
Tips for memorising a strong password


Comments

  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Blowfish wrote: »
    It's not really realistically possible though in all cases. I've 100+ passwords for different things, there's no way I could memorise unique strong passwords for all of them.

    A combination of both is best, have a few 'core' services that you memorise strong passwords for and let a password manager handle the less important stuff.

    Sounds very sensible! I have been experimenting with memory techniques, it's great fun but hundreds of passwords is pushing it!

    Very fond of your namesake cipher Blowfish. :)


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    My worry would be using these kinds of apps, is that once someone has the one password, all of them are available to an adversary.

    That's why I set up two factor authentication on Dashlane!!!


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Keyzer wrote: »
    That's why I set up two factor authentication on Dashlane!!!

    Two factor authentication to access data they already own? Don't we have to take their word for it that the data is encrypted and they don't have access to it?

    Do they have a warrant canary? If so how do we know they can't be subpoenaed to gather user data? There is a precedent after all!

    Nothing against storing passwords in the cloud in principle but perhaps open source software like KeePass might be a better idea? You can encrypt with keyfile which can be stored offline and I believe there's also a plugin for OTP authentication.

    Update : It also seems Two Factor Authentication is done by Google Authenticator which is closed source - cringe. Do you know if it's possible to use an Open Source authenticator like FreeOTP Authenticator ?
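
Worked example of the key-file remark above, added here and not taken from the thread or from KeePass's own code: how an offline key file folds into a KeePass 2.x composite master key. It follows the key-file rules KeePass documents (an XML v1.00 key file supplies a base64 `<Key><Data>` element, a file of exactly 32 bytes is used as-is, 64 hex characters are decoded, anything else is SHA-256 hashed) and the composite step, SHA-256 over the concatenated SHA-256(password) and key-file component. The slow key transformation KeePass applies afterwards (AES-KDF or Argon2) and the newer hex XML key-file format are left out; the password, key-file bytes and XML below are constructed for the demo.

```python
"""How an offline key file folds into a KeePass 2.x composite master key (added example)."""
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from typing import Optional


def key_file_to_key(data: bytes) -> bytes:
    """Map key-file contents to the 32-byte key component using the rules KeePass
    documents for key files: XML (v1.00) -> base64 <Key><Data>; exactly 32 bytes ->
    used verbatim; 64 hex characters -> decoded; anything else -> SHA-256 of the file."""
    stripped = data.strip()
    if stripped.startswith(b"<?xml") or stripped.startswith(b"<KeyFile"):
        node = ET.fromstring(stripped).find("./Key/Data")
        if node is not None and node.text:
            return base64.b64decode("".join(node.text.split()))
    if len(data) == 32:
        return data
    if re.fullmatch(rb"[0-9A-Fa-f]{64}", stripped):
        return bytes.fromhex(stripped.decode("ascii"))
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """Composite key = SHA-256(SHA-256(password) || key_file_component). Either part
    may be absent, but at least one is required. The AES-KDF / Argon2 transformation
    KeePass runs on the result is deliberately omitted in this demo."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        parts += key_file_to_key(key_file)
    if not parts:
        raise ValueError("at least one key source (password or key file) is required")
    return hashlib.sha256(parts).digest()


def can_unlock(expected_key: bytes, password: Optional[str], key_file: Optional[bytes]) -> bool:
    """Stand-in for opening the database: does the supplied material reproduce the key?"""
    return hmac.compare_digest(expected_key, composite_key(password, key_file))


# Constructed demo material (not real credentials, not a real database).
DEMO_PASSWORD = "correct horse battery staple"
DEMO_KEYFILE_RAW = bytes(range(32))  # a 32-byte key file, used verbatim
DEMO_KEYFILE_XML = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b"<KeyFile><Meta><Version>1.00</Version></Meta><Key><Data>"
    + base64.b64encode(DEMO_KEYFILE_RAW)
    + b"</Data></Key></KeyFile>"
)


if __name__ == "__main__":
    db_key = composite_key(DEMO_PASSWORD, DEMO_KEYFILE_XML)
    print("password + XML key file :", can_unlock(db_key, DEMO_PASSWORD, DEMO_KEYFILE_XML))
    print("password + raw key file :", can_unlock(db_key, DEMO_PASSWORD, DEMO_KEYFILE_RAW))
    print("password only           :", can_unlock(db_key, DEMO_PASSWORD, None))
    print("key file only           :", can_unlock(db_key, None, DEMO_KEYFILE_XML))
```

The first two lines print True (the XML and raw files carry the same 32 bytes, so they produce the same component); the last two print False. That is the property behind keeping the key file offline: someone who obtains the database and the password still lacks 32 bytes of the key material, and someone who copies the key file still needs the password.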


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    obsidianclock wrote: »
    Two factor authentication to access data they already own? Don't we have to take their word for it that the data is encrypted and they don't have access to it?

    Do they have a warrant canary? If so how do we know they can't be subpoenaed to gather user data? There is a precedent after all!

    Nothing against storing passwords in the cloud in principle but perhaps open source software like KeePass might be a better idea? You can encrypt with keyfile which can be stored offline and I believe there's also a plugin for OTP authentication.

    Update : It also seems Two Factor Authentication is done by Google Authenticator which is closed source - cringe. Do you know if it's possible to use an Open Source authenticator like FreeOTP Authenticator ?

    I'll ring them now and find out...


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Keyzer wrote: »
    I'll ring them now and find out...

    I prefer to frame things in the form of a question as it's less hostile than saying:

    - You can't take a third party's word for it that your data is safe.
    - There is no warrant canary.
    - Google Authenticator is closed source and can't be trusted.
    - Therefore Dashlane or indeed any third party service can't be trusted with your personal data unless they use open source software which is encrypted client side, and even then...

    :)


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    obsidianclock wrote: »
    - Google Authenticator is closed source and can't be trusted.

    Not so.

    https://github.com/google/google-authenticator-android


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Khannie wrote: »

    It would seem to be closed source these days, apparently they made a switch.

    I have a lovely article from Chris Drake where he releases a scathing attack on it, also a lively discussion on the matter available here.

    I can't summarise it better than Wikipedia:

    "Open Source status on Android

    The Authenticator app as available on Google's Android app market is proprietary, as explained on the project's development page:
    "This open source project allows you to download the code that powered version 2.21 of the application. Subsequent versions contain Google-specific workflows that are not part of the project."[30]
    An independent fork of the Android version of the software named OTP Authenticator[31] has been created, which is based on the last version of the open source code that had been provided by Google. Another Open Source fork named FreeOTP[32] has been published by Red Hat."


    I suppose though there's no reason you couldn't compile your own Android version of the open source tool as it was, provided you know what you're doing.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Summary of Chris Drake's comments re: Google Authenticator:

    (The "exchanges" he's referring to are those who hosted Bitcoins.)

    Google Authenticator (GA) is not open source (only some antique version no longer in use ever got released)

    They store their bypass codes in plaintext on the server (any serverside break-in grants the attacker full ability to authenticate as you)

    Their bypass codes have insanely low entropy (7 numeric digits only - guessable in a mere 5 million attempts on average)

    Their app provides QR code enrollment - and the QR codes are generated by putting your (supposed to be secret) private key into the HTTP GET parameter of a google-owned URL: or in other words - regardless of where you enroll with GA, they're sending your private keys to google.

    "HTTP GET" parameters get stored in log files (granting access to your secret keys to anyone who can get the logs - such as by hacking, or legal subpoenas, or intercept)

    The GA app uses a 3rd party QR code scanner to read your secret keys. This 3rd party tool is a supermarket barcode app, designed to send all scanned codes to their server. This is all "closed source", so it's impossible to tell if they're recording your secret keys. Even if they're not, the author (which is not Google, and not under their control) merely has to make an update to grab GA keys if he wants.

    GA uses TOTP, which works with "shared secrets". This is a horrifying mistake. Again - anyone who can crack either end of the channel can forever impersonate the other end (read: a serverside breakin can own your client side auth). I am gobsmacked google were so stupid on this one. Asymmetric crypto was invented to stop that kind of problem - did they choose not to use it on purpose ?

    In the limited source that's available, there is a race-condition error in their brute-force-prevention code: you're supposed to only be able to guess 3 codes, but if you open 2+ channels for guessing, only 1 of those channels gets blocked - all the other ones can keep on indefinitely guessing new codes without getting blocked.

    And of course - to state the bleeding obvious - most of the exchanges that have already been looted were also "protected" by GA, with many of the victim operators publicly announcing that the hackers just bypassed it.

    It's cool that GA costs nothing, but that's pretty much all it's worth!

    Source : http://bitcoin.stackexchange.com/questions/4113/which-two-factor-authentication-methods-are-available-at-which-exchanges
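
Worked example, added here and not part of the thread or of Chris Drake's post: an RFC 6238 TOTP implementation in Python beside the failure mode the summary describes, a shared secret that ends up in a web-server log because the enrollment URI was passed as a GET parameter. The log lines, hostname, path and `chl` parameter name are constructed placeholders, not a real endpoint; the secret is the RFC 4226/6238 reference key, so the codes can be checked against the published test vectors. Whoever holds the log can compute exactly the codes the server will accept, which is the "shared secret" point in the summary.

```python
"""TOTP (RFC 6238) with the shared secret recovered from a web-server log (added example)."""
import base64
import hashlib
import hmac
import re
import struct
from urllib.parse import parse_qs, quote, urlparse

# Constructed demo secret: the reference key from the RFC 4226 / RFC 6238 test vectors.
RAW_SECRET = b"12345678901234567890"
SECRET_B32 = base64.b32encode(RAW_SECRET).decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side,
    comparing in constant time. The server must hold the same secret as the client,
    which is why a leak of either copy lets an attacker mint valid codes."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), code)
        for d in range(-window, window + 1)
    )


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The enrollment URI an authenticator app reads from a QR code (Key Uri Format)."""
    return (f"otpauth://totp/{issuer}:{account}"
            f"?secret={secret_b32}&issuer={issuer}&digits=6&period=30")


# Constructed access-log lines modelling the enrollment path the summary describes:
# the full otpauth:// URI, secret included, sent as a GET parameter to a chart-rendering
# endpoint. Host, path and the `chl` parameter are placeholders, not a real service.
ENROLL_URI = otpauth_uri("ExampleExchange", "alice", SECRET_B32)
ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2014:09:12:31 +0000] "GET /chart?chs=200x200&cht=qr&chl='
    + quote(ENROLL_URI, safe="") + ' HTTP/1.1" 200 1337',
    '198.51.100.4 - - [10/Mar/2014:09:13:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]


def secrets_from_log(lines):
    """Recover (label, base32 secret) pairs from otpauth:// URIs in request query strings."""
    found = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        for value in parse_qs(urlparse(m.group(1)).query).get("chl", []):
            if not value.startswith("otpauth://"):
                continue
            u = urlparse(value)
            params = parse_qs(u.query)
            if "secret" in params:
                found.append((u.path.lstrip("/"), params["secret"][0]))
    return found


if __name__ == "__main__":
    now = 1111111109  # fixed instant (an RFC 6238 test-vector time) so the run is reproducible
    for label, leaked in secrets_from_log(ACCESS_LOG):
        code = totp(leaked, now)
        print(f"{label}: leaked secret {leaked} -> code {code}, "
              f"server accepts: {verify_totp(SECRET_B32, code, now)}")
```

Running it prints the leaked label and secret, the code for the fixed instant, and `server accepts: True`. Note that `verify_totp` does no attempt counting at all; the lockout race mentioned above is exactly the kind of bug that appears when the failed-attempt counter is kept per connection rather than per account, so a real verifier must count failures across every channel that can submit a code.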


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    Interesting read. Thanks for that.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    obsidianclock wrote: »
    I prefer to frame things in the form of a question as it's less hostile than saying:

    - You can't take a third party's word for it that your data is safe.
    - There is no warrant canary.
    - Google Authenticator is closed source and can't be trusted.
    - Therefore Dashlane or indeed any third party service can't be trusted with your personal data unless they use open source software which is encrypted client side, and even then...

    :)

    I get where you're coming from but I don't consider Dashlane combined with Google Authenticator as the be-all and end-all in regards to password protection. I use both as a layer of extra protection for protecting my passwords.

    Yes, I'm afraid I do put my trust in Dashlane that the service they provide is what they advertise it as. That's my own personal decision; if it turns out they don't, then whatever fallout occurs will be on me and me alone.

    Risk can never be 100% eradicated, we can only manage it to an acceptable level.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Keyzer wrote: »
    I get where you're coming from but I don't consider Dashlane combined with Google Authenticator as the be-all and end-all in regards to password protection. I use both as a layer of extra protection for protecting my passwords.

    Yes, I'm afraid I do put my trust in Dashlane that the service they provide is what they advertise it as. That's my own personal decision; if it turns out they don't, then whatever fallout occurs will be on me and me alone.

    Risk can never be 100% eradicated, we can only manage it to an acceptable level.

    I am pleased to hear you have another level of obfuscation Keyzer.

    Of course having a strong password in and of itself isn't the best form of protection and I applaud the idea behind using Two Factor Authentication - even if google-authenticator has its foibles, there are plenty of open source solutions out there.

    The advantage of a service like LastPass or Dashlane is of course your passwords are more conveniently to hand and can be used to populate forms in your browser - a classic example of the balance that has to be struck between security and convenience.

    I think so long as you wouldn't mind the authorities having access to the data it protects, e.g. your e-mails, then there's no cause for concern with using services like these, but speaking for myself I'd rather use memory techniques to keep one or two more vital passwords in my head only.


  • Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    obsidianclock wrote: »
    The advantage of a service like LastPass or Dashlane is of course your passwords are more conveniently to hand and can be used to populate forms in your browser

    I achieve this with keepass and a browser plugin. I used to use lastpass, but I put myself in the shoes of the big security agencies (a useful thing to do) and decided that they would be mad not to force lastpass to back door the system and get a shed load of passwords.

    Keepass is open source and so are the browser plugins. I know this doesn't guarantee much, but it is better than using closed source solutions IMO.


  • Closed Accounts Posts: 158 ✭✭obsidianclock


    Khannie wrote: »
    I achieve this with keepass and a browser plugin. I used to use lastpass, but I put myself in the shoes of the big security agencies (a useful thing to do) and decided that they would be mad not to force lastpass to back door the system and get a shed load of passwords.

    Keepass is open source and so are the browser plugins. I know this doesn't guarantee much, but it is better than using closed source solutions IMO.

    I think you have cracked it Khannie, much safer than trusting to a third party.

    Anyone interested in seeing the plugins available for Keepass can visit:

    http://keepass.info/plugins.html

