leaf87# brute force is something like 60^27 possibilities = 1.02e48. But yeah, yeah, brute force. Cracking it by utilizing 1000 most common words(which doesn't contain all four of those) with symbols and numbers gives you ~1050^10 = 1.63e30. Even if we grant that you figure out that only a single symbol is used between letters, that's still ~1050^8 = 1.48e24. Even at ten billion hashes per second, it's going to take 5 million years. Well, wait. If you somehow gather that the pattern is word/symbol/word/symbol, it becomes easier. Throwing a symbol between a couple of the words, rather than all 4 is safer, I guess. Klyith posted:Real good entropy stuff, thanks for this post. Yeah, it's so difficult to come up with an actual metric that can be universally applied. The logic behind cracking is so much higher level than it used to be. And ideally, a proper difficult to crack password would be used on 1Password, with truly obscene generated passwords like VV$m6LKh72xaC;xFG)oYcZaapa unique for each website. I guess it all also points toward passwords being more and more on the losing end of the arms race and need to die.
Feb 14, 2018 21:27

Thermopyle posted:Is this right? an actual dog posted:This isn't wrong, but even if it's encrypted correctly I wouldn't be happy if someone hacked my dropbox and downloaded my vault files. Like I can think of several ways that could go wrong. I always thought one of the keys to security is "defense in depth". You keep each and every layer of security as secure as possible, and you avoid the whole "single point of failure" issue.
Feb 14, 2018 21:55

Kerning Chameleon posted:Cheetah Outrunning Security Theory. And now let's use this to talk about the follow up. I'd call it the "I don't have to be faster than the bear, I only have to be faster than the average guy" theory of password security. And it's wrong, even if you're not being specifically targeted. You still can't reuse passwords. Password reuse is feeding yourself to the bear. It doesn't matter how many bits of entropy your password has if some website stores it in plaintext or something. Now your legs are broken, and the bear eats everyone that reused passwords. The passphrase should+lonely+folks+leaf87# is a great password, and right now is pretty secure against anyone that isn't cheating like I was to artificially narrow the possible combinations. But can you also need to memorize code:
GPU hashrate doubles every 2-4 years. The bear gets faster. I might have been cheating, but all of those ideas to reduce the possible combinations to brute force your password are real ideas. People really do have consistent patterns in how they make "random" passwords. As hashing power advances, it costs less and less time to try out more rulesets. I don't expect the 4word+3symbols passphrase to be broken today, because even the right ruleset guess would take weeks to hit. But it gets cheaper all the time. You still have to change passwords when someone gets their hash database stolen. The bear never forgets. Once those hashes get out in the world, the bad guys will have them forever. If you don't change your password based on the assumption that "my password is too strong to crack" then you will eventually be proven wrong by future bears. So yes, AlternateAccount posted:ideally, a proper difficult to crack password would be used on 1Password
Feb 14, 2018 21:56

I'll add to it that once the cryptocurrency stupidity finally bottoms out, we're gonna have a looooot of extraneous GPU holders sitting around, being a waste of investment. Most of them will probably try to flip their cards on craigslist, but who's to say some of the more industrious ones won't try to set up or engage in a "crowdsourced password cracking" effort? Those types are used to dealing with shady sellers already, maybe they figure they could make some cash back by "helping out" crack some of the tougher hashes in the lists that have and will come out?
Feb 14, 2018 22:58

moved. wrong thread
post hole digger fucked around with this message at 19:06 on Feb 15, 2018
Feb 15, 2018 00:46

Klyith posted:So yes, Yeah, I don't think personal password security is accomplishable without some kind of vaulting, which of course imports its own headaches of either trusting someone else with all your secrets or managing all of it yourself correctly. Thanks for your posts though, the bear analogy is a good one that I will steal. Meanwhile our AD passwords are 8 characters with only modest character set requirements, so uhhh...
Feb 15, 2018 17:25

Klyith posted:Talk about bears. So your point very much still stands: Don't reuse passwords.
Feb 15, 2018 18:05

Heads up, there's a problematic OpenType ligature that triggers a heap buffer overrun in CoreText's OpenType layout engine, crashing... well, pretty much any macOS or iOS application that shows text. I found a workaround for macOS but it's a little involved:
Feb 15, 2018 18:24

For iPhones, the iOS 11.3 beta reportedly fixes the issue
Feb 15, 2018 19:48

hackbunny posted:Heads up, there's a problematic OpenType ligature that triggers a heap buffer overrun in CoreText's OpenType layout engine, crashing... well, pretty much any macOS or iOS application that shows text. I found a workaround for macOS but it's a little involved: Thanks for this. I tried to handle the character of power, and burned myself.
Feb 15, 2018 23:11

If y'all are at BSides Vancouver, here are details on what I am talking about: https://www.bsidesvancouver.com/cariad-keigher/ The talk title listed is wrong (I've pinged them about it) but everything else is correct. Lain Iwakura fucked around with this message at 06:54 on Feb 16, 2018
Feb 16, 2018 03:20

I’ll keep an eye out for the recording, good luck with the talk
Feb 16, 2018 09:17

Proteus Jones posted:Lastpass is a garbage fire, but what's wrong with 1Password? Or Keepass? I don’t understand the issue people have with LastPass, sure they were hacked but my understanding is that they encrypt using your “master key”. So all you’d have to do to remain secure is not share your private key. Certainly it would be good to keep your vault secret too but it’s as safe as your keepass database would be if say your Dropbox was hacked...
Feb 16, 2018 17:18

ElCondemn posted:I don’t understand the issue people have with LastPass, sure they were hacked but my understanding is that they encrypt using your “master key”. So all you’d have to do to remain secure is not share your private key. Certainly it would be good to keep your vault secret too but it’s as safe as your keepass database would be if say your Dropbox was hacked...
Feb 16, 2018 17:24

You can also sync keepass db over scp. Also, the problem with lastpass isn't that they got caught with bugs, it's that they got caught doing really loving stupid poo poo, repeatedly. All software has bugs, but some exploits manifest from bugs, others out of incompetence. The kind of poo poo lastpass keeps producing is the latter ones. Maybe they've fixed their poo poo recently, but we'll only know it when there's no more extremely dumb poo poo going on in their thing for the next 3 years.
Feb 16, 2018 17:24

ElCondemn posted:I don’t understand the issue people have with LastPass, sure they were hacked but my understanding is that they encrypt using your “master key”. So all you’d have to do to remain secure is not share your private key. Certainly it would be good to keep your vault secret too but it’s as safe as your keepass database would be if say your Dropbox was hacked... Wiggly Wayne DDS posted:Here's a rundown of an audit publicised last month: https://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/ https://blog.lastpass.com/2015/06/lastpass-security-notice.html/ quote:Was my master password exposed? quote:Were passwords or other data stored in my vault exposed? in response to that rough audit they had the following to say: Wiggly Wayne DDS posted:Especially given their response to the issues presented.
Feb 16, 2018 17:32

ElCondemn posted:I don’t understand the issue people have with LastPass, sure they were hacked but my understanding is that they encrypt using your “master key”. So all you’d have to do to remain secure is not share your private key. Certainly it would be good to keep your vault secret too but it’s as safe as your keepass database would be if say your Dropbox was hacked... It's not just that they were breached and that serious exploits were found in their software, it's that they responded to it in an extremely poor manner. These days it's more of a "when" than an "if" for companies being breached and/or their software being exploited. This means that they need to plan for these scenarios and know how to respond. The folks behind LastPass clearly did not plan for such a situation either through lack of understanding or not giving a gently caress. Either way, their lacklustre response to the incidents and their attempts to downplay them have shown that they don't give two fucks about security. Also what Truga said. Edit: and Wiggly Wayne.
Feb 16, 2018 17:32

Wasn't the latest problem with LastPass something really stupid like having an API call that just let you dump all the login credentials and it was trivial to exploit or am I thinking of something else?
Feb 16, 2018 17:46

Stanley Pain posted:Wasn't the latest problem with LastPass something really stupid like having an API call that just let you dump all the login credentials and it was trivial to exploit or am I thinking of something else?
Feb 16, 2018 17:55

Wiggly Wayne DDS posted:here's an audit publicised nov 15: So reading through your links the only really concerning bit is the custom_js stuff. I think most browser integrated password managers would have similar client side exploits. If your goal is perfect security then using anything that isn’t self hosted and air gapped is going to fall short of that. I think the trade off is probably worth it, at least for average users. Enabling MFA in addition to using a password manager will mitigate most security concerns.
Feb 16, 2018 18:04

Sounds like you've already committed to LastPass and nothing anyone could say would change your mind.
Feb 16, 2018 18:12

ElCondemn posted:So reading through your links the only really concerning bit is the custom_js stuff. I think most browser integrated password managers would have similar client side exploits. If your goal is perfect security then using anything that isn’t self hosted and air gapped is going to fall short of that. I think the trade off is probably worth it, at least for average users. Again, the problem isn't just that they were exploited but that they didn't handle the exploits well. With some of these exploits it's just embarrassing that a security company had them. Also, you're kind of artificially constraining the space here...you don't have to use a "browser integrated" password manager. You could use KeePass. It's like if you have a house alarm company and it turns out there's a way to surreptitiously disable the alarm and the alarm company sues you for pointing it out and throws a big fit and also the way you disable the alarm is by pressing '1111' on the keypad within 3 seconds. And then people go "yeah, you should keep using them because you can't make a perfect alarm system". Thermopyle fucked around with this message at 18:28 on Feb 16, 2018
Feb 16, 2018 18:26

ElCondemn works for Amazon and is a shill
Feb 16, 2018 18:31

Jabor posted:Sounds like you've already committed to LastPass and nothing anyone could say would change your mind. it's like the Discord of password managers
Feb 16, 2018 18:37

Jabor posted:Sounds like you've already committed to LastPass and nothing anyone could say would change your mind. This is the problem I have with a lot of people in infosec and in tech in general. Far too many people like this poster cannot see the forest from the trees even when they're presented with all of the facts. They're the reason why my job is exceedingly difficult in getting people to adopt new methodologies. They're like magpies: attracted to shiny things because of how they shimmer, not understanding that they're probably useless and potentially dangerous.
Feb 16, 2018 18:46

yeah there's a high burnout rate in security of people who actually care and want to get things fixed running against people who just want a paycheck and will patch around the issue to make sure that paycheck keeps coming
Feb 16, 2018 18:50

Wiggly Wayne DDS posted:yeah there's a high burnout rate in security of people who actually care and want to get things fixed sup
Feb 16, 2018 18:56

Wiggly Wayne DDS posted:yeah there's a high burnout rate in security of people who actually care and want to get things fixed running against people who just want a paycheck and will patch around the issue to make sure that paycheck keeps coming There's also the crowd that does it to look really freaking cool not realising that they're tools and aren't doing anything interesting.
Feb 16, 2018 18:57

Wiggly Wayne DDS posted:yeah there's a high burnout rate in security of people who actually care and want to get things fixed running against people who just want a paycheck and will patch around the issue to make sure that paycheck keeps coming Don't leave out the Nessus scan results middlemen.
Feb 16, 2018 19:02

Lain Iwakura posted:There's also the crowd that does it to look really freaking cool not realising that they're tools and aren't doing anything interesting.
Feb 16, 2018 19:06

Lain Iwakura posted:There's also the crowd that does it to look really freaking cool not realising that they're tools and aren't doing anything interesting. I want to get into the industry because I find it fascinating, but I secretly fear ending up being that guy. Wiggly Wayne DDS posted:yeah there's a high burnout rate in security of people who actually care and want to get things fixed running against people who just want a paycheck and will patch around the issue to make sure that paycheck keeps coming Also this, but the same thing can be said for the other career path I'm looking at getting into.
Feb 16, 2018 19:08

Thermopyle posted:Again, the problem isn't just that they were exploited but that they didn't handle the exploits well. I used to only use keepass; when I got off Dropbox and started self-hosting my file sync, that became a non-starter. Also the fact that my family isn't as tech savvy has made browser integrated password managers the only option for me. Believe me if every website supported OIDC I'd use that in a heartbeat but the options are limited. I haven't seen anything that makes me want to immediately drop Lastpass since there hasn't been a remote or server-side exploit that doesn't require a compromised client. But sure I'm just a shill who works for Amazon (what?) that wants everyone to be insecure... for reasons...
Feb 16, 2018 19:34

ElCondemn posted:I used to only use keepass, when I got off Dropbox and started self-hosting my file sync that became a non-starter. Also the fact that my family isn't as tech savvy has made browser integrated password managers the only option for me. Believe me if every website supported OIDC I'd use that in a heartbeat but the options are limited. I haven't seen anything that makes me want to immediately drop Lastpass since there hasn't been a remote or server-side exploit that doesn't require a compromised client. But sure I'm just a shill who works for Amazon (what?) that wants everyone to be insecure... for reasons... also my post wasn't directed at you at all, there's more than one conversation happening.
Feb 16, 2018 19:37

Wiggly Wayne DDS posted:ah so you just weren't reading anything, gotcha I did read what was posted in the post I quoted, as I said the custom_js stuff is concerning. The remote code execution is also concerning but it seems they dealt with the issue pretty quickly. Again browsers are inherently insecure, anyone could exploit any number of browser extensions to do the same thing. It's unfortunate that a security company had an exploit like that but it happens and the best any company can do is push fixes when those kinds of exploits are found. If I had to drop every company that had exploitable software/systems I'd have very few options.
Feb 16, 2018 19:45

what part of that required a compromised client...?
Feb 16, 2018 19:49

What would it take for you to stop using lastpass? An RCE they balk at patching?
Feb 16, 2018 19:49

Trabisnikof posted:What would it take for you to stop using lastpass? An RCE they balk at patching? Yeah, that seems like a reasonable limit to me. Y'all keep more up to date with the industry than I do so I'm definitely open to suggestions for alternatives, I just have specific usability requirements that normal rational people have. 1password was my other option but at the time only Lastpass had Brave integration (not sure if that's changed), also I'm not sure that requiring a separate client install for desktop is great for my family but I can help them get past that step if necessary. ElCondemn fucked around with this message at 19:57 on Feb 16, 2018
Feb 16, 2018 19:55

of course you use brave of course
Feb 16, 2018 19:58

Lain Iwakura posted:There's also the crowd that does it to look really freaking cool not realising that they're tools and aren't doing anything interesting. That's me, feed me more impressive sounding Unix commands
Feb 16, 2018 19:58