Password Security Catch-All Thread [2015-06-16: Update your LastPass master password]

Pages

IMAGE(http://www.smbc-comics.com/comics/20110506.gif)

This is the thread for discussing password security, password management, articles like this one, etc.

Password managers:
* LastPass
* KeePass
* 1Password
* RoboForm

Two-factor Authentication:
* Yubiko (Yubikey)

Previous discussion: LastPass *possibly* Hacked

Mysteri0, in the previous thread wrote:

Legion, do you have any clue what the process is if you lose your Yubico? I'm curious what would happen since you're either going to have it on your keys or it's own keyring and you could always lose it.

You can get a replacement Yubikey programmed with the same identity if you contact Yubico and provide the necessary information to prove that you're the same person that bought the original one.

But a smarter way to go is to buy multiple Yubikeys and have a backup. While each Yubico identity is unique, services that use Yubico's authentication allow you to associate multiple Yubikeys with the same account, so that you can authenticate with any of the associated keys.

So, I figure the way to go is to buy two Yubikeys, associate both of them with all your accounts, and then stick one in a safe deposit box.

Done.

You should add RoboForm to the list of password managers. I believe it was one of the earliest password managers, as it was released in 1999. It's a mature product with excellent support, and I've been using it for 7 or 8 years now. I couldn't live without it!

/tagged Thanks *Legion*
Will post my questions later.

I haven't used a password manager before, but it might be something I do in the future. I generally pick mostly unique passwords, although, I will admit I reuse some with a few "unimportant" things.

I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.

As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."

That password is up for grabs if anyone wants it. Just let me know if you decide to use it.

For some time now, I've used KeePass for most of my password management needs. I also had Xmarks storing and syncing passwords, and LastPass buying them out and deprecating the Xmarks password feature prompted me to move to LastPass (I was happy to see Xmarks get bought because it meant the service survived, and I paid for a LastPass Premium account to put my financial support behind these projects that I like and use daily).

I've never been fully satisfied with KeePass for a few reasons. The official (Windows) version is not nearly as streamlined GUI-wise as it ought to be, which is annoying when I recommend it and set it up for someone only to have them be totally confused as to how to use it. And for Linux and Mac OS X support - the OSs I actually use myself - I have to turn to a third-party program, which is very slowly developed (last point release over a year ago) and only supports the old .kdb format instead of the new .kdbx one. (Supposedly a new 2.0 version of KeePassX is coming, but no releases yet in the 8 months since the announcement). Also, the KeePass options for mobile devices are... not great.

But I need to be able to store non-web passwords somewhere. Which now has me thinking if I want to use LastPass's "Saved Notes" feature for those.

YubiKey? Explain to me, as you would a child!

BadMojo wrote:

YubiKey? Explain to me, as you would a child!

Check back in a few days. My YubiKey is in the mail and I'll have a full write-up once I get it.

It appears to require the authenticating service to support their auth stubs or something? Not sure.

Password Safe was originally written by Bruce Schneier and has since become an open source project. The Java version is a bit clunky, but it's still the best password manager I've found. The others all have too much interface to deal with.

BadMojo wrote:

It appears to require the authenticating service to support their auth stubs or something? Not sure.

YubiKey works with services that support its authentication system (YubiCloud), or Symantec's VIP system.

But it also runs an OpenID server, which lets you create a two-factor authenticated OpenID identity, which will work on any service supporting OpenID.

And there is some other support in the mix that I haven't wrapped my head around yet.

tuffalobuffalo wrote:

I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.

As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."

That password is up for grabs if anyone wants it. Just let me know if you decide to use it. ;)

That's what I do as well. To make them site specific, I'll add something somewhere in there to remind me of the site name that I'll remember.

Why does no one make a non-system dependent Yubikey?

From what i understand of it, it's like one of those bank decoder key generation thingies.

So why can't you have your individual key "decoder" thing. If you know your password word, say stored on Lastpass, and then input it into the decoder and it shunts out a random string of 8-10 alphanumerics (plus special characters), you should be golden and not require the system in question to support the hardware. Your "password" would never be compromised from just storing it electronically or even on paper because no one but you would have the key and correct encryption algorithm...

tuffalobuffalo wrote:

I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.

As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."

Reminds me of one of mine (offline): bugs bunny ate 6 carrots for money before leaving, which translates to:

bb@6^4$b4leaving

then i added my standard 4 digit pin to the end of that.

Duoae wrote:

So why can't you have your individual key "decoder" thing. If you know your password word, say stored on Lastpass, and then input it into the decoder and it shunts out a random string of 8-10 alphanumerics (plus special characters), you should be golden and not require the system in question to support the hardware. Your "password" would never be compromised from just storing it electronically or even on paper because no one but you would have the key and correct encryption algorithm...

It's not supporting the hardware that's the issue, it's the middle-man service that does the authentication. What you're suggesting is giving every service you use a copy of your electronic identity, so that they can validate you directly.

That means when that service gets hacked, your electronic key's identity is compromised.

Having a service like Yubico or Symantec act as the "middle man", who performs the identity authentication and then passes along a token to the service saying, "yes, this person is who they say they are" means that your electronic identity exists in only two places on Earth: your key, and the middle man.

That significantly reduces the potential for compromise.

Under your system, if LastPass had indeed been hacked, both passwords and electronic identities could have been compromised, and YubiKey owners would not be one iota safer than anyone else.

But under the system that exists, even if LastPass were entirely hacked, YubiKey owners would remain safe as their electronic identity still only exists on their key and at Yubico. Hackers would not be able to replicate your identity from what they could extract from LastPass. To access your account, they'd still need that piece of information from Yubico that they could only get by having a copy of your electronic identity.

And, on the flip side, if Yubico is hacked and your electronic identity is compromised, that alone isn't enough to get into all your stuff either, as each service still requires the password you've created for accessing that specific service. That's the point of two-factor authentication - having only one factor compromised doesn't expose you.

The above is simply how I understand the issue. There could be inaccuracies in what I've said, and I welcome corrections.

I get your point. But it requires that the middle man service A) exists, B)is supported by every website you want to go on and C)doesn't go out of business or is working at the time you wish to use it.

What i was suggesting is a way of having a simple password generate a complex one. You remember the simple password, say, Dog for GWJ (ideally it'd be different for every site), and the scrambler puts out E12#pica*chu.

You could even have it so that you enter the URL/website name with the password and so there's two factors to encrypt/scramble there.

Let's face it. It doesn't matter if a particular site in question is hacked anyway as they'll still have the password to that particular site. What i'm talking about is being able to remember easy passwords - have them stored easily on something like Lastpass and without them actually being compromised if that service is hacked.

You could even use the same password for every site but when combined with the site name it spews out a unique password for that site.

Duoae wrote:

Let's face it. It doesn't matter if a particular site in question is hacked anyway as they'll still have the password to that particular site. What i'm talking about is being able to remember easy passwords - have them stored easily on something like Lastpass and without them actually being compromised if that service is hacked.

EDIT: OK, I think I'm understanding you now...

Your idea is that LastPass stores the "easy" passwords, which only become the "harder" (aka the "real" passwords) when put through the little converter.

The point is that you can store your passwords on Lastpass without them becoming compromised if lastpass is hacked because lastpass isn't actually storing the passwords you use.

As i said above, if a particular site is hacked it doesn't matter if you've got two-factor authentication because they've already got access to the system. They don't need to log in as you - they already have your information.

[edit]
To make it clearer:

You store "Dog" on Lastpass (note i've not used it so i'm not sure if services like lastpass are just lockers for password storage or if they feed into individual sites so you can log-in via the service. I'm assuming it's just a locker).

In order to log-in, you input "Dog" in your encrypter/scrambler with GWJ (the site name) and it comes out with a string which is based on and unique to the scrambler code in your unit.

You read the scrambled code off the display and input it into the password field of the website you want to log in at.

Duoae wrote:

The point is that you can store your passwords on Lastpass without them becoming compromised if lastpass is hacked because lastpass isn't actually storing the passwords you use.

I think there are a few issues with this, from least important to most:

1) Usability. How does the password get from LastPass to my password converter device to having the "real" password output? Now we're in the realm of the little fob requiring device drivers for more complex back-and-forth communication. (The beauty of the YubiKey is that, as far as the computer is concerned, it's just a USB keyboard, and requires no drivers beyond the standard USB keyboard support every modern OS has).

(EDIT: Your clarification deals with #1, as you state the process to be manual. Disregard. Though what you describe is something that isn't particularly usability-friendly.)

2) Password limitations. Many sites place limitations on what kind of password you can have (length, allowed characters, etc). How am I going to get my password converter device to conform to each of these varying limits as I go from site to site?

(EDIT: Again, if it's sort of a handheld computing device that you manually interact with, as opposed to a single touch-button sort of thing like YubiKey, I suppose this could exist in the interface).

3) Device breaks/lost = you're completely screwed. Since the "real" passwords don't actually exist anywhere, your passwords are only accessible so long as you maintain control of the device that has the specific algorithm that your passwords were originally encoded with. If you ever lose control of that, you're done for. It's not like the YubiKey where you're locking the front door and you can have more than one key that unlocks the door. You're generating passwords based on a specific encoded algorithm and if you ever lose control of that algorithm, all of your passwords become completely unrecoverable.

As i said above, if a particular site is hacked it doesn't matter if you've got two-factor authentication because they've already got access to the system. They don't need to log in as you - they already have your information.

Not necessarily true. If the LastPass hack that is thought to have possibly occurred actually did, for example, it would not be true in that case. Your statement is only true if the attackers succeed at extracting ALL data from the service. Often, that is a tall order - gigabytes and gigabytes of database tables without getting noticed? Maybe if they're hacking Sony. But often, what happens is that credentials are stolen, not the entire site of data. And in those cases, two-factor authentication absolutely still holds.

I think I've finally caught up with your line of thinking. I kept trying to think of a modification of the YubiKey style of authentication, and you were talking about coming from an entirely different direction instead.

Here's what I think, though: you're talking about sacrificing a ton of usability in order to solve a problem that doesn't need solving.

I get the idea: if your LastPass is completely compromised, you don't want the attackers having all your passwords. So why not have LastPass store something other than your actual passwords, but that you (and only you) can convert into the actual passwords?

Here's why I think that isn't a very meaningful thing to do: if you have strong master password, attackers aren't getting inside your vault even if they were able to download it and attack it offline.

Your LastPass vault is encrypted. The attackers have to crack your password in order to decrypt your vault. Your password is hashed with a strong hashing algorithm. Assuming you chose a strong password, the attackers aren't likely to crack it in this lifetime. I won't say "never", because you never say never, but even if you're the first person the attackers try to crack the password of, assuming your password is safe from dictionary attack, you'll still have plenty of time to change all of your passwords well before they ever are able to crack your password hash and decrypt your vault.

So I think what you're proposing is a pain in the rear (having to manually type in converted passwords every time you log in somewhere), is fraught with danger (losing your tool for converting passwords = passwords no longer accessible through any means), and solves an issue that doesn't need solving (keeping yourself safe in the very remote event of successful password vault decryption).

But correct me if I'm still misunderstanding any part of your idea.

Just keep in mind that spear-phishing can beat any system. RSA (similar to yubikey) is being phased out in the DoD right now because of their recent hacking of.

tuffalobuffalo wrote:

I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.

As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."

I read a research paper recently that showed that password security was directly linked to the number of characters in the password, not in the use of punctuation or anything like that. One of the problems seems to be that people think "password" implies a single word, while it could be a sentence. For example, "i like frogs" is tremendously more secure than "Ap9$%@" even though it's just a sequence of actual words.

complexmath wrote:
tuffalobuffalo wrote:

I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.

As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."

I read a research paper recently that showed that password security was directly linked to the number of characters in the password, not in the use of punctuation or anything like that. One of the problems seems to be that people think "password" implies a single word, while it could be a sentence. For example, "i like frogs" is tremendously more secure than "Ap9$%@" even though it's just a sequence of actual words.

That's definitely true. *Legion* brings up some good points against those types of passwords, though. I'm not sure where I stand on that issue.

Eezy_Bordone wrote:

Just keep in mind that spear-phishing can beat any system. RSA (similar to yubikey) is being phased out in the DoD right now because of their recent hacking of.

I expect the DoD will find or cook up something better.

For the rest of us, though, consumer-level stuff like YubiKey offers better protection than going without.

Because what happens to my LastPass account if my YubiKey ID is compromised? Answer: I'm in the exact same position as if I didn't use YubiKey at all: my account is protected only by my password. Multi-factor still trumps one factor - after all, the point is acknowledging that each factor is not bulletproof and can be compromised, and the protection is the fact that it takes more than one factor being compromised to get to your account.

*Legion* wrote:
Eezy_Bordone wrote:

Just keep in mind that spear-phishing can beat any system. RSA (similar to yubikey) is being phased out in the DoD right now because of their recent hacking of.

I expect the DoD will find or cook up something better.

Most DoD sites are PKI but those legacy systems that have been two-factor have now been told to move on or get turned off. Just pointing out that your trusted 3rd party can have their keys stolen too.

I don't mean to sound anti-everything. Rather as with anything on a computer now-a-days it is a judgement on the part of the operator to weigh the risk vs the convenience.
Can I make a simple algorithm that makes it harder to guess my password? Sure thing:
F*3hfow59fgwjf83hfow59 - Gamers With Jobs
F*3hfow59fsdf83hfow59 - slashdot

etc etc. But I still run the risk of if my password is found out on one site then someone can attempt to figure out my algorithm. Do I use a password similar to this for sites that I want to access from work? Sho'nuff but in reality the best thing to do is make a super hard random one for each site.
Then you've got to make notes of what you put in for secret answers because you don't want to put the real answers that just makes it easier for the criminal to get a new password sent to them.

tuffalobuffalo wrote:
complexmath wrote:
tuffalobuffalo wrote:

I've found the easiest way for me to pick secure passwords that I can remember is the whole acronym thing.

As in, turn "Forest Gump ran 10 miles and is crazy at times." into "FGr10maica*."

I read a research paper recently that showed that password security was directly linked to the number of characters in the password, not in the use of punctuation or anything like that. One of the problems seems to be that people think "password" implies a single word, while it could be a sentence. For example, "i like frogs" is tremendously more secure than "Ap9$%@" even though it's just a sequence of actual words.

That's definitely true. *Legion* brings up some good points against those types of passwords, though. I'm not sure where I stand on that issue.

I didn't know about sites truncating to 8 characters, though it makes sense. Assuming security vs. an undirected attack (ie. an automated program rather than an attack using specific knowledge of the victim), as long as the password isn't in a hacker's dictionary I don't think it matters what the contents are for a given length. Only a brute force attack will work at that point, so every character provides equivalent complexity. I think the suggestion to not use normal words is simply a guideline to help people avoid using something from that dictionary (and by "hacker's dictionary" I mean a list of popular passwords, l33t permutations of dictionary words, etc). So it's still a good rule to follow for the sake of simplicity, but not strictly necessary.

I read a research paper recently that showed that password security was directly linked to the number of characters in the password, not in the use of punctuation or anything like that.

Hmm, I don't figure it that way. Let's walk through the numbers. It's possible I'm missing something here, so jump in and correct me if I get something wrong.

For brute-force attempts, expanding the allowed possible characters does make a password harder to crack. It means that in the case of brute-force attempts, many more attempts will have to be made to cover all the possible punctuation symbols and so forth; if you get up into the actual non-typable symbols (which you can reach, on Windows, with alt+four digit code on the numeric keypad), then it expands the key search space a VERY great deal.

It's basically just math. With a short password, even purely alphanumeric, each additional digit you add multiplies the search space by 62 times (the 52 characters plus the numbers).

Adding punctuation increases search space for all the punctuation symbols for each character in your password. I'm not sure how many symbols there are, but just a quick visual count on my keyboard shows 32 symbols that are mapped onto the keyboard.

So if I have a one character password, adding a second alphanumeric digit increases the search space by 62 times, but a single-digit-plus-punctuation is 32 times harder to search. At two digits, punctuation increases it by 64 times; at 3, 96, and so on. The more digits in the password, the more rapidly the multiplier increases. You add 62 per character no matter how many characters you have in your password, but you add (roughly) 32 times per existing character if you go to punctuation.

So anywhere at 3+ characters, going to punctuation appears to be a bigger win than adding simple letters, and it very rapidly becomes MUCH MUCH larger. Going from 10 to 11 alpha is just straight 62 times harder, but going 10 alpha to 10 punctuation is 320 times harder.

But you couldn't assume "i like frogs" didn't use special characters or anything else, because it does, the space. So to a brute force it wouldn't matter, or a dictionary attack. Right?

I don't know if my workplace (a library, not exactly a high security facility) can be used as a valid example, but the IT department forcing us to use insanely complex passwords and to change them frequently just results in a LOT of passwords just sitting there in your email or written on post-it notes. So we'd probably be better off if they just let us use something like "i like frogs".

I used to think it was hilarious how in video games and movies so many passwords were just conveniently written down on a notepad or sitting in a chat window, until I started working for the state of Louisiana.

unntrlaffinity wrote:

But you couldn't assume "i like frogs" didn't use special characters or anything else, because it does, the space. So to a brute force it wouldn't matter, or a dictionary attack. Right?

You're counting on crackers not running dictionary attacks that cycle through word sequences.

That's the thing about shortcuts - it just begs for crackers to write attacks that follow the same semantics.

No doubt crackers have scripts ready to cycle through "(dictionary word) (dictionary word) (dictionary word)" instead of cycling character-by-character.

Eezy_Bordone wrote:

Can I make a simple algorithm that makes it harder to guess my password? Sure thing:
F*3hfow59fgwjf83hfow59 - Gamers With Jobs
F*3hfow59fsdf83hfow59 - slashdot

etc etc. But I still run the risk of if my password is found out on one site then someone can attempt to figure out my algorithm. Do I use a password similar to this for sites that I want to access from work? Sho'nuff but in reality the best thing to do is make a super hard random one for each site.

Then you've got to make notes of what you put in for secret answers because you don't want to put the real answers that just makes it easier for the criminal to get a new password sent to them.

And thanks to password managers, that's all a solved problem. Creating and managing random passwords for everything is trivial. Saving notes for things like security questions is right there too.

And the thing is, things like LastPass makes it more convenient to manage random strong passwords than remembering even bad passwords yourself is.

I agree, I've been using KeePass since the Gawker incident (though I didn't have an account there).

And because I work primarily with Windows, 10 Myths about Windows passwords. Some of it is out of date as you can definately set GPO's to mandate passwords longer than 14 characters.

Pages